From dac8f66a598d2369af81e6d55dc79489e58d3365 Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Fri, 22 Nov 2024 16:05:15 -0500
Subject: [PATCH 001/384] Resolve AC Warnings (#4644)

* Resolve AC Warnings

* Remove Unneeded Changes

* Add Back RequiredAttribute

* Format
---
 src/Admin/AdminConsole/Models/OrganizationEditModel.cs   | 2 +-
 src/Api/AdminConsole/Public/Models/MemberBaseModel.cs    | 9 ++++++---
 .../Public/Models/Response/MemberResponseModel.cs        | 3 +++
 .../Models/Mail/Provider/ProviderInitiateDeleteModel.cs  | 2 --
 4 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/src/Admin/AdminConsole/Models/OrganizationEditModel.cs b/src/Admin/AdminConsole/Models/OrganizationEditModel.cs
index 4ba22130f7..48340df708 100644
--- a/src/Admin/AdminConsole/Models/OrganizationEditModel.cs
+++ b/src/Admin/AdminConsole/Models/OrganizationEditModel.cs
@@ -143,7 +143,7 @@ public class OrganizationEditModel : OrganizationViewModel
     [Display(Name = "SCIM")]
     public bool UseScim { get; set; }
     [Display(Name = "Secrets Manager")]
-    public bool UseSecretsManager { get; set; }
+    public new bool UseSecretsManager { get; set; }
     [Display(Name = "Self Host")]
     public bool SelfHost { get; set; }
     [Display(Name = "Users Get Premium")]
diff --git a/src/Api/AdminConsole/Public/Models/MemberBaseModel.cs b/src/Api/AdminConsole/Public/Models/MemberBaseModel.cs
index c56117ae71..dc3f91d49f 100644
--- a/src/Api/AdminConsole/Public/Models/MemberBaseModel.cs
+++ b/src/Api/AdminConsole/Public/Models/MemberBaseModel.cs
@@ -1,8 +1,11 @@
 using System.ComponentModel.DataAnnotations;
+using System.Diagnostics.CodeAnalysis;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 
+#nullable enable
+
 namespace Bit.Api.AdminConsole.Public.Models;
 
 public abstract class MemberBaseModel
@@ -25,6 +28,7 @@ public abstract class MemberBaseModel
         }
     }
 
+    [SetsRequiredMembers]
     public MemberBaseModel(OrganizationUserUserDetails user)
     {
         if (user == null)
@@ -46,14 +50,13 @@ public abstract class MemberBaseModel
     /// </summary>
     [Required]
     [EnumDataType(typeof(OrganizationUserType))]
-    public OrganizationUserType? Type { get; set; }
+    public required OrganizationUserType? Type { get; set; }
     /// <summary>
     /// External identifier for reference or linking this member to another system, such as a user directory.
     /// </summary>
     /// <example>external_id_123456</example>
     [StringLength(300)]
-    public string ExternalId { get; set; }
-
+    public string? ExternalId { get; set; }
     /// <summary>
     /// The member's custom permissions if the member has a Custom role. If not supplied, all custom permissions will
     /// default to false.
diff --git a/src/Api/AdminConsole/Public/Models/Response/MemberResponseModel.cs b/src/Api/AdminConsole/Public/Models/Response/MemberResponseModel.cs
index ab6ecbca44..499c27cfc9 100644
--- a/src/Api/AdminConsole/Public/Models/Response/MemberResponseModel.cs
+++ b/src/Api/AdminConsole/Public/Models/Response/MemberResponseModel.cs
@@ -1,4 +1,5 @@
 using System.ComponentModel.DataAnnotations;
+using System.Diagnostics.CodeAnalysis;
 using System.Text.Json.Serialization;
 using Bit.Api.Models.Public.Response;
 using Bit.Core.Entities;
@@ -16,6 +17,7 @@ public class MemberResponseModel : MemberBaseModel, IResponseModel
     [JsonConstructor]
     public MemberResponseModel() { }
 
+    [SetsRequiredMembers]
     public MemberResponseModel(OrganizationUser user, IEnumerable<CollectionAccessSelection> collections) : base(user)
     {
         if (user == null)
@@ -31,6 +33,7 @@ public class MemberResponseModel : MemberBaseModel, IResponseModel
         ResetPasswordEnrolled = user.ResetPasswordKey != null;
     }
 
+    [SetsRequiredMembers]
     public MemberResponseModel(OrganizationUserUserDetails user, bool twoFactorEnabled,
         IEnumerable<CollectionAccessSelection> collections) : base(user)
     {
diff --git a/src/Core/Models/Mail/Provider/ProviderInitiateDeleteModel.cs b/src/Core/Models/Mail/Provider/ProviderInitiateDeleteModel.cs
index 196decb5ee..a5071527fe 100644
--- a/src/Core/Models/Mail/Provider/ProviderInitiateDeleteModel.cs
+++ b/src/Core/Models/Mail/Provider/ProviderInitiateDeleteModel.cs
@@ -8,10 +8,8 @@ public class ProviderInitiateDeleteModel : BaseMailModel
         Token,
         ProviderNameUrlEncoded);
 
-    public string WebVaultUrl { get; set; }
     public string Token { get; set; }
     public Guid ProviderId { get; set; }
-    public string SiteName { get; set; }
     public string ProviderName { get; set; }
     public string ProviderNameUrlEncoded { get; set; }
     public string ProviderBillingEmail { get; set; }

From c4ab5f31f5979319d4b7a9d3189117edaca3304c Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 25 Nov 2024 15:12:04 +0100
Subject: [PATCH 002/384] [deps] Tools: Update aws-sdk-net monorepo (#5065)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 src/Core/Core.csproj | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index 2f40fb7b23..d16624898d 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -21,8 +21,8 @@
 
   <ItemGroup>
     <PackageReference Include="AspNetCoreRateLimit.Redis" Version="2.0.0" />
-    <PackageReference Include="AWSSDK.SimpleEmail" Version="3.7.401.46" />
-    <PackageReference Include="AWSSDK.SQS" Version="3.7.400.56" />
+    <PackageReference Include="AWSSDK.SimpleEmail" Version="3.7.402" />
+    <PackageReference Include="AWSSDK.SQS" Version="3.7.400.57" />
     <PackageReference Include="Azure.Data.Tables" Version="12.9.0" />
     <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Blobs" Version="1.3.4" />
     <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="8.0.10" />

From 07592e22b9f4102e118d817c6384a7c4da604195 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 25 Nov 2024 16:17:59 +0100
Subject: [PATCH 003/384] [deps]: Update Microsoft.NET.Test.Sdk to 17.12.0
 (#5067)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Daniel James Smith <2670567+djsmith85@users.noreply.github.com>
---
 .../Infrastructure.Dapper.Test.csproj                           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/Infrastructure.Dapper.Test/Infrastructure.Dapper.Test.csproj b/test/Infrastructure.Dapper.Test/Infrastructure.Dapper.Test.csproj
index dfc8951cc3..82d63bd3c1 100644
--- a/test/Infrastructure.Dapper.Test/Infrastructure.Dapper.Test.csproj
+++ b/test/Infrastructure.Dapper.Test/Infrastructure.Dapper.Test.csproj
@@ -10,7 +10,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.11.1" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
     <PackageReference Include="xunit" Version="2.9.2" />
     <PackageReference Include="xunit.runner.visualstudio" Version="2.8.2">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>

From fd7ff2ac63f40cbee8457af1aa44e6bc9a1c0070 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 25 Nov 2024 14:30:02 -0500
Subject: [PATCH 004/384] [deps] Billing: Update FluentAssertions to 6.12.2
 (#5015)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
---
 test/Billing.Test/Billing.Test.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/Billing.Test/Billing.Test.csproj b/test/Billing.Test/Billing.Test.csproj
index 3bbda52ded..c6a7ef48e0 100644
--- a/test/Billing.Test/Billing.Test.csproj
+++ b/test/Billing.Test/Billing.Test.csproj
@@ -6,7 +6,7 @@
 
   <ItemGroup>
     <PackageReference Include="Divergic.Logging.Xunit" Version="4.3.0" />
-    <PackageReference Include="FluentAssertions" Version="6.12.1" />
+    <PackageReference Include="FluentAssertions" Version="6.12.2" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNetTestSdkVersion)" />
     <PackageReference Include="RichardSzalay.MockHttp" Version="7.0.0" />
     <PackageReference Include="xunit" Version="$(XUnitVersion)" />

From b974899127ee0154b20fb8ad8d254b17194ee523 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 25 Nov 2024 14:30:32 -0500
Subject: [PATCH 005/384] [deps] Billing: Update Braintree to 5.28.0 (#5019)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
---
 src/Core/Core.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index d16624898d..5970629caa 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -54,7 +54,7 @@
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
     <PackageReference Include="Serilog.Sinks.SyslogMessages" Version="4.0.0" />
     <PackageReference Include="AspNetCoreRateLimit" Version="5.0.0" />
-    <PackageReference Include="Braintree" Version="5.27.0" />
+    <PackageReference Include="Braintree" Version="5.28.0" />
     <PackageReference Include="Stripe.net" Version="45.14.0" />
     <PackageReference Include="Otp.NET" Version="1.4.0" />
     <PackageReference Include="YubicoDotNetClient" Version="1.2.0" />

From 8f703a29ac4dd46d8f5eacee09b9fbb73ede9031 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 26 Nov 2024 13:20:42 -0500
Subject: [PATCH 006/384] [deps] DbOps: Update Microsoft.Azure.Cosmos to 3.46.0
 (#5066)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 src/Core/Core.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index 5970629caa..fd4d8cc7e1 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -36,7 +36,7 @@
     <PackageReference Include="Handlebars.Net" Version="2.1.6" />
     <PackageReference Include="MailKit" Version="4.8.0" />    
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.10" />
-    <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.45.0" />
+    <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.46.0" />
     <PackageReference Include="Microsoft.Azure.NotificationHubs" Version="4.2.0" />
     <PackageReference Include="Microsoft.Data.SqlClient" Version="5.2.2" />
     <PackageReference Include="Microsoft.Extensions.Caching.Cosmos" Version="1.6.1" />

From 1b75e35c319f588d9e8a5fe7fd9ccd6591813cf1 Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Tue, 26 Nov 2024 16:37:12 -0600
Subject: [PATCH 007/384] [PM-10319] - Revoke Non Complaint Users for 2FA and
 Single Org Policy Enablement (#5037)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Revoking users when enabling single org and 2fa policies.
- Updated emails sent when users are revoked via 2FA or Single Organization policy enablement

Co-authored-by: Matt Bishop <mbishop@bitwarden.com>
Co-authored-by: Rui Tomé <108268980+r-tome@users.noreply.github.com>
---
 .../AdminConsole/Enums/EventSystemUser.cs     |   1 +
 .../AdminConsole/Models/Data/IActingUser.cs   |  10 +
 .../AdminConsole/Models/Data/StandardUser.cs  |  16 ++
 .../AdminConsole/Models/Data/SystemUser.cs    |  16 ++
 .../VerifyOrganizationDomainCommand.cs        |  93 +++++----
 ...vokeNonCompliantOrganizationUserCommand.cs |   9 +
 .../Requests/RevokeOrganizationUserRequest.cs |  13 ++
 ...vokeNonCompliantOrganizationUserCommand.cs | 112 +++++++++++
 .../Policies/Models/PolicyUpdate.cs           |   2 +
 .../SingleOrgPolicyValidator.cs               |  70 ++++++-
 .../TwoFactorAuthenticationPolicyValidator.cs |  69 ++++++-
 .../IOrganizationUserRepository.cs            |   2 +
 .../AdminConsole/Services/IPolicyService.cs   |   2 +-
 .../Services/Implementations/PolicyService.cs |  15 +-
 ...tionUserRevokedForSingleOrgPolicy.html.hbs |  14 ++
 ...tionUserRevokedForSingleOrgPolicy.text.hbs |   5 +
 ...tionUserRevokedForTwoFactorPolicy.html.hbs |  15 ++
 ...tionUserRevokedForTwoFactorPolicy.text.hbs |   7 +
 src/Core/Models/Commands/CommandResult.cs     |  12 ++
 ...nUserRevokedForPolicySingleOrgViewModel.cs |   6 +
 ...nUserRevokedForPolicyTwoFactorViewModel.cs |   6 +
 ...OrganizationServiceCollectionExtensions.cs |   1 +
 src/Core/Services/IMailService.cs             |   2 +
 .../Implementations/HandlebarsMailService.cs  |  31 ++-
 .../NoopImplementations/NoopMailService.cs    |   6 +
 .../OrganizationUserRepository.cs             |  10 +
 .../OrganizationUserRepository.cs             |  12 ++
 ...OrganizationUser_SetStatusForUsersById.sql |  29 +++
 .../AutoFixture/PolicyUpdateFixtures.cs       |   4 +-
 .../VerifyOrganizationDomainCommandTests.cs   |  38 +++-
 ...onCompliantOrganizationUserCommandTests.cs | 185 ++++++++++++++++++
 .../SingleOrgPolicyValidatorTests.cs          | 151 ++++++++++++++
 ...actorAuthenticationPolicyValidatorTests.cs | 150 +++++++++++++-
 .../Policies/SavePolicyCommandTests.cs        |   4 +-
 .../Services/EventServiceTests.cs             |   1 -
 .../2024-11-26-00_OrgUserSetStatusBulk.sql    |  28 +++
 36 files changed, 1074 insertions(+), 73 deletions(-)
 create mode 100644 src/Core/AdminConsole/Models/Data/IActingUser.cs
 create mode 100644 src/Core/AdminConsole/Models/Data/StandardUser.cs
 create mode 100644 src/Core/AdminConsole/Models/Data/SystemUser.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IRevokeNonCompliantOrganizationUserCommand.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Requests/RevokeOrganizationUserRequest.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeNonCompliantOrganizationUserCommand.cs
 create mode 100644 src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForSingleOrgPolicy.html.hbs
 create mode 100644 src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForSingleOrgPolicy.text.hbs
 create mode 100644 src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForTwoFactorPolicy.html.hbs
 create mode 100644 src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForTwoFactorPolicy.text.hbs
 create mode 100644 src/Core/Models/Commands/CommandResult.cs
 create mode 100644 src/Core/Models/Mail/OrganizationUserRevokedForPolicySingleOrgViewModel.cs
 create mode 100644 src/Core/Models/Mail/OrganizationUserRevokedForPolicyTwoFactorViewModel.cs
 create mode 100644 src/Sql/dbo/Stored Procedures/OrganizationUser_SetStatusForUsersById.sql
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeNonCompliantOrganizationUserCommandTests.cs
 create mode 100644 util/Migrator/DbScripts/2024-11-26-00_OrgUserSetStatusBulk.sql

diff --git a/src/Core/AdminConsole/Enums/EventSystemUser.cs b/src/Core/AdminConsole/Enums/EventSystemUser.cs
index df9be9a350..c3e13705dd 100644
--- a/src/Core/AdminConsole/Enums/EventSystemUser.cs
+++ b/src/Core/AdminConsole/Enums/EventSystemUser.cs
@@ -2,6 +2,7 @@
 
 public enum EventSystemUser : byte
 {
+    Unknown = 0,
     SCIM = 1,
     DomainVerification = 2,
     PublicApi = 3,
diff --git a/src/Core/AdminConsole/Models/Data/IActingUser.cs b/src/Core/AdminConsole/Models/Data/IActingUser.cs
new file mode 100644
index 0000000000..f97235f34c
--- /dev/null
+++ b/src/Core/AdminConsole/Models/Data/IActingUser.cs
@@ -0,0 +1,10 @@
+using Bit.Core.Enums;
+
+namespace Bit.Core.AdminConsole.Models.Data;
+
+public interface IActingUser
+{
+    Guid? UserId { get; }
+    bool IsOrganizationOwnerOrProvider { get; }
+    EventSystemUser? SystemUserType { get; }
+}
diff --git a/src/Core/AdminConsole/Models/Data/StandardUser.cs b/src/Core/AdminConsole/Models/Data/StandardUser.cs
new file mode 100644
index 0000000000..f21a41db7c
--- /dev/null
+++ b/src/Core/AdminConsole/Models/Data/StandardUser.cs
@@ -0,0 +1,16 @@
+using Bit.Core.Enums;
+
+namespace Bit.Core.AdminConsole.Models.Data;
+
+public class StandardUser : IActingUser
+{
+    public StandardUser(Guid userId, bool isOrganizationOwner)
+    {
+        UserId = userId;
+        IsOrganizationOwnerOrProvider = isOrganizationOwner;
+    }
+
+    public Guid? UserId { get; }
+    public bool IsOrganizationOwnerOrProvider { get; }
+    public EventSystemUser? SystemUserType => throw new Exception($"{nameof(StandardUser)} does not have a {nameof(SystemUserType)}");
+}
diff --git a/src/Core/AdminConsole/Models/Data/SystemUser.cs b/src/Core/AdminConsole/Models/Data/SystemUser.cs
new file mode 100644
index 0000000000..c4859f928f
--- /dev/null
+++ b/src/Core/AdminConsole/Models/Data/SystemUser.cs
@@ -0,0 +1,16 @@
+using Bit.Core.Enums;
+
+namespace Bit.Core.AdminConsole.Models.Data;
+
+public class SystemUser : IActingUser
+{
+    public SystemUser(EventSystemUser systemUser)
+    {
+        SystemUserType = systemUser;
+    }
+
+    public Guid? UserId => throw new Exception($"{nameof(SystemUserType)} does not have a {nameof(UserId)}.");
+
+    public bool IsOrganizationOwnerOrProvider => false;
+    public EventSystemUser? SystemUserType { get; }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs
index 870fa72aa7..dd6add669f 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs
@@ -1,7 +1,9 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains.Interfaces;
 using Bit.Core.AdminConsole.Services;
+using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -12,124 +14,121 @@ using Microsoft.Extensions.Logging;
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains;
 
-public class VerifyOrganizationDomainCommand : IVerifyOrganizationDomainCommand
+public class VerifyOrganizationDomainCommand(
+    IOrganizationDomainRepository organizationDomainRepository,
+    IDnsResolverService dnsResolverService,
+    IEventService eventService,
+    IGlobalSettings globalSettings,
+    IPolicyService policyService,
+    IFeatureService featureService,
+    ICurrentContext currentContext,
+    ILogger<VerifyOrganizationDomainCommand> logger)
+    : IVerifyOrganizationDomainCommand
 {
-    private readonly IOrganizationDomainRepository _organizationDomainRepository;
-    private readonly IDnsResolverService _dnsResolverService;
-    private readonly IEventService _eventService;
-    private readonly IGlobalSettings _globalSettings;
-    private readonly IPolicyService _policyService;
-    private readonly IFeatureService _featureService;
-    private readonly ILogger<VerifyOrganizationDomainCommand> _logger;
-
-    public VerifyOrganizationDomainCommand(
-        IOrganizationDomainRepository organizationDomainRepository,
-        IDnsResolverService dnsResolverService,
-        IEventService eventService,
-        IGlobalSettings globalSettings,
-        IPolicyService policyService,
-        IFeatureService featureService,
-        ILogger<VerifyOrganizationDomainCommand> logger)
-    {
-        _organizationDomainRepository = organizationDomainRepository;
-        _dnsResolverService = dnsResolverService;
-        _eventService = eventService;
-        _globalSettings = globalSettings;
-        _policyService = policyService;
-        _featureService = featureService;
-        _logger = logger;
-    }
 
 
     public async Task<OrganizationDomain> UserVerifyOrganizationDomainAsync(OrganizationDomain organizationDomain)
     {
-        var domainVerificationResult = await VerifyOrganizationDomainAsync(organizationDomain);
+        if (currentContext.UserId is null)
+        {
+            throw new InvalidOperationException(
+                $"{nameof(UserVerifyOrganizationDomainAsync)} can only be called by a user. " +
+                $"Please call {nameof(SystemVerifyOrganizationDomainAsync)} for system users.");
+        }
 
-        await _eventService.LogOrganizationDomainEventAsync(domainVerificationResult,
+        var actingUser = new StandardUser(currentContext.UserId.Value, await currentContext.OrganizationOwner(organizationDomain.OrganizationId));
+
+        var domainVerificationResult = await VerifyOrganizationDomainAsync(organizationDomain, actingUser);
+
+        await eventService.LogOrganizationDomainEventAsync(domainVerificationResult,
             domainVerificationResult.VerifiedDate != null
                 ? EventType.OrganizationDomain_Verified
                 : EventType.OrganizationDomain_NotVerified);
 
-        await _organizationDomainRepository.ReplaceAsync(domainVerificationResult);
+        await organizationDomainRepository.ReplaceAsync(domainVerificationResult);
 
         return domainVerificationResult;
     }
 
     public async Task<OrganizationDomain> SystemVerifyOrganizationDomainAsync(OrganizationDomain organizationDomain)
     {
+        var actingUser = new SystemUser(EventSystemUser.DomainVerification);
+
         organizationDomain.SetJobRunCount();
 
-        var domainVerificationResult = await VerifyOrganizationDomainAsync(organizationDomain);
+        var domainVerificationResult = await VerifyOrganizationDomainAsync(organizationDomain, actingUser);
 
         if (domainVerificationResult.VerifiedDate is not null)
         {
-            _logger.LogInformation(Constants.BypassFiltersEventId, "Successfully validated domain");
+            logger.LogInformation(Constants.BypassFiltersEventId, "Successfully validated domain");
 
-            await _eventService.LogOrganizationDomainEventAsync(domainVerificationResult,
+            await eventService.LogOrganizationDomainEventAsync(domainVerificationResult,
                 EventType.OrganizationDomain_Verified,
                 EventSystemUser.DomainVerification);
         }
         else
         {
-            domainVerificationResult.SetNextRunDate(_globalSettings.DomainVerification.VerificationInterval);
+            domainVerificationResult.SetNextRunDate(globalSettings.DomainVerification.VerificationInterval);
 
-            await _eventService.LogOrganizationDomainEventAsync(domainVerificationResult,
+            await eventService.LogOrganizationDomainEventAsync(domainVerificationResult,
                 EventType.OrganizationDomain_NotVerified,
                 EventSystemUser.DomainVerification);
 
-            _logger.LogInformation(Constants.BypassFiltersEventId,
+            logger.LogInformation(Constants.BypassFiltersEventId,
                 "Verification for organization {OrgId} with domain {Domain} failed",
                 domainVerificationResult.OrganizationId, domainVerificationResult.DomainName);
         }
 
-        await _organizationDomainRepository.ReplaceAsync(domainVerificationResult);
+        await organizationDomainRepository.ReplaceAsync(domainVerificationResult);
 
         return domainVerificationResult;
     }
 
-    private async Task<OrganizationDomain> VerifyOrganizationDomainAsync(OrganizationDomain domain)
+    private async Task<OrganizationDomain> VerifyOrganizationDomainAsync(OrganizationDomain domain, IActingUser actingUser)
     {
         domain.SetLastCheckedDate();
 
         if (domain.VerifiedDate is not null)
         {
-            await _organizationDomainRepository.ReplaceAsync(domain);
+            await organizationDomainRepository.ReplaceAsync(domain);
             throw new ConflictException("Domain has already been verified.");
         }
 
         var claimedDomain =
-            await _organizationDomainRepository.GetClaimedDomainsByDomainNameAsync(domain.DomainName);
+            await organizationDomainRepository.GetClaimedDomainsByDomainNameAsync(domain.DomainName);
 
         if (claimedDomain.Count > 0)
         {
-            await _organizationDomainRepository.ReplaceAsync(domain);
+            await organizationDomainRepository.ReplaceAsync(domain);
             throw new ConflictException("The domain is not available to be claimed.");
         }
 
         try
         {
-            if (await _dnsResolverService.ResolveAsync(domain.DomainName, domain.Txt))
+            if (await dnsResolverService.ResolveAsync(domain.DomainName, domain.Txt))
             {
                 domain.SetVerifiedDate();
 
-                await EnableSingleOrganizationPolicyAsync(domain.OrganizationId);
+                await EnableSingleOrganizationPolicyAsync(domain.OrganizationId, actingUser);
             }
         }
         catch (Exception e)
         {
-            _logger.LogError("Error verifying Organization domain: {domain}. {errorMessage}",
+            logger.LogError("Error verifying Organization domain: {domain}. {errorMessage}",
                 domain.DomainName, e.Message);
         }
 
         return domain;
     }
 
-    private async Task EnableSingleOrganizationPolicyAsync(Guid organizationId)
+    private async Task EnableSingleOrganizationPolicyAsync(Guid organizationId, IActingUser actingUser)
     {
-        if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning))
+        if (featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning))
         {
-            await _policyService.SaveAsync(
-                new Policy { OrganizationId = organizationId, Type = PolicyType.SingleOrg, Enabled = true }, null);
+            await policyService.SaveAsync(
+                new Policy { OrganizationId = organizationId, Type = PolicyType.SingleOrg, Enabled = true },
+                savingUserId: actingUser is StandardUser standardUser ? standardUser.UserId : null,
+                eventSystemUser: actingUser is SystemUser systemUser ? systemUser.SystemUserType : null);
         }
     }
 }
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IRevokeNonCompliantOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IRevokeNonCompliantOrganizationUserCommand.cs
new file mode 100644
index 0000000000..c9768a8905
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IRevokeNonCompliantOrganizationUserCommand.cs
@@ -0,0 +1,9 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
+using Bit.Core.Models.Commands;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+
+public interface IRevokeNonCompliantOrganizationUserCommand
+{
+    Task<CommandResult> RevokeNonCompliantOrganizationUsersAsync(RevokeOrganizationUsersRequest request);
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Requests/RevokeOrganizationUserRequest.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Requests/RevokeOrganizationUserRequest.cs
new file mode 100644
index 0000000000..88f1dc8aa1
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Requests/RevokeOrganizationUserRequest.cs
@@ -0,0 +1,13 @@
+using Bit.Core.AdminConsole.Models.Data;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
+
+public record RevokeOrganizationUsersRequest(
+    Guid OrganizationId,
+    IEnumerable<OrganizationUserUserDetails> OrganizationUsers,
+    IActingUser ActionPerformedBy)
+{
+    public RevokeOrganizationUsersRequest(Guid organizationId, OrganizationUserUserDetails organizationUser, IActingUser actionPerformedBy)
+        : this(organizationId, [organizationUser], actionPerformedBy) { }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeNonCompliantOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeNonCompliantOrganizationUserCommand.cs
new file mode 100644
index 0000000000..971ed02b29
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeNonCompliantOrganizationUserCommand.cs
@@ -0,0 +1,112 @@
+using Bit.Core.AdminConsole.Models.Data;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
+using Bit.Core.Enums;
+using Bit.Core.Models.Commands;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
+
+public class RevokeNonCompliantOrganizationUserCommand(IOrganizationUserRepository organizationUserRepository,
+    IEventService eventService,
+    IHasConfirmedOwnersExceptQuery confirmedOwnersExceptQuery,
+    TimeProvider timeProvider) : IRevokeNonCompliantOrganizationUserCommand
+{
+    public const string ErrorCannotRevokeSelf = "You cannot revoke yourself.";
+    public const string ErrorOnlyOwnersCanRevokeOtherOwners = "Only owners can revoke other owners.";
+    public const string ErrorUserAlreadyRevoked = "User is already revoked.";
+    public const string ErrorOrgMustHaveAtLeastOneOwner = "Organization must have at least one confirmed owner.";
+    public const string ErrorInvalidUsers = "Invalid users.";
+    public const string ErrorRequestedByWasNotValid = "Action was performed by an unexpected type.";
+
+    public async Task<CommandResult> RevokeNonCompliantOrganizationUsersAsync(RevokeOrganizationUsersRequest request)
+    {
+        var validationResult = await ValidateAsync(request);
+
+        if (validationResult.HasErrors)
+        {
+            return validationResult;
+        }
+
+        await organizationUserRepository.RevokeManyByIdAsync(request.OrganizationUsers.Select(x => x.Id));
+
+        var now = timeProvider.GetUtcNow();
+
+        switch (request.ActionPerformedBy)
+        {
+            case StandardUser:
+                await eventService.LogOrganizationUserEventsAsync(
+                    request.OrganizationUsers.Select(x => GetRevokedUserEventTuple(x, now)));
+                break;
+            case SystemUser { SystemUserType: not null } loggableSystem:
+                await eventService.LogOrganizationUserEventsAsync(
+                    request.OrganizationUsers.Select(x =>
+                        GetRevokedUserEventBySystemUserTuple(x, loggableSystem.SystemUserType.Value, now)));
+                break;
+        }
+
+        return validationResult;
+    }
+
+    private static (OrganizationUserUserDetails organizationUser, EventType eventType, DateTime? time) GetRevokedUserEventTuple(
+        OrganizationUserUserDetails organizationUser, DateTimeOffset dateTimeOffset) =>
+        new(organizationUser, EventType.OrganizationUser_Revoked, dateTimeOffset.UtcDateTime);
+
+    private static (OrganizationUserUserDetails organizationUser, EventType eventType, EventSystemUser eventSystemUser, DateTime? time) GetRevokedUserEventBySystemUserTuple(
+        OrganizationUserUserDetails organizationUser, EventSystemUser systemUser, DateTimeOffset dateTimeOffset) => new(organizationUser,
+        EventType.OrganizationUser_Revoked, systemUser, dateTimeOffset.UtcDateTime);
+
+    private async Task<CommandResult> ValidateAsync(RevokeOrganizationUsersRequest request)
+    {
+        if (!PerformedByIsAnExpectedType(request.ActionPerformedBy))
+        {
+            return new CommandResult(ErrorRequestedByWasNotValid);
+        }
+
+        if (request.ActionPerformedBy is StandardUser user
+            && request.OrganizationUsers.Any(x => x.UserId == user.UserId))
+        {
+            return new CommandResult(ErrorCannotRevokeSelf);
+        }
+
+        if (request.OrganizationUsers.Any(x => x.OrganizationId != request.OrganizationId))
+        {
+            return new CommandResult(ErrorInvalidUsers);
+        }
+
+        if (!await confirmedOwnersExceptQuery.HasConfirmedOwnersExceptAsync(
+                    request.OrganizationId,
+                    request.OrganizationUsers.Select(x => x.Id)))
+        {
+            return new CommandResult(ErrorOrgMustHaveAtLeastOneOwner);
+        }
+
+        return request.OrganizationUsers.Aggregate(new CommandResult(), (result, userToRevoke) =>
+        {
+            if (IsAlreadyRevoked(userToRevoke))
+            {
+                result.ErrorMessages.Add($"{ErrorUserAlreadyRevoked} Id: {userToRevoke.Id}");
+                return result;
+            }
+
+            if (NonOwnersCannotRevokeOwners(userToRevoke, request.ActionPerformedBy))
+            {
+                result.ErrorMessages.Add($"{ErrorOnlyOwnersCanRevokeOtherOwners}");
+                return result;
+            }
+
+            return result;
+        });
+    }
+
+    private static bool PerformedByIsAnExpectedType(IActingUser entity) => entity is SystemUser or StandardUser;
+
+    private static bool IsAlreadyRevoked(OrganizationUserUserDetails organizationUser) =>
+        organizationUser is { Status: OrganizationUserStatusType.Revoked };
+
+    private static bool NonOwnersCannotRevokeOwners(OrganizationUserUserDetails organizationUser,
+        IActingUser actingUser) =>
+        actingUser is StandardUser { IsOrganizationOwnerOrProvider: false } && organizationUser.Type == OrganizationUserType.Owner;
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/Models/PolicyUpdate.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/Models/PolicyUpdate.cs
index 117a7ec733..d1a52f0080 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/Models/PolicyUpdate.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/Models/PolicyUpdate.cs
@@ -1,6 +1,7 @@
 #nullable enable
 
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.Utilities;
 
@@ -15,6 +16,7 @@ public record PolicyUpdate
     public PolicyType Type { get; set; }
     public string? Data { get; set; }
     public bool Enabled { get; set; }
+    public IActingUser? PerformedBy { get; set; }
 
     public T GetDataModel<T>() where T : IPolicyDataModel, new()
     {
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidator.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidator.cs
index cc6971f946..050949ee7f 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidator.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidator.cs
@@ -2,8 +2,10 @@
 
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Repositories;
@@ -18,6 +20,8 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyValidators;
 public class SingleOrgPolicyValidator : IPolicyValidator
 {
     public PolicyType Type => PolicyType.SingleOrg;
+    private const string OrganizationNotFoundErrorMessage = "Organization not found.";
+    private const string ClaimedDomainSingleOrganizationRequiredErrorMessage = "The Single organization policy is required for organizations that have enabled domain verification.";
 
     private readonly IOrganizationUserRepository _organizationUserRepository;
     private readonly IMailService _mailService;
@@ -27,6 +31,7 @@ public class SingleOrgPolicyValidator : IPolicyValidator
     private readonly IFeatureService _featureService;
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
     private readonly IOrganizationHasVerifiedDomainsQuery _organizationHasVerifiedDomainsQuery;
+    private readonly IRevokeNonCompliantOrganizationUserCommand _revokeNonCompliantOrganizationUserCommand;
 
     public SingleOrgPolicyValidator(
         IOrganizationUserRepository organizationUserRepository,
@@ -36,7 +41,8 @@ public class SingleOrgPolicyValidator : IPolicyValidator
         ICurrentContext currentContext,
         IFeatureService featureService,
         IRemoveOrganizationUserCommand removeOrganizationUserCommand,
-        IOrganizationHasVerifiedDomainsQuery organizationHasVerifiedDomainsQuery)
+        IOrganizationHasVerifiedDomainsQuery organizationHasVerifiedDomainsQuery,
+        IRevokeNonCompliantOrganizationUserCommand revokeNonCompliantOrganizationUserCommand)
     {
         _organizationUserRepository = organizationUserRepository;
         _mailService = mailService;
@@ -46,6 +52,7 @@ public class SingleOrgPolicyValidator : IPolicyValidator
         _featureService = featureService;
         _removeOrganizationUserCommand = removeOrganizationUserCommand;
         _organizationHasVerifiedDomainsQuery = organizationHasVerifiedDomainsQuery;
+        _revokeNonCompliantOrganizationUserCommand = revokeNonCompliantOrganizationUserCommand;
     }
 
     public IEnumerable<PolicyType> RequiredPolicies => [];
@@ -54,10 +61,54 @@ public class SingleOrgPolicyValidator : IPolicyValidator
     {
         if (currentPolicy is not { Enabled: true } && policyUpdate is { Enabled: true })
         {
-            await RemoveNonCompliantUsersAsync(policyUpdate.OrganizationId);
+            if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning))
+            {
+                var currentUser = _currentContext.UserId ?? Guid.Empty;
+                var isOwnerOrProvider = await _currentContext.OrganizationOwner(policyUpdate.OrganizationId);
+                await RevokeNonCompliantUsersAsync(policyUpdate.OrganizationId, policyUpdate.PerformedBy ?? new StandardUser(currentUser, isOwnerOrProvider));
+            }
+            else
+            {
+                await RemoveNonCompliantUsersAsync(policyUpdate.OrganizationId);
+            }
         }
     }
 
+    private async Task RevokeNonCompliantUsersAsync(Guid organizationId, IActingUser performedBy)
+    {
+        var organization = await _organizationRepository.GetByIdAsync(organizationId);
+
+        if (organization is null)
+        {
+            throw new NotFoundException(OrganizationNotFoundErrorMessage);
+        }
+
+        var currentActiveRevocableOrganizationUsers =
+            (await _organizationUserRepository.GetManyDetailsByOrganizationAsync(organizationId))
+            .Where(ou => ou.Status != OrganizationUserStatusType.Invited &&
+                         ou.Status != OrganizationUserStatusType.Revoked &&
+                         ou.Type != OrganizationUserType.Owner &&
+                         ou.Type != OrganizationUserType.Admin &&
+                         !(performedBy is StandardUser stdUser && stdUser.UserId == ou.UserId))
+            .ToList();
+
+        if (currentActiveRevocableOrganizationUsers.Count == 0)
+        {
+            return;
+        }
+
+        var commandResult = await _revokeNonCompliantOrganizationUserCommand.RevokeNonCompliantOrganizationUsersAsync(
+            new RevokeOrganizationUsersRequest(organizationId, currentActiveRevocableOrganizationUsers, performedBy));
+
+        if (commandResult.HasErrors)
+        {
+            throw new BadRequestException(string.Join(", ", commandResult.ErrorMessages));
+        }
+
+        await Task.WhenAll(currentActiveRevocableOrganizationUsers.Select(x =>
+            _mailService.SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(organization.DisplayName(), x.Email)));
+    }
+
     private async Task RemoveNonCompliantUsersAsync(Guid organizationId)
     {
         // Remove non-compliant users
@@ -67,7 +118,7 @@ public class SingleOrgPolicyValidator : IPolicyValidator
         var org = await _organizationRepository.GetByIdAsync(organizationId);
         if (org == null)
         {
-            throw new NotFoundException("Organization not found.");
+            throw new NotFoundException(OrganizationNotFoundErrorMessage);
         }
 
         var removableOrgUsers = orgUsers.Where(ou =>
@@ -76,18 +127,17 @@ public class SingleOrgPolicyValidator : IPolicyValidator
             ou.Type != OrganizationUserType.Owner &&
             ou.Type != OrganizationUserType.Admin &&
             ou.UserId != savingUserId
-            ).ToList();
+        ).ToList();
 
         var userOrgs = await _organizationUserRepository.GetManyByManyUsersAsync(
-                removableOrgUsers.Select(ou => ou.UserId!.Value));
+            removableOrgUsers.Select(ou => ou.UserId!.Value));
         foreach (var orgUser in removableOrgUsers)
         {
             if (userOrgs.Any(ou => ou.UserId == orgUser.UserId
-                        && ou.OrganizationId != org.Id
-                        && ou.Status != OrganizationUserStatusType.Invited))
+                                   && ou.OrganizationId != org.Id
+                                   && ou.Status != OrganizationUserStatusType.Invited))
             {
-                await _removeOrganizationUserCommand.RemoveUserAsync(organizationId, orgUser.Id,
-                    savingUserId);
+                await _removeOrganizationUserCommand.RemoveUserAsync(organizationId, orgUser.Id, savingUserId);
 
                 await _mailService.SendOrganizationUserRemovedForPolicySingleOrgEmailAsync(
                     org.DisplayName(), orgUser.Email);
@@ -111,7 +161,7 @@ public class SingleOrgPolicyValidator : IPolicyValidator
             if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
                 && await _organizationHasVerifiedDomainsQuery.HasVerifiedDomainsAsync(policyUpdate.OrganizationId))
             {
-                return "The Single organization policy is required for organizations that have enabled domain verification.";
+                return ClaimedDomainSingleOrganizationRequiredErrorMessage;
             }
         }
 
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs
index ef896bbb9b..c2dd8cff91 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs
@@ -2,12 +2,15 @@
 
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 
@@ -21,6 +24,10 @@ public class TwoFactorAuthenticationPolicyValidator : IPolicyValidator
     private readonly ICurrentContext _currentContext;
     private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery;
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
+    private readonly IFeatureService _featureService;
+    private readonly IRevokeNonCompliantOrganizationUserCommand _revokeNonCompliantOrganizationUserCommand;
+
+    public const string NonCompliantMembersWillLoseAccessMessage = "Policy could not be enabled. Non-compliant members will lose access to their accounts. Identify members without two-step login from the policies column in the members page.";
 
     public PolicyType Type => PolicyType.TwoFactorAuthentication;
     public IEnumerable<PolicyType> RequiredPolicies => [];
@@ -31,7 +38,9 @@ public class TwoFactorAuthenticationPolicyValidator : IPolicyValidator
         IOrganizationRepository organizationRepository,
         ICurrentContext currentContext,
         ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
-        IRemoveOrganizationUserCommand removeOrganizationUserCommand)
+        IRemoveOrganizationUserCommand removeOrganizationUserCommand,
+        IFeatureService featureService,
+        IRevokeNonCompliantOrganizationUserCommand revokeNonCompliantOrganizationUserCommand)
     {
         _organizationUserRepository = organizationUserRepository;
         _mailService = mailService;
@@ -39,16 +48,65 @@ public class TwoFactorAuthenticationPolicyValidator : IPolicyValidator
         _currentContext = currentContext;
         _twoFactorIsEnabledQuery = twoFactorIsEnabledQuery;
         _removeOrganizationUserCommand = removeOrganizationUserCommand;
+        _featureService = featureService;
+        _revokeNonCompliantOrganizationUserCommand = revokeNonCompliantOrganizationUserCommand;
     }
 
     public async Task OnSaveSideEffectsAsync(PolicyUpdate policyUpdate, Policy? currentPolicy)
     {
         if (currentPolicy is not { Enabled: true } && policyUpdate is { Enabled: true })
         {
-            await RemoveNonCompliantUsersAsync(policyUpdate.OrganizationId);
+            if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning))
+            {
+                var currentUser = _currentContext.UserId ?? Guid.Empty;
+                var isOwnerOrProvider = await _currentContext.OrganizationOwner(policyUpdate.OrganizationId);
+                await RevokeNonCompliantUsersAsync(policyUpdate.OrganizationId, policyUpdate.PerformedBy ?? new StandardUser(currentUser, isOwnerOrProvider));
+            }
+            else
+            {
+                await RemoveNonCompliantUsersAsync(policyUpdate.OrganizationId);
+            }
         }
     }
 
+    private async Task RevokeNonCompliantUsersAsync(Guid organizationId, IActingUser performedBy)
+    {
+        var organization = await _organizationRepository.GetByIdAsync(organizationId);
+
+        var currentActiveRevocableOrganizationUsers =
+            (await _organizationUserRepository.GetManyDetailsByOrganizationAsync(organizationId))
+            .Where(ou => ou.Status != OrganizationUserStatusType.Invited &&
+                         ou.Status != OrganizationUserStatusType.Revoked &&
+                         ou.Type != OrganizationUserType.Owner &&
+                         ou.Type != OrganizationUserType.Admin &&
+                         !(performedBy is StandardUser stdUser && stdUser.UserId == ou.UserId))
+            .ToList();
+
+        if (currentActiveRevocableOrganizationUsers.Count == 0)
+        {
+            return;
+        }
+
+        var organizationUsersTwoFactorEnabled =
+            await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(currentActiveRevocableOrganizationUsers);
+
+        if (NonCompliantMembersWillLoseAccess(currentActiveRevocableOrganizationUsers, organizationUsersTwoFactorEnabled))
+        {
+            throw new BadRequestException(NonCompliantMembersWillLoseAccessMessage);
+        }
+
+        var commandResult = await _revokeNonCompliantOrganizationUserCommand.RevokeNonCompliantOrganizationUsersAsync(
+            new RevokeOrganizationUsersRequest(organizationId, currentActiveRevocableOrganizationUsers, performedBy));
+
+        if (commandResult.HasErrors)
+        {
+            throw new BadRequestException(string.Join(", ", commandResult.ErrorMessages));
+        }
+
+        await Task.WhenAll(currentActiveRevocableOrganizationUsers.Select(x =>
+            _mailService.SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(organization.DisplayName(), x.Email)));
+    }
+
     private async Task RemoveNonCompliantUsersAsync(Guid organizationId)
     {
         var org = await _organizationRepository.GetByIdAsync(organizationId);
@@ -83,5 +141,12 @@ public class TwoFactorAuthenticationPolicyValidator : IPolicyValidator
         }
     }
 
+    private static bool NonCompliantMembersWillLoseAccess(
+        IEnumerable<OrganizationUserUserDetails> orgUserDetails,
+        IEnumerable<(OrganizationUserUserDetails user, bool isTwoFactorEnabled)> organizationUsersTwoFactorEnabled) =>
+            orgUserDetails.Any(x =>
+                !x.HasMasterPassword && !organizationUsersTwoFactorEnabled.FirstOrDefault(u => u.user.Id == x.Id)
+                    .isTwoFactorEnabled);
+
     public Task<string> ValidateAsync(PolicyUpdate policyUpdate, Policy? currentPolicy) => Task.FromResult("");
 }
diff --git a/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs b/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs
index cb540c212b..516b4614af 100644
--- a/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs
+++ b/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs
@@ -58,4 +58,6 @@ public interface IOrganizationUserRepository : IRepository<OrganizationUser, Gui
     /// Returns a list of OrganizationUsers with email domains that match one of the Organization's claimed domains.
     /// </summary>
     Task<ICollection<OrganizationUser>> GetManyByOrganizationWithClaimedDomainsAsync(Guid organizationId);
+
+    Task RevokeManyByIdAsync(IEnumerable<Guid> organizationUserIds);
 }
diff --git a/src/Core/AdminConsole/Services/IPolicyService.cs b/src/Core/AdminConsole/Services/IPolicyService.cs
index 16ff2f4fa1..715c3a34d9 100644
--- a/src/Core/AdminConsole/Services/IPolicyService.cs
+++ b/src/Core/AdminConsole/Services/IPolicyService.cs
@@ -9,7 +9,7 @@ namespace Bit.Core.AdminConsole.Services;
 
 public interface IPolicyService
 {
-    Task SaveAsync(Policy policy, Guid? savingUserId);
+    Task SaveAsync(Policy policy, Guid? savingUserId, EventSystemUser? eventSystemUser = null);
 
     /// <summary>
     /// Get the combined master password policy options for the specified user.
diff --git a/src/Core/AdminConsole/Services/Implementations/PolicyService.cs b/src/Core/AdminConsole/Services/Implementations/PolicyService.cs
index 42655040a3..69ec27fd8a 100644
--- a/src/Core/AdminConsole/Services/Implementations/PolicyService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/PolicyService.cs
@@ -1,5 +1,6 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
@@ -9,6 +10,7 @@ using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
+using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -34,6 +36,7 @@ public class PolicyService : IPolicyService
     private readonly ISavePolicyCommand _savePolicyCommand;
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
     private readonly IOrganizationHasVerifiedDomainsQuery _organizationHasVerifiedDomainsQuery;
+    private readonly ICurrentContext _currentContext;
 
     public PolicyService(
         IApplicationCacheService applicationCacheService,
@@ -48,7 +51,8 @@ public class PolicyService : IPolicyService
         IFeatureService featureService,
         ISavePolicyCommand savePolicyCommand,
         IRemoveOrganizationUserCommand removeOrganizationUserCommand,
-        IOrganizationHasVerifiedDomainsQuery organizationHasVerifiedDomainsQuery)
+        IOrganizationHasVerifiedDomainsQuery organizationHasVerifiedDomainsQuery,
+        ICurrentContext currentContext)
     {
         _applicationCacheService = applicationCacheService;
         _eventService = eventService;
@@ -63,19 +67,24 @@ public class PolicyService : IPolicyService
         _savePolicyCommand = savePolicyCommand;
         _removeOrganizationUserCommand = removeOrganizationUserCommand;
         _organizationHasVerifiedDomainsQuery = organizationHasVerifiedDomainsQuery;
+        _currentContext = currentContext;
     }
 
-    public async Task SaveAsync(Policy policy, Guid? savingUserId)
+    public async Task SaveAsync(Policy policy, Guid? savingUserId, EventSystemUser? eventSystemUser = null)
     {
         if (_featureService.IsEnabled(FeatureFlagKeys.Pm13322AddPolicyDefinitions))
         {
             // Transitional mapping - this will be moved to callers once the feature flag is removed
+            // TODO make sure to populate with SystemUser if not an actual user
             var policyUpdate = new PolicyUpdate
             {
                 OrganizationId = policy.OrganizationId,
                 Type = policy.Type,
                 Enabled = policy.Enabled,
-                Data = policy.Data
+                Data = policy.Data,
+                PerformedBy = savingUserId.HasValue
+                    ? new StandardUser(savingUserId.Value, await _currentContext.OrganizationOwner(policy.OrganizationId))
+                    : new SystemUser(eventSystemUser ?? EventSystemUser.Unknown)
             };
 
             await _savePolicyCommand.SaveAsync(policyUpdate);
diff --git a/src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForSingleOrgPolicy.html.hbs b/src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForSingleOrgPolicy.html.hbs
new file mode 100644
index 0000000000..d04abe86c9
--- /dev/null
+++ b/src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForSingleOrgPolicy.html.hbs
@@ -0,0 +1,14 @@
+{{#>FullHtmlLayout}}
+    <table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+        <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+            <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;" valign="top" align="left">
+                Your user account has been revoked from the <b style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">{{OrganizationName}}</b> organization because your account is part of multiple organizations. Before you can re-join {{OrganizationName}}, you must first leave all other organizations.
+            </td>
+        </tr>
+        <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+            <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;" valign="top" align="left">
+                To leave an organization, first log into the <a href="https://vault.bitwarden.com/#/login">web app</a>, select the three dot menu next to the organization name, and select Leave.
+            </td>
+        </tr>
+    </table>
+{{/FullHtmlLayout}}
diff --git a/src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForSingleOrgPolicy.text.hbs b/src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForSingleOrgPolicy.text.hbs
new file mode 100644
index 0000000000..f933e8cf62
--- /dev/null
+++ b/src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForSingleOrgPolicy.text.hbs
@@ -0,0 +1,5 @@
+{{#>BasicTextLayout}}
+Your user account has been revoked from the {{OrganizationName}} organization because your account is part of multiple organizations. Before you can rejoin {{OrganizationName}}, you must first leave all other organizations.
+
+To leave an organization, first log in the web app (https://vault.bitwarden.com/#/login), select the three dot menu next to the organization name, and select Leave.
+{{/BasicTextLayout}}
diff --git a/src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForTwoFactorPolicy.html.hbs b/src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForTwoFactorPolicy.html.hbs
new file mode 100644
index 0000000000..cf38632a9e
--- /dev/null
+++ b/src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForTwoFactorPolicy.html.hbs
@@ -0,0 +1,15 @@
+{{#>FullHtmlLayout}}
+    <table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+        <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+            <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;" valign="top" align="left">
+                Your user account has been revoked from the <b style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">{{OrganizationName}}</b> organization because you do not have two-step login configured. Before you can re-join {{OrganizationName}}, you need to set up two-step login on your user account.
+            </td>
+        </tr>
+        <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+            <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none;" valign="top" align="left">
+                Learn how to enable two-step login on your user account at
+                <a target="_blank" href="https://help.bitwarden.com/article/setup-two-step-login/" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #175DDC; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; text-decoration: underline;">https://help.bitwarden.com/article/setup-two-step-login/</a>
+            </td>
+        </tr>
+    </table>
+{{/FullHtmlLayout}}
diff --git a/src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForTwoFactorPolicy.text.hbs b/src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForTwoFactorPolicy.text.hbs
new file mode 100644
index 0000000000..f197f37f00
--- /dev/null
+++ b/src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForTwoFactorPolicy.text.hbs
@@ -0,0 +1,7 @@
+{{#>BasicTextLayout}}
+    Your user account has been removed from the {{OrganizationName}} organization because you do not have two-step login
+    configured. Before you can re-join this organization you need to set up two-step login on your user account.
+
+    Learn how to enable two-step login on your user account at
+    https://help.bitwarden.com/article/setup-two-step-login/
+{{/BasicTextLayout}}
diff --git a/src/Core/Models/Commands/CommandResult.cs b/src/Core/Models/Commands/CommandResult.cs
new file mode 100644
index 0000000000..4ac2d62499
--- /dev/null
+++ b/src/Core/Models/Commands/CommandResult.cs
@@ -0,0 +1,12 @@
+namespace Bit.Core.Models.Commands;
+
+public class CommandResult(IEnumerable<string> errors)
+{
+    public CommandResult(string error) : this([error]) { }
+
+    public bool Success => ErrorMessages.Count == 0;
+    public bool HasErrors => ErrorMessages.Count > 0;
+    public List<string> ErrorMessages { get; } = errors.ToList();
+
+    public CommandResult() : this([]) { }
+}
diff --git a/src/Core/Models/Mail/OrganizationUserRevokedForPolicySingleOrgViewModel.cs b/src/Core/Models/Mail/OrganizationUserRevokedForPolicySingleOrgViewModel.cs
new file mode 100644
index 0000000000..27c784bd15
--- /dev/null
+++ b/src/Core/Models/Mail/OrganizationUserRevokedForPolicySingleOrgViewModel.cs
@@ -0,0 +1,6 @@
+namespace Bit.Core.Models.Mail;
+
+public class OrganizationUserRevokedForPolicySingleOrgViewModel : BaseMailModel
+{
+    public string OrganizationName { get; set; }
+}
diff --git a/src/Core/Models/Mail/OrganizationUserRevokedForPolicyTwoFactorViewModel.cs b/src/Core/Models/Mail/OrganizationUserRevokedForPolicyTwoFactorViewModel.cs
new file mode 100644
index 0000000000..9286ee74b3
--- /dev/null
+++ b/src/Core/Models/Mail/OrganizationUserRevokedForPolicyTwoFactorViewModel.cs
@@ -0,0 +1,6 @@
+namespace Bit.Core.Models.Mail;
+
+public class OrganizationUserRevokedForPolicyTwoFactorViewModel : BaseMailModel
+{
+    public string OrganizationName { get; set; }
+}
diff --git a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
index d11da2119a..96fdefcfad 100644
--- a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
+++ b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
@@ -91,6 +91,7 @@ public static class OrganizationServiceCollectionExtensions
     private static void AddOrganizationUserCommands(this IServiceCollection services)
     {
         services.AddScoped<IRemoveOrganizationUserCommand, RemoveOrganizationUserCommand>();
+        services.AddScoped<IRevokeNonCompliantOrganizationUserCommand, RevokeNonCompliantOrganizationUserCommand>();
         services.AddScoped<IUpdateOrganizationUserCommand, UpdateOrganizationUserCommand>();
         services.AddScoped<IUpdateOrganizationUserGroupsCommand, UpdateOrganizationUserGroupsCommand>();
         services.AddScoped<IDeleteManagedOrganizationUserAccountCommand, DeleteManagedOrganizationUserAccountCommand>();
diff --git a/src/Core/Services/IMailService.cs b/src/Core/Services/IMailService.cs
index 5514cd507d..bc8d1440f1 100644
--- a/src/Core/Services/IMailService.cs
+++ b/src/Core/Services/IMailService.cs
@@ -35,6 +35,8 @@ public interface IMailService
     Task SendOrganizationAcceptedEmailAsync(Organization organization, string userIdentifier, IEnumerable<string> adminEmails, bool hasAccessSecretsManager = false);
     Task SendOrganizationConfirmedEmailAsync(string organizationName, string email, bool hasAccessSecretsManager = false);
     Task SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(string organizationName, string email);
+    Task SendOrganizationUserRevokedForTwoFactoryPolicyEmailAsync(string organizationName, string email);
+    Task SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(string organizationName, string email);
     Task SendPasswordlessSignInAsync(string returnUrl, string token, string email);
     Task SendInvoiceUpcoming(
         string email,
diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs
index e1943b0e3c..acc729e53c 100644
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@@ -25,8 +25,7 @@ public class HandlebarsMailService : IMailService
     private readonly GlobalSettings _globalSettings;
     private readonly IMailDeliveryService _mailDeliveryService;
     private readonly IMailEnqueuingService _mailEnqueuingService;
-    private readonly Dictionary<string, HandlebarsTemplate<object, object>> _templateCache =
-        new Dictionary<string, HandlebarsTemplate<object, object>>();
+    private readonly Dictionary<string, HandlebarsTemplate<object, object>> _templateCache = new();
 
     private bool _registeredHelpersAndPartials = false;
 
@@ -295,6 +294,20 @@ public class HandlebarsMailService : IMailService
         await _mailDeliveryService.SendEmailAsync(message);
     }
 
+    public async Task SendOrganizationUserRevokedForTwoFactoryPolicyEmailAsync(string organizationName, string email)
+    {
+        var message = CreateDefaultMessage($"You have been revoked from {organizationName}", email);
+        var model = new OrganizationUserRevokedForPolicyTwoFactorViewModel
+        {
+            OrganizationName = CoreHelpers.SanitizeForEmail(organizationName, false),
+            WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
+            SiteName = _globalSettings.SiteName
+        };
+        await AddMessageContentAsync(message, "AdminConsole.OrganizationUserRevokedForTwoFactorPolicy", model);
+        message.Category = "OrganizationUserRevokedForTwoFactorPolicy";
+        await _mailDeliveryService.SendEmailAsync(message);
+    }
+
     public async Task SendWelcomeEmailAsync(User user)
     {
         var message = CreateDefaultMessage("Welcome to Bitwarden!", user.Email);
@@ -496,6 +509,20 @@ public class HandlebarsMailService : IMailService
         await _mailDeliveryService.SendEmailAsync(message);
     }
 
+    public async Task SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(string organizationName, string email)
+    {
+        var message = CreateDefaultMessage($"You have been revoked from {organizationName}", email);
+        var model = new OrganizationUserRevokedForPolicySingleOrgViewModel
+        {
+            OrganizationName = CoreHelpers.SanitizeForEmail(organizationName, false),
+            WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
+            SiteName = _globalSettings.SiteName
+        };
+        await AddMessageContentAsync(message, "AdminConsole.OrganizationUserRevokedForSingleOrgPolicy", model);
+        message.Category = "OrganizationUserRevokedForSingleOrgPolicy";
+        await _mailDeliveryService.SendEmailAsync(message);
+    }
+
     public async Task SendEnqueuedMailMessageAsync(IMailQueueMessage queueMessage)
     {
         var message = CreateDefaultMessage(queueMessage.Subject, queueMessage.ToEmails);
diff --git a/src/Core/Services/NoopImplementations/NoopMailService.cs b/src/Core/Services/NoopImplementations/NoopMailService.cs
index a56858fb96..399874eee7 100644
--- a/src/Core/Services/NoopImplementations/NoopMailService.cs
+++ b/src/Core/Services/NoopImplementations/NoopMailService.cs
@@ -79,6 +79,12 @@ public class NoopMailService : IMailService
         return Task.FromResult(0);
     }
 
+    public Task SendOrganizationUserRevokedForTwoFactoryPolicyEmailAsync(string organizationName, string email) =>
+        Task.CompletedTask;
+
+    public Task SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(string organizationName, string email) =>
+        Task.CompletedTask;
+
     public Task SendTwoFactorEmailAsync(string email, string token)
     {
         return Task.FromResult(0);
diff --git a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs
index d5bdd3b6a2..42f79852f3 100644
--- a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs
+++ b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs
@@ -557,4 +557,14 @@ public class OrganizationUserRepository : Repository<OrganizationUser, Guid>, IO
             return results.ToList();
         }
     }
+
+    public async Task RevokeManyByIdAsync(IEnumerable<Guid> organizationUserIds)
+    {
+        await using var connection = new SqlConnection(ConnectionString);
+
+        await connection.ExecuteAsync(
+            "[dbo].[OrganizationUser_SetStatusForUsersById]",
+            new { OrganizationUserIds = JsonSerializer.Serialize(organizationUserIds), Status = OrganizationUserStatusType.Revoked },
+            commandType: CommandType.StoredProcedure);
+    }
 }
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
index a64c19704d..007ff1a7ff 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
@@ -721,4 +721,16 @@ public class OrganizationUserRepository : Repository<Core.Entities.OrganizationU
             return data;
         }
     }
+
+    public async Task RevokeManyByIdAsync(IEnumerable<Guid> organizationUserIds)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+
+        var dbContext = GetDatabaseContext(scope);
+
+        await dbContext.OrganizationUsers.Where(x => organizationUserIds.Contains(x.Id))
+            .ExecuteUpdateAsync(s => s.SetProperty(x => x.Status, OrganizationUserStatusType.Revoked));
+
+        await dbContext.UserBumpAccountRevisionDateByOrganizationUserIdsAsync(organizationUserIds);
+    }
 }
diff --git a/src/Sql/dbo/Stored Procedures/OrganizationUser_SetStatusForUsersById.sql b/src/Sql/dbo/Stored Procedures/OrganizationUser_SetStatusForUsersById.sql
new file mode 100644
index 0000000000..95ed5a3155
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/OrganizationUser_SetStatusForUsersById.sql	
@@ -0,0 +1,29 @@
+CREATE PROCEDURE [dbo].[OrganizationUser_SetStatusForUsersById]
+    @OrganizationUserIds AS NVARCHAR(MAX),
+    @Status SMALLINT
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    -- Declare a table variable to hold the parsed JSON data
+    DECLARE @ParsedIds TABLE (Id UNIQUEIDENTIFIER);
+
+    -- Parse the JSON input into the table variable
+    INSERT INTO @ParsedIds (Id)
+    SELECT value
+    FROM OPENJSON(@OrganizationUserIds);
+
+    -- Check if the input table is empty
+    IF (SELECT COUNT(1) FROM @ParsedIds) < 1
+    BEGIN
+        RETURN(-1);
+    END
+
+    UPDATE
+        [dbo].[OrganizationUser]
+    SET [Status] = @Status
+    WHERE [Id] IN (SELECT Id from @ParsedIds)
+
+    EXEC [dbo].[User_BumpAccountRevisionDateByOrganizationUserIds] @OrganizationUserIds
+END
+
diff --git a/test/Core.Test/AdminConsole/AutoFixture/PolicyUpdateFixtures.cs b/test/Core.Test/AdminConsole/AutoFixture/PolicyUpdateFixtures.cs
index dff9b57178..794f6fddf3 100644
--- a/test/Core.Test/AdminConsole/AutoFixture/PolicyUpdateFixtures.cs
+++ b/test/Core.Test/AdminConsole/AutoFixture/PolicyUpdateFixtures.cs
@@ -2,6 +2,7 @@
 using AutoFixture;
 using AutoFixture.Xunit2;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 
 namespace Bit.Core.Test.AdminConsole.AutoFixture;
@@ -12,7 +13,8 @@ internal class PolicyUpdateCustomization(PolicyType type, bool enabled) : ICusto
     {
         fixture.Customize<PolicyUpdate>(composer => composer
             .With(o => o.Type, type)
-            .With(o => o.Enabled, enabled));
+            .With(o => o.Enabled, enabled)
+            .With(o => o.PerformedBy, new StandardUser(Guid.NewGuid(), false)));
     }
 }
 
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommandTests.cs
index 2fcaf8134c..8dbe533131 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommandTests.cs
@@ -2,6 +2,7 @@
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains;
 using Bit.Core.AdminConsole.Services;
+using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -28,7 +29,12 @@ public class VerifyOrganizationDomainCommandTests
             DomainName = "Test Domain",
             Txt = "btw+test18383838383"
         };
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .UserId.Returns(Guid.NewGuid());
+
         expected.SetVerifiedDate();
+
         sutProvider.GetDependency<IOrganizationDomainRepository>()
             .GetByIdAsync(id)
             .Returns(expected);
@@ -53,6 +59,10 @@ public class VerifyOrganizationDomainCommandTests
         sutProvider.GetDependency<IOrganizationDomainRepository>()
             .GetByIdAsync(id)
             .Returns(expected);
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .UserId.Returns(Guid.NewGuid());
+
         sutProvider.GetDependency<IOrganizationDomainRepository>()
             .GetClaimedDomainsByDomainNameAsync(expected.DomainName)
             .Returns(new List<OrganizationDomain> { expected });
@@ -77,9 +87,14 @@ public class VerifyOrganizationDomainCommandTests
         sutProvider.GetDependency<IOrganizationDomainRepository>()
             .GetByIdAsync(id)
             .Returns(expected);
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .UserId.Returns(Guid.NewGuid());
+
         sutProvider.GetDependency<IOrganizationDomainRepository>()
             .GetClaimedDomainsByDomainNameAsync(expected.DomainName)
             .Returns(new List<OrganizationDomain>());
+
         sutProvider.GetDependency<IDnsResolverService>()
             .ResolveAsync(expected.DomainName, Arg.Any<string>())
             .Returns(true);
@@ -107,9 +122,14 @@ public class VerifyOrganizationDomainCommandTests
         sutProvider.GetDependency<IOrganizationDomainRepository>()
             .GetByIdAsync(id)
             .Returns(expected);
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .UserId.Returns(Guid.NewGuid());
+
         sutProvider.GetDependency<IOrganizationDomainRepository>()
             .GetClaimedDomainsByDomainNameAsync(expected.DomainName)
             .Returns(new List<OrganizationDomain>());
+
         sutProvider.GetDependency<IDnsResolverService>()
             .ResolveAsync(expected.DomainName, Arg.Any<string>())
             .Returns(false);
@@ -143,7 +163,7 @@ public class VerifyOrganizationDomainCommandTests
 
     [Theory, BitAutoData]
     public async Task UserVerifyOrganizationDomainAsync_GivenOrganizationDomainWithAccountDeprovisioningEnabled_WhenDomainIsVerified_ThenSingleOrgPolicyShouldBeEnabled(
-        OrganizationDomain domain, SutProvider<VerifyOrganizationDomainCommand> sutProvider)
+        OrganizationDomain domain, Guid userId, SutProvider<VerifyOrganizationDomainCommand> sutProvider)
     {
         sutProvider.GetDependency<IOrganizationDomainRepository>()
             .GetClaimedDomainsByDomainNameAsync(domain.DomainName)
@@ -157,11 +177,14 @@ public class VerifyOrganizationDomainCommandTests
             .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
             .Returns(true);
 
+        sutProvider.GetDependency<ICurrentContext>()
+            .UserId.Returns(userId);
+
         _ = await sutProvider.Sut.UserVerifyOrganizationDomainAsync(domain);
 
         await sutProvider.GetDependency<IPolicyService>()
             .Received(1)
-            .SaveAsync(Arg.Is<Policy>(x => x.Type == PolicyType.SingleOrg && x.OrganizationId == domain.OrganizationId && x.Enabled), null);
+            .SaveAsync(Arg.Is<Policy>(x => x.Type == PolicyType.SingleOrg && x.OrganizationId == domain.OrganizationId && x.Enabled), userId);
     }
 
     [Theory, BitAutoData]
@@ -176,6 +199,9 @@ public class VerifyOrganizationDomainCommandTests
             .ResolveAsync(domain.DomainName, domain.Txt)
             .Returns(true);
 
+        sutProvider.GetDependency<ICurrentContext>()
+            .UserId.Returns(Guid.NewGuid());
+
         sutProvider.GetDependency<IFeatureService>()
             .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
             .Returns(false);
@@ -189,7 +215,7 @@ public class VerifyOrganizationDomainCommandTests
 
     [Theory, BitAutoData]
     public async Task UserVerifyOrganizationDomainAsync_GivenOrganizationDomainWithAccountDeprovisioningEnabled_WhenDomainIsNotVerified_ThenSingleOrgPolicyShouldNotBeEnabled(
-    OrganizationDomain domain, SutProvider<VerifyOrganizationDomainCommand> sutProvider)
+        OrganizationDomain domain, SutProvider<VerifyOrganizationDomainCommand> sutProvider)
     {
         sutProvider.GetDependency<IOrganizationDomainRepository>()
             .GetClaimedDomainsByDomainNameAsync(domain.DomainName)
@@ -199,6 +225,9 @@ public class VerifyOrganizationDomainCommandTests
             .ResolveAsync(domain.DomainName, domain.Txt)
             .Returns(false);
 
+        sutProvider.GetDependency<ICurrentContext>()
+            .UserId.Returns(Guid.NewGuid());
+
         sutProvider.GetDependency<IFeatureService>()
             .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
             .Returns(true);
@@ -223,6 +252,9 @@ public class VerifyOrganizationDomainCommandTests
             .ResolveAsync(domain.DomainName, domain.Txt)
             .Returns(false);
 
+        sutProvider.GetDependency<ICurrentContext>()
+            .UserId.Returns(Guid.NewGuid());
+
         sutProvider.GetDependency<IFeatureService>()
             .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
             .Returns(true);
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeNonCompliantOrganizationUserCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeNonCompliantOrganizationUserCommandTests.cs
new file mode 100644
index 0000000000..3653cd27d7
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeNonCompliantOrganizationUserCommandTests.cs
@@ -0,0 +1,185 @@
+using Bit.Core.AdminConsole.Models.Data;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers;
+
+[SutProviderCustomize]
+public class RevokeNonCompliantOrganizationUserCommandTests
+{
+    [Theory, BitAutoData]
+    public async Task RevokeNonCompliantOrganizationUsersAsync_GivenUnrecognizedUserType_WhenAttemptingToRevoke_ThenErrorShouldBeReturned(
+            Guid organizationId, SutProvider<RevokeNonCompliantOrganizationUserCommand> sutProvider)
+    {
+        var command = new RevokeOrganizationUsersRequest(organizationId, [], new InvalidUser());
+
+        var result = await sutProvider.Sut.RevokeNonCompliantOrganizationUsersAsync(command);
+
+        Assert.True(result.HasErrors);
+        Assert.Contains(RevokeNonCompliantOrganizationUserCommand.ErrorRequestedByWasNotValid, result.ErrorMessages);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RevokeNonCompliantOrganizationUsersAsync_GivenPopulatedRequest_WhenUserAttemptsToRevokeThemselves_ThenErrorShouldBeReturned(
+            Guid organizationId, OrganizationUserUserDetails revokingUser,
+            SutProvider<RevokeNonCompliantOrganizationUserCommand> sutProvider)
+    {
+        var command = new RevokeOrganizationUsersRequest(organizationId, revokingUser,
+            new StandardUser(revokingUser?.UserId ?? Guid.NewGuid(), true));
+
+        var result = await sutProvider.Sut.RevokeNonCompliantOrganizationUsersAsync(command);
+
+        Assert.True(result.HasErrors);
+        Assert.Contains(RevokeNonCompliantOrganizationUserCommand.ErrorCannotRevokeSelf, result.ErrorMessages);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RevokeNonCompliantOrganizationUsersAsync_GivenPopulatedRequest_WhenUserAttemptsToRevokeOrgUsersFromAnotherOrg_ThenErrorShouldBeReturned(
+            Guid organizationId, OrganizationUserUserDetails userFromAnotherOrg,
+            SutProvider<RevokeNonCompliantOrganizationUserCommand> sutProvider)
+    {
+        userFromAnotherOrg.OrganizationId = Guid.NewGuid();
+
+        var command = new RevokeOrganizationUsersRequest(organizationId, userFromAnotherOrg,
+            new StandardUser(Guid.NewGuid(), true));
+
+        var result = await sutProvider.Sut.RevokeNonCompliantOrganizationUsersAsync(command);
+
+        Assert.True(result.HasErrors);
+        Assert.Contains(RevokeNonCompliantOrganizationUserCommand.ErrorInvalidUsers, result.ErrorMessages);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RevokeNonCompliantOrganizationUsersAsync_GivenPopulatedRequest_WhenUserAttemptsToRevokeAllOwnersFromOrg_ThenErrorShouldBeReturned(
+            Guid organizationId, OrganizationUserUserDetails userToRevoke,
+            SutProvider<RevokeNonCompliantOrganizationUserCommand> sutProvider)
+    {
+        userToRevoke.OrganizationId = organizationId;
+
+        var command = new RevokeOrganizationUsersRequest(organizationId, userToRevoke,
+            new StandardUser(Guid.NewGuid(), true));
+
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(organizationId, Arg.Any<IEnumerable<Guid>>())
+            .Returns(false);
+
+        var result = await sutProvider.Sut.RevokeNonCompliantOrganizationUsersAsync(command);
+
+        Assert.True(result.HasErrors);
+        Assert.Contains(RevokeNonCompliantOrganizationUserCommand.ErrorOrgMustHaveAtLeastOneOwner, result.ErrorMessages);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RevokeNonCompliantOrganizationUsersAsync_GivenPopulatedRequest_WhenUserAttemptsToRevokeOwnerWhenNotAnOwner_ThenErrorShouldBeReturned(
+        Guid organizationId, OrganizationUserUserDetails userToRevoke,
+        SutProvider<RevokeNonCompliantOrganizationUserCommand> sutProvider)
+    {
+        userToRevoke.OrganizationId = organizationId;
+        userToRevoke.Type = OrganizationUserType.Owner;
+
+        var command = new RevokeOrganizationUsersRequest(organizationId, userToRevoke,
+            new StandardUser(Guid.NewGuid(), false));
+
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(organizationId, Arg.Any<IEnumerable<Guid>>())
+            .Returns(true);
+
+        var result = await sutProvider.Sut.RevokeNonCompliantOrganizationUsersAsync(command);
+
+        Assert.True(result.HasErrors);
+        Assert.Contains(RevokeNonCompliantOrganizationUserCommand.ErrorOnlyOwnersCanRevokeOtherOwners, result.ErrorMessages);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RevokeNonCompliantOrganizationUsersAsync_GivenPopulatedRequest_WhenUserAttemptsToRevokeUserWhoIsAlreadyRevoked_ThenErrorShouldBeReturned(
+        Guid organizationId, OrganizationUserUserDetails userToRevoke,
+        SutProvider<RevokeNonCompliantOrganizationUserCommand> sutProvider)
+    {
+        userToRevoke.OrganizationId = organizationId;
+        userToRevoke.Status = OrganizationUserStatusType.Revoked;
+
+        var command = new RevokeOrganizationUsersRequest(organizationId, userToRevoke,
+            new StandardUser(Guid.NewGuid(), true));
+
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(organizationId, Arg.Any<IEnumerable<Guid>>())
+            .Returns(true);
+
+        var result = await sutProvider.Sut.RevokeNonCompliantOrganizationUsersAsync(command);
+
+        Assert.True(result.HasErrors);
+        Assert.Contains($"{RevokeNonCompliantOrganizationUserCommand.ErrorUserAlreadyRevoked} Id: {userToRevoke.Id}", result.ErrorMessages);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RevokeNonCompliantOrganizationUsersAsync_GivenPopulatedRequest_WhenUserHasMultipleInvalidUsers_ThenErrorShouldBeReturned(
+        Guid organizationId, IEnumerable<OrganizationUserUserDetails> usersToRevoke,
+        SutProvider<RevokeNonCompliantOrganizationUserCommand> sutProvider)
+    {
+        var revocableUsers = usersToRevoke.ToList();
+        revocableUsers.ForEach(user => user.OrganizationId = organizationId);
+        revocableUsers[0].Type = OrganizationUserType.Owner;
+        revocableUsers[1].Status = OrganizationUserStatusType.Revoked;
+
+        var command = new RevokeOrganizationUsersRequest(organizationId, revocableUsers,
+            new StandardUser(Guid.NewGuid(), false));
+
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(organizationId, Arg.Any<IEnumerable<Guid>>())
+            .Returns(true);
+
+        var result = await sutProvider.Sut.RevokeNonCompliantOrganizationUsersAsync(command);
+
+        Assert.True(result.HasErrors);
+        Assert.True(result.ErrorMessages.Count > 1);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RevokeNonCompliantOrganizationUsersAsync_GivenValidPopulatedRequest_WhenUserAttemptsToRevokeAUser_ThenUserShouldBeRevoked(
+        Guid organizationId, OrganizationUserUserDetails userToRevoke,
+        SutProvider<RevokeNonCompliantOrganizationUserCommand> sutProvider)
+    {
+        userToRevoke.OrganizationId = organizationId;
+        userToRevoke.Type = OrganizationUserType.Admin;
+
+        var command = new RevokeOrganizationUsersRequest(organizationId, userToRevoke,
+            new StandardUser(Guid.NewGuid(), false));
+
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(organizationId, Arg.Any<IEnumerable<Guid>>())
+            .Returns(true);
+
+        var result = await sutProvider.Sut.RevokeNonCompliantOrganizationUsersAsync(command);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .RevokeManyByIdAsync(Arg.Any<IEnumerable<Guid>>());
+
+        Assert.True(result.Success);
+
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventsAsync(
+                Arg.Is<IEnumerable<(OrganizationUserUserDetails organizationUser, EventType eventType, DateTime? time
+                    )>>(
+                    x => x.Any(y =>
+                        y.organizationUser.Id == userToRevoke.Id && y.eventType == EventType.OrganizationUser_Revoked)
+                ));
+    }
+
+    public class InvalidUser : IActingUser
+    {
+        public Guid? UserId => Guid.Empty;
+        public bool IsOrganizationOwnerOrProvider => false;
+        public EventSystemUser? SystemUserType => null;
+    }
+}
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidatorTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidatorTests.cs
index 76ee574840..0731920757 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidatorTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidatorTests.cs
@@ -1,6 +1,7 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyValidators;
 using Bit.Core.Auth.Entities;
@@ -10,6 +11,7 @@ using Bit.Core.Auth.Repositories;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
+using Bit.Core.Models.Commands;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -61,6 +63,79 @@ public class SingleOrgPolicyValidatorTests
         Assert.True(string.IsNullOrEmpty(result));
     }
 
+    [Theory, BitAutoData]
+    public async Task OnSaveSideEffectsAsync_RevokesNonCompliantUsers(
+        [PolicyUpdate(PolicyType.SingleOrg)] PolicyUpdate policyUpdate,
+        [Policy(PolicyType.SingleOrg, false)] Policy policy,
+        Guid savingUserId,
+        Guid nonCompliantUserId,
+        Organization organization, SutProvider<SingleOrgPolicyValidator> sutProvider)
+    {
+        policy.OrganizationId = organization.Id = policyUpdate.OrganizationId;
+
+        var compliantUser1 = new OrganizationUserUserDetails
+        {
+            OrganizationId = organization.Id,
+            Type = OrganizationUserType.User,
+            Status = OrganizationUserStatusType.Confirmed,
+            UserId = new Guid(),
+            Email = "user1@example.com"
+        };
+
+        var compliantUser2 = new OrganizationUserUserDetails
+        {
+            OrganizationId = organization.Id,
+            Type = OrganizationUserType.User,
+            Status = OrganizationUserStatusType.Confirmed,
+            UserId = new Guid(),
+            Email = "user2@example.com"
+        };
+
+        var nonCompliantUser = new OrganizationUserUserDetails
+        {
+            OrganizationId = organization.Id,
+            Type = OrganizationUserType.User,
+            Status = OrganizationUserStatusType.Confirmed,
+            UserId = nonCompliantUserId,
+            Email = "user3@example.com"
+        };
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([compliantUser1, compliantUser2, nonCompliantUser]);
+
+        var otherOrganizationUser = new OrganizationUser
+        {
+            OrganizationId = new Guid(),
+            UserId = nonCompliantUserId,
+            Status = OrganizationUserStatusType.Confirmed
+        };
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByManyUsersAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(nonCompliantUserId)))
+            .Returns([otherOrganizationUser]);
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(savingUserId);
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(policyUpdate.OrganizationId).Returns(organization);
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
+            .Returns(true);
+
+        sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
+            .RevokeNonCompliantOrganizationUsersAsync(Arg.Any<RevokeOrganizationUsersRequest>())
+            .Returns(new CommandResult());
+
+        await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, policy);
+
+        await sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
+            .Received(1)
+            .RevokeNonCompliantOrganizationUsersAsync(Arg.Any<RevokeOrganizationUsersRequest>());
+        await sutProvider.GetDependency<IMailService>()
+            .Received(1)
+            .SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(organization.DisplayName(),
+                "user3@example.com");
+    }
+
     [Theory, BitAutoData]
     public async Task OnSaveSideEffectsAsync_RemovesNonCompliantUsers(
         [PolicyUpdate(PolicyType.SingleOrg)] PolicyUpdate policyUpdate,
@@ -116,6 +191,13 @@ public class SingleOrgPolicyValidatorTests
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(savingUserId);
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(policyUpdate.OrganizationId).Returns(organization);
 
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
+            .Returns(false);
+
+        sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
+            .RevokeNonCompliantOrganizationUsersAsync(Arg.Any<RevokeOrganizationUsersRequest>())
+            .Returns(new CommandResult());
+
         await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, policy);
 
         await sutProvider.GetDependency<IRemoveOrganizationUserCommand>()
@@ -126,4 +208,73 @@ public class SingleOrgPolicyValidatorTests
             .SendOrganizationUserRemovedForPolicySingleOrgEmailAsync(organization.DisplayName(),
                 "user3@example.com");
     }
+
+    [Theory, BitAutoData]
+    public async Task OnSaveSideEffectsAsync_WhenAccountDeprovisioningIsEnabled_ThenUsersAreRevoked(
+        [PolicyUpdate(PolicyType.SingleOrg)] PolicyUpdate policyUpdate,
+        [Policy(PolicyType.SingleOrg, false)] Policy policy,
+        Guid savingUserId,
+        Guid nonCompliantUserId,
+        Organization organization, SutProvider<SingleOrgPolicyValidator> sutProvider)
+    {
+        policy.OrganizationId = organization.Id = policyUpdate.OrganizationId;
+
+        var compliantUser1 = new OrganizationUserUserDetails
+        {
+            OrganizationId = organization.Id,
+            Type = OrganizationUserType.User,
+            Status = OrganizationUserStatusType.Confirmed,
+            UserId = new Guid(),
+            Email = "user1@example.com"
+        };
+
+        var compliantUser2 = new OrganizationUserUserDetails
+        {
+            OrganizationId = organization.Id,
+            Type = OrganizationUserType.User,
+            Status = OrganizationUserStatusType.Confirmed,
+            UserId = new Guid(),
+            Email = "user2@example.com"
+        };
+
+        var nonCompliantUser = new OrganizationUserUserDetails
+        {
+            OrganizationId = organization.Id,
+            Type = OrganizationUserType.User,
+            Status = OrganizationUserStatusType.Confirmed,
+            UserId = nonCompliantUserId,
+            Email = "user3@example.com"
+        };
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([compliantUser1, compliantUser2, nonCompliantUser]);
+
+        var otherOrganizationUser = new OrganizationUser
+        {
+            OrganizationId = new Guid(),
+            UserId = nonCompliantUserId,
+            Status = OrganizationUserStatusType.Confirmed
+        };
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByManyUsersAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(nonCompliantUserId)))
+            .Returns([otherOrganizationUser]);
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(savingUserId);
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(policyUpdate.OrganizationId)
+            .Returns(organization);
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.AccountDeprovisioning).Returns(true);
+
+        sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
+            .RevokeNonCompliantOrganizationUsersAsync(Arg.Any<RevokeOrganizationUsersRequest>())
+            .Returns(new CommandResult());
+
+        await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, policy);
+
+        await sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
+            .Received()
+            .RevokeNonCompliantOrganizationUsersAsync(Arg.Any<RevokeOrganizationUsersRequest>());
+    }
 }
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidatorTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidatorTests.cs
index 4dce131749..4e5f1816a5 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidatorTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidatorTests.cs
@@ -1,12 +1,14 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyValidators;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Commands;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -176,6 +178,10 @@ public class TwoFactorAuthenticationPolicyValidatorTests
             HasMasterPassword = false
         };
 
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
+            .Returns(false);
+
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetManyDetailsByOrganizationAsync(policy.OrganizationId)
             .Returns(new List<OrganizationUserUserDetails>
@@ -201,9 +207,151 @@ public class TwoFactorAuthenticationPolicyValidatorTests
         var badRequestException = await Assert.ThrowsAsync<BadRequestException>(
             () => sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, policy));
 
-        Assert.Contains("Policy could not be enabled. Non-compliant members will lose access to their accounts. Identify members without two-step login from the policies column in the members page.", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
+        Assert.Equal(TwoFactorAuthenticationPolicyValidator.NonCompliantMembersWillLoseAccessMessage, badRequestException.Message);
 
         await sutProvider.GetDependency<IRemoveOrganizationUserCommand>().DidNotReceiveWithAnyArgs()
             .RemoveUserAsync(organizationId: default, organizationUserId: default, deletingUserId: default);
     }
+
+    [Theory, BitAutoData]
+    public async Task OnSaveSideEffectsAsync_GivenUpdateTo2faPolicy_WhenAccountProvisioningIsDisabled_ThenRevokeUserCommandShouldNotBeCalled(
+            Organization organization,
+            [PolicyUpdate(PolicyType.TwoFactorAuthentication)]
+            PolicyUpdate policyUpdate,
+            [Policy(PolicyType.TwoFactorAuthentication, false)]
+            Policy policy,
+            SutProvider<TwoFactorAuthenticationPolicyValidator> sutProvider)
+    {
+        policy.OrganizationId = organization.Id = policyUpdate.OrganizationId;
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
+            .Returns(false);
+
+        var orgUserDetailUserAcceptedWithout2Fa = new OrganizationUserUserDetails
+        {
+            Id = Guid.NewGuid(),
+            Status = OrganizationUserStatusType.Accepted,
+            Type = OrganizationUserType.User,
+            Email = "user3@test.com",
+            Name = "TEST",
+            UserId = Guid.NewGuid(),
+            HasMasterPassword = true
+        };
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns(new List<OrganizationUserUserDetails>
+            {
+                orgUserDetailUserAcceptedWithout2Fa
+            });
+
+
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<OrganizationUserUserDetails>>())
+            .Returns(new List<(OrganizationUserUserDetails user, bool hasTwoFactor)>()
+            {
+                (orgUserDetailUserAcceptedWithout2Fa, false),
+            });
+
+        await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, policy);
+
+        await sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
+            .DidNotReceive()
+            .RevokeNonCompliantOrganizationUsersAsync(Arg.Any<RevokeOrganizationUsersRequest>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task OnSaveSideEffectsAsync_GivenUpdateTo2faPolicy_WhenAccountProvisioningIsEnabledAndUserDoesNotHaveMasterPassword_ThenNonCompliantMembersErrorMessageWillReturn(
+        Organization organization,
+        [PolicyUpdate(PolicyType.TwoFactorAuthentication)] PolicyUpdate policyUpdate,
+        [Policy(PolicyType.TwoFactorAuthentication, false)] Policy policy,
+        SutProvider<TwoFactorAuthenticationPolicyValidator> sutProvider)
+    {
+        policy.OrganizationId = organization.Id = policyUpdate.OrganizationId;
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
+            .Returns(true);
+
+        var orgUserDetailUserWithout2Fa = new OrganizationUserUserDetails
+        {
+            Id = Guid.NewGuid(),
+            Status = OrganizationUserStatusType.Confirmed,
+            Type = OrganizationUserType.User,
+            Email = "user3@test.com",
+            Name = "TEST",
+            UserId = Guid.NewGuid(),
+            HasMasterPassword = false
+        };
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([orgUserDetailUserWithout2Fa]);
+
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<OrganizationUserUserDetails>>())
+            .Returns(new List<(OrganizationUserUserDetails user, bool hasTwoFactor)>()
+            {
+                (orgUserDetailUserWithout2Fa, false),
+            });
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, policy));
+
+        Assert.Equal(TwoFactorAuthenticationPolicyValidator.NonCompliantMembersWillLoseAccessMessage, exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task OnSaveSideEffectsAsync_WhenAccountProvisioningIsEnabledAndUserHasMasterPassword_ThenUserWillBeRevoked(
+        Organization organization,
+        [PolicyUpdate(PolicyType.TwoFactorAuthentication)] PolicyUpdate policyUpdate,
+        [Policy(PolicyType.TwoFactorAuthentication, false)] Policy policy,
+        SutProvider<TwoFactorAuthenticationPolicyValidator> sutProvider)
+    {
+        policy.OrganizationId = organization.Id = policyUpdate.OrganizationId;
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
+            .Returns(true);
+
+        var orgUserDetailUserWithout2Fa = new OrganizationUserUserDetails
+        {
+            Id = Guid.NewGuid(),
+            Status = OrganizationUserStatusType.Confirmed,
+            Type = OrganizationUserType.User,
+            Email = "user3@test.com",
+            Name = "TEST",
+            UserId = Guid.NewGuid(),
+            HasMasterPassword = true
+        };
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([orgUserDetailUserWithout2Fa]);
+
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<OrganizationUserUserDetails>>())
+            .Returns(new List<(OrganizationUserUserDetails user, bool hasTwoFactor)>()
+            {
+                (orgUserDetailUserWithout2Fa, true),
+            });
+
+        sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
+            .RevokeNonCompliantOrganizationUsersAsync(Arg.Any<RevokeOrganizationUsersRequest>())
+            .Returns(new CommandResult());
+
+        await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, policy);
+
+        await sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
+            .Received(1)
+            .RevokeNonCompliantOrganizationUsersAsync(Arg.Any<RevokeOrganizationUsersRequest>());
+
+        await sutProvider.GetDependency<IMailService>()
+            .Received(1)
+            .SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(organization.DisplayName(),
+                "user3@test.com");
+    }
 }
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/SavePolicyCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/SavePolicyCommandTests.cs
index 342ede9c82..3ca7004e70 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/SavePolicyCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/SavePolicyCommandTests.cs
@@ -100,7 +100,7 @@ public class SavePolicyCommandTests
     }
 
     [Theory, BitAutoData]
-    public async Task SaveAsync_OrganizationDoesNotExist_ThrowsBadRequest(PolicyUpdate policyUpdate)
+    public async Task SaveAsync_OrganizationDoesNotExist_ThrowsBadRequest([PolicyUpdate(PolicyType.ActivateAutofill)] PolicyUpdate policyUpdate)
     {
         var sutProvider = SutProviderFactory();
         sutProvider.GetDependency<IApplicationCacheService>()
@@ -115,7 +115,7 @@ public class SavePolicyCommandTests
     }
 
     [Theory, BitAutoData]
-    public async Task SaveAsync_OrganizationCannotUsePolicies_ThrowsBadRequest(PolicyUpdate policyUpdate)
+    public async Task SaveAsync_OrganizationCannotUsePolicies_ThrowsBadRequest([PolicyUpdate(PolicyType.ActivateAutofill)] PolicyUpdate policyUpdate)
     {
         var sutProvider = SutProviderFactory();
         sutProvider.GetDependency<IApplicationCacheService>()
diff --git a/test/Core.Test/AdminConsole/Services/EventServiceTests.cs b/test/Core.Test/AdminConsole/Services/EventServiceTests.cs
index 18f5371b49..d064fce2ec 100644
--- a/test/Core.Test/AdminConsole/Services/EventServiceTests.cs
+++ b/test/Core.Test/AdminConsole/Services/EventServiceTests.cs
@@ -169,7 +169,6 @@ public class EventServiceTests
             new EventMessage()
             {
                 IpAddress = ipAddress,
-                DeviceType = DeviceType.Server,
                 OrganizationId = orgUser.OrganizationId,
                 UserId = orgUser.UserId,
                 OrganizationUserId = orgUser.Id,
diff --git a/util/Migrator/DbScripts/2024-11-26-00_OrgUserSetStatusBulk.sql b/util/Migrator/DbScripts/2024-11-26-00_OrgUserSetStatusBulk.sql
new file mode 100644
index 0000000000..95151f90de
--- /dev/null
+++ b/util/Migrator/DbScripts/2024-11-26-00_OrgUserSetStatusBulk.sql
@@ -0,0 +1,28 @@
+CREATE PROCEDURE [dbo].[OrganizationUser_SetStatusForUsersById]
+    @OrganizationUserIds AS NVARCHAR(MAX),
+    @Status SMALLINT
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    -- Declare a table variable to hold the parsed JSON data
+    DECLARE @ParsedIds TABLE (Id UNIQUEIDENTIFIER);
+
+    -- Parse the JSON input into the table variable
+    INSERT INTO @ParsedIds (Id)
+    SELECT value
+    FROM OPENJSON(@OrganizationUserIds);
+
+    -- Check if the input table is empty
+    IF (SELECT COUNT(1) FROM @ParsedIds) < 1
+        BEGIN
+            RETURN(-1);
+        END
+
+    UPDATE
+        [dbo].[OrganizationUser]
+    SET [Status] = @Status
+    WHERE [Id] IN (SELECT Id from @ParsedIds)
+
+    EXEC [dbo].[User_BumpAccountRevisionDateByOrganizationUserIds] @OrganizationUserIds
+END

From 674bd1e495b343e68174165cebb1f2458efcff0a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Wed, 27 Nov 2024 12:26:42 +0000
Subject: [PATCH 008/384] [PM-13026] Refactor remove and bulkremove methods to
 throw error if user is managed by an organization (#5034)

* Enhance RemoveOrganizationUserCommand to block removing managed users when account deprovisioning is enabled

* Refactor RemoveUsersAsync method to return just the OrgUserId and update related logic.

* Refactor RemoveOrganizationUserCommand to improve variable naming and remove unused logging method

* Add support for event system user in RemoveUsersAsync method. Refactor unit tests.

* Add xmldoc to IRemoveOrganizationUserCommand methods

* Refactor RemoveOrganizationUserCommand to use TimeProvider for event date retrieval and update unit tests accordingly

* Refactor RemoveOrganizationUserCommand to use constants for error messages

* Refactor unit tests to separate feature flag tests

* refactor: Update parameter names for clarity in RemoveOrganizationUserCommand

* refactor: Rename validation and repository methods for user removal clarity
---
 .../OrganizationUsersController.cs            |   2 +-
 .../IRemoveOrganizationUserCommand.cs         |  49 +-
 .../RemoveOrganizationUserCommand.cs          | 201 +++--
 .../RemoveOrganizationUserCommandTests.cs     | 777 ++++++++++++++----
 4 files changed, 804 insertions(+), 225 deletions(-)

diff --git a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
index 3193962fa9..12d11fbc18 100644
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@@ -539,7 +539,7 @@ public class OrganizationUsersController : Controller
         var userId = _userService.GetProperUserId(User);
         var result = await _removeOrganizationUserCommand.RemoveUsersAsync(orgId, model.Ids, userId.Value);
         return new ListResponseModel<OrganizationUserBulkResponseModel>(result.Select(r =>
-            new OrganizationUserBulkResponseModel(r.Item1.Id, r.Item2)));
+            new OrganizationUserBulkResponseModel(r.OrganizationUserId, r.ErrorMessage)));
     }
 
     [RequireFeature(FeatureFlagKeys.AccountDeprovisioning)]
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IRemoveOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IRemoveOrganizationUserCommand.cs
index 583645a890..7c1cdf05f8 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IRemoveOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IRemoveOrganizationUserCommand.cs
@@ -1,14 +1,53 @@
-using Bit.Core.Entities;
-using Bit.Core.Enums;
+using Bit.Core.Enums;
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 
 public interface IRemoveOrganizationUserCommand
 {
+    /// <summary>
+    /// Removes a user from an organization.
+    /// </summary>
+    /// <param name="organizationId">The ID of the organization.</param>
+    /// <param name="userId">The ID of the user to remove.</param>
+    Task RemoveUserAsync(Guid organizationId, Guid userId);
+
+    /// <summary>
+    /// Removes a user from an organization with a specified deleting user.
+    /// </summary>
+    /// <param name="organizationId">The ID of the organization.</param>
+    /// <param name="organizationUserId">The ID of the organization user to remove.</param>
+    /// <param name="deletingUserId">The ID of the user performing the removal operation.</param>
     Task RemoveUserAsync(Guid organizationId, Guid organizationUserId, Guid? deletingUserId);
 
+    /// <summary>
+    /// Removes a user from an organization using a system user.
+    /// </summary>
+    /// <param name="organizationId">The ID of the organization.</param>
+    /// <param name="organizationUserId">The ID of the organization user to remove.</param>
+    /// <param name="eventSystemUser">The system user performing the removal operation.</param>
     Task RemoveUserAsync(Guid organizationId, Guid organizationUserId, EventSystemUser eventSystemUser);
-    Task RemoveUserAsync(Guid organizationId, Guid userId);
-    Task<List<Tuple<OrganizationUser, string>>> RemoveUsersAsync(Guid organizationId,
-        IEnumerable<Guid> organizationUserIds, Guid? deletingUserId);
+
+    /// <summary>
+    /// Removes multiple users from an organization with a specified deleting user.
+    /// </summary>
+    /// <param name="organizationId">The ID of the organization.</param>
+    /// <param name="organizationUserIds">The collection of organization user IDs to remove.</param>
+    /// <param name="deletingUserId">The ID of the user performing the removal operation.</param>
+    /// <returns>
+    /// A list of tuples containing the organization user id and the error message for each user that could not be removed, otherwise empty.
+    /// </returns>
+    Task<IEnumerable<(Guid OrganizationUserId, string ErrorMessage)>> RemoveUsersAsync(
+        Guid organizationId, IEnumerable<Guid> organizationUserIds, Guid? deletingUserId);
+
+    /// <summary>
+    /// Removes multiple users from an organization using a system user.
+    /// </summary>
+    /// <param name="organizationId">The ID of the organization.</param>
+    /// <param name="organizationUserIds">The collection of organization user IDs to remove.</param>
+    /// <param name="eventSystemUser">The system user performing the removal operation.</param>
+    /// <returns>
+    /// A list of tuples containing the organization user id and the error message for each user that could not be removed, otherwise empty.
+    /// </returns>
+    Task<IEnumerable<(Guid OrganizationUserId, string ErrorMessage)>> RemoveUsersAsync(
+        Guid organizationId, IEnumerable<Guid> organizationUserIds, EventSystemUser eventSystemUser);
 }
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs
index e6d56ea878..fa027f8e47 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs
@@ -17,6 +17,16 @@ public class RemoveOrganizationUserCommand : IRemoveOrganizationUserCommand
     private readonly IPushRegistrationService _pushRegistrationService;
     private readonly ICurrentContext _currentContext;
     private readonly IHasConfirmedOwnersExceptQuery _hasConfirmedOwnersExceptQuery;
+    private readonly IGetOrganizationUsersManagementStatusQuery _getOrganizationUsersManagementStatusQuery;
+    private readonly IFeatureService _featureService;
+    private readonly TimeProvider _timeProvider;
+
+    public const string UserNotFoundErrorMessage = "User not found.";
+    public const string UsersInvalidErrorMessage = "Users invalid.";
+    public const string RemoveYourselfErrorMessage = "You cannot remove yourself.";
+    public const string RemoveOwnerByNonOwnerErrorMessage = "Only owners can delete other owners.";
+    public const string RemoveLastConfirmedOwnerErrorMessage = "Organization must have at least one confirmed owner.";
+    public const string RemoveClaimedAccountErrorMessage = "Cannot remove member accounts claimed by the organization. To offboard a member, revoke or delete the account.";
 
     public RemoveOrganizationUserCommand(
         IDeviceRepository deviceRepository,
@@ -25,7 +35,10 @@ public class RemoveOrganizationUserCommand : IRemoveOrganizationUserCommand
         IPushNotificationService pushNotificationService,
         IPushRegistrationService pushRegistrationService,
         ICurrentContext currentContext,
-        IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery)
+        IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery,
+        IGetOrganizationUsersManagementStatusQuery getOrganizationUsersManagementStatusQuery,
+        IFeatureService featureService,
+        TimeProvider timeProvider)
     {
         _deviceRepository = deviceRepository;
         _organizationUserRepository = organizationUserRepository;
@@ -34,14 +47,27 @@ public class RemoveOrganizationUserCommand : IRemoveOrganizationUserCommand
         _pushRegistrationService = pushRegistrationService;
         _currentContext = currentContext;
         _hasConfirmedOwnersExceptQuery = hasConfirmedOwnersExceptQuery;
+        _getOrganizationUsersManagementStatusQuery = getOrganizationUsersManagementStatusQuery;
+        _featureService = featureService;
+        _timeProvider = timeProvider;
+    }
+
+    public async Task RemoveUserAsync(Guid organizationId, Guid userId)
+    {
+        var organizationUser = await _organizationUserRepository.GetByOrganizationAsync(organizationId, userId);
+        ValidateRemoveUser(organizationId, organizationUser);
+
+        await RepositoryRemoveUserAsync(organizationUser, deletingUserId: null, eventSystemUser: null);
+
+        await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Removed);
     }
 
     public async Task RemoveUserAsync(Guid organizationId, Guid organizationUserId, Guid? deletingUserId)
     {
         var organizationUser = await _organizationUserRepository.GetByIdAsync(organizationUserId);
-        ValidateDeleteUser(organizationId, organizationUser);
+        ValidateRemoveUser(organizationId, organizationUser);
 
-        await RepositoryDeleteUserAsync(organizationUser, deletingUserId);
+        await RepositoryRemoveUserAsync(organizationUser, deletingUserId, eventSystemUser: null);
 
         await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Removed);
     }
@@ -49,108 +75,79 @@ public class RemoveOrganizationUserCommand : IRemoveOrganizationUserCommand
     public async Task RemoveUserAsync(Guid organizationId, Guid organizationUserId, EventSystemUser eventSystemUser)
     {
         var organizationUser = await _organizationUserRepository.GetByIdAsync(organizationUserId);
-        ValidateDeleteUser(organizationId, organizationUser);
+        ValidateRemoveUser(organizationId, organizationUser);
 
-        await RepositoryDeleteUserAsync(organizationUser, null);
+        await RepositoryRemoveUserAsync(organizationUser, deletingUserId: null, eventSystemUser);
 
         await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Removed, eventSystemUser);
     }
 
-    public async Task RemoveUserAsync(Guid organizationId, Guid userId)
+    public async Task<IEnumerable<(Guid OrganizationUserId, string ErrorMessage)>> RemoveUsersAsync(
+        Guid organizationId, IEnumerable<Guid> organizationUserIds, Guid? deletingUserId)
     {
-        var organizationUser = await _organizationUserRepository.GetByOrganizationAsync(organizationId, userId);
-        ValidateDeleteUser(organizationId, organizationUser);
+        var result = await RemoveUsersInternalAsync(organizationId, organizationUserIds, deletingUserId, eventSystemUser: null);
 
-        await RepositoryDeleteUserAsync(organizationUser, null);
+        var removedUsers = result.Where(r => string.IsNullOrEmpty(r.ErrorMessage)).Select(r => r.OrganizationUser).ToList();
+        if (removedUsers.Any())
+        {
+            DateTime? eventDate = _timeProvider.GetUtcNow().UtcDateTime;
+            await _eventService.LogOrganizationUserEventsAsync(
+                removedUsers.Select(ou => (ou, EventType.OrganizationUser_Removed, eventDate)));
+        }
 
-        await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Removed);
+        return result.Select(r => (r.OrganizationUser.Id, r.ErrorMessage));
     }
 
-    public async Task<List<Tuple<OrganizationUser, string>>> RemoveUsersAsync(Guid organizationId,
-        IEnumerable<Guid> organizationUsersId,
-        Guid? deletingUserId)
+    public async Task<IEnumerable<(Guid OrganizationUserId, string ErrorMessage)>> RemoveUsersAsync(
+        Guid organizationId, IEnumerable<Guid> organizationUserIds, EventSystemUser eventSystemUser)
     {
-        var orgUsers = await _organizationUserRepository.GetManyAsync(organizationUsersId);
-        var filteredUsers = orgUsers.Where(u => u.OrganizationId == organizationId)
-            .ToList();
+        var result = await RemoveUsersInternalAsync(organizationId, organizationUserIds, deletingUserId: null, eventSystemUser);
 
-        if (!filteredUsers.Any())
+        var removedUsers = result.Where(r => string.IsNullOrEmpty(r.ErrorMessage)).Select(r => r.OrganizationUser).ToList();
+        if (removedUsers.Any())
         {
-            throw new BadRequestException("Users invalid.");
+            DateTime? eventDate = _timeProvider.GetUtcNow().UtcDateTime;
+            await _eventService.LogOrganizationUserEventsAsync(
+                removedUsers.Select(ou => (ou, EventType.OrganizationUser_Removed, eventSystemUser, eventDate)));
         }
 
-        if (!await _hasConfirmedOwnersExceptQuery.HasConfirmedOwnersExceptAsync(organizationId, organizationUsersId))
-        {
-            throw new BadRequestException("Organization must have at least one confirmed owner.");
-        }
-
-        var deletingUserIsOwner = false;
-        if (deletingUserId.HasValue)
-        {
-            deletingUserIsOwner = await _currentContext.OrganizationOwner(organizationId);
-        }
-
-        var result = new List<Tuple<OrganizationUser, string>>();
-        var deletedUserIds = new List<Guid>();
-        foreach (var orgUser in filteredUsers)
-        {
-            try
-            {
-                if (deletingUserId.HasValue && orgUser.UserId == deletingUserId)
-                {
-                    throw new BadRequestException("You cannot remove yourself.");
-                }
-
-                if (orgUser.Type == OrganizationUserType.Owner && deletingUserId.HasValue && !deletingUserIsOwner)
-                {
-                    throw new BadRequestException("Only owners can delete other owners.");
-                }
-
-                await _eventService.LogOrganizationUserEventAsync(orgUser, EventType.OrganizationUser_Removed);
-
-                if (orgUser.UserId.HasValue)
-                {
-                    await DeleteAndPushUserRegistrationAsync(organizationId, orgUser.UserId.Value);
-                }
-                result.Add(Tuple.Create(orgUser, ""));
-                deletedUserIds.Add(orgUser.Id);
-            }
-            catch (BadRequestException e)
-            {
-                result.Add(Tuple.Create(orgUser, e.Message));
-            }
-
-            await _organizationUserRepository.DeleteManyAsync(deletedUserIds);
-        }
-
-        return result;
+        return result.Select(r => (r.OrganizationUser.Id, r.ErrorMessage));
     }
 
-    private void ValidateDeleteUser(Guid organizationId, OrganizationUser orgUser)
+    private void ValidateRemoveUser(Guid organizationId, OrganizationUser orgUser)
     {
         if (orgUser == null || orgUser.OrganizationId != organizationId)
         {
-            throw new NotFoundException("User not found.");
+            throw new NotFoundException(UserNotFoundErrorMessage);
         }
     }
 
-    private async Task RepositoryDeleteUserAsync(OrganizationUser orgUser, Guid? deletingUserId)
+    private async Task RepositoryRemoveUserAsync(OrganizationUser orgUser, Guid? deletingUserId, EventSystemUser? eventSystemUser)
     {
         if (deletingUserId.HasValue && orgUser.UserId == deletingUserId.Value)
         {
-            throw new BadRequestException("You cannot remove yourself.");
+            throw new BadRequestException(RemoveYourselfErrorMessage);
         }
 
         if (orgUser.Type == OrganizationUserType.Owner)
         {
             if (deletingUserId.HasValue && !await _currentContext.OrganizationOwner(orgUser.OrganizationId))
             {
-                throw new BadRequestException("Only owners can delete other owners.");
+                throw new BadRequestException(RemoveOwnerByNonOwnerErrorMessage);
             }
 
             if (!await _hasConfirmedOwnersExceptQuery.HasConfirmedOwnersExceptAsync(orgUser.OrganizationId, new[] { orgUser.Id }, includeProvider: true))
             {
-                throw new BadRequestException("Organization must have at least one confirmed owner.");
+                throw new BadRequestException(RemoveLastConfirmedOwnerErrorMessage);
+            }
+        }
+
+        if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning) && deletingUserId.HasValue && eventSystemUser == null)
+        {
+            var managementStatus = await _getOrganizationUsersManagementStatusQuery.GetUsersOrganizationManagementStatusAsync(orgUser.OrganizationId, new[] { orgUser.Id });
+            if (managementStatus.TryGetValue(orgUser.Id, out var isManaged) && isManaged)
+            {
+                throw new BadRequestException(RemoveClaimedAccountErrorMessage);
             }
         }
 
@@ -177,4 +174,70 @@ public class RemoveOrganizationUserCommand : IRemoveOrganizationUserCommand
             organizationId.ToString());
         await _pushNotificationService.PushSyncOrgKeysAsync(userId);
     }
+
+    private async Task<IEnumerable<(OrganizationUser OrganizationUser, string ErrorMessage)>> RemoveUsersInternalAsync(
+        Guid organizationId, IEnumerable<Guid> organizationUsersId, Guid? deletingUserId, EventSystemUser? eventSystemUser)
+    {
+        var orgUsers = await _organizationUserRepository.GetManyAsync(organizationUsersId);
+        var filteredUsers = orgUsers.Where(u => u.OrganizationId == organizationId).ToList();
+
+        if (!filteredUsers.Any())
+        {
+            throw new BadRequestException(UsersInvalidErrorMessage);
+        }
+
+        if (!await _hasConfirmedOwnersExceptQuery.HasConfirmedOwnersExceptAsync(organizationId, organizationUsersId))
+        {
+            throw new BadRequestException(RemoveLastConfirmedOwnerErrorMessage);
+        }
+
+        var deletingUserIsOwner = false;
+        if (deletingUserId.HasValue)
+        {
+            deletingUserIsOwner = await _currentContext.OrganizationOwner(organizationId);
+        }
+
+        var managementStatus = _featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning) && deletingUserId.HasValue && eventSystemUser == null
+            ? await _getOrganizationUsersManagementStatusQuery.GetUsersOrganizationManagementStatusAsync(organizationId, filteredUsers.Select(u => u.Id))
+            : filteredUsers.ToDictionary(u => u.Id, u => false);
+        var result = new List<(OrganizationUser OrganizationUser, string ErrorMessage)>();
+        foreach (var orgUser in filteredUsers)
+        {
+            try
+            {
+                if (deletingUserId.HasValue && orgUser.UserId == deletingUserId)
+                {
+                    throw new BadRequestException(RemoveYourselfErrorMessage);
+                }
+
+                if (orgUser.Type == OrganizationUserType.Owner && deletingUserId.HasValue && !deletingUserIsOwner)
+                {
+                    throw new BadRequestException(RemoveOwnerByNonOwnerErrorMessage);
+                }
+
+                if (managementStatus.TryGetValue(orgUser.Id, out var isManaged) && isManaged)
+                {
+                    throw new BadRequestException(RemoveClaimedAccountErrorMessage);
+                }
+
+                result.Add((orgUser, string.Empty));
+            }
+            catch (BadRequestException e)
+            {
+                result.Add((orgUser, e.Message));
+            }
+        }
+
+        var organizationUsersToRemove = result.Where(r => string.IsNullOrEmpty(r.ErrorMessage)).Select(r => r.OrganizationUser).ToList();
+        if (organizationUsersToRemove.Any())
+        {
+            await _organizationUserRepository.DeleteManyAsync(organizationUsersToRemove.Select(ou => ou.Id));
+            foreach (var orgUser in organizationUsersToRemove.Where(ou => ou.UserId.HasValue))
+            {
+                await DeleteAndPushUserRegistrationAsync(organizationId, orgUser.UserId.Value);
+            }
+        }
+
+        return result;
+    }
 }
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommandTests.cs
index 2d10ce626b..61371b756e 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommandTests.cs
@@ -9,6 +9,7 @@ using Bit.Core.Services;
 using Bit.Core.Test.AutoFixture.OrganizationUserFixtures;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.Extensions.Time.Testing;
 using NSubstitute;
 using Xunit;
 
@@ -18,38 +19,93 @@ namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers;
 public class RemoveOrganizationUserCommandTests
 {
     [Theory, BitAutoData]
-    public async Task RemoveUser_Success(
+    public async Task RemoveUser_WithDeletingUserId_Success(
         [OrganizationUser(type: OrganizationUserType.User)] OrganizationUser organizationUser,
         [OrganizationUser(type: OrganizationUserType.Owner)] OrganizationUser deletingUser,
         SutProvider<RemoveOrganizationUserCommand> sutProvider)
     {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var currentContext = sutProvider.GetDependency<ICurrentContext>();
-
+        // Arrange
         organizationUser.OrganizationId = deletingUser.OrganizationId;
-        organizationUserRepository.GetByIdAsync(organizationUser.Id).Returns(organizationUser);
-        organizationUserRepository.GetByIdAsync(deletingUser.Id).Returns(deletingUser);
-        currentContext.OrganizationOwner(deletingUser.OrganizationId).Returns(true);
 
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(organizationUser.Id)
+            .Returns(organizationUser);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(deletingUser.Id)
+            .Returns(deletingUser);
+        sutProvider.GetDependency<ICurrentContext>()
+            .OrganizationOwner(deletingUser.OrganizationId)
+            .Returns(true);
+
+        // Act
         await sutProvider.Sut.RemoveUserAsync(deletingUser.OrganizationId, organizationUser.Id, deletingUser.UserId);
 
-        await organizationUserRepository.Received(1).DeleteAsync(organizationUser);
-        await sutProvider.GetDependency<IEventService>().Received(1).LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Removed);
+        // Assert
+        await sutProvider.GetDependency<IGetOrganizationUsersManagementStatusQuery>()
+            .DidNotReceiveWithAnyArgs()
+            .GetUsersOrganizationManagementStatusAsync(default, default);
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .DeleteAsync(organizationUser);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Removed);
     }
 
-    [Theory]
-    [BitAutoData]
-    public async Task RemoveUser_NotFound_ThrowsException(SutProvider<RemoveOrganizationUserCommand> sutProvider,
+    [Theory, BitAutoData]
+    public async Task RemoveUser_WithDeletingUserId_WithAccountDeprovisioningEnabled_Success(
+        [OrganizationUser(type: OrganizationUserType.User)] OrganizationUser organizationUser,
+        [OrganizationUser(type: OrganizationUserType.Owner)] OrganizationUser deletingUser,
+        SutProvider<RemoveOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        organizationUser.OrganizationId = deletingUser.OrganizationId;
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
+            .Returns(true);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(organizationUser.Id)
+            .Returns(organizationUser);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(deletingUser.Id)
+            .Returns(deletingUser);
+        sutProvider.GetDependency<ICurrentContext>()
+            .OrganizationOwner(deletingUser.OrganizationId)
+            .Returns(true);
+
+        // Act
+        await sutProvider.Sut.RemoveUserAsync(deletingUser.OrganizationId, organizationUser.Id, deletingUser.UserId);
+
+        // Assert
+        await sutProvider.GetDependency<IGetOrganizationUsersManagementStatusQuery>()
+            .Received(1)
+            .GetUsersOrganizationManagementStatusAsync(
+                organizationUser.OrganizationId,
+                Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.Id)));
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .DeleteAsync(organizationUser);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Removed);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RemoveUser_WithDeletingUserId_NotFound_ThrowsException(
+        SutProvider<RemoveOrganizationUserCommand> sutProvider,
         Guid organizationId, Guid organizationUserId)
     {
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.RemoveUserAsync(organizationId, organizationUserId, null));
+        // Act & Assert
+        await Assert.ThrowsAsync<NotFoundException>(async () =>
+            await sutProvider.Sut.RemoveUserAsync(organizationId, organizationUserId, null));
     }
 
-    [Theory]
-    [BitAutoData]
-    public async Task RemoveUser_MismatchingOrganizationId_ThrowsException(
+    [Theory, BitAutoData]
+    public async Task RemoveUser_WithDeletingUserId_MismatchingOrganizationId_ThrowsException(
         SutProvider<RemoveOrganizationUserCommand> sutProvider, Guid organizationId, Guid organizationUserId)
     {
+        // Arrange
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetByIdAsync(organizationUserId)
             .Returns(new OrganizationUser
@@ -58,92 +114,231 @@ public class RemoveOrganizationUserCommandTests
                 OrganizationId = Guid.NewGuid()
             });
 
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.RemoveUserAsync(organizationId, organizationUserId, null));
+        // Act & Assert
+        await Assert.ThrowsAsync<NotFoundException>(async () =>
+            await sutProvider.Sut.RemoveUserAsync(organizationId, organizationUserId, null));
     }
 
     [Theory, BitAutoData]
-    public async Task RemoveUser_InvalidUser_ThrowsException(
-        OrganizationUser organizationUser, OrganizationUser deletingUser,
-        SutProvider<RemoveOrganizationUserCommand> sutProvider)
+    public async Task RemoveUser_WithDeletingUserId_InvalidUser_ThrowsException(
+        OrganizationUser organizationUser, SutProvider<RemoveOrganizationUserCommand> sutProvider)
     {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-
-        organizationUserRepository.GetByIdAsync(organizationUser.Id).Returns(organizationUser);
+        // Arrange
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(organizationUser.Id)
+            .Returns(organizationUser);
 
+        // Act & Assert
         var exception = await Assert.ThrowsAsync<NotFoundException>(
-            () => sutProvider.Sut.RemoveUserAsync(Guid.NewGuid(), organizationUser.Id, deletingUser.UserId));
-        Assert.Contains("User not found.", exception.Message);
+            () => sutProvider.Sut.RemoveUserAsync(Guid.NewGuid(), organizationUser.Id, null));
+        Assert.Contains(RemoveOrganizationUserCommand.UserNotFoundErrorMessage, exception.Message);
     }
 
     [Theory, BitAutoData]
-    public async Task RemoveUser_RemoveYourself_ThrowsException(OrganizationUser deletingUser, SutProvider<RemoveOrganizationUserCommand> sutProvider)
+    public async Task RemoveUser_WithDeletingUserId_RemoveYourself_ThrowsException(
+        OrganizationUser deletingUser, SutProvider<RemoveOrganizationUserCommand> sutProvider)
     {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-
-        organizationUserRepository.GetByIdAsync(deletingUser.Id).Returns(deletingUser);
+        // Arrange
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(deletingUser.Id)
+            .Returns(deletingUser);
 
+        // Act & Assert
         var exception = await Assert.ThrowsAsync<BadRequestException>(
             () => sutProvider.Sut.RemoveUserAsync(deletingUser.OrganizationId, deletingUser.Id, deletingUser.UserId));
-        Assert.Contains("You cannot remove yourself.", exception.Message);
+        Assert.Contains(RemoveOrganizationUserCommand.RemoveYourselfErrorMessage, exception.Message);
     }
 
     [Theory, BitAutoData]
-    public async Task RemoveUser_NonOwnerRemoveOwner_ThrowsException(
+    public async Task RemoveUser_WithDeletingUserId_NonOwnerRemoveOwner_ThrowsException(
         [OrganizationUser(type: OrganizationUserType.Owner)] OrganizationUser organizationUser,
         [OrganizationUser(type: OrganizationUserType.Admin)] OrganizationUser deletingUser,
         SutProvider<RemoveOrganizationUserCommand> sutProvider)
     {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var currentContext = sutProvider.GetDependency<ICurrentContext>();
-
+        // Arrange
         organizationUser.OrganizationId = deletingUser.OrganizationId;
-        organizationUserRepository.GetByIdAsync(organizationUser.Id).Returns(organizationUser);
-        currentContext.OrganizationAdmin(deletingUser.OrganizationId).Returns(true);
 
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(organizationUser.Id)
+            .Returns(organizationUser);
+        sutProvider.GetDependency<ICurrentContext>()
+            .OrganizationAdmin(organizationUser.OrganizationId)
+            .Returns(true);
+
+        // Act & Assert
         var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.RemoveUserAsync(deletingUser.OrganizationId, organizationUser.Id, deletingUser.UserId));
-        Assert.Contains("Only owners can delete other owners.", exception.Message);
+            () => sutProvider.Sut.RemoveUserAsync(organizationUser.OrganizationId, organizationUser.Id, deletingUser.UserId));
+        Assert.Contains(RemoveOrganizationUserCommand.RemoveOwnerByNonOwnerErrorMessage, exception.Message);
     }
 
     [Theory, BitAutoData]
-    public async Task RemoveUser_RemovingLastOwner_ThrowsException(
+    public async Task RemoveUser_WithDeletingUserId_RemovingLastOwner_ThrowsException(
         [OrganizationUser(type: OrganizationUserType.Owner)] OrganizationUser organizationUser,
         OrganizationUser deletingUser,
         SutProvider<RemoveOrganizationUserCommand> sutProvider)
     {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var hasConfirmedOwnersExceptQuery = sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>();
-
+        // Arrange
         organizationUser.OrganizationId = deletingUser.OrganizationId;
-        organizationUserRepository.GetByIdAsync(organizationUser.Id).Returns(organizationUser);
-        hasConfirmedOwnersExceptQuery.HasConfirmedOwnersExceptAsync(
-            deletingUser.OrganizationId,
-            Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.Id)), Arg.Any<bool>())
-            .Returns(false);
 
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(organizationUser.Id)
+            .Returns(organizationUser);
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(
+                organizationUser.OrganizationId,
+                Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.Id)),
+                Arg.Any<bool>())
+            .Returns(false);
+        sutProvider.GetDependency<ICurrentContext>()
+            .OrganizationOwner(deletingUser.OrganizationId)
+            .Returns(true);
+
+        // Act & Assert
         var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.RemoveUserAsync(deletingUser.OrganizationId, organizationUser.Id, null));
-        Assert.Contains("Organization must have at least one confirmed owner.", exception.Message);
-        hasConfirmedOwnersExceptQuery
+            () => sutProvider.Sut.RemoveUserAsync(organizationUser.OrganizationId, organizationUser.Id, deletingUser.UserId));
+        Assert.Contains(RemoveOrganizationUserCommand.RemoveLastConfirmedOwnerErrorMessage, exception.Message);
+        await sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
             .Received(1)
             .HasConfirmedOwnersExceptAsync(
                 organizationUser.OrganizationId,
                 Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.Id)), true);
     }
 
+    [Theory, BitAutoData]
+    public async Task RemoveUserAsync_WithDeletingUserId_WithAccountDeprovisioningEnabled_WhenUserIsManaged_ThrowsException(
+        [OrganizationUser(status: OrganizationUserStatusType.Confirmed)] OrganizationUser orgUser,
+        Guid deletingUserId,
+        SutProvider<RemoveOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
+            .Returns(true);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(orgUser.Id)
+            .Returns(orgUser);
+        sutProvider.GetDependency<IGetOrganizationUsersManagementStatusQuery>()
+            .GetUsersOrganizationManagementStatusAsync(orgUser.OrganizationId, Arg.Is<IEnumerable<Guid>>(i => i.Contains(orgUser.Id)))
+            .Returns(new Dictionary<Guid, bool> { { orgUser.Id, true } });
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RemoveUserAsync(orgUser.OrganizationId, orgUser.Id, deletingUserId));
+        Assert.Contains(RemoveOrganizationUserCommand.RemoveClaimedAccountErrorMessage, exception.Message);
+        await sutProvider.GetDependency<IGetOrganizationUsersManagementStatusQuery>()
+            .Received(1)
+            .GetUsersOrganizationManagementStatusAsync(orgUser.OrganizationId, Arg.Is<IEnumerable<Guid>>(i => i.Contains(orgUser.Id)));
+    }
+
     [Theory, BitAutoData]
     public async Task RemoveUser_WithEventSystemUser_Success(
         [OrganizationUser(type: OrganizationUserType.User)] OrganizationUser organizationUser,
+        EventSystemUser eventSystemUser, SutProvider<RemoveOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(organizationUser.Id)
+            .Returns(organizationUser);
+
+        // Act
+        await sutProvider.Sut.RemoveUserAsync(organizationUser.OrganizationId, organizationUser.Id, eventSystemUser);
+
+        // Assert
+        await sutProvider.GetDependency<IGetOrganizationUsersManagementStatusQuery>()
+            .DidNotReceiveWithAnyArgs()
+            .GetUsersOrganizationManagementStatusAsync(default, default);
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .DeleteAsync(organizationUser);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Removed, eventSystemUser);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RemoveUser_WithEventSystemUser_WithAccountDeprovisioningEnabled_Success(
+        [OrganizationUser(type: OrganizationUserType.User)] OrganizationUser organizationUser,
+        EventSystemUser eventSystemUser, SutProvider<RemoveOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
+            .Returns(true);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(organizationUser.Id)
+            .Returns(organizationUser);
+
+        // Act
+        await sutProvider.Sut.RemoveUserAsync(organizationUser.OrganizationId, organizationUser.Id, eventSystemUser);
+
+        // Assert
+        await sutProvider.GetDependency<IGetOrganizationUsersManagementStatusQuery>()
+            .DidNotReceiveWithAnyArgs()
+            .GetUsersOrganizationManagementStatusAsync(default, default);
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .DeleteAsync(organizationUser);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Removed, eventSystemUser);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RemoveUser_WithEventSystemUser_NotFound_ThrowsException(
+        SutProvider<RemoveOrganizationUserCommand> sutProvider,
+        Guid organizationId, Guid organizationUserId, EventSystemUser eventSystemUser)
+    {
+        // Act & Assert
+        await Assert.ThrowsAsync<NotFoundException>(async () =>
+            await sutProvider.Sut.RemoveUserAsync(organizationId, organizationUserId, eventSystemUser));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RemoveUser_WithEventSystemUser_MismatchingOrganizationId_ThrowsException(
+        SutProvider<RemoveOrganizationUserCommand> sutProvider, Guid organizationId, Guid organizationUserId, EventSystemUser eventSystemUser)
+    {
+        // Arrange
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(organizationUserId)
+            .Returns(new OrganizationUser
+            {
+                Id = organizationUserId,
+                OrganizationId = Guid.NewGuid()
+            });
+
+        // Act & Assert
+        await Assert.ThrowsAsync<NotFoundException>(async () =>
+            await sutProvider.Sut.RemoveUserAsync(organizationId, organizationUserId, eventSystemUser));
+    }
+
+    [Theory, BitAutoData]
+    public async Task RemoveUser_WithEventSystemUser_RemovingLastOwner_ThrowsException(
+        [OrganizationUser(type: OrganizationUserType.Owner)] OrganizationUser organizationUser,
         EventSystemUser eventSystemUser,
         SutProvider<RemoveOrganizationUserCommand> sutProvider)
     {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+        // Arrange
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(organizationUser.Id)
+            .Returns(organizationUser);
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(
+                organizationUser.OrganizationId,
+                Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.Id)),
+                Arg.Any<bool>())
+            .Returns(false);
 
-        organizationUserRepository.GetByIdAsync(organizationUser.Id).Returns(organizationUser);
-
-        await sutProvider.Sut.RemoveUserAsync(organizationUser.OrganizationId, organizationUser.Id, eventSystemUser);
-
-        await sutProvider.GetDependency<IEventService>().Received(1).LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Removed, eventSystemUser);
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RemoveUserAsync(organizationUser.OrganizationId, organizationUser.Id, eventSystemUser));
+        Assert.Contains(RemoveOrganizationUserCommand.RemoveLastConfirmedOwnerErrorMessage, exception.Message);
+        await sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .Received(1)
+            .HasConfirmedOwnersExceptAsync(
+                organizationUser.OrganizationId,
+                Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.Id)), true);
     }
 
     [Theory, BitAutoData]
@@ -170,23 +365,26 @@ public class RemoveOrganizationUserCommandTests
     }
 
     [Theory, BitAutoData]
-    public async Task RemoveUser_ByUserId_NotFound_ThrowsException(SutProvider<RemoveOrganizationUserCommand> sutProvider,
-        Guid organizationId, Guid userId)
+    public async Task RemoveUser_ByUserId_NotFound_ThrowsException(
+        SutProvider<RemoveOrganizationUserCommand> sutProvider, Guid organizationId, Guid userId)
     {
+        // Act & Assert
         await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.RemoveUserAsync(organizationId, userId));
     }
 
     [Theory, BitAutoData]
-    public async Task RemoveUser_ByUserId_InvalidUser_ThrowsException(OrganizationUser organizationUser,
-        SutProvider<RemoveOrganizationUserCommand> sutProvider)
+    public async Task RemoveUser_ByUserId_InvalidUser_ThrowsException(
+        OrganizationUser organizationUser, SutProvider<RemoveOrganizationUserCommand> sutProvider)
     {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-
-        organizationUserRepository.GetByOrganizationAsync(organizationUser.OrganizationId, organizationUser.UserId!.Value).Returns(organizationUser);
+        // Arrange
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByOrganizationAsync(organizationUser.OrganizationId, organizationUser.UserId!.Value)
+            .Returns(organizationUser);
 
+        // Act & Assert
         var exception = await Assert.ThrowsAsync<NotFoundException>(
             () => sutProvider.Sut.RemoveUserAsync(Guid.NewGuid(), organizationUser.UserId.Value));
-        Assert.Contains("User not found.", exception.Message);
+        Assert.Contains(RemoveOrganizationUserCommand.UserNotFoundErrorMessage, exception.Message);
     }
 
     [Theory, BitAutoData]
@@ -194,21 +392,22 @@ public class RemoveOrganizationUserCommandTests
         [OrganizationUser(type: OrganizationUserType.Owner)] OrganizationUser organizationUser,
         SutProvider<RemoveOrganizationUserCommand> sutProvider)
     {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var hasConfirmedOwnersExceptQuery = sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>();
-
-        organizationUserRepository.GetByOrganizationAsync(organizationUser.OrganizationId, organizationUser.UserId!.Value).Returns(organizationUser);
-        hasConfirmedOwnersExceptQuery
+        // Arrange
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByOrganizationAsync(organizationUser.OrganizationId, organizationUser.UserId!.Value)
+            .Returns(organizationUser);
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
             .HasConfirmedOwnersExceptAsync(
                 organizationUser.OrganizationId,
                 Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.Id)),
                 Arg.Any<bool>())
             .Returns(false);
 
+        // Act & Assert
         var exception = await Assert.ThrowsAsync<BadRequestException>(
             () => sutProvider.Sut.RemoveUserAsync(organizationUser.OrganizationId, organizationUser.UserId.Value));
-        Assert.Contains("Organization must have at least one confirmed owner.", exception.Message);
-        hasConfirmedOwnersExceptQuery
+        Assert.Contains(RemoveOrganizationUserCommand.RemoveLastConfirmedOwnerErrorMessage, exception.Message);
+        await sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
             .Received(1)
             .HasConfirmedOwnersExceptAsync(
                 organizationUser.OrganizationId,
@@ -217,93 +416,371 @@ public class RemoveOrganizationUserCommandTests
     }
 
     [Theory, BitAutoData]
-    public async Task RemoveUsers_FilterInvalid_ThrowsException(OrganizationUser organizationUser, OrganizationUser deletingUser,
-        SutProvider<RemoveOrganizationUserCommand> sutProvider)
-    {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var organizationUsers = new[] { organizationUser };
-        var organizationUserIds = organizationUsers.Select(u => u.Id);
-        organizationUserRepository.GetManyAsync(default).ReturnsForAnyArgs(organizationUsers);
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.RemoveUsersAsync(deletingUser.OrganizationId, organizationUserIds, deletingUser.UserId));
-        Assert.Contains("Users invalid.", exception.Message);
-    }
-
-    [Theory, BitAutoData]
-    public async Task RemoveUsers_RemoveYourself_ThrowsException(
-        OrganizationUser deletingUser,
-        SutProvider<RemoveOrganizationUserCommand> sutProvider)
-    {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var organizationUsers = new[] { deletingUser };
-        var organizationUserIds = organizationUsers.Select(u => u.Id);
-        organizationUserRepository.GetManyAsync(default).ReturnsForAnyArgs(organizationUsers);
-        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
-            .HasConfirmedOwnersExceptAsync(deletingUser.OrganizationId, Arg.Any<IEnumerable<Guid>>())
-            .Returns(true);
-
-        var result = await sutProvider.Sut.RemoveUsersAsync(deletingUser.OrganizationId, organizationUserIds, deletingUser.UserId);
-        Assert.Contains("You cannot remove yourself.", result[0].Item2);
-    }
-
-    [Theory, BitAutoData]
-    public async Task RemoveUsers_NonOwnerRemoveOwner_ThrowsException(
-        [OrganizationUser(type: OrganizationUserType.Admin)] OrganizationUser deletingUser,
-        [OrganizationUser(type: OrganizationUserType.Owner)] OrganizationUser orgUser1,
-        [OrganizationUser(OrganizationUserStatusType.Confirmed)] OrganizationUser orgUser2,
-        SutProvider<RemoveOrganizationUserCommand> sutProvider)
-    {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-
-        orgUser1.OrganizationId = orgUser2.OrganizationId = deletingUser.OrganizationId;
-        var organizationUsers = new[] { orgUser1 };
-        var organizationUserIds = organizationUsers.Select(u => u.Id);
-        organizationUserRepository.GetManyAsync(default).ReturnsForAnyArgs(organizationUsers);
-        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
-            .HasConfirmedOwnersExceptAsync(deletingUser.OrganizationId, Arg.Any<IEnumerable<Guid>>())
-            .Returns(true);
-
-        var result = await sutProvider.Sut.RemoveUsersAsync(deletingUser.OrganizationId, organizationUserIds, deletingUser.UserId);
-        Assert.Contains("Only owners can delete other owners.", result[0].Item2);
-    }
-
-    [Theory, BitAutoData]
-    public async Task RemoveUsers_LastOwner_ThrowsException(
-        [OrganizationUser(status: OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser orgUser,
-        SutProvider<RemoveOrganizationUserCommand> sutProvider)
-    {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-
-        var organizationUsers = new[] { orgUser };
-        var organizationUserIds = organizationUsers.Select(u => u.Id);
-        organizationUserRepository.GetManyAsync(default).ReturnsForAnyArgs(organizationUsers);
-        organizationUserRepository.GetManyByOrganizationAsync(orgUser.OrganizationId, OrganizationUserType.Owner).Returns(organizationUsers);
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.RemoveUsersAsync(orgUser.OrganizationId, organizationUserIds, null));
-        Assert.Contains("Organization must have at least one confirmed owner.", exception.Message);
-    }
-
-    [Theory, BitAutoData]
-    public async Task RemoveUsers_Success(
+    public async Task RemoveUsers_WithDeletingUserId_Success(
         [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser deletingUser,
-        [OrganizationUser(type: OrganizationUserType.Owner)] OrganizationUser orgUser1, OrganizationUser orgUser2,
-        SutProvider<RemoveOrganizationUserCommand> sutProvider)
+        [OrganizationUser(type: OrganizationUserType.Owner)] OrganizationUser orgUser1, OrganizationUser orgUser2)
     {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var currentContext = sutProvider.GetDependency<ICurrentContext>();
-
+        // Arrange
+        var sutProvider = SutProviderFactory();
+        var eventDate = sutProvider.GetDependency<FakeTimeProvider>().GetUtcNow().UtcDateTime;
         orgUser1.OrganizationId = orgUser2.OrganizationId = deletingUser.OrganizationId;
         var organizationUsers = new[] { orgUser1, orgUser2 };
         var organizationUserIds = organizationUsers.Select(u => u.Id);
-        organizationUserRepository.GetManyAsync(default).ReturnsForAnyArgs(organizationUsers);
-        organizationUserRepository.GetByIdAsync(deletingUser.Id).Returns(deletingUser);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyAsync(default)
+            .ReturnsForAnyArgs(organizationUsers);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(deletingUser.Id)
+            .Returns(deletingUser);
         sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
             .HasConfirmedOwnersExceptAsync(deletingUser.OrganizationId, Arg.Any<IEnumerable<Guid>>())
             .Returns(true);
-        currentContext.OrganizationOwner(deletingUser.OrganizationId).Returns(true);
+        sutProvider.GetDependency<ICurrentContext>()
+            .OrganizationOwner(deletingUser.OrganizationId)
+            .Returns(true);
+        sutProvider.GetDependency<IGetOrganizationUsersManagementStatusQuery>()
+            .GetUsersOrganizationManagementStatusAsync(
+                deletingUser.OrganizationId,
+                Arg.Is<IEnumerable<Guid>>(i => i.Contains(orgUser1.Id) && i.Contains(orgUser2.Id)))
+            .Returns(new Dictionary<Guid, bool> { { orgUser1.Id, false }, { orgUser2.Id, false } });
 
-        await sutProvider.Sut.RemoveUsersAsync(deletingUser.OrganizationId, organizationUserIds, deletingUser.UserId);
+        // Act
+        var result = await sutProvider.Sut.RemoveUsersAsync(deletingUser.OrganizationId, organizationUserIds, deletingUser.UserId);
+
+        // Assert
+        Assert.Equal(2, result.Count());
+        Assert.All(result, r => Assert.Empty(r.ErrorMessage));
+        await sutProvider.GetDependency<IGetOrganizationUsersManagementStatusQuery>()
+            .DidNotReceiveWithAnyArgs()
+            .GetUsersOrganizationManagementStatusAsync(default, default);
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .DeleteManyAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(orgUser1.Id) && i.Contains(orgUser2.Id)));
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventsAsync(
+                Arg.Is<IEnumerable<(OrganizationUser OrganizationUser, EventType EventType, DateTime? DateTime)>>(i =>
+                    i.First().OrganizationUser.Id == orgUser1.Id
+                    && i.Last().OrganizationUser.Id == orgUser2.Id
+                    && i.All(u => u.DateTime == eventDate)));
+    }
+
+    [Theory, BitAutoData]
+    public async Task RemoveUsers_WithDeletingUserId_WithAccountDeprovisioningEnabled_Success(
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser deletingUser,
+        [OrganizationUser(type: OrganizationUserType.Owner)] OrganizationUser orgUser1, OrganizationUser orgUser2)
+    {
+        // Arrange
+        var sutProvider = SutProviderFactory();
+        var eventDate = sutProvider.GetDependency<FakeTimeProvider>().GetUtcNow().UtcDateTime;
+        orgUser1.OrganizationId = orgUser2.OrganizationId = deletingUser.OrganizationId;
+        var organizationUsers = new[] { orgUser1, orgUser2 };
+        var organizationUserIds = organizationUsers.Select(u => u.Id);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
+            .Returns(true);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyAsync(default)
+            .ReturnsForAnyArgs(organizationUsers);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(deletingUser.Id)
+            .Returns(deletingUser);
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(deletingUser.OrganizationId, Arg.Any<IEnumerable<Guid>>())
+            .Returns(true);
+        sutProvider.GetDependency<ICurrentContext>()
+            .OrganizationOwner(deletingUser.OrganizationId)
+            .Returns(true);
+        sutProvider.GetDependency<IGetOrganizationUsersManagementStatusQuery>()
+            .GetUsersOrganizationManagementStatusAsync(
+                deletingUser.OrganizationId,
+                Arg.Is<IEnumerable<Guid>>(i => i.Contains(orgUser1.Id) && i.Contains(orgUser2.Id)))
+            .Returns(new Dictionary<Guid, bool> { { orgUser1.Id, false }, { orgUser2.Id, false } });
+
+        // Act
+        var result = await sutProvider.Sut.RemoveUsersAsync(deletingUser.OrganizationId, organizationUserIds, deletingUser.UserId);
+
+        // Assert
+        Assert.Equal(2, result.Count());
+        Assert.All(result, r => Assert.Empty(r.ErrorMessage));
+        await sutProvider.GetDependency<IGetOrganizationUsersManagementStatusQuery>()
+            .Received(1)
+            .GetUsersOrganizationManagementStatusAsync(
+                deletingUser.OrganizationId,
+                Arg.Is<IEnumerable<Guid>>(i => i.Contains(orgUser1.Id) && i.Contains(orgUser2.Id)));
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .DeleteManyAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(orgUser1.Id) && i.Contains(orgUser2.Id)));
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventsAsync(
+                Arg.Is<IEnumerable<(OrganizationUser OrganizationUser, EventType EventType, DateTime? DateTime)>>(i =>
+                    i.First().OrganizationUser.Id == orgUser1.Id
+                    && i.Last().OrganizationUser.Id == orgUser2.Id
+                    && i.All(u => u.DateTime == eventDate)));
+    }
+
+    [Theory, BitAutoData]
+    public async Task RemoveUsers_WithDeletingUserId_WithMismatchingOrganizationId_ThrowsException(OrganizationUser organizationUser,
+        OrganizationUser deletingUser, SutProvider<RemoveOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        var organizationUsers = new[] { organizationUser };
+        var organizationUserIds = organizationUsers.Select(u => u.Id);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyAsync(default)
+            .ReturnsForAnyArgs(organizationUsers);
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RemoveUsersAsync(deletingUser.OrganizationId, organizationUserIds, deletingUser.UserId));
+        Assert.Contains(RemoveOrganizationUserCommand.UsersInvalidErrorMessage, exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RemoveUsers_WithDeletingUserId_RemoveYourself_ThrowsException(
+        OrganizationUser deletingUser, SutProvider<RemoveOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        var organizationUsers = new[] { deletingUser };
+        var organizationUserIds = organizationUsers.Select(u => u.Id);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyAsync(default)
+            .ReturnsForAnyArgs(organizationUsers);
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(deletingUser.OrganizationId, Arg.Any<IEnumerable<Guid>>())
+            .Returns(true);
+
+        // Act
+        var result = await sutProvider.Sut.RemoveUsersAsync(deletingUser.OrganizationId, organizationUserIds, deletingUser.UserId);
+
+        // Assert
+        Assert.Contains(RemoveOrganizationUserCommand.RemoveYourselfErrorMessage, result.First().ErrorMessage);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RemoveUsers_WithDeletingUserId_NonOwnerRemoveOwner_ThrowsException(
+        [OrganizationUser(type: OrganizationUserType.Owner)] OrganizationUser orgUser1,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed)] OrganizationUser orgUser2,
+        [OrganizationUser(type: OrganizationUserType.Admin)] OrganizationUser deletingUser,
+        SutProvider<RemoveOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        orgUser1.OrganizationId = orgUser2.OrganizationId = deletingUser.OrganizationId;
+        var organizationUsers = new[] { orgUser1, orgUser2 };
+        var organizationUserIds = organizationUsers.Select(u => u.Id);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyAsync(default)
+            .ReturnsForAnyArgs(organizationUsers);
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(deletingUser.OrganizationId, Arg.Any<IEnumerable<Guid>>())
+            .Returns(true);
+
+        // Act
+        var result = await sutProvider.Sut.RemoveUsersAsync(deletingUser.OrganizationId, organizationUserIds, deletingUser.UserId);
+
+        // Assert
+        Assert.Contains(RemoveOrganizationUserCommand.RemoveOwnerByNonOwnerErrorMessage, result.First().ErrorMessage);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RemoveUsers_WithDeletingUserId_RemovingManagedUser_WithAccountDeprovisioningEnabled_ThrowsException(
+        [OrganizationUser(status: OrganizationUserStatusType.Confirmed, OrganizationUserType.User)] OrganizationUser orgUser,
+        OrganizationUser deletingUser,
+        SutProvider<RemoveOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        orgUser.OrganizationId = deletingUser.OrganizationId;
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
+            .Returns(true);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(orgUser.Id)))
+            .Returns(new[] { orgUser });
+
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(orgUser.OrganizationId, Arg.Any<IEnumerable<Guid>>())
+            .Returns(true);
+
+        sutProvider.GetDependency<IGetOrganizationUsersManagementStatusQuery>()
+            .GetUsersOrganizationManagementStatusAsync(orgUser.OrganizationId, Arg.Is<IEnumerable<Guid>>(i => i.Contains(orgUser.Id)))
+            .Returns(new Dictionary<Guid, bool> { { orgUser.Id, true } });
+
+        // Act
+        var result = await sutProvider.Sut.RemoveUsersAsync(orgUser.OrganizationId, new[] { orgUser.Id }, deletingUser.UserId);
+
+        // Assert
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .DeleteManyAsync(default);
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogOrganizationUserEventsAsync(Arg.Any<IEnumerable<(OrganizationUser OrganizationUser, EventType EventType, DateTime? DateTime)>>());
+        Assert.Contains(RemoveOrganizationUserCommand.RemoveClaimedAccountErrorMessage, result.First().ErrorMessage);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RemoveUsers_WithDeletingUserId_LastOwner_ThrowsException(
+        [OrganizationUser(status: OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser orgUser,
+        SutProvider<RemoveOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        var organizationUsers = new[] { orgUser };
+        var organizationUserIds = organizationUsers.Select(u => u.Id);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyAsync(default)
+            .ReturnsForAnyArgs(organizationUsers);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByOrganizationAsync(orgUser.OrganizationId, OrganizationUserType.Owner)
+            .Returns(organizationUsers);
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RemoveUsersAsync(orgUser.OrganizationId, organizationUserIds, null));
+        Assert.Contains(RemoveOrganizationUserCommand.RemoveLastConfirmedOwnerErrorMessage, exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RemoveUsers_WithEventSystemUser_Success(
+        EventSystemUser eventSystemUser,
+        [OrganizationUser(type: OrganizationUserType.Owner)] OrganizationUser orgUser1,
+        OrganizationUser orgUser2)
+    {
+        // Arrange
+        var sutProvider = SutProviderFactory();
+        var eventDate = sutProvider.GetDependency<FakeTimeProvider>().GetUtcNow().UtcDateTime;
+        orgUser1.OrganizationId = orgUser2.OrganizationId;
+        var organizationUsers = new[] { orgUser1, orgUser2 };
+        var organizationUserIds = organizationUsers.Select(u => u.Id);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyAsync(default)
+            .ReturnsForAnyArgs(organizationUsers);
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(orgUser1.OrganizationId, Arg.Any<IEnumerable<Guid>>())
+            .Returns(true);
+
+        // Act
+        var result = await sutProvider.Sut.RemoveUsersAsync(orgUser1.OrganizationId, organizationUserIds, eventSystemUser);
+
+        // Assert
+        Assert.Equal(2, result.Count());
+        Assert.All(result, r => Assert.Empty(r.ErrorMessage));
+        await sutProvider.GetDependency<IGetOrganizationUsersManagementStatusQuery>()
+            .DidNotReceiveWithAnyArgs()
+            .GetUsersOrganizationManagementStatusAsync(default, default);
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .DeleteManyAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(orgUser1.Id) && i.Contains(orgUser2.Id)));
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventsAsync(
+                Arg.Is<IEnumerable<(OrganizationUser OrganizationUser, EventType EventType, EventSystemUser EventSystemUser, DateTime? DateTime)>>(
+                    i => i.First().OrganizationUser.Id == orgUser1.Id
+                        && i.Last().OrganizationUser.Id == orgUser2.Id
+                        && i.All(u => u.EventSystemUser == eventSystemUser
+                            && u.DateTime == eventDate)));
+    }
+
+    [Theory, BitAutoData]
+    public async Task RemoveUsers_WithEventSystemUser_WithAccountDeprovisioningEnabled_Success(
+        EventSystemUser eventSystemUser,
+        [OrganizationUser(type: OrganizationUserType.Owner)] OrganizationUser orgUser1,
+        OrganizationUser orgUser2)
+    {
+        // Arrange
+        var sutProvider = SutProviderFactory();
+        var eventDate = sutProvider.GetDependency<FakeTimeProvider>().GetUtcNow().UtcDateTime;
+        orgUser1.OrganizationId = orgUser2.OrganizationId;
+        var organizationUsers = new[] { orgUser1, orgUser2 };
+        var organizationUserIds = organizationUsers.Select(u => u.Id);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
+            .Returns(true);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyAsync(default)
+            .ReturnsForAnyArgs(organizationUsers);
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(orgUser1.OrganizationId, Arg.Any<IEnumerable<Guid>>())
+            .Returns(true);
+
+        // Act
+        var result = await sutProvider.Sut.RemoveUsersAsync(orgUser1.OrganizationId, organizationUserIds, eventSystemUser);
+
+        // Assert
+        Assert.Equal(2, result.Count());
+        Assert.All(result, r => Assert.Empty(r.ErrorMessage));
+        await sutProvider.GetDependency<IGetOrganizationUsersManagementStatusQuery>()
+            .DidNotReceiveWithAnyArgs()
+            .GetUsersOrganizationManagementStatusAsync(default, default);
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .DeleteManyAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(orgUser1.Id) && i.Contains(orgUser2.Id)));
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventsAsync(
+                Arg.Is<IEnumerable<(OrganizationUser OrganizationUser, EventType EventType, EventSystemUser EventSystemUser, DateTime? DateTime)>>(
+                    i => i.First().OrganizationUser.Id == orgUser1.Id
+                        && i.Last().OrganizationUser.Id == orgUser2.Id
+                        && i.All(u => u.EventSystemUser == eventSystemUser
+                            && u.DateTime == eventDate)));
+    }
+
+    [Theory, BitAutoData]
+    public async Task RemoveUsers_WithEventSystemUser_WithMismatchingOrganizationId_ThrowsException(
+        EventSystemUser eventSystemUser,
+        [OrganizationUser(type: OrganizationUserType.User)] OrganizationUser organizationUser,
+        SutProvider<RemoveOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        var organizationUsers = new[] { organizationUser };
+        var organizationUserIds = organizationUsers.Select(u => u.Id);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyAsync(default)
+            .ReturnsForAnyArgs(organizationUsers);
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RemoveUsersAsync(Guid.NewGuid(), organizationUserIds, eventSystemUser));
+        Assert.Contains(RemoveOrganizationUserCommand.UsersInvalidErrorMessage, exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RemoveUsers_WithEventSystemUser_LastOwner_ThrowsException(
+        [OrganizationUser(status: OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser orgUser,
+        EventSystemUser eventSystemUser, SutProvider<RemoveOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        var organizationUsers = new[] { orgUser };
+        var organizationUserIds = organizationUsers.Select(u => u.Id);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyAsync(default)
+            .ReturnsForAnyArgs(organizationUsers);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByOrganizationAsync(orgUser.OrganizationId, OrganizationUserType.Owner)
+            .Returns(organizationUsers);
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RemoveUsersAsync(orgUser.OrganizationId, organizationUserIds, eventSystemUser));
+        Assert.Contains(RemoveOrganizationUserCommand.RemoveLastConfirmedOwnerErrorMessage, exception.Message);
+    }
+
+    /// <summary>
+    /// Returns a new SutProvider with a FakeTimeProvider registered in the Sut.
+    /// </summary>
+    private static SutProvider<RemoveOrganizationUserCommand> SutProviderFactory()
+    {
+        return new SutProvider<RemoveOrganizationUserCommand>()
+            .WithFakeTimeProvider()
+            .Create();
     }
 }

From c8930d44f26a1003cae1f803215ea61653ab2347 Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Wed, 27 Nov 2024 06:47:18 -0600
Subject: [PATCH 009/384] Swapping [] for Array.Empty<string> (#5092)

---
 src/Core/Models/Commands/CommandResult.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Core/Models/Commands/CommandResult.cs b/src/Core/Models/Commands/CommandResult.cs
index 4ac2d62499..9e5d91e09c 100644
--- a/src/Core/Models/Commands/CommandResult.cs
+++ b/src/Core/Models/Commands/CommandResult.cs
@@ -8,5 +8,5 @@ public class CommandResult(IEnumerable<string> errors)
     public bool HasErrors => ErrorMessages.Count > 0;
     public List<string> ErrorMessages { get; } = errors.ToList();
 
-    public CommandResult() : this([]) { }
+    public CommandResult() : this(Array.Empty<string>()) { }
 }

From aa364cacef9cd0e3bc3746497d0ed6593143589b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Wed, 27 Nov 2024 15:49:20 +0000
Subject: [PATCH 010/384] [PM-14876] Update admin panel copy from 'Domain
 Verified' to 'Claimed Account' and rename associated ViewModel properties
 (#5058)

---
 src/Admin/Models/UserEditModel.cs             | 10 +++-------
 src/Admin/Models/UserViewModel.cs             | 14 +++++++-------
 src/Admin/Views/Users/_ViewInformation.cshtml |  7 ++++---
 test/Admin.Test/Models/UserViewModelTests.cs  | 14 ++++----------
 4 files changed, 18 insertions(+), 27 deletions(-)

diff --git a/src/Admin/Models/UserEditModel.cs b/src/Admin/Models/UserEditModel.cs
index 2ad0b27cbd..ed2d653246 100644
--- a/src/Admin/Models/UserEditModel.cs
+++ b/src/Admin/Models/UserEditModel.cs
@@ -9,10 +9,7 @@ namespace Bit.Admin.Models;
 
 public class UserEditModel
 {
-    public UserEditModel()
-    {
-
-    }
+    public UserEditModel() { }
 
     public UserEditModel(
         User user,
@@ -21,10 +18,9 @@ public class UserEditModel
         BillingInfo billingInfo,
         BillingHistoryInfo billingHistoryInfo,
         GlobalSettings globalSettings,
-        bool? domainVerified
-        )
+        bool? claimedAccount)
     {
-        User = UserViewModel.MapViewModel(user, isTwoFactorEnabled, ciphers, domainVerified);
+        User = UserViewModel.MapViewModel(user, isTwoFactorEnabled, ciphers, claimedAccount);
 
         BillingInfo = billingInfo;
         BillingHistoryInfo = billingHistoryInfo;
diff --git a/src/Admin/Models/UserViewModel.cs b/src/Admin/Models/UserViewModel.cs
index 75c089ee5f..7fddbc0f54 100644
--- a/src/Admin/Models/UserViewModel.cs
+++ b/src/Admin/Models/UserViewModel.cs
@@ -14,7 +14,7 @@ public class UserViewModel
     public bool Premium { get; }
     public short? MaxStorageGb { get; }
     public bool EmailVerified { get; }
-    public bool? DomainVerified { get; }
+    public bool? ClaimedAccount { get; }
     public bool TwoFactorEnabled { get; }
     public DateTime AccountRevisionDate { get; }
     public DateTime RevisionDate { get; }
@@ -36,7 +36,7 @@ public class UserViewModel
         bool premium,
         short? maxStorageGb,
         bool emailVerified,
-        bool? domainVerified,
+        bool? claimedAccount,
         bool twoFactorEnabled,
         DateTime accountRevisionDate,
         DateTime revisionDate,
@@ -58,7 +58,7 @@ public class UserViewModel
         Premium = premium;
         MaxStorageGb = maxStorageGb;
         EmailVerified = emailVerified;
-        DomainVerified = domainVerified;
+        ClaimedAccount = claimedAccount;
         TwoFactorEnabled = twoFactorEnabled;
         AccountRevisionDate = accountRevisionDate;
         RevisionDate = revisionDate;
@@ -79,7 +79,7 @@ public class UserViewModel
         users.Select(user => MapViewModel(user, lookup, false));
 
     public static UserViewModel MapViewModel(User user,
-        IEnumerable<(Guid userId, bool twoFactorIsEnabled)> lookup, bool? domainVerified) =>
+        IEnumerable<(Guid userId, bool twoFactorIsEnabled)> lookup, bool? claimedAccount) =>
         new(
             user.Id,
             user.Name,
@@ -89,7 +89,7 @@ public class UserViewModel
             user.Premium,
             user.MaxStorageGb,
             user.EmailVerified,
-            domainVerified,
+            claimedAccount,
             IsTwoFactorEnabled(user, lookup),
             user.AccountRevisionDate,
             user.RevisionDate,
@@ -106,7 +106,7 @@ public class UserViewModel
     public static UserViewModel MapViewModel(User user, bool isTwoFactorEnabled) =>
         MapViewModel(user, isTwoFactorEnabled, Array.Empty<Cipher>(), false);
 
-    public static UserViewModel MapViewModel(User user, bool isTwoFactorEnabled, IEnumerable<Cipher> ciphers, bool? domainVerified) =>
+    public static UserViewModel MapViewModel(User user, bool isTwoFactorEnabled, IEnumerable<Cipher> ciphers, bool? claimedAccount) =>
         new(
             user.Id,
             user.Name,
@@ -116,7 +116,7 @@ public class UserViewModel
             user.Premium,
             user.MaxStorageGb,
             user.EmailVerified,
-            domainVerified,
+            claimedAccount,
             isTwoFactorEnabled,
             user.AccountRevisionDate,
             user.RevisionDate,
diff --git a/src/Admin/Views/Users/_ViewInformation.cshtml b/src/Admin/Views/Users/_ViewInformation.cshtml
index 00afcc19df..ae8bcb0737 100644
--- a/src/Admin/Views/Users/_ViewInformation.cshtml
+++ b/src/Admin/Views/Users/_ViewInformation.cshtml
@@ -12,9 +12,10 @@
     <dt class="col-sm-4 col-lg-3">Email Verified</dt>
     <dd class="col-sm-8 col-lg-9">@(Model.EmailVerified ? "Yes" : "No")</dd>
 
-    @if(Model.DomainVerified.HasValue){
-    <dt class="col-sm-4 col-lg-3">Domain Verified</dt>
-    <dd class="col-sm-8 col-lg-9">@(Model.DomainVerified.Value == true ? "Yes" : "No")</dd>
+    @if(Model.ClaimedAccount.HasValue)
+    {
+        <dt class="col-sm-4 col-lg-3">Claimed Account</dt>
+        <dd class="col-sm-8 col-lg-9">@(Model.ClaimedAccount.Value ? "Yes" : "No")</dd>
     }
 
     <dt class="col-sm-4 col-lg-3">Using 2FA</dt>
diff --git a/test/Admin.Test/Models/UserViewModelTests.cs b/test/Admin.Test/Models/UserViewModelTests.cs
index fac5d5f0eb..d015b98328 100644
--- a/test/Admin.Test/Models/UserViewModelTests.cs
+++ b/test/Admin.Test/Models/UserViewModelTests.cs
@@ -1,6 +1,4 @@
-#nullable enable
-
-using Bit.Admin.Models;
+using Bit.Admin.Models;
 using Bit.Core.Entities;
 using Bit.Core.Vault.Entities;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -116,30 +114,26 @@ public class UserViewModelTests
 
         var actual = UserViewModel.MapViewModel(user, true, Array.Empty<Cipher>(), verifiedDomain);
 
-        Assert.True(actual.DomainVerified);
+        Assert.True(actual.ClaimedAccount);
     }
 
     [Theory]
     [BitAutoData]
     public void MapUserViewModel_WithoutVerifiedDomain_ReturnsUserViewModel(User user)
     {
-
         var verifiedDomain = false;
 
         var actual = UserViewModel.MapViewModel(user, true, Array.Empty<Cipher>(), verifiedDomain);
 
-        Assert.False(actual.DomainVerified);
+        Assert.False(actual.ClaimedAccount);
     }
 
     [Theory]
     [BitAutoData]
     public void MapUserViewModel_WithNullVerifiedDomain_ReturnsUserViewModel(User user)
     {
-
         var actual = UserViewModel.MapViewModel(user, true, Array.Empty<Cipher>(), null);
 
-        Assert.Null(actual.DomainVerified);
+        Assert.Null(actual.ClaimedAccount);
     }
-
-
 }

From e9297f85e9593abafb870f833dfcfad4c67e21ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Wed, 27 Nov 2024 15:55:05 +0000
Subject: [PATCH 011/384] [PM-12684] Remove deprecated feature flag for Members
 TwoFA query optimization (#5076)

---
 src/Core/Constants.cs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 8fe3886539..8077494794 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -129,7 +129,6 @@ public static class FeatureFlagKeys
     public const string UnauthenticatedExtensionUIRefresh = "unauth-ui-refresh";
     public const string GenerateIdentityFillScriptRefactor = "generate-identity-fill-script-refactor";
     public const string DelayFido2PageScriptInitWithinMv2 = "delay-fido2-page-script-init-within-mv2";
-    public const string MembersTwoFAQueryOptimization = "ac-1698-members-two-fa-query-optimization";
     public const string NativeCarouselFlow = "native-carousel-flow";
     public const string NativeCreateAccountFlow = "native-create-account-flow";
     public const string AccountDeprovisioning = "pm-10308-account-deprovisioning";

From c703390ba2944621f541e4bd737f27a3fe0136be Mon Sep 17 00:00:00 2001
From: Andreas Coroiu <acoroiu@bitwarden.com>
Date: Thu, 28 Nov 2024 09:49:09 +0100
Subject: [PATCH 012/384] feat: add credential sync feature flag (#5052)

---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 8077494794..561f5f27c8 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -155,6 +155,7 @@ public static class FeatureFlagKeys
     public const string SecurityTasks = "security-tasks";
     public const string PM14401_ScaleMSPOnClientOrganizationUpdate = "PM-14401-scale-msp-on-client-organization-update";
     public const string DisableFreeFamiliesSponsorship = "PM-12274-disable-free-families-sponsorship";
+    public const string MacOsNativeCredentialSync = "macos-native-credential-sync";
 
     public static List<string> GetAllKeys()
     {

From 193f8d661216042b2ce423c6d3e5e0a9a1a96eac Mon Sep 17 00:00:00 2001
From: Addison Beck <addison@bitwarden.com>
Date: Mon, 2 Dec 2024 06:42:17 -0500
Subject: [PATCH 013/384] Update version to 2024.12.0 (#5099)

---
 Directory.Build.props | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 4e252c82ed..8639ac4a0d 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2024.11.0</Version>
+    <Version>2024.12.0</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>
@@ -64,4 +64,4 @@
     </ItemGroup>
   </Target>
 
-</Project>
\ No newline at end of file
+</Project>

From ac42b81f7c426db11a8a7fb4632a1fc295cf830c Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Mon, 2 Dec 2024 10:19:21 -0500
Subject: [PATCH 014/384] [PM-14862] Update documentation response type.
 (#5083)

Update documentation to align with the code's response type.
---
 .../AdminConsole/Public/Controllers/OrganizationController.cs  | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/Api/AdminConsole/Public/Controllers/OrganizationController.cs b/src/Api/AdminConsole/Public/Controllers/OrganizationController.cs
index 9d0b902f89..c1715f471c 100644
--- a/src/Api/AdminConsole/Public/Controllers/OrganizationController.cs
+++ b/src/Api/AdminConsole/Public/Controllers/OrganizationController.cs
@@ -1,6 +1,5 @@
 using System.Net;
 using Bit.Api.AdminConsole.Public.Models.Request;
-using Bit.Api.AdminConsole.Public.Models.Response;
 using Bit.Api.Models.Public.Response;
 using Bit.Core.Context;
 using Bit.Core.Enums;
@@ -38,7 +37,7 @@ public class OrganizationController : Controller
     /// </remarks>
     /// <param name="model">The request model.</param>
     [HttpPost("import")]
-    [ProducesResponseType(typeof(MemberResponseModel), (int)HttpStatusCode.OK)]
+    [ProducesResponseType(typeof(OkResult), (int)HttpStatusCode.OK)]
     [ProducesResponseType(typeof(ErrorResponseModel), (int)HttpStatusCode.BadRequest)]
     public async Task<IActionResult> Import([FromBody] OrganizationImportRequestModel model)
     {

From 6a77a6d8eebace51a8057b3f643135541cfbf589 Mon Sep 17 00:00:00 2001
From: Brandon Treston <btreston@bitwarden.com>
Date: Tue, 3 Dec 2024 09:58:46 -0500
Subject: [PATCH 015/384] [PM-14552] Update error messages copy (#5059)

* update error messages

* fix tests
---
 .../Implementations/OrganizationService.cs    | 32 ++++++--
 .../Services/OrganizationServiceTests.cs      | 78 ++++++++++++++++---
 2 files changed, 94 insertions(+), 16 deletions(-)

diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index 47c79aa13e..e8756fb325 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -2332,10 +2332,13 @@ public class OrganizationService : IOrganizationService
             PolicyType.SingleOrg, OrganizationUserStatusType.Revoked);
         var singleOrgPolicyApplies = singleOrgPoliciesApplyingToRevokedUsers.Any(p => p.OrganizationId == orgUser.OrganizationId);
 
+        var singleOrgCompliant = true;
+        var belongsToOtherOrgCompliant = true;
+        var twoFactorCompliant = true;
+
         if (hasOtherOrgs && singleOrgPolicyApplies)
         {
-            throw new BadRequestException("You cannot restore this user until " +
-                "they leave or remove all other organizations.");
+            singleOrgCompliant = false;
         }
 
         // Enforce Single Organization Policy of other organizations user is a member of
@@ -2343,8 +2346,7 @@ public class OrganizationService : IOrganizationService
             PolicyType.SingleOrg);
         if (anySingleOrgPolicies)
         {
-            throw new BadRequestException("You cannot restore this user because they are a member of " +
-                "another organization which forbids it");
+            belongsToOtherOrgCompliant = false;
         }
 
         // Enforce Two Factor Authentication Policy of organization user is trying to join
@@ -2354,10 +2356,28 @@ public class OrganizationService : IOrganizationService
                 PolicyType.TwoFactorAuthentication, OrganizationUserStatusType.Invited);
             if (invitedTwoFactorPolicies.Any(p => p.OrganizationId == orgUser.OrganizationId))
             {
-                throw new BadRequestException("You cannot restore this user until they enable " +
-                    "two-step login on their user account.");
+                twoFactorCompliant = false;
             }
         }
+
+        var user = await _userRepository.GetByIdAsync(userId);
+
+        if (!singleOrgCompliant && !twoFactorCompliant)
+        {
+            throw new BadRequestException(user.Email + " is not compliant with the single organization and two-step login polciy");
+        }
+        else if (!singleOrgCompliant)
+        {
+            throw new BadRequestException(user.Email + " is not compliant with the single organization policy");
+        }
+        else if (!belongsToOtherOrgCompliant)
+        {
+            throw new BadRequestException(user.Email + " belongs to an organization that doesn't allow them to join multiple organizations");
+        }
+        else if (!twoFactorCompliant)
+        {
+            throw new BadRequestException(user.Email + " is not compliant with the two-step login policy");
+        }
     }
 
     static OrganizationUserStatusType GetPriorActiveOrganizationUserStatusType(OrganizationUser organizationUser)
diff --git a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
index e09293f32d..f0b7084fe9 100644
--- a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
+++ b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
@@ -1833,11 +1833,14 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
             .AnyPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg, Arg.Any<OrganizationUserStatusType>())
             .Returns(true);
 
+        var user = new User();
+        user.Email = "test@bitwarden.com";
+        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
+
         var exception = await Assert.ThrowsAsync<BadRequestException>(
             () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
 
-        Assert.Contains("you cannot restore this user because they are a member of " +
-                        "another organization which forbids it", exception.Message.ToLowerInvariant());
+        Assert.Contains("test@bitwarden.com belongs to an organization that doesn't allow them to join multiple organizations", exception.Message.ToLowerInvariant());
 
         await organizationUserRepository.DidNotReceiveWithAnyArgs().RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
         await eventService.DidNotReceiveWithAnyArgs()
@@ -1865,11 +1868,14 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
             .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
             .Returns(new[] { new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.TwoFactorAuthentication } });
 
+        var user = new User();
+        user.Email = "test@bitwarden.com";
+        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
+
         var exception = await Assert.ThrowsAsync<BadRequestException>(
             () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
 
-        Assert.Contains("you cannot restore this user until they enable " +
-                        "two-step login on their user account.", exception.Message.ToLowerInvariant());
+        Assert.Contains("test@bitwarden.com is not compliant with the two-step login policy", exception.Message.ToLowerInvariant());
 
         await organizationUserRepository.DidNotReceiveWithAnyArgs().RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
         await eventService.DidNotReceiveWithAnyArgs()
@@ -1924,11 +1930,14 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
                 new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.SingleOrg, OrganizationUserStatus = OrganizationUserStatusType.Revoked }
             });
 
+        var user = new User();
+        user.Email = "test@bitwarden.com";
+        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
+
         var exception = await Assert.ThrowsAsync<BadRequestException>(
             () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
 
-        Assert.Contains("you cannot restore this user until " +
-                        "they leave or remove all other organizations.", exception.Message.ToLowerInvariant());
+        Assert.Contains("test@bitwarden.com is not compliant with the single organization policy", exception.Message.ToLowerInvariant());
 
         await organizationUserRepository.DidNotReceiveWithAnyArgs().RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
         await eventService.DidNotReceiveWithAnyArgs()
@@ -1958,11 +1967,57 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
             .AnyPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg, Arg.Any<OrganizationUserStatusType>())
             .Returns(true);
 
+        var user = new User();
+        user.Email = "test@bitwarden.com";
+        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
+
         var exception = await Assert.ThrowsAsync<BadRequestException>(
             () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
 
-        Assert.Contains("you cannot restore this user because they are a member of " +
-                        "another organization which forbids it", exception.Message.ToLowerInvariant());
+        Assert.Contains("test@bitwarden.com belongs to an organization that doesn't allow them to join multiple organizations", exception.Message.ToLowerInvariant());
+
+        await organizationUserRepository.DidNotReceiveWithAnyArgs().RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
+        await eventService.DidNotReceiveWithAnyArgs()
+            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task RestoreUser_WithSingleOrgPolicyEnabled_And_2FA_Policy_Fails(
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser secondOrganizationUser,
+        SutProvider<OrganizationService> sutProvider)
+    {
+        organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
+        secondOrganizationUser.UserId = organizationUser.UserId;
+        RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+        var eventService = sutProvider.GetDependency<IEventService>();
+
+        organizationUserRepository.GetManyByUserAsync(organizationUser.UserId.Value).Returns(new[] { organizationUser, secondOrganizationUser });
+        sutProvider.GetDependency<IPolicyService>()
+            .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg, Arg.Any<OrganizationUserStatusType>())
+            .Returns(new[]
+            {
+                new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.SingleOrg, OrganizationUserStatus = OrganizationUserStatusType.Revoked }
+            });
+
+        sutProvider.GetDependency<IPolicyService>()
+            .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
+            .Returns(new[]
+            {
+                new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.TwoFactorAuthentication, OrganizationUserStatus = OrganizationUserStatusType.Revoked }
+            });
+
+        var user = new User();
+        user.Email = "test@bitwarden.com";
+        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
+
+        Assert.Contains("test@bitwarden.com is not compliant with the single organization and two-step login polciy", exception.Message.ToLowerInvariant());
 
         await organizationUserRepository.DidNotReceiveWithAnyArgs().RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
         await eventService.DidNotReceiveWithAnyArgs()
@@ -1986,11 +2041,14 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
             .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
             .Returns(new[] { new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.TwoFactorAuthentication } });
 
+        var user = new User();
+        user.Email = "test@bitwarden.com";
+        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
+
         var exception = await Assert.ThrowsAsync<BadRequestException>(
             () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
 
-        Assert.Contains("you cannot restore this user until they enable " +
-                        "two-step login on their user account.", exception.Message.ToLowerInvariant());
+        Assert.Contains("test@bitwarden.com is not compliant with the two-step login policy", exception.Message.ToLowerInvariant());
 
         await organizationUserRepository.DidNotReceiveWithAnyArgs().RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
         await eventService.DidNotReceiveWithAnyArgs()

From 059e6816f2b24854663e9d0e7304072019cb80ce Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Tue, 3 Dec 2024 11:01:45 -0600
Subject: [PATCH 016/384] Fixing migration script. (#5093)

---
 util/Migrator/DbScripts/2024-11-26-00_OrgUserSetStatusBulk.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/Migrator/DbScripts/2024-11-26-00_OrgUserSetStatusBulk.sql b/util/Migrator/DbScripts/2024-11-26-00_OrgUserSetStatusBulk.sql
index 95151f90de..5c51f9da40 100644
--- a/util/Migrator/DbScripts/2024-11-26-00_OrgUserSetStatusBulk.sql
+++ b/util/Migrator/DbScripts/2024-11-26-00_OrgUserSetStatusBulk.sql
@@ -1,4 +1,4 @@
-CREATE PROCEDURE [dbo].[OrganizationUser_SetStatusForUsersById]
+CREATE OR ALTER PROCEDURE[dbo].[OrganizationUser_SetStatusForUsersById]
     @OrganizationUserIds AS NVARCHAR(MAX),
     @Status SMALLINT
 AS

From b580d7c02210e9d18094f6f713ada52ce387198a Mon Sep 17 00:00:00 2001
From: Conner Turnbull <133619638+cturnbull-bitwarden@users.noreply.github.com>
Date: Tue, 3 Dec 2024 14:06:38 -0500
Subject: [PATCH 017/384] Automatically forwarding ports 1080 and 1433 in VS
 Code/Cursor (#5104)

---
 .devcontainer/internal_dev/devcontainer.json | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.devcontainer/internal_dev/devcontainer.json b/.devcontainer/internal_dev/devcontainer.json
index ee9ab7a96d..78a79180ee 100644
--- a/.devcontainer/internal_dev/devcontainer.json
+++ b/.devcontainer/internal_dev/devcontainer.json
@@ -21,10 +21,15 @@
     }
   },
   "postCreateCommand": "bash .devcontainer/internal_dev/postCreateCommand.sh",
+  "forwardPorts": [1080, 1433],
   "portsAttributes": {
     "1080": {
       "label": "Mail Catcher",
       "onAutoForward": "notify"
+    },
+    "1433": {
+      "label": "SQL Server",
+      "onAutoForward": "notify"
     }
   }
 }

From c9aa61b0cf7382630553782d0301c0f9987fffe5 Mon Sep 17 00:00:00 2001
From: Conner Turnbull <133619638+cturnbull-bitwarden@users.noreply.github.com>
Date: Tue, 3 Dec 2024 15:38:34 -0500
Subject: [PATCH 018/384] Updated dev container to give the option of
 installing the Stripe CLI (#5105)

---
 .devcontainer/internal_dev/postCreateCommand.sh | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/.devcontainer/internal_dev/postCreateCommand.sh b/.devcontainer/internal_dev/postCreateCommand.sh
index b013be1cec..668b776447 100755
--- a/.devcontainer/internal_dev/postCreateCommand.sh
+++ b/.devcontainer/internal_dev/postCreateCommand.sh
@@ -70,6 +70,22 @@ Press <Enter> to continue."
         sleep 5 # wait for DB container to start
         dotnet run --project ./util/MsSqlMigratorUtility "$SQL_CONNECTION_STRING"
     fi
+    read -r -p "Would you like to install the Stripe CLI? [y/N] " stripe_response
+    if [[ "$stripe_response" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+        install_stripe_cli
+    fi
+}
+
+# Install Stripe CLI
+install_stripe_cli() {
+    echo "Installing Stripe CLI..."
+    # Add Stripe CLI GPG key so that apt can verify the packages authenticity.
+    # If Stripe ever changes the key, we'll need to update this. Visit https://docs.stripe.com/stripe-cli?install-method=apt if so
+    curl -s https://packages.stripe.dev/api/security/keypair/stripe-cli-gpg/public | gpg --dearmor | sudo tee /usr/share/keyrings/stripe.gpg >/dev/null
+    # Add Stripe CLI repository to apt sources
+    echo "deb [signed-by=/usr/share/keyrings/stripe.gpg] https://packages.stripe.dev/stripe-cli-debian-local stable main" | sudo tee -a /etc/apt/sources.list.d/stripe.list >/dev/null
+    sudo apt update
+    sudo apt install -y stripe
 }
 
 # main

From 44b687922d7756e4771e0572a19af596b447a9df Mon Sep 17 00:00:00 2001
From: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
Date: Wed, 4 Dec 2024 11:50:47 +1000
Subject: [PATCH 019/384] [PM-14245] Remove policy definitions feature flag
 (#5095)

* Remove PolicyService.SaveAsync and use command instead

* Delete feature flag definition

* Add public api integration tests
---
 .../Controllers/PoliciesController.cs         |  29 +-
 .../Models/Request/PolicyRequestModel.cs      |  25 +-
 .../Public/Controllers/PoliciesController.cs  |  20 +-
 .../Request/PolicyUpdateRequestModel.cs       |  27 +-
 .../Models/Response/PolicyResponseModel.cs    |   6 +-
 .../VerifyOrganizationDomainCommand.cs        |  21 +-
 .../Policies/ISavePolicyCommand.cs            |   5 +-
 .../Implementations/SavePolicyCommand.cs      |   4 +-
 .../AdminConsole/Services/IPolicyService.cs   |   5 +-
 .../Services/Implementations/PolicyService.cs | 276 +------
 .../Implementations/SsoConfigService.cs       |  47 +-
 src/Core/Constants.cs                         |   1 -
 .../Controllers/PoliciesControllerTests.cs    | 163 ++++
 .../Controllers/PoliciesControllerTests.cs    |  33 -
 .../VerifyOrganizationDomainCommandTests.cs   |  28 +-
 .../Services/PolicyServiceTests.cs            | 701 ------------------
 .../Auth/Services/SsoConfigServiceTests.cs    |  25 +-
 17 files changed, 290 insertions(+), 1126 deletions(-)
 create mode 100644 test/Api.IntegrationTest/AdminConsole/Public/Controllers/PoliciesControllerTests.cs
 delete mode 100644 test/Api.Test/AdminConsole/Public/Controllers/PoliciesControllerTests.cs

diff --git a/src/Api/AdminConsole/Controllers/PoliciesController.cs b/src/Api/AdminConsole/Controllers/PoliciesController.cs
index ee48cdd5d4..1167d7a86c 100644
--- a/src/Api/AdminConsole/Controllers/PoliciesController.cs
+++ b/src/Api/AdminConsole/Controllers/PoliciesController.cs
@@ -6,8 +6,8 @@ using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.Repositories;
-using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Models.Business.Tokenables;
 using Bit.Core.Context;
 using Bit.Core.Enums;
@@ -28,7 +28,6 @@ namespace Bit.Api.AdminConsole.Controllers;
 public class PoliciesController : Controller
 {
     private readonly IPolicyRepository _policyRepository;
-    private readonly IPolicyService _policyService;
     private readonly IOrganizationUserRepository _organizationUserRepository;
     private readonly IUserService _userService;
     private readonly ICurrentContext _currentContext;
@@ -37,10 +36,10 @@ public class PoliciesController : Controller
     private readonly IDataProtectorTokenFactory<OrgUserInviteTokenable> _orgUserInviteTokenDataFactory;
     private readonly IFeatureService _featureService;
     private readonly IOrganizationHasVerifiedDomainsQuery _organizationHasVerifiedDomainsQuery;
+    private readonly ISavePolicyCommand _savePolicyCommand;
 
     public PoliciesController(
         IPolicyRepository policyRepository,
-        IPolicyService policyService,
         IOrganizationUserRepository organizationUserRepository,
         IUserService userService,
         ICurrentContext currentContext,
@@ -48,10 +47,10 @@ public class PoliciesController : Controller
         IDataProtectionProvider dataProtectionProvider,
         IDataProtectorTokenFactory<OrgUserInviteTokenable> orgUserInviteTokenDataFactory,
         IFeatureService featureService,
-        IOrganizationHasVerifiedDomainsQuery organizationHasVerifiedDomainsQuery)
+        IOrganizationHasVerifiedDomainsQuery organizationHasVerifiedDomainsQuery,
+        ISavePolicyCommand savePolicyCommand)
     {
         _policyRepository = policyRepository;
-        _policyService = policyService;
         _organizationUserRepository = organizationUserRepository;
         _userService = userService;
         _currentContext = currentContext;
@@ -62,6 +61,7 @@ public class PoliciesController : Controller
         _orgUserInviteTokenDataFactory = orgUserInviteTokenDataFactory;
         _featureService = featureService;
         _organizationHasVerifiedDomainsQuery = organizationHasVerifiedDomainsQuery;
+        _savePolicyCommand = savePolicyCommand;
     }
 
     [HttpGet("{type}")]
@@ -178,25 +178,20 @@ public class PoliciesController : Controller
     }
 
     [HttpPut("{type}")]
-    public async Task<PolicyResponseModel> Put(string orgId, int type, [FromBody] PolicyRequestModel model)
+    public async Task<PolicyResponseModel> Put(Guid orgId, PolicyType type, [FromBody] PolicyRequestModel model)
     {
-        var orgIdGuid = new Guid(orgId);
-        if (!await _currentContext.ManagePolicies(orgIdGuid))
+        if (!await _currentContext.ManagePolicies(orgId))
         {
             throw new NotFoundException();
         }
-        var policy = await _policyRepository.GetByOrganizationIdTypeAsync(new Guid(orgId), (PolicyType)type);
-        if (policy == null)
+
+        if (type != model.Type)
         {
-            policy = model.ToPolicy(orgIdGuid);
-        }
-        else
-        {
-            policy = model.ToPolicy(policy);
+            throw new BadRequestException("Mismatched policy type");
         }
 
-        var userId = _userService.GetProperUserId(User);
-        await _policyService.SaveAsync(policy, userId);
+        var policyUpdate = await model.ToPolicyUpdateAsync(orgId, _currentContext);
+        var policy = await _savePolicyCommand.SaveAsync(policyUpdate);
         return new PolicyResponseModel(policy);
     }
 }
diff --git a/src/Api/AdminConsole/Models/Request/PolicyRequestModel.cs b/src/Api/AdminConsole/Models/Request/PolicyRequestModel.cs
index db191194d7..a243f46b2e 100644
--- a/src/Api/AdminConsole/Models/Request/PolicyRequestModel.cs
+++ b/src/Api/AdminConsole/Models/Request/PolicyRequestModel.cs
@@ -1,7 +1,9 @@
 using System.ComponentModel.DataAnnotations;
 using System.Text.Json;
-using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
+using Bit.Core.Context;
 
 namespace Bit.Api.AdminConsole.Models.Request;
 
@@ -13,19 +15,12 @@ public class PolicyRequestModel
     public bool? Enabled { get; set; }
     public Dictionary<string, object> Data { get; set; }
 
-    public Policy ToPolicy(Guid orgId)
+    public async Task<PolicyUpdate> ToPolicyUpdateAsync(Guid organizationId, ICurrentContext currentContext) => new()
     {
-        return ToPolicy(new Policy
-        {
-            Type = Type.Value,
-            OrganizationId = orgId
-        });
-    }
-
-    public Policy ToPolicy(Policy existingPolicy)
-    {
-        existingPolicy.Enabled = Enabled.GetValueOrDefault();
-        existingPolicy.Data = Data != null ? JsonSerializer.Serialize(Data) : null;
-        return existingPolicy;
-    }
+        Type = Type!.Value,
+        OrganizationId = organizationId,
+        Data = Data != null ? JsonSerializer.Serialize(Data) : null,
+        Enabled = Enabled.GetValueOrDefault(),
+        PerformedBy = new StandardUser(currentContext.UserId!.Value, await currentContext.OrganizationOwner(organizationId))
+    };
 }
diff --git a/src/Api/AdminConsole/Public/Controllers/PoliciesController.cs b/src/Api/AdminConsole/Public/Controllers/PoliciesController.cs
index f2e7c35d24..a22c05ed62 100644
--- a/src/Api/AdminConsole/Public/Controllers/PoliciesController.cs
+++ b/src/Api/AdminConsole/Public/Controllers/PoliciesController.cs
@@ -3,6 +3,7 @@ using Bit.Api.AdminConsole.Public.Models.Request;
 using Bit.Api.AdminConsole.Public.Models.Response;
 using Bit.Api.Models.Public.Response;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Context;
@@ -18,15 +19,18 @@ public class PoliciesController : Controller
     private readonly IPolicyRepository _policyRepository;
     private readonly IPolicyService _policyService;
     private readonly ICurrentContext _currentContext;
+    private readonly ISavePolicyCommand _savePolicyCommand;
 
     public PoliciesController(
         IPolicyRepository policyRepository,
         IPolicyService policyService,
-        ICurrentContext currentContext)
+        ICurrentContext currentContext,
+        ISavePolicyCommand savePolicyCommand)
     {
         _policyRepository = policyRepository;
         _policyService = policyService;
         _currentContext = currentContext;
+        _savePolicyCommand = savePolicyCommand;
     }
 
     /// <summary>
@@ -80,17 +84,9 @@ public class PoliciesController : Controller
     [ProducesResponseType((int)HttpStatusCode.NotFound)]
     public async Task<IActionResult> Put(PolicyType type, [FromBody] PolicyUpdateRequestModel model)
     {
-        var policy = await _policyRepository.GetByOrganizationIdTypeAsync(
-            _currentContext.OrganizationId.Value, type);
-        if (policy == null)
-        {
-            policy = model.ToPolicy(_currentContext.OrganizationId.Value, type);
-        }
-        else
-        {
-            policy = model.ToPolicy(policy);
-        }
-        await _policyService.SaveAsync(policy, null);
+        var policyUpdate = model.ToPolicyUpdate(_currentContext.OrganizationId!.Value, type);
+        var policy = await _savePolicyCommand.SaveAsync(policyUpdate);
+
         var response = new PolicyResponseModel(policy);
         return new JsonResult(response);
     }
diff --git a/src/Api/AdminConsole/Public/Models/Request/PolicyUpdateRequestModel.cs b/src/Api/AdminConsole/Public/Models/Request/PolicyUpdateRequestModel.cs
index f859686b81..eb56690462 100644
--- a/src/Api/AdminConsole/Public/Models/Request/PolicyUpdateRequestModel.cs
+++ b/src/Api/AdminConsole/Public/Models/Request/PolicyUpdateRequestModel.cs
@@ -1,26 +1,19 @@
 using System.Text.Json;
-using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
+using Bit.Core.Enums;
 
 namespace Bit.Api.AdminConsole.Public.Models.Request;
 
 public class PolicyUpdateRequestModel : PolicyBaseModel
 {
-    public Policy ToPolicy(Guid orgId, PolicyType type)
+    public PolicyUpdate ToPolicyUpdate(Guid organizationId, PolicyType type) => new()
     {
-        return ToPolicy(new Policy
-        {
-            OrganizationId = orgId,
-            Enabled = Enabled.GetValueOrDefault(),
-            Data = Data != null ? JsonSerializer.Serialize(Data) : null,
-            Type = type
-        });
-    }
-
-    public virtual Policy ToPolicy(Policy existingPolicy)
-    {
-        existingPolicy.Enabled = Enabled.GetValueOrDefault();
-        existingPolicy.Data = Data != null ? JsonSerializer.Serialize(Data) : null;
-        return existingPolicy;
-    }
+        Type = type,
+        OrganizationId = organizationId,
+        Data = Data != null ? JsonSerializer.Serialize(Data) : null,
+        Enabled = Enabled.GetValueOrDefault(),
+        PerformedBy = new SystemUser(EventSystemUser.PublicApi)
+    };
 }
diff --git a/src/Api/AdminConsole/Public/Models/Response/PolicyResponseModel.cs b/src/Api/AdminConsole/Public/Models/Response/PolicyResponseModel.cs
index 27da5cc561..8da7d93cf1 100644
--- a/src/Api/AdminConsole/Public/Models/Response/PolicyResponseModel.cs
+++ b/src/Api/AdminConsole/Public/Models/Response/PolicyResponseModel.cs
@@ -1,8 +1,9 @@
 using System.ComponentModel.DataAnnotations;
-using System.Text.Json;
 using Bit.Api.Models.Public.Response;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
+using Newtonsoft.Json;
+using JsonSerializer = System.Text.Json.JsonSerializer;
 
 namespace Bit.Api.AdminConsole.Public.Models.Response;
 
@@ -11,6 +12,9 @@ namespace Bit.Api.AdminConsole.Public.Models.Response;
 /// </summary>
 public class PolicyResponseModel : PolicyBaseModel, IResponseModel
 {
+    [JsonConstructor]
+    public PolicyResponseModel() { }
+
     public PolicyResponseModel(Policy policy)
     {
         if (policy == null)
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs
index dd6add669f..375c6326ef 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs
@@ -1,8 +1,8 @@
-using Bit.Core.AdminConsole.Entities;
-using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains.Interfaces;
-using Bit.Core.AdminConsole.Services;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -19,9 +19,9 @@ public class VerifyOrganizationDomainCommand(
     IDnsResolverService dnsResolverService,
     IEventService eventService,
     IGlobalSettings globalSettings,
-    IPolicyService policyService,
     IFeatureService featureService,
     ICurrentContext currentContext,
+    ISavePolicyCommand savePolicyCommand,
     ILogger<VerifyOrganizationDomainCommand> logger)
     : IVerifyOrganizationDomainCommand
 {
@@ -125,10 +125,15 @@ public class VerifyOrganizationDomainCommand(
     {
         if (featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning))
         {
-            await policyService.SaveAsync(
-                new Policy { OrganizationId = organizationId, Type = PolicyType.SingleOrg, Enabled = true },
-                savingUserId: actingUser is StandardUser standardUser ? standardUser.UserId : null,
-                eventSystemUser: actingUser is SystemUser systemUser ? systemUser.SystemUserType : null);
+            var policyUpdate = new PolicyUpdate
+            {
+                OrganizationId = organizationId,
+                Type = PolicyType.SingleOrg,
+                Enabled = true,
+                PerformedBy = actingUser
+            };
+
+            await savePolicyCommand.SaveAsync(policyUpdate);
         }
     }
 }
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/ISavePolicyCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/ISavePolicyCommand.cs
index 5bfdfc6aa7..6ca842686e 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/ISavePolicyCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/ISavePolicyCommand.cs
@@ -1,8 +1,9 @@
-using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 
 public interface ISavePolicyCommand
 {
-    Task SaveAsync(PolicyUpdate policy);
+    Task<Policy> SaveAsync(PolicyUpdate policy);
 }
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/Implementations/SavePolicyCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/Implementations/SavePolicyCommand.cs
index f193aeabd1..cf332e689a 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/Implementations/SavePolicyCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/Implementations/SavePolicyCommand.cs
@@ -42,7 +42,7 @@ public class SavePolicyCommand : ISavePolicyCommand
         _policyValidators = policyValidatorsDict;
     }
 
-    public async Task SaveAsync(PolicyUpdate policyUpdate)
+    public async Task<Policy> SaveAsync(PolicyUpdate policyUpdate)
     {
         var org = await _applicationCacheService.GetOrganizationAbilityAsync(policyUpdate.OrganizationId);
         if (org == null)
@@ -74,6 +74,8 @@ public class SavePolicyCommand : ISavePolicyCommand
 
         await _policyRepository.UpsertAsync(policy);
         await _eventService.LogPolicyEventAsync(policy, EventType.Policy_Updated);
+
+        return policy;
     }
 
     private async Task RunValidatorAsync(IPolicyValidator validator, PolicyUpdate policyUpdate)
diff --git a/src/Core/AdminConsole/Services/IPolicyService.cs b/src/Core/AdminConsole/Services/IPolicyService.cs
index 715c3a34d9..4f9a25f904 100644
--- a/src/Core/AdminConsole/Services/IPolicyService.cs
+++ b/src/Core/AdminConsole/Services/IPolicyService.cs
@@ -1,5 +1,4 @@
-using Bit.Core.AdminConsole.Entities;
-using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -9,8 +8,6 @@ namespace Bit.Core.AdminConsole.Services;
 
 public interface IPolicyService
 {
-    Task SaveAsync(Policy policy, Guid? savingUserId, EventSystemUser? eventSystemUser = null);
-
     /// <summary>
     /// Get the combined master password policy options for the specified user.
     /// </summary>
diff --git a/src/Core/AdminConsole/Services/Implementations/PolicyService.cs b/src/Core/AdminConsole/Services/Implementations/PolicyService.cs
index 69ec27fd8a..c3eb2272d0 100644
--- a/src/Core/AdminConsole/Services/Implementations/PolicyService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/PolicyService.cs
@@ -1,19 +1,8 @@
-using Bit.Core.AdminConsole.Entities;
-using Bit.Core.AdminConsole.Enums;
-using Bit.Core.AdminConsole.Models.Data;
+using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
-using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains.Interfaces;
-using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
-using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
-using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 using Bit.Core.AdminConsole.Repositories;
-using Bit.Core.Auth.Enums;
-using Bit.Core.Auth.Repositories;
-using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
-using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
-using Bit.Core.Exceptions;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -24,107 +13,20 @@ namespace Bit.Core.AdminConsole.Services.Implementations;
 public class PolicyService : IPolicyService
 {
     private readonly IApplicationCacheService _applicationCacheService;
-    private readonly IEventService _eventService;
-    private readonly IOrganizationRepository _organizationRepository;
     private readonly IOrganizationUserRepository _organizationUserRepository;
     private readonly IPolicyRepository _policyRepository;
-    private readonly ISsoConfigRepository _ssoConfigRepository;
-    private readonly IMailService _mailService;
     private readonly GlobalSettings _globalSettings;
-    private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery;
-    private readonly IFeatureService _featureService;
-    private readonly ISavePolicyCommand _savePolicyCommand;
-    private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
-    private readonly IOrganizationHasVerifiedDomainsQuery _organizationHasVerifiedDomainsQuery;
-    private readonly ICurrentContext _currentContext;
 
     public PolicyService(
         IApplicationCacheService applicationCacheService,
-        IEventService eventService,
-        IOrganizationRepository organizationRepository,
         IOrganizationUserRepository organizationUserRepository,
         IPolicyRepository policyRepository,
-        ISsoConfigRepository ssoConfigRepository,
-        IMailService mailService,
-        GlobalSettings globalSettings,
-        ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
-        IFeatureService featureService,
-        ISavePolicyCommand savePolicyCommand,
-        IRemoveOrganizationUserCommand removeOrganizationUserCommand,
-        IOrganizationHasVerifiedDomainsQuery organizationHasVerifiedDomainsQuery,
-        ICurrentContext currentContext)
+        GlobalSettings globalSettings)
     {
         _applicationCacheService = applicationCacheService;
-        _eventService = eventService;
-        _organizationRepository = organizationRepository;
         _organizationUserRepository = organizationUserRepository;
         _policyRepository = policyRepository;
-        _ssoConfigRepository = ssoConfigRepository;
-        _mailService = mailService;
         _globalSettings = globalSettings;
-        _twoFactorIsEnabledQuery = twoFactorIsEnabledQuery;
-        _featureService = featureService;
-        _savePolicyCommand = savePolicyCommand;
-        _removeOrganizationUserCommand = removeOrganizationUserCommand;
-        _organizationHasVerifiedDomainsQuery = organizationHasVerifiedDomainsQuery;
-        _currentContext = currentContext;
-    }
-
-    public async Task SaveAsync(Policy policy, Guid? savingUserId, EventSystemUser? eventSystemUser = null)
-    {
-        if (_featureService.IsEnabled(FeatureFlagKeys.Pm13322AddPolicyDefinitions))
-        {
-            // Transitional mapping - this will be moved to callers once the feature flag is removed
-            // TODO make sure to populate with SystemUser if not an actual user
-            var policyUpdate = new PolicyUpdate
-            {
-                OrganizationId = policy.OrganizationId,
-                Type = policy.Type,
-                Enabled = policy.Enabled,
-                Data = policy.Data,
-                PerformedBy = savingUserId.HasValue
-                    ? new StandardUser(savingUserId.Value, await _currentContext.OrganizationOwner(policy.OrganizationId))
-                    : new SystemUser(eventSystemUser ?? EventSystemUser.Unknown)
-            };
-
-            await _savePolicyCommand.SaveAsync(policyUpdate);
-            return;
-        }
-
-        var org = await _organizationRepository.GetByIdAsync(policy.OrganizationId);
-        if (org == null)
-        {
-            throw new BadRequestException("Organization not found");
-        }
-
-        if (!org.UsePolicies)
-        {
-            throw new BadRequestException("This organization cannot use policies.");
-        }
-
-        // FIXME: This method will throw a bunch of errors based on if the
-        // policy that is being applied requires some other policy that is
-        // not enabled. It may be advisable to refactor this into a domain
-        // object and get this kind of stuff out of the service.
-        await HandleDependentPoliciesAsync(policy, org);
-
-        var now = DateTime.UtcNow;
-        if (policy.Id == default(Guid))
-        {
-            policy.CreationDate = now;
-        }
-
-        policy.RevisionDate = now;
-
-        // We can exit early for disable operations, because they are
-        // simpler.
-        if (!policy.Enabled)
-        {
-            await SetPolicyConfiguration(policy);
-            return;
-        }
-
-        await EnablePolicyAsync(policy, org, savingUserId);
     }
 
     public async Task<MasterPasswordPolicyData> GetMasterPasswordPolicyForUserAsync(User user)
@@ -190,178 +92,4 @@ public class PolicyService : IPolicyService
 
         return new[] { OrganizationUserType.Owner, OrganizationUserType.Admin };
     }
-
-    private async Task DependsOnSingleOrgAsync(Organization org)
-    {
-        var singleOrg = await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.SingleOrg);
-        if (singleOrg?.Enabled != true)
-        {
-            throw new BadRequestException("Single Organization policy not enabled.");
-        }
-    }
-
-    private async Task RequiredBySsoAsync(Organization org)
-    {
-        var requireSso = await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.RequireSso);
-        if (requireSso?.Enabled == true)
-        {
-            throw new BadRequestException("Single Sign-On Authentication policy is enabled.");
-        }
-    }
-
-    private async Task RequiredByKeyConnectorAsync(Organization org)
-    {
-        var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(org.Id);
-        if (ssoConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector)
-        {
-            throw new BadRequestException("Key Connector is enabled.");
-        }
-    }
-
-    private async Task RequiredByAccountRecoveryAsync(Organization org)
-    {
-        var requireSso = await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.ResetPassword);
-        if (requireSso?.Enabled == true)
-        {
-            throw new BadRequestException("Account recovery policy is enabled.");
-        }
-    }
-
-    private async Task RequiredByVaultTimeoutAsync(Organization org)
-    {
-        var vaultTimeout = await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.MaximumVaultTimeout);
-        if (vaultTimeout?.Enabled == true)
-        {
-            throw new BadRequestException("Maximum Vault Timeout policy is enabled.");
-        }
-    }
-
-    private async Task RequiredBySsoTrustedDeviceEncryptionAsync(Organization org)
-    {
-        var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(org.Id);
-        if (ssoConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.TrustedDeviceEncryption)
-        {
-            throw new BadRequestException("Trusted device encryption is on and requires this policy.");
-        }
-    }
-
-    private async Task HandleDependentPoliciesAsync(Policy policy, Organization org)
-    {
-        switch (policy.Type)
-        {
-            case PolicyType.SingleOrg:
-                if (!policy.Enabled)
-                {
-                    await HasVerifiedDomainsAsync(org);
-                    await RequiredBySsoAsync(org);
-                    await RequiredByVaultTimeoutAsync(org);
-                    await RequiredByKeyConnectorAsync(org);
-                    await RequiredByAccountRecoveryAsync(org);
-                }
-                break;
-
-            case PolicyType.RequireSso:
-                if (policy.Enabled)
-                {
-                    await DependsOnSingleOrgAsync(org);
-                }
-                else
-                {
-                    await RequiredByKeyConnectorAsync(org);
-                    await RequiredBySsoTrustedDeviceEncryptionAsync(org);
-                }
-                break;
-
-            case PolicyType.ResetPassword:
-                if (!policy.Enabled || policy.GetDataModel<ResetPasswordDataModel>()?.AutoEnrollEnabled == false)
-                {
-                    await RequiredBySsoTrustedDeviceEncryptionAsync(org);
-                }
-
-                if (policy.Enabled)
-                {
-                    await DependsOnSingleOrgAsync(org);
-                }
-                break;
-
-            case PolicyType.MaximumVaultTimeout:
-                if (policy.Enabled)
-                {
-                    await DependsOnSingleOrgAsync(org);
-                }
-                break;
-        }
-    }
-
-    private async Task HasVerifiedDomainsAsync(Organization org)
-    {
-        if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
-            && await _organizationHasVerifiedDomainsQuery.HasVerifiedDomainsAsync(org.Id))
-        {
-            throw new BadRequestException("The Single organization policy is required for organizations that have enabled domain verification.");
-        }
-    }
-
-    private async Task SetPolicyConfiguration(Policy policy)
-    {
-        await _policyRepository.UpsertAsync(policy);
-        await _eventService.LogPolicyEventAsync(policy, EventType.Policy_Updated);
-    }
-
-    private async Task EnablePolicyAsync(Policy policy, Organization org, Guid? savingUserId)
-    {
-        var currentPolicy = await _policyRepository.GetByIdAsync(policy.Id);
-        if (!currentPolicy?.Enabled ?? true)
-        {
-            var orgUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(policy.OrganizationId);
-            var organizationUsersTwoFactorEnabled = await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(orgUsers);
-            var removableOrgUsers = orgUsers.Where(ou =>
-                ou.Status != OrganizationUserStatusType.Invited && ou.Status != OrganizationUserStatusType.Revoked &&
-                ou.Type != OrganizationUserType.Owner && ou.Type != OrganizationUserType.Admin &&
-                ou.UserId != savingUserId);
-            switch (policy.Type)
-            {
-                case PolicyType.TwoFactorAuthentication:
-                    // Reorder by HasMasterPassword to prioritize checking users without a master if they have 2FA enabled
-                    foreach (var orgUser in removableOrgUsers.OrderBy(ou => ou.HasMasterPassword))
-                    {
-                        var userTwoFactorEnabled = organizationUsersTwoFactorEnabled.FirstOrDefault(u => u.user.Id == orgUser.Id).twoFactorIsEnabled;
-                        if (!userTwoFactorEnabled)
-                        {
-                            if (!orgUser.HasMasterPassword)
-                            {
-                                throw new BadRequestException(
-                                    "Policy could not be enabled. Non-compliant members will lose access to their accounts. Identify members without two-step login from the policies column in the members page.");
-                            }
-
-                            await _removeOrganizationUserCommand.RemoveUserAsync(policy.OrganizationId, orgUser.Id,
-                                savingUserId);
-                            await _mailService.SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(
-                                org.DisplayName(), orgUser.Email);
-                        }
-                    }
-                    break;
-                case PolicyType.SingleOrg:
-                    var userOrgs = await _organizationUserRepository.GetManyByManyUsersAsync(
-                            removableOrgUsers.Select(ou => ou.UserId.Value));
-                    foreach (var orgUser in removableOrgUsers)
-                    {
-                        if (userOrgs.Any(ou => ou.UserId == orgUser.UserId
-                                    && ou.OrganizationId != org.Id
-                                    && ou.Status != OrganizationUserStatusType.Invited))
-                        {
-                            await _removeOrganizationUserCommand.RemoveUserAsync(policy.OrganizationId, orgUser.Id,
-                                savingUserId);
-                            await _mailService.SendOrganizationUserRemovedForPolicySingleOrgEmailAsync(
-                                org.DisplayName(), orgUser.Email);
-                        }
-                    }
-                    break;
-                default:
-                    break;
-            }
-        }
-
-        await SetPolicyConfiguration(policy);
-    }
 }
diff --git a/src/Core/Auth/Services/Implementations/SsoConfigService.cs b/src/Core/Auth/Services/Implementations/SsoConfigService.cs
index 532f000394..bf7e2d56fe 100644
--- a/src/Core/Auth/Services/Implementations/SsoConfigService.cs
+++ b/src/Core/Auth/Services/Implementations/SsoConfigService.cs
@@ -1,8 +1,9 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 using Bit.Core.AdminConsole.Repositories;
-using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Repositories;
@@ -17,25 +18,25 @@ public class SsoConfigService : ISsoConfigService
 {
     private readonly ISsoConfigRepository _ssoConfigRepository;
     private readonly IPolicyRepository _policyRepository;
-    private readonly IPolicyService _policyService;
     private readonly IOrganizationRepository _organizationRepository;
     private readonly IOrganizationUserRepository _organizationUserRepository;
     private readonly IEventService _eventService;
+    private readonly ISavePolicyCommand _savePolicyCommand;
 
     public SsoConfigService(
         ISsoConfigRepository ssoConfigRepository,
         IPolicyRepository policyRepository,
-        IPolicyService policyService,
         IOrganizationRepository organizationRepository,
         IOrganizationUserRepository organizationUserRepository,
-        IEventService eventService)
+        IEventService eventService,
+        ISavePolicyCommand savePolicyCommand)
     {
         _ssoConfigRepository = ssoConfigRepository;
         _policyRepository = policyRepository;
-        _policyService = policyService;
         _organizationRepository = organizationRepository;
         _organizationUserRepository = organizationUserRepository;
         _eventService = eventService;
+        _savePolicyCommand = savePolicyCommand;
     }
 
     public async Task SaveAsync(SsoConfig config, Organization organization)
@@ -63,25 +64,29 @@ public class SsoConfigService : ISsoConfigService
         // Automatically enable account recovery, SSO required, and single org policies if trusted device encryption is selected
         if (config.GetData().MemberDecryptionType == MemberDecryptionType.TrustedDeviceEncryption)
         {
-            var singleOrgPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(config.OrganizationId, PolicyType.SingleOrg) ??
-                                  new Policy { OrganizationId = config.OrganizationId, Type = PolicyType.SingleOrg };
 
-            singleOrgPolicy.Enabled = true;
+            await _savePolicyCommand.SaveAsync(new()
+            {
+                OrganizationId = config.OrganizationId,
+                Type = PolicyType.SingleOrg,
+                Enabled = true
+            });
 
-            await _policyService.SaveAsync(singleOrgPolicy, null);
+            var resetPasswordPolicy = new PolicyUpdate
+            {
+                OrganizationId = config.OrganizationId,
+                Type = PolicyType.ResetPassword,
+                Enabled = true,
+            };
+            resetPasswordPolicy.SetDataModel(new ResetPasswordDataModel { AutoEnrollEnabled = true });
+            await _savePolicyCommand.SaveAsync(resetPasswordPolicy);
 
-            var resetPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(config.OrganizationId, PolicyType.ResetPassword) ??
-                              new Policy { OrganizationId = config.OrganizationId, Type = PolicyType.ResetPassword, };
-
-            resetPolicy.Enabled = true;
-            resetPolicy.SetDataModel(new ResetPasswordDataModel { AutoEnrollEnabled = true });
-            await _policyService.SaveAsync(resetPolicy, null);
-
-            var ssoRequiredPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(config.OrganizationId, PolicyType.RequireSso) ??
-                              new Policy { OrganizationId = config.OrganizationId, Type = PolicyType.RequireSso, };
-
-            ssoRequiredPolicy.Enabled = true;
-            await _policyService.SaveAsync(ssoRequiredPolicy, null);
+            await _savePolicyCommand.SaveAsync(new()
+            {
+                OrganizationId = config.OrganizationId,
+                Type = PolicyType.RequireSso,
+                Enabled = true
+            });
         }
 
         await LogEventsAsync(config, oldConfig);
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 561f5f27c8..6efdedfeed 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -144,7 +144,6 @@ public static class FeatureFlagKeys
     public const string AccessIntelligence = "pm-13227-access-intelligence";
     public const string VerifiedSsoDomainEndpoint = "pm-12337-refactor-sso-details-endpoint";
     public const string PM12275_MultiOrganizationEnterprises = "pm-12275-multi-organization-enterprises";
-    public const string Pm13322AddPolicyDefinitions = "pm-13322-add-policy-definitions";
     public const string LimitCollectionCreationDeletionSplit = "pm-10863-limit-collection-creation-deletion-split";
     public const string GeneratorToolsModernization = "generator-tools-modernization";
     public const string NewDeviceVerification = "new-device-verification";
diff --git a/test/Api.IntegrationTest/AdminConsole/Public/Controllers/PoliciesControllerTests.cs b/test/Api.IntegrationTest/AdminConsole/Public/Controllers/PoliciesControllerTests.cs
new file mode 100644
index 0000000000..f034426f98
--- /dev/null
+++ b/test/Api.IntegrationTest/AdminConsole/Public/Controllers/PoliciesControllerTests.cs
@@ -0,0 +1,163 @@
+using System.Net;
+using System.Text.Json;
+using Bit.Api.AdminConsole.Public.Models.Request;
+using Bit.Api.AdminConsole.Public.Models.Response;
+using Bit.Api.IntegrationTest.Factories;
+using Bit.Api.IntegrationTest.Helpers;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Enums;
+using Bit.Test.Common.Helpers;
+using Xunit;
+
+namespace Bit.Api.IntegrationTest.AdminConsole.Public.Controllers;
+
+public class PoliciesControllerTests : IClassFixture<ApiApplicationFactory>, IAsyncLifetime
+{
+    private readonly HttpClient _client;
+    private readonly ApiApplicationFactory _factory;
+    private readonly LoginHelper _loginHelper;
+
+    // These will get set in `InitializeAsync` which is ran before all tests
+    private Organization _organization = null!;
+    private string _ownerEmail = null!;
+
+    public PoliciesControllerTests(ApiApplicationFactory factory)
+    {
+        _factory = factory;
+        _client = factory.CreateClient();
+        _loginHelper = new LoginHelper(_factory, _client);
+    }
+
+    public async Task InitializeAsync()
+    {
+        // Create the owner account
+        _ownerEmail = $"integration-test{Guid.NewGuid()}@bitwarden.com";
+        await _factory.LoginWithNewAccount(_ownerEmail);
+
+        // Create the organization
+        (_organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory, plan: PlanType.EnterpriseAnnually2023,
+            ownerEmail: _ownerEmail, passwordManagerSeats: 10, paymentMethod: PaymentMethodType.Card);
+
+        // Authorize with the organization api key
+        await _loginHelper.LoginWithOrganizationApiKeyAsync(_organization.Id);
+    }
+
+    public Task DisposeAsync()
+    {
+        _client.Dispose();
+        return Task.CompletedTask;
+    }
+
+    [Fact]
+    public async Task Post_NewPolicy()
+    {
+        var policyType = PolicyType.MasterPassword;
+        var request = new PolicyUpdateRequestModel
+        {
+            Enabled = true,
+            Data = new Dictionary<string, object>
+            {
+                { "minComplexity", 15},
+                { "requireLower", true}
+            }
+        };
+
+        var response = await _client.PutAsync($"/public/policies/{policyType}", JsonContent.Create(request));
+
+        // Assert against the response
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        var result = await response.Content.ReadFromJsonAsync<PolicyResponseModel>();
+        Assert.NotNull(result);
+
+        Assert.True(result.Enabled);
+        Assert.Equal(policyType, result.Type);
+        Assert.IsType<Guid>(result.Id);
+        Assert.NotEqual(default, result.Id);
+        Assert.NotNull(result.Data);
+        Assert.Equal(15, ((JsonElement)result.Data["minComplexity"]).GetInt32());
+        Assert.True(((JsonElement)result.Data["requireLower"]).GetBoolean());
+
+        // Assert against the database values
+        var policyRepository = _factory.GetService<IPolicyRepository>();
+        var policy = await policyRepository.GetByOrganizationIdTypeAsync(_organization.Id, policyType);
+        Assert.NotNull(policy);
+
+        Assert.True(policy.Enabled);
+        Assert.Equal(policyType, policy.Type);
+        Assert.IsType<Guid>(policy.Id);
+        Assert.NotEqual(default, policy.Id);
+        Assert.Equal(_organization.Id, policy.OrganizationId);
+
+        Assert.NotNull(policy.Data);
+        var data = policy.GetDataModel<MasterPasswordPolicyData>();
+        var expectedData = new MasterPasswordPolicyData { MinComplexity = 15, RequireLower = true };
+        AssertHelper.AssertPropertyEqual(expectedData, data);
+    }
+
+    [Fact]
+    public async Task Post_UpdatePolicy()
+    {
+        var policyType = PolicyType.MasterPassword;
+        var existingPolicy = new Policy
+        {
+            OrganizationId = _organization.Id,
+            Enabled = true,
+            Type = policyType
+        };
+        existingPolicy.SetDataModel(new MasterPasswordPolicyData
+        {
+            EnforceOnLogin = true,
+            MinLength = 22,
+            RequireSpecial = true
+        });
+
+        var policyRepository = _factory.GetService<IPolicyRepository>();
+        await policyRepository.UpsertAsync(existingPolicy);
+
+        // The Id isn't set until it's created in the database, get it back out to get the id
+        var createdPolicy = await policyRepository.GetByOrganizationIdTypeAsync(_organization.Id, policyType);
+        var expectedId = createdPolicy!.Id;
+
+        var request = new PolicyUpdateRequestModel
+        {
+            Enabled = false,
+            Data = new Dictionary<string, object>
+            {
+                { "minLength", 15},
+                { "requireUpper", true}
+            }
+        };
+
+        var response = await _client.PutAsync($"/public/policies/{policyType}", JsonContent.Create(request));
+
+        // Assert against the response
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        var result = await response.Content.ReadFromJsonAsync<PolicyResponseModel>();
+        Assert.NotNull(result);
+
+        Assert.False(result.Enabled);
+        Assert.Equal(policyType, result.Type);
+        Assert.Equal(expectedId, result.Id);
+        Assert.NotNull(result.Data);
+        Assert.Equal(15, ((JsonElement)result.Data["minLength"]).GetInt32());
+        Assert.True(((JsonElement)result.Data["requireUpper"]).GetBoolean());
+
+        // Assert against the database values
+        var policy = await policyRepository.GetByOrganizationIdTypeAsync(_organization.Id, policyType);
+        Assert.NotNull(policy);
+
+        Assert.False(policy.Enabled);
+        Assert.Equal(policyType, policy.Type);
+        Assert.Equal(expectedId, policy.Id);
+        Assert.Equal(_organization.Id, policy.OrganizationId);
+
+        Assert.NotNull(policy.Data);
+        var data = policy.GetDataModel<MasterPasswordPolicyData>();
+        Assert.Equal(15, data.MinLength);
+        Assert.Equal(true, data.RequireUpper);
+    }
+}
diff --git a/test/Api.Test/AdminConsole/Public/Controllers/PoliciesControllerTests.cs b/test/Api.Test/AdminConsole/Public/Controllers/PoliciesControllerTests.cs
deleted file mode 100644
index 71d04cae33..0000000000
--- a/test/Api.Test/AdminConsole/Public/Controllers/PoliciesControllerTests.cs
+++ /dev/null
@@ -1,33 +0,0 @@
-using Bit.Api.AdminConsole.Public.Controllers;
-using Bit.Api.AdminConsole.Public.Models.Request;
-using Bit.Api.AdminConsole.Public.Models.Response;
-using Bit.Core.AdminConsole.Entities;
-using Bit.Core.AdminConsole.Enums;
-using Bit.Core.AdminConsole.Repositories;
-using Bit.Core.Context;
-using Bit.Test.Common.AutoFixture;
-using Bit.Test.Common.AutoFixture.Attributes;
-using Microsoft.AspNetCore.Mvc;
-using NSubstitute;
-using Xunit;
-
-namespace Bit.Api.Test.AdminConsole.Public.Controllers;
-
-[ControllerCustomize(typeof(PoliciesController))]
-[SutProviderCustomize]
-public class PoliciesControllerTests
-{
-    [Theory]
-    [BitAutoData]
-    [BitAutoData(PolicyType.SendOptions)]
-    public async Task Put_NewPolicy_AppliesCorrectType(PolicyType type, Organization organization, PolicyUpdateRequestModel model, SutProvider<PoliciesController> sutProvider)
-    {
-        sutProvider.GetDependency<ICurrentContext>().OrganizationId.Returns(organization.Id);
-        sutProvider.GetDependency<IPolicyRepository>().GetByOrganizationIdTypeAsync(organization.Id, type).Returns((Policy)null);
-
-        var response = await sutProvider.Sut.Put(type, model) as JsonResult;
-        var responseValue = response.Value as PolicyResponseModel;
-
-        Assert.Equal(type, responseValue.Type);
-    }
-}
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommandTests.cs
index 8dbe533131..700df88d54 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommandTests.cs
@@ -1,7 +1,8 @@
-using Bit.Core.AdminConsole.Entities;
-using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains;
-using Bit.Core.AdminConsole.Services;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -182,9 +183,13 @@ public class VerifyOrganizationDomainCommandTests
 
         _ = await sutProvider.Sut.UserVerifyOrganizationDomainAsync(domain);
 
-        await sutProvider.GetDependency<IPolicyService>()
+        await sutProvider.GetDependency<ISavePolicyCommand>()
             .Received(1)
-            .SaveAsync(Arg.Is<Policy>(x => x.Type == PolicyType.SingleOrg && x.OrganizationId == domain.OrganizationId && x.Enabled), userId);
+            .SaveAsync(Arg.Is<PolicyUpdate>(x => x.Type == PolicyType.SingleOrg &&
+                x.OrganizationId == domain.OrganizationId &&
+                x.Enabled &&
+                x.PerformedBy is StandardUser &&
+                x.PerformedBy.UserId == userId));
     }
 
     [Theory, BitAutoData]
@@ -208,9 +213,9 @@ public class VerifyOrganizationDomainCommandTests
 
         _ = await sutProvider.Sut.UserVerifyOrganizationDomainAsync(domain);
 
-        await sutProvider.GetDependency<IPolicyService>()
+        await sutProvider.GetDependency<ISavePolicyCommand>()
             .DidNotReceive()
-            .SaveAsync(Arg.Any<Policy>(), null);
+            .SaveAsync(Arg.Any<PolicyUpdate>());
     }
 
     [Theory, BitAutoData]
@@ -234,10 +239,9 @@ public class VerifyOrganizationDomainCommandTests
 
         _ = await sutProvider.Sut.UserVerifyOrganizationDomainAsync(domain);
 
-        await sutProvider.GetDependency<IPolicyService>()
+        await sutProvider.GetDependency<ISavePolicyCommand>()
             .DidNotReceive()
-            .SaveAsync(Arg.Any<Policy>(), null);
-
+            .SaveAsync(Arg.Any<PolicyUpdate>());
     }
 
     [Theory, BitAutoData]
@@ -261,8 +265,8 @@ public class VerifyOrganizationDomainCommandTests
 
         _ = await sutProvider.Sut.UserVerifyOrganizationDomainAsync(domain);
 
-        await sutProvider.GetDependency<IPolicyService>()
+        await sutProvider.GetDependency<ISavePolicyCommand>()
             .DidNotReceive()
-            .SaveAsync(Arg.Any<Policy>(), null);
+            .SaveAsync(Arg.Any<PolicyUpdate>());
     }
 }
diff --git a/test/Core.Test/AdminConsole/Services/PolicyServiceTests.cs b/test/Core.Test/AdminConsole/Services/PolicyServiceTests.cs
index 68f36e37ce..62ab584c4b 100644
--- a/test/Core.Test/AdminConsole/Services/PolicyServiceTests.cs
+++ b/test/Core.Test/AdminConsole/Services/PolicyServiceTests.cs
@@ -1,25 +1,13 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
-using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
-using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains.Interfaces;
-using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
-using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services.Implementations;
-using Bit.Core.Auth.Entities;
-using Bit.Core.Auth.Enums;
-using Bit.Core.Auth.Models.Data;
-using Bit.Core.Auth.Repositories;
-using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
 using Bit.Core.Enums;
-using Bit.Core.Exceptions;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
 using Xunit;
-using AdminConsoleFixtures = Bit.Core.Test.AdminConsole.AutoFixture;
 using GlobalSettings = Bit.Core.Settings.GlobalSettings;
 
 namespace Bit.Core.Test.AdminConsole.Services;
@@ -27,667 +15,6 @@ namespace Bit.Core.Test.AdminConsole.Services;
 [SutProviderCustomize]
 public class PolicyServiceTests
 {
-    [Theory, BitAutoData]
-    public async Task SaveAsync_OrganizationDoesNotExist_ThrowsBadRequest(
-        [AdminConsoleFixtures.Policy(PolicyType.DisableSend)] Policy policy, SutProvider<PolicyService> sutProvider)
-    {
-        SetupOrg(sutProvider, policy.OrganizationId, null);
-
-        var badRequestException = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.SaveAsync(policy,
-                Guid.NewGuid()));
-
-        Assert.Contains("Organization not found", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
-
-        await sutProvider.GetDependency<IPolicyRepository>()
-            .DidNotReceiveWithAnyArgs()
-            .UpsertAsync(default);
-
-        await sutProvider.GetDependency<IEventService>()
-            .DidNotReceiveWithAnyArgs()
-            .LogPolicyEventAsync(default, default, default);
-    }
-
-    [Theory, BitAutoData]
-    public async Task SaveAsync_OrganizationCannotUsePolicies_ThrowsBadRequest(
-        [AdminConsoleFixtures.Policy(PolicyType.DisableSend)] Policy policy, SutProvider<PolicyService> sutProvider)
-    {
-        var orgId = Guid.NewGuid();
-
-        SetupOrg(sutProvider, policy.OrganizationId, new Organization
-        {
-            UsePolicies = false,
-        });
-
-        var badRequestException = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.SaveAsync(policy,
-                Guid.NewGuid()));
-
-        Assert.Contains("cannot use policies", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
-
-        await sutProvider.GetDependency<IPolicyRepository>()
-            .DidNotReceiveWithAnyArgs()
-            .UpsertAsync(default);
-
-        await sutProvider.GetDependency<IEventService>()
-            .DidNotReceiveWithAnyArgs()
-            .LogPolicyEventAsync(default, default, default);
-    }
-
-    [Theory, BitAutoData]
-    public async Task SaveAsync_SingleOrg_RequireSsoEnabled_ThrowsBadRequest(
-        [AdminConsoleFixtures.Policy(PolicyType.SingleOrg)] Policy policy, SutProvider<PolicyService> sutProvider)
-    {
-        policy.Enabled = false;
-
-        SetupOrg(sutProvider, policy.OrganizationId, new Organization
-        {
-            Id = policy.OrganizationId,
-            UsePolicies = true,
-        });
-
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policy.OrganizationId, PolicyType.RequireSso)
-            .Returns(Task.FromResult(new Policy { Enabled = true }));
-
-        var badRequestException = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.SaveAsync(policy,
-                Guid.NewGuid()));
-
-        Assert.Contains("Single Sign-On Authentication policy is enabled.", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
-
-        await sutProvider.GetDependency<IPolicyRepository>()
-            .DidNotReceiveWithAnyArgs()
-            .UpsertAsync(default);
-
-        await sutProvider.GetDependency<IEventService>()
-            .DidNotReceiveWithAnyArgs()
-            .LogPolicyEventAsync(default, default, default);
-    }
-
-    [Theory, BitAutoData]
-    public async Task SaveAsync_SingleOrg_VaultTimeoutEnabled_ThrowsBadRequest([AdminConsoleFixtures.Policy(PolicyType.SingleOrg)] Policy policy, SutProvider<PolicyService> sutProvider)
-    {
-        policy.Enabled = false;
-
-        SetupOrg(sutProvider, policy.OrganizationId, new Organization
-        {
-            Id = policy.OrganizationId,
-            UsePolicies = true,
-        });
-
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policy.OrganizationId, PolicyType.MaximumVaultTimeout)
-            .Returns(new Policy { Enabled = true });
-
-        var badRequestException = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.SaveAsync(policy,
-                Guid.NewGuid()));
-
-        Assert.Contains("Maximum Vault Timeout policy is enabled.", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
-
-        await sutProvider.GetDependency<IPolicyRepository>()
-            .DidNotReceiveWithAnyArgs()
-            .UpsertAsync(default);
-    }
-
-    [Theory]
-    [BitAutoData(PolicyType.SingleOrg)]
-    [BitAutoData(PolicyType.RequireSso)]
-    public async Task SaveAsync_PolicyRequiredByKeyConnector_DisablePolicy_ThrowsBadRequest(
-        PolicyType policyType,
-        Policy policy,
-        SutProvider<PolicyService> sutProvider)
-    {
-        policy.Enabled = false;
-        policy.Type = policyType;
-
-        SetupOrg(sutProvider, policy.OrganizationId, new Organization
-        {
-            Id = policy.OrganizationId,
-            UsePolicies = true,
-        });
-
-        var ssoConfig = new SsoConfig { Enabled = true };
-        var data = new SsoConfigurationData { MemberDecryptionType = MemberDecryptionType.KeyConnector };
-        ssoConfig.SetData(data);
-
-        sutProvider.GetDependency<ISsoConfigRepository>()
-            .GetByOrganizationIdAsync(policy.OrganizationId)
-            .Returns(ssoConfig);
-
-        var badRequestException = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.SaveAsync(policy,
-                Guid.NewGuid()));
-
-        Assert.Contains("Key Connector is enabled.", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
-
-        await sutProvider.GetDependency<IPolicyRepository>()
-            .DidNotReceiveWithAnyArgs()
-            .UpsertAsync(default);
-    }
-
-    [Theory, BitAutoData]
-    public async Task SaveAsync_RequireSsoPolicy_NotEnabled_ThrowsBadRequestAsync(
-        [AdminConsoleFixtures.Policy(PolicyType.RequireSso)] Policy policy, SutProvider<PolicyService> sutProvider)
-    {
-        policy.Enabled = true;
-
-        SetupOrg(sutProvider, policy.OrganizationId, new Organization
-        {
-            Id = policy.OrganizationId,
-            UsePolicies = true,
-        });
-
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policy.OrganizationId, PolicyType.SingleOrg)
-            .Returns(Task.FromResult(new Policy { Enabled = false }));
-
-        var badRequestException = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.SaveAsync(policy,
-                Guid.NewGuid()));
-
-        Assert.Contains("Single Organization policy not enabled.", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
-
-        await sutProvider.GetDependency<IPolicyRepository>()
-            .DidNotReceiveWithAnyArgs()
-            .UpsertAsync(default);
-
-        await sutProvider.GetDependency<IEventService>()
-            .DidNotReceiveWithAnyArgs()
-            .LogPolicyEventAsync(default, default, default);
-    }
-
-    [Theory, BitAutoData]
-    public async Task SaveAsync_NewPolicy_Created(
-        [AdminConsoleFixtures.Policy(PolicyType.ResetPassword)] Policy policy, SutProvider<PolicyService> sutProvider)
-    {
-        policy.Id = default;
-        policy.Data = null;
-
-        SetupOrg(sutProvider, policy.OrganizationId, new Organization
-        {
-            Id = policy.OrganizationId,
-            UsePolicies = true,
-        });
-
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policy.OrganizationId, PolicyType.SingleOrg)
-            .Returns(Task.FromResult(new Policy { Enabled = true }));
-
-        var utcNow = DateTime.UtcNow;
-
-        await sutProvider.Sut.SaveAsync(policy, Guid.NewGuid());
-
-        await sutProvider.GetDependency<IEventService>().Received()
-            .LogPolicyEventAsync(policy, EventType.Policy_Updated);
-
-        await sutProvider.GetDependency<IPolicyRepository>().Received()
-            .UpsertAsync(policy);
-
-        Assert.True(policy.CreationDate - utcNow < TimeSpan.FromSeconds(1));
-        Assert.True(policy.RevisionDate - utcNow < TimeSpan.FromSeconds(1));
-    }
-
-    [Theory, BitAutoData]
-    public async Task SaveAsync_VaultTimeoutPolicy_NotEnabled_ThrowsBadRequestAsync(
-        [AdminConsoleFixtures.Policy(PolicyType.MaximumVaultTimeout)] Policy policy, SutProvider<PolicyService> sutProvider)
-    {
-        policy.Enabled = true;
-
-        SetupOrg(sutProvider, policy.OrganizationId, new Organization
-        {
-            Id = policy.OrganizationId,
-            UsePolicies = true,
-        });
-
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policy.OrganizationId, PolicyType.SingleOrg)
-            .Returns(Task.FromResult(new Policy { Enabled = false }));
-
-        var badRequestException = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.SaveAsync(policy,
-                Guid.NewGuid()));
-
-        Assert.Contains("Single Organization policy not enabled.", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
-
-        await sutProvider.GetDependency<IPolicyRepository>()
-            .DidNotReceiveWithAnyArgs()
-            .UpsertAsync(default);
-
-        await sutProvider.GetDependency<IEventService>()
-            .DidNotReceiveWithAnyArgs()
-            .LogPolicyEventAsync(default, default, default);
-    }
-
-    [Theory, BitAutoData]
-    public async Task SaveAsync_ExistingPolicy_UpdateTwoFactor(
-        Organization organization,
-        [AdminConsoleFixtures.Policy(PolicyType.TwoFactorAuthentication)] Policy policy,
-        SutProvider<PolicyService> sutProvider)
-    {
-        // If the policy that this is updating isn't enabled then do some work now that the current one is enabled
-
-        organization.UsePolicies = true;
-        policy.OrganizationId = organization.Id;
-
-        SetupOrg(sutProvider, organization.Id, organization);
-
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByIdAsync(policy.Id)
-            .Returns(new Policy
-            {
-                Id = policy.Id,
-                Type = PolicyType.TwoFactorAuthentication,
-                Enabled = false
-            });
-
-        var orgUserDetailUserInvited = new OrganizationUserUserDetails
-        {
-            Id = Guid.NewGuid(),
-            Status = OrganizationUserStatusType.Invited,
-            Type = OrganizationUserType.User,
-            // Needs to be different from what is passed in as the savingUserId to Sut.SaveAsync
-            Email = "user1@test.com",
-            Name = "TEST",
-            UserId = Guid.NewGuid(),
-            HasMasterPassword = false
-        };
-        var orgUserDetailUserAcceptedWith2FA = new OrganizationUserUserDetails
-        {
-            Id = Guid.NewGuid(),
-            Status = OrganizationUserStatusType.Accepted,
-            Type = OrganizationUserType.User,
-            // Needs to be different from what is passed in as the savingUserId to Sut.SaveAsync
-            Email = "user2@test.com",
-            Name = "TEST",
-            UserId = Guid.NewGuid(),
-            HasMasterPassword = true
-        };
-        var orgUserDetailUserAcceptedWithout2FA = new OrganizationUserUserDetails
-        {
-            Id = Guid.NewGuid(),
-            Status = OrganizationUserStatusType.Accepted,
-            Type = OrganizationUserType.User,
-            // Needs to be different from what is passed in as the savingUserId to Sut.SaveAsync
-            Email = "user3@test.com",
-            Name = "TEST",
-            UserId = Guid.NewGuid(),
-            HasMasterPassword = true
-        };
-        var orgUserDetailAdmin = new OrganizationUserUserDetails
-        {
-            Id = Guid.NewGuid(),
-            Status = OrganizationUserStatusType.Confirmed,
-            Type = OrganizationUserType.Admin,
-            // Needs to be different from what is passed in as the savingUserId to Sut.SaveAsync
-            Email = "admin@test.com",
-            Name = "ADMIN",
-            UserId = Guid.NewGuid(),
-            HasMasterPassword = false
-        };
-
-        sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyDetailsByOrganizationAsync(policy.OrganizationId)
-            .Returns(new List<OrganizationUserUserDetails>
-            {
-                orgUserDetailUserInvited,
-                orgUserDetailUserAcceptedWith2FA,
-                orgUserDetailUserAcceptedWithout2FA,
-                orgUserDetailAdmin
-            });
-
-        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
-            .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<OrganizationUserUserDetails>>())
-            .Returns(new List<(OrganizationUserUserDetails user, bool hasTwoFactor)>()
-            {
-                (orgUserDetailUserInvited, false),
-                (orgUserDetailUserAcceptedWith2FA, true),
-                (orgUserDetailUserAcceptedWithout2FA, false),
-                (orgUserDetailAdmin, false),
-            });
-
-        var removeOrganizationUserCommand = sutProvider.GetDependency<IRemoveOrganizationUserCommand>();
-
-        var utcNow = DateTime.UtcNow;
-
-        var savingUserId = Guid.NewGuid();
-
-        await sutProvider.Sut.SaveAsync(policy, savingUserId);
-
-        await removeOrganizationUserCommand.Received()
-            .RemoveUserAsync(policy.OrganizationId, orgUserDetailUserAcceptedWithout2FA.Id, savingUserId);
-        await sutProvider.GetDependency<IMailService>().Received()
-            .SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(organization.DisplayName(), orgUserDetailUserAcceptedWithout2FA.Email);
-
-        await removeOrganizationUserCommand.DidNotReceive()
-            .RemoveUserAsync(policy.OrganizationId, orgUserDetailUserInvited.Id, savingUserId);
-        await sutProvider.GetDependency<IMailService>().DidNotReceive()
-            .SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(organization.DisplayName(), orgUserDetailUserInvited.Email);
-        await removeOrganizationUserCommand.DidNotReceive()
-            .RemoveUserAsync(policy.OrganizationId, orgUserDetailUserAcceptedWith2FA.Id, savingUserId);
-        await sutProvider.GetDependency<IMailService>().DidNotReceive()
-            .SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(organization.DisplayName(), orgUserDetailUserAcceptedWith2FA.Email);
-        await removeOrganizationUserCommand.DidNotReceive()
-            .RemoveUserAsync(policy.OrganizationId, orgUserDetailAdmin.Id, savingUserId);
-        await sutProvider.GetDependency<IMailService>().DidNotReceive()
-            .SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(organization.DisplayName(), orgUserDetailAdmin.Email);
-
-        await sutProvider.GetDependency<IEventService>().Received()
-            .LogPolicyEventAsync(policy, EventType.Policy_Updated);
-
-        await sutProvider.GetDependency<IPolicyRepository>().Received()
-            .UpsertAsync(policy);
-
-        Assert.True(policy.CreationDate - utcNow < TimeSpan.FromSeconds(1));
-        Assert.True(policy.RevisionDate - utcNow < TimeSpan.FromSeconds(1));
-    }
-
-    [Theory, BitAutoData]
-    public async Task SaveAsync_EnableTwoFactor_WithoutMasterPasswordOr2FA_ThrowsBadRequest(
-        Organization organization,
-        [AdminConsoleFixtures.Policy(PolicyType.TwoFactorAuthentication)] Policy policy,
-        SutProvider<PolicyService> sutProvider)
-    {
-        organization.UsePolicies = true;
-        policy.OrganizationId = organization.Id;
-
-        SetupOrg(sutProvider, organization.Id, organization);
-
-        var orgUserDetailUserWith2FAAndMP = new OrganizationUserUserDetails
-        {
-            Id = Guid.NewGuid(),
-            Status = OrganizationUserStatusType.Confirmed,
-            Type = OrganizationUserType.User,
-            // Needs to be different from what is passed in as the savingUserId to Sut.SaveAsync
-            Email = "user1@test.com",
-            Name = "TEST",
-            UserId = Guid.NewGuid(),
-            HasMasterPassword = true
-        };
-        var orgUserDetailUserWith2FANoMP = new OrganizationUserUserDetails
-        {
-            Id = Guid.NewGuid(),
-            Status = OrganizationUserStatusType.Confirmed,
-            Type = OrganizationUserType.User,
-            // Needs to be different from what is passed in as the savingUserId to Sut.SaveAsync
-            Email = "user2@test.com",
-            Name = "TEST",
-            UserId = Guid.NewGuid(),
-            HasMasterPassword = false
-        };
-        var orgUserDetailUserWithout2FA = new OrganizationUserUserDetails
-        {
-            Id = Guid.NewGuid(),
-            Status = OrganizationUserStatusType.Confirmed,
-            Type = OrganizationUserType.User,
-            // Needs to be different from what is passed in as the savingUserId to Sut.SaveAsync
-            Email = "user3@test.com",
-            Name = "TEST",
-            UserId = Guid.NewGuid(),
-            HasMasterPassword = false
-        };
-        var orgUserDetailAdmin = new OrganizationUserUserDetails
-        {
-            Id = Guid.NewGuid(),
-            Status = OrganizationUserStatusType.Confirmed,
-            Type = OrganizationUserType.Admin,
-            // Needs to be different from what is passed in as the savingUserId to Sut.SaveAsync
-            Email = "admin@test.com",
-            Name = "ADMIN",
-            UserId = Guid.NewGuid(),
-            HasMasterPassword = false
-        };
-
-        sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyDetailsByOrganizationAsync(policy.OrganizationId)
-            .Returns(new List<OrganizationUserUserDetails>
-            {
-                orgUserDetailUserWith2FAAndMP,
-                orgUserDetailUserWith2FANoMP,
-                orgUserDetailUserWithout2FA,
-                orgUserDetailAdmin
-            });
-
-        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
-            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(ids =>
-                ids.Contains(orgUserDetailUserWith2FANoMP.UserId.Value)
-                && ids.Contains(orgUserDetailUserWithout2FA.UserId.Value)
-                && ids.Contains(orgUserDetailAdmin.UserId.Value)))
-            .Returns(new List<(Guid userId, bool hasTwoFactor)>()
-            {
-                (orgUserDetailUserWith2FANoMP.UserId.Value, true),
-                (orgUserDetailUserWithout2FA.UserId.Value, false),
-                (orgUserDetailAdmin.UserId.Value, false),
-            });
-
-        var removeOrganizationUserCommand = sutProvider.GetDependency<IRemoveOrganizationUserCommand>();
-
-        var savingUserId = Guid.NewGuid();
-
-        var badRequestException = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.SaveAsync(policy, savingUserId));
-
-        Assert.Contains("Policy could not be enabled. Non-compliant members will lose access to their accounts. Identify members without two-step login from the policies column in the members page.", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
-
-        await removeOrganizationUserCommand.DidNotReceiveWithAnyArgs()
-            .RemoveUserAsync(organizationId: default, organizationUserId: default, deletingUserId: default);
-
-        await sutProvider.GetDependency<IMailService>().DidNotReceiveWithAnyArgs()
-            .SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(default, default);
-
-        await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs()
-            .LogPolicyEventAsync(default, default);
-
-        await sutProvider.GetDependency<IPolicyRepository>().DidNotReceiveWithAnyArgs()
-            .UpsertAsync(default);
-    }
-
-    [Theory, BitAutoData]
-    public async Task SaveAsync_ExistingPolicy_UpdateSingleOrg(
-        [AdminConsoleFixtures.Policy(PolicyType.TwoFactorAuthentication)] Policy policy, SutProvider<PolicyService> sutProvider)
-    {
-        // If the policy that this is updating isn't enabled then do some work now that the current one is enabled
-
-        var org = new Organization
-        {
-            Id = policy.OrganizationId,
-            UsePolicies = true,
-            Name = "TEST",
-        };
-
-        SetupOrg(sutProvider, policy.OrganizationId, org);
-
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByIdAsync(policy.Id)
-            .Returns(new Policy
-            {
-                Id = policy.Id,
-                Type = PolicyType.SingleOrg,
-                Enabled = false,
-            });
-
-        var orgUserDetail = new Core.Models.Data.Organizations.OrganizationUsers.OrganizationUserUserDetails
-        {
-            Id = Guid.NewGuid(),
-            Status = OrganizationUserStatusType.Accepted,
-            Type = OrganizationUserType.User,
-            // Needs to be different from what is passed in as the savingUserId to Sut.SaveAsync
-            Email = "test@bitwarden.com",
-            Name = "TEST",
-            UserId = Guid.NewGuid(),
-            HasMasterPassword = true
-        };
-
-        sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyDetailsByOrganizationAsync(policy.OrganizationId)
-            .Returns(new List<Core.Models.Data.Organizations.OrganizationUsers.OrganizationUserUserDetails>
-            {
-                orgUserDetail,
-            });
-
-        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
-            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUserDetail.UserId.Value)))
-            .Returns(new List<(Guid userId, bool hasTwoFactor)>()
-            {
-                (orgUserDetail.UserId.Value, false),
-            });
-
-        var utcNow = DateTime.UtcNow;
-
-        var savingUserId = Guid.NewGuid();
-
-        await sutProvider.Sut.SaveAsync(policy, savingUserId);
-
-        await sutProvider.GetDependency<IEventService>().Received()
-            .LogPolicyEventAsync(policy, EventType.Policy_Updated);
-
-        await sutProvider.GetDependency<IPolicyRepository>().Received()
-            .UpsertAsync(policy);
-
-        Assert.True(policy.CreationDate - utcNow < TimeSpan.FromSeconds(1));
-        Assert.True(policy.RevisionDate - utcNow < TimeSpan.FromSeconds(1));
-    }
-
-    [Theory]
-    [BitAutoData(true, false)]
-    [BitAutoData(false, true)]
-    [BitAutoData(false, false)]
-    public async Task SaveAsync_ResetPasswordPolicyRequiredByTrustedDeviceEncryption_DisablePolicyOrDisableAutomaticEnrollment_ThrowsBadRequest(
-        bool policyEnabled,
-        bool autoEnrollEnabled,
-        [AdminConsoleFixtures.Policy(PolicyType.ResetPassword)] Policy policy,
-        SutProvider<PolicyService> sutProvider)
-    {
-        policy.Enabled = policyEnabled;
-        policy.SetDataModel(new ResetPasswordDataModel
-        {
-            AutoEnrollEnabled = autoEnrollEnabled
-        });
-
-        SetupOrg(sutProvider, policy.OrganizationId, new Organization
-        {
-            Id = policy.OrganizationId,
-            UsePolicies = true,
-        });
-
-        var ssoConfig = new SsoConfig { Enabled = true };
-        ssoConfig.SetData(new SsoConfigurationData { MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption });
-
-        sutProvider.GetDependency<ISsoConfigRepository>()
-            .GetByOrganizationIdAsync(policy.OrganizationId)
-            .Returns(ssoConfig);
-
-        var badRequestException = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.SaveAsync(policy,
-                Guid.NewGuid()));
-
-        Assert.Contains("Trusted device encryption is on and requires this policy.", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
-
-        await sutProvider.GetDependency<IPolicyRepository>()
-            .DidNotReceiveWithAnyArgs()
-            .UpsertAsync(default);
-
-        await sutProvider.GetDependency<IEventService>()
-            .DidNotReceiveWithAnyArgs()
-            .LogPolicyEventAsync(default, default, default);
-    }
-
-    [Theory, BitAutoData]
-    public async Task SaveAsync_RequireSsoPolicyRequiredByTrustedDeviceEncryption_DisablePolicy_ThrowsBadRequest(
-        [AdminConsoleFixtures.Policy(PolicyType.RequireSso)] Policy policy,
-        SutProvider<PolicyService> sutProvider)
-    {
-        policy.Enabled = false;
-
-        SetupOrg(sutProvider, policy.OrganizationId, new Organization
-        {
-            Id = policy.OrganizationId,
-            UsePolicies = true,
-        });
-
-        var ssoConfig = new SsoConfig { Enabled = true };
-        ssoConfig.SetData(new SsoConfigurationData { MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption });
-
-        sutProvider.GetDependency<ISsoConfigRepository>()
-            .GetByOrganizationIdAsync(policy.OrganizationId)
-            .Returns(ssoConfig);
-
-        var badRequestException = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.SaveAsync(policy,
-                Guid.NewGuid()));
-
-        Assert.Contains("Trusted device encryption is on and requires this policy.", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
-
-        await sutProvider.GetDependency<IPolicyRepository>()
-            .DidNotReceiveWithAnyArgs()
-            .UpsertAsync(default);
-
-        await sutProvider.GetDependency<IEventService>()
-            .DidNotReceiveWithAnyArgs()
-            .LogPolicyEventAsync(default, default, default);
-    }
-
-    [Theory, BitAutoData]
-    public async Task SaveAsync_PolicyRequiredForAccountRecovery_NotEnabled_ThrowsBadRequestAsync(
-        [AdminConsoleFixtures.Policy(PolicyType.ResetPassword)] Policy policy, SutProvider<PolicyService> sutProvider)
-    {
-        policy.Enabled = true;
-        policy.SetDataModel(new ResetPasswordDataModel());
-
-        SetupOrg(sutProvider, policy.OrganizationId, new Organization
-        {
-            Id = policy.OrganizationId,
-            UsePolicies = true,
-        });
-
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policy.OrganizationId, PolicyType.SingleOrg)
-            .Returns(Task.FromResult(new Policy { Enabled = false }));
-
-        var badRequestException = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.SaveAsync(policy,
-                Guid.NewGuid()));
-
-        Assert.Contains("Single Organization policy not enabled.", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
-
-        await sutProvider.GetDependency<IPolicyRepository>()
-            .DidNotReceiveWithAnyArgs()
-            .UpsertAsync(default);
-
-        await sutProvider.GetDependency<IEventService>()
-            .DidNotReceiveWithAnyArgs()
-            .LogPolicyEventAsync(default, default, default);
-    }
-
-
-    [Theory, BitAutoData]
-    public async Task SaveAsync_SingleOrg_AccountRecoveryEnabled_ThrowsBadRequest(
-        [AdminConsoleFixtures.Policy(PolicyType.SingleOrg)] Policy policy, SutProvider<PolicyService> sutProvider)
-    {
-        policy.Enabled = false;
-
-        SetupOrg(sutProvider, policy.OrganizationId, new Organization
-        {
-            Id = policy.OrganizationId,
-            UsePolicies = true,
-        });
-
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policy.OrganizationId, PolicyType.ResetPassword)
-            .Returns(new Policy { Enabled = true });
-
-        var badRequestException = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.SaveAsync(policy,
-                Guid.NewGuid()));
-
-        Assert.Contains("Account recovery policy is enabled.", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
-
-        await sutProvider.GetDependency<IPolicyRepository>()
-            .DidNotReceiveWithAnyArgs()
-            .UpsertAsync(default);
-    }
-
     [Theory, BitAutoData]
     public async Task GetPoliciesApplicableToUserAsync_WithRequireSsoTypeFilter_WithDefaultOrganizationUserStatusFilter_ReturnsNoPolicies(Guid userId, SutProvider<PolicyService> sutProvider)
     {
@@ -816,32 +143,4 @@ public class PolicyServiceTests
                 new() { OrganizationId = Guid.NewGuid(), PolicyType = PolicyType.DisableSend, PolicyEnabled = true, OrganizationUserType = OrganizationUserType.User, OrganizationUserStatus = OrganizationUserStatusType.Invited, IsProvider = true }
             });
     }
-
-
-    [Theory, BitAutoData]
-    public async Task SaveAsync_GivenOrganizationUsingPoliciesAndHasVerifiedDomains_WhenSingleOrgPolicyIsDisabled_ThenAnErrorShouldBeThrownOrganizationHasVerifiedDomains(
-        [AdminConsoleFixtures.Policy(PolicyType.SingleOrg)] Policy policy, Organization org, SutProvider<PolicyService> sutProvider)
-    {
-        org.Id = policy.OrganizationId;
-        org.UsePolicies = true;
-
-        policy.Enabled = false;
-
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
-            .Returns(true);
-
-        sutProvider.GetDependency<IOrganizationRepository>()
-            .GetByIdAsync(policy.OrganizationId)
-            .Returns(org);
-
-        sutProvider.GetDependency<IOrganizationHasVerifiedDomainsQuery>()
-            .HasVerifiedDomainsAsync(org.Id)
-            .Returns(true);
-
-        var badRequestException = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.SaveAsync(policy, null));
-
-        Assert.Equal("The Single organization policy is required for organizations that have enabled domain verification.", badRequestException.Message);
-    }
 }
diff --git a/test/Core.Test/Auth/Services/SsoConfigServiceTests.cs b/test/Core.Test/Auth/Services/SsoConfigServiceTests.cs
index e397c838c6..7beb772b95 100644
--- a/test/Core.Test/Auth/Services/SsoConfigServiceTests.cs
+++ b/test/Core.Test/Auth/Services/SsoConfigServiceTests.cs
@@ -1,8 +1,9 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 using Bit.Core.AdminConsole.Repositories;
-using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Data;
@@ -338,16 +339,26 @@ public class SsoConfigServiceTests
 
         await sutProvider.Sut.SaveAsync(ssoConfig, organization);
 
-        await sutProvider.GetDependency<IPolicyService>().Received(1)
+        await sutProvider.GetDependency<ISavePolicyCommand>().Received(1)
             .SaveAsync(
-                Arg.Is<Policy>(t => t.Type == PolicyType.SingleOrg),
-                null
+                Arg.Is<PolicyUpdate>(t => t.Type == PolicyType.SingleOrg &&
+                    t.OrganizationId == organization.Id &&
+                    t.Enabled)
             );
 
-        await sutProvider.GetDependency<IPolicyService>().Received(1)
+        await sutProvider.GetDependency<ISavePolicyCommand>().Received(1)
             .SaveAsync(
-                Arg.Is<Policy>(t => t.Type == PolicyType.ResetPassword && t.GetDataModel<ResetPasswordDataModel>().AutoEnrollEnabled),
-                null
+                Arg.Is<PolicyUpdate>(t => t.Type == PolicyType.ResetPassword &&
+                    t.GetDataModel<ResetPasswordDataModel>().AutoEnrollEnabled &&
+                    t.OrganizationId == organization.Id &&
+                    t.Enabled)
+            );
+
+        await sutProvider.GetDependency<ISavePolicyCommand>().Received(1)
+            .SaveAsync(
+                Arg.Is<PolicyUpdate>(t => t.Type == PolicyType.RequireSso &&
+                    t.OrganizationId == organization.Id &&
+                    t.Enabled)
             );
 
         await sutProvider.GetDependency<ISsoConfigRepository>().ReceivedWithAnyArgs()

From 94fdfa40e8af9c9b788aafe2cf89eacc2913eeea Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Wed, 4 Dec 2024 11:45:11 +0100
Subject: [PATCH 020/384] [PM-13999] Show estimated tax for taxable countries
 (#5077)

---
 .../Billing/TaxServiceTests.cs                | 151 +++
 .../Controllers/AccountsBillingController.cs  |  15 +
 .../Billing/Controllers/InvoicesController.cs |  42 +
 .../Controllers/ProviderBillingController.cs  |   1 +
 .../Billing/Controllers/StripeController.cs   |  14 +-
 .../Requests/TaxInformationRequestBody.cs     |   2 +
 .../Billing/Extensions/CurrencyExtensions.cs  |  33 +
 .../Extensions/ServiceCollectionExtensions.cs |   1 +
 .../PreviewIndividualInvoiceRequestModel.cs   |  18 +
 .../PreviewOrganizationInvoiceRequestModel.cs |  37 +
 .../Requests/TaxInformationRequestModel.cs    |  14 +
 .../Responses/PreviewInvoiceResponseModel.cs  |   7 +
 src/Core/Billing/Models/PreviewInvoiceInfo.cs |   7 +
 .../Billing/Models/Sales/OrganizationSale.cs  |   1 +
 src/Core/Billing/Models/TaxIdType.cs          |  22 +
 src/Core/Billing/Models/TaxInformation.cs     | 160 +---
 src/Core/Billing/Services/ITaxService.cs      |  22 +
 .../OrganizationBillingService.cs             |  35 +-
 .../PremiumUserBillingService.cs              |  37 +-
 .../Implementations/SubscriberService.cs      |  51 +-
 src/Core/Billing/Services/TaxService.cs       | 901 ++++++++++++++++++
 src/Core/Billing/Utilities.cs                 |   1 +
 src/Core/Models/Business/TaxInfo.cs           | 208 +---
 src/Core/Services/IPaymentService.cs          |   6 +
 src/Core/Services/IStripeAdapter.cs           |   2 +
 .../Services/Implementations/StripeAdapter.cs |  12 +
 .../Implementations/StripePaymentService.cs   | 389 +++++++-
 .../Services/SubscriberServiceTests.cs        |   3 +-
 .../Core.Test/Models/Business/TaxInfoTests.cs | 114 ---
 .../Services/StripePaymentServiceTests.cs     |  18 +-
 30 files changed, 1793 insertions(+), 531 deletions(-)
 create mode 100644 bitwarden_license/test/Commercial.Core.Test/Billing/TaxServiceTests.cs
 create mode 100644 src/Api/Billing/Controllers/InvoicesController.cs
 create mode 100644 src/Core/Billing/Extensions/CurrencyExtensions.cs
 create mode 100644 src/Core/Billing/Models/Api/Requests/Accounts/PreviewIndividualInvoiceRequestModel.cs
 create mode 100644 src/Core/Billing/Models/Api/Requests/Organizations/PreviewOrganizationInvoiceRequestModel.cs
 create mode 100644 src/Core/Billing/Models/Api/Requests/TaxInformationRequestModel.cs
 create mode 100644 src/Core/Billing/Models/Api/Responses/PreviewInvoiceResponseModel.cs
 create mode 100644 src/Core/Billing/Models/PreviewInvoiceInfo.cs
 create mode 100644 src/Core/Billing/Models/TaxIdType.cs
 create mode 100644 src/Core/Billing/Services/ITaxService.cs
 create mode 100644 src/Core/Billing/Services/TaxService.cs
 delete mode 100644 test/Core.Test/Models/Business/TaxInfoTests.cs

diff --git a/bitwarden_license/test/Commercial.Core.Test/Billing/TaxServiceTests.cs b/bitwarden_license/test/Commercial.Core.Test/Billing/TaxServiceTests.cs
new file mode 100644
index 0000000000..3995fb9de6
--- /dev/null
+++ b/bitwarden_license/test/Commercial.Core.Test/Billing/TaxServiceTests.cs
@@ -0,0 +1,151 @@
+using Bit.Core.Billing.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Xunit;
+
+namespace Bit.Commercial.Core.Test.Billing;
+
+[SutProviderCustomize]
+public class TaxServiceTests
+{
+    [Theory]
+    [BitAutoData("AD", "A-123456-Z", "ad_nrt")]
+    [BitAutoData("AD", "A123456Z", "ad_nrt")]
+    [BitAutoData("AR", "20-12345678-9", "ar_cuit")]
+    [BitAutoData("AR", "20123456789", "ar_cuit")]
+    [BitAutoData("AU", "01259983598", "au_abn")]
+    [BitAutoData("AU", "123456789123", "au_arn")]
+    [BitAutoData("AT", "ATU12345678", "eu_vat")]
+    [BitAutoData("BH", "123456789012345", "bh_vat")]
+    [BitAutoData("BY", "123456789", "by_tin")]
+    [BitAutoData("BE", "BE0123456789", "eu_vat")]
+    [BitAutoData("BO", "123456789", "bo_tin")]
+    [BitAutoData("BR", "01.234.456/5432-10", "br_cnpj")]
+    [BitAutoData("BR", "01234456543210", "br_cnpj")]
+    [BitAutoData("BR", "123.456.789-87", "br_cpf")]
+    [BitAutoData("BR", "12345678987", "br_cpf")]
+    [BitAutoData("BG", "123456789", "bg_uic")]
+    [BitAutoData("BG", "BG012100705", "eu_vat")]
+    [BitAutoData("CA", "100728494", "ca_bn")]
+    [BitAutoData("CA", "123456789RT0001", "ca_gst_hst")]
+    [BitAutoData("CA", "PST-1234-1234", "ca_pst_bc")]
+    [BitAutoData("CA", "123456-7", "ca_pst_mb")]
+    [BitAutoData("CA", "1234567", "ca_pst_sk")]
+    [BitAutoData("CA", "1234567890TQ1234", "ca_qst")]
+    [BitAutoData("CL", "11.121.326-1", "cl_tin")]
+    [BitAutoData("CL", "11121326-1", "cl_tin")]
+    [BitAutoData("CL", "23.121.326-K", "cl_tin")]
+    [BitAutoData("CL", "43651326-K", "cl_tin")]
+    [BitAutoData("CN", "123456789012345678", "cn_tin")]
+    [BitAutoData("CN", "123456789012345", "cn_tin")]
+    [BitAutoData("CO", "123.456.789-0", "co_nit")]
+    [BitAutoData("CO", "1234567890", "co_nit")]
+    [BitAutoData("CR", "1-234-567890", "cr_tin")]
+    [BitAutoData("CR", "1234567890", "cr_tin")]
+    [BitAutoData("HR", "HR12345678912", "eu_vat")]
+    [BitAutoData("HR", "12345678901", "hr_oib")]
+    [BitAutoData("CY", "CY12345678X", "eu_vat")]
+    [BitAutoData("CZ", "CZ12345678", "eu_vat")]
+    [BitAutoData("DK", "DK12345678", "eu_vat")]
+    [BitAutoData("DO", "123-4567890-1", "do_rcn")]
+    [BitAutoData("DO", "12345678901", "do_rcn")]
+    [BitAutoData("EC", "1234567890001", "ec_ruc")]
+    [BitAutoData("EG", "123456789", "eg_tin")]
+    [BitAutoData("SV", "1234-567890-123-4", "sv_nit")]
+    [BitAutoData("SV", "12345678901234", "sv_nit")]
+    [BitAutoData("EE", "EE123456789", "eu_vat")]
+    [BitAutoData("EU", "EU123456789", "eu_oss_vat")]
+    [BitAutoData("FI", "FI12345678", "eu_vat")]
+    [BitAutoData("FR", "FR12345678901", "eu_vat")]
+    [BitAutoData("GE", "123456789", "ge_vat")]
+    [BitAutoData("DE", "1234567890", "de_stn")]
+    [BitAutoData("DE", "DE123456789", "eu_vat")]
+    [BitAutoData("GR", "EL123456789", "eu_vat")]
+    [BitAutoData("HK", "12345678", "hk_br")]
+    [BitAutoData("HU", "HU12345678", "eu_vat")]
+    [BitAutoData("HU", "12345678-1-23", "hu_tin")]
+    [BitAutoData("HU", "12345678123", "hu_tin")]
+    [BitAutoData("IS", "123456", "is_vat")]
+    [BitAutoData("IN", "12ABCDE1234F1Z5", "in_gst")]
+    [BitAutoData("IN", "12ABCDE3456FGZH", "in_gst")]
+    [BitAutoData("ID", "012.345.678.9-012.345", "id_npwp")]
+    [BitAutoData("ID", "0123456789012345", "id_npwp")]
+    [BitAutoData("IE", "IE1234567A", "eu_vat")]
+    [BitAutoData("IE", "IE1234567AB", "eu_vat")]
+    [BitAutoData("IL", "000012345", "il_vat")]
+    [BitAutoData("IL", "123456789", "il_vat")]
+    [BitAutoData("IT", "IT12345678901", "eu_vat")]
+    [BitAutoData("JP", "1234567890123", "jp_cn")]
+    [BitAutoData("JP", "12345", "jp_rn")]
+    [BitAutoData("KZ", "123456789012", "kz_bin")]
+    [BitAutoData("KE", "P000111111A", "ke_pin")]
+    [BitAutoData("LV", "LV12345678912", "eu_vat")]
+    [BitAutoData("LI", "CHE123456789", "li_uid")]
+    [BitAutoData("LI", "12345", "li_vat")]
+    [BitAutoData("LT", "LT123456789123", "eu_vat")]
+    [BitAutoData("LU", "LU12345678", "eu_vat")]
+    [BitAutoData("MY", "12345678", "my_frp")]
+    [BitAutoData("MY", "C 1234567890", "my_itn")]
+    [BitAutoData("MY", "C1234567890", "my_itn")]
+    [BitAutoData("MY", "A12-3456-78912345", "my_sst")]
+    [BitAutoData("MY", "A12345678912345", "my_sst")]
+    [BitAutoData("MT", "MT12345678", "eu_vat")]
+    [BitAutoData("MX", "ABC010203AB9", "mx_rfc")]
+    [BitAutoData("MD", "1003600", "md_vat")]
+    [BitAutoData("MA", "12345678", "ma_vat")]
+    [BitAutoData("NL", "NL123456789B12", "eu_vat")]
+    [BitAutoData("NZ", "123456789", "nz_gst")]
+    [BitAutoData("NG", "12345678-0001", "ng_tin")]
+    [BitAutoData("NO", "123456789MVA", "no_vat")]
+    [BitAutoData("NO", "1234567", "no_voec")]
+    [BitAutoData("OM", "OM1234567890", "om_vat")]
+    [BitAutoData("PE", "12345678901", "pe_ruc")]
+    [BitAutoData("PH", "123456789012", "ph_tin")]
+    [BitAutoData("PL", "PL1234567890", "eu_vat")]
+    [BitAutoData("PT", "PT123456789", "eu_vat")]
+    [BitAutoData("RO", "RO1234567891", "eu_vat")]
+    [BitAutoData("RO", "1234567890123", "ro_tin")]
+    [BitAutoData("RU", "1234567891", "ru_inn")]
+    [BitAutoData("RU", "123456789", "ru_kpp")]
+    [BitAutoData("SA", "123456789012345", "sa_vat")]
+    [BitAutoData("RS", "123456789", "rs_pib")]
+    [BitAutoData("SG", "M12345678X", "sg_gst")]
+    [BitAutoData("SG", "123456789F", "sg_uen")]
+    [BitAutoData("SK", "SK1234567891", "eu_vat")]
+    [BitAutoData("SI", "SI12345678", "eu_vat")]
+    [BitAutoData("SI", "12345678", "si_tin")]
+    [BitAutoData("ZA", "4123456789", "za_vat")]
+    [BitAutoData("KR", "123-45-67890", "kr_brn")]
+    [BitAutoData("KR", "1234567890", "kr_brn")]
+    [BitAutoData("ES", "A12345678", "es_cif")]
+    [BitAutoData("ES", "ESX1234567X", "eu_vat")]
+    [BitAutoData("SE", "SE123456789012", "eu_vat")]
+    [BitAutoData("CH", "CHE-123.456.789 HR", "ch_uid")]
+    [BitAutoData("CH", "CHE123456789HR", "ch_uid")]
+    [BitAutoData("CH", "CHE-123.456.789 MWST", "ch_vat")]
+    [BitAutoData("CH", "CHE123456789MWST", "ch_vat")]
+    [BitAutoData("TW", "12345678", "tw_vat")]
+    [BitAutoData("TH", "1234567890123", "th_vat")]
+    [BitAutoData("TR", "0123456789", "tr_tin")]
+    [BitAutoData("UA", "123456789", "ua_vat")]
+    [BitAutoData("AE", "123456789012345", "ae_trn")]
+    [BitAutoData("GB", "XI123456789", "eu_vat")]
+    [BitAutoData("GB", "GB123456789", "gb_vat")]
+    [BitAutoData("US", "12-3456789", "us_ein")]
+    [BitAutoData("UY", "123456789012", "uy_ruc")]
+    [BitAutoData("UZ", "123456789", "uz_tin")]
+    [BitAutoData("UZ", "123456789012", "uz_vat")]
+    [BitAutoData("VE", "A-12345678-9", "ve_rif")]
+    [BitAutoData("VE", "A123456789", "ve_rif")]
+    [BitAutoData("VN", "1234567890", "vn_tin")]
+    public void GetStripeTaxCode_WithValidCountryAndTaxId_ReturnsExpectedTaxIdType(
+        string country,
+        string taxId,
+        string expected,
+        SutProvider<TaxService> sutProvider)
+    {
+        var result = sutProvider.Sut.GetStripeTaxCode(country, taxId);
+
+        Assert.Equal(expected, result);
+    }
+}
diff --git a/src/Api/Billing/Controllers/AccountsBillingController.cs b/src/Api/Billing/Controllers/AccountsBillingController.cs
index 574ac3e65e..fcb89226e7 100644
--- a/src/Api/Billing/Controllers/AccountsBillingController.cs
+++ b/src/Api/Billing/Controllers/AccountsBillingController.cs
@@ -1,5 +1,6 @@
 #nullable enable
 using Bit.Api.Billing.Models.Responses;
+using Bit.Core.Billing.Models.Api.Requests.Accounts;
 using Bit.Core.Billing.Services;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
@@ -77,4 +78,18 @@ public class AccountsBillingController(
 
         return TypedResults.Ok(transactions);
     }
+
+    [HttpPost("preview-invoice")]
+    public async Task<IResult> PreviewInvoiceAsync([FromBody] PreviewIndividualInvoiceRequestBody model)
+    {
+        var user = await userService.GetUserByPrincipalAsync(User);
+        if (user == null)
+        {
+            throw new UnauthorizedAccessException();
+        }
+
+        var invoice = await paymentService.PreviewInvoiceAsync(model, user.GatewayCustomerId, user.GatewaySubscriptionId);
+
+        return TypedResults.Ok(invoice);
+    }
 }
diff --git a/src/Api/Billing/Controllers/InvoicesController.cs b/src/Api/Billing/Controllers/InvoicesController.cs
new file mode 100644
index 0000000000..686d9b9643
--- /dev/null
+++ b/src/Api/Billing/Controllers/InvoicesController.cs
@@ -0,0 +1,42 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Billing.Models.Api.Requests.Organizations;
+using Bit.Core.Context;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.Billing.Controllers;
+
+[Route("invoices")]
+[Authorize("Application")]
+public class InvoicesController : BaseBillingController
+{
+    [HttpPost("preview-organization")]
+    public async Task<IResult> PreviewInvoiceAsync(
+        [FromBody] PreviewOrganizationInvoiceRequestBody model,
+        [FromServices] ICurrentContext currentContext,
+        [FromServices] IOrganizationRepository organizationRepository,
+        [FromServices] IPaymentService paymentService)
+    {
+        Organization organization = null;
+        if (model.OrganizationId != default)
+        {
+            if (!await currentContext.EditPaymentMethods(model.OrganizationId))
+            {
+                return Error.Unauthorized();
+            }
+
+            organization = await organizationRepository.GetByIdAsync(model.OrganizationId);
+            if (organization == null)
+            {
+                return Error.NotFound();
+            }
+        }
+
+        var invoice = await paymentService.PreviewInvoiceAsync(model, organization?.GatewayCustomerId,
+            organization?.GatewaySubscriptionId);
+
+        return TypedResults.Ok(invoice);
+    }
+}
diff --git a/src/Api/Billing/Controllers/ProviderBillingController.cs b/src/Api/Billing/Controllers/ProviderBillingController.cs
index f7ddf0853e..c5de63c69b 100644
--- a/src/Api/Billing/Controllers/ProviderBillingController.cs
+++ b/src/Api/Billing/Controllers/ProviderBillingController.cs
@@ -119,6 +119,7 @@ public class ProviderBillingController(
             requestBody.Country,
             requestBody.PostalCode,
             requestBody.TaxId,
+            requestBody.TaxIdType,
             requestBody.Line1,
             requestBody.Line2,
             requestBody.City,
diff --git a/src/Api/Billing/Controllers/StripeController.cs b/src/Api/Billing/Controllers/StripeController.cs
index a4a974bb99..f5e8253bfa 100644
--- a/src/Api/Billing/Controllers/StripeController.cs
+++ b/src/Api/Billing/Controllers/StripeController.cs
@@ -1,4 +1,5 @@
-using Bit.Core.Services;
+using Bit.Core.Billing.Services;
+using Bit.Core.Services;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http.HttpResults;
 using Microsoft.AspNetCore.Mvc;
@@ -46,4 +47,15 @@ public class StripeController(
 
         return TypedResults.Ok(setupIntent.ClientSecret);
     }
+
+    [HttpGet]
+    [Route("~/tax/is-country-supported")]
+    public IResult IsCountrySupported(
+        [FromQuery] string country,
+        [FromServices] ITaxService taxService)
+    {
+        var isSupported = taxService.IsSupported(country);
+
+        return TypedResults.Ok(isSupported);
+    }
 }
diff --git a/src/Api/Billing/Models/Requests/TaxInformationRequestBody.cs b/src/Api/Billing/Models/Requests/TaxInformationRequestBody.cs
index c5c0fde00b..32ba2effb2 100644
--- a/src/Api/Billing/Models/Requests/TaxInformationRequestBody.cs
+++ b/src/Api/Billing/Models/Requests/TaxInformationRequestBody.cs
@@ -10,6 +10,7 @@ public class TaxInformationRequestBody
     [Required]
     public string PostalCode { get; set; }
     public string TaxId { get; set; }
+    public string TaxIdType { get; set; }
     public string Line1 { get; set; }
     public string Line2 { get; set; }
     public string City { get; set; }
@@ -19,6 +20,7 @@ public class TaxInformationRequestBody
         Country,
         PostalCode,
         TaxId,
+        TaxIdType,
         Line1,
         Line2,
         City,
diff --git a/src/Core/Billing/Extensions/CurrencyExtensions.cs b/src/Core/Billing/Extensions/CurrencyExtensions.cs
new file mode 100644
index 0000000000..cde1a7bea8
--- /dev/null
+++ b/src/Core/Billing/Extensions/CurrencyExtensions.cs
@@ -0,0 +1,33 @@
+namespace Bit.Core.Billing.Extensions;
+
+public static class CurrencyExtensions
+{
+    /// <summary>
+    /// Converts a currency amount in major units to minor units.
+    /// </summary>
+    /// <example>123.99 USD returns 12399 in minor units.</example>
+    public static long ToMinor(this decimal amount)
+    {
+        return Convert.ToInt64(amount * 100);
+    }
+
+    /// <summary>
+    /// Converts a currency amount in minor units to major units.
+    /// </summary>
+    /// <param name="amount"></param>
+    /// <example>12399 in minor units returns 123.99 USD.</example>
+    public static decimal? ToMajor(this long? amount)
+    {
+        return amount?.ToMajor();
+    }
+
+    /// <summary>
+    /// Converts a currency amount in minor units to major units.
+    /// </summary>
+    /// <param name="amount"></param>
+    /// <example>12399 in minor units returns 123.99 USD.</example>
+    public static decimal ToMajor(this long amount)
+    {
+        return Convert.ToDecimal(amount) / 100;
+    }
+}
diff --git a/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs b/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
index abfceac736..8f2803d920 100644
--- a/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
+++ b/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
@@ -11,6 +11,7 @@ public static class ServiceCollectionExtensions
 {
     public static void AddBillingOperations(this IServiceCollection services)
     {
+        services.AddSingleton<ITaxService, TaxService>();
         services.AddTransient<IOrganizationBillingService, OrganizationBillingService>();
         services.AddTransient<IPremiumUserBillingService, PremiumUserBillingService>();
         services.AddTransient<ISetupIntentCache, SetupIntentDistributedCache>();
diff --git a/src/Core/Billing/Models/Api/Requests/Accounts/PreviewIndividualInvoiceRequestModel.cs b/src/Core/Billing/Models/Api/Requests/Accounts/PreviewIndividualInvoiceRequestModel.cs
new file mode 100644
index 0000000000..6dfb9894d5
--- /dev/null
+++ b/src/Core/Billing/Models/Api/Requests/Accounts/PreviewIndividualInvoiceRequestModel.cs
@@ -0,0 +1,18 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Core.Billing.Models.Api.Requests.Accounts;
+
+public class PreviewIndividualInvoiceRequestBody
+{
+    [Required]
+    public PasswordManagerRequestModel PasswordManager { get; set; }
+
+    [Required]
+    public TaxInformationRequestModel TaxInformation { get; set; }
+}
+
+public class PasswordManagerRequestModel
+{
+    [Range(0, int.MaxValue)]
+    public int AdditionalStorage { get; set; }
+}
diff --git a/src/Core/Billing/Models/Api/Requests/Organizations/PreviewOrganizationInvoiceRequestModel.cs b/src/Core/Billing/Models/Api/Requests/Organizations/PreviewOrganizationInvoiceRequestModel.cs
new file mode 100644
index 0000000000..18d9c352d7
--- /dev/null
+++ b/src/Core/Billing/Models/Api/Requests/Organizations/PreviewOrganizationInvoiceRequestModel.cs
@@ -0,0 +1,37 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Billing.Enums;
+
+namespace Bit.Core.Billing.Models.Api.Requests.Organizations;
+
+public class PreviewOrganizationInvoiceRequestBody
+{
+    public Guid OrganizationId { get; set; }
+
+    [Required]
+    public PasswordManagerRequestModel PasswordManager { get; set; }
+
+    public SecretsManagerRequestModel SecretsManager { get; set; }
+
+    [Required]
+    public TaxInformationRequestModel TaxInformation { get; set; }
+}
+
+public class PasswordManagerRequestModel
+{
+    public PlanType Plan { get; set; }
+
+    [Range(0, int.MaxValue)]
+    public int Seats { get; set; }
+
+    [Range(0, int.MaxValue)]
+    public int AdditionalStorage { get; set; }
+}
+
+public class SecretsManagerRequestModel
+{
+    [Range(0, int.MaxValue)]
+    public int Seats { get; set; }
+
+    [Range(0, int.MaxValue)]
+    public int AdditionalMachineAccounts { get; set; }
+}
diff --git a/src/Core/Billing/Models/Api/Requests/TaxInformationRequestModel.cs b/src/Core/Billing/Models/Api/Requests/TaxInformationRequestModel.cs
new file mode 100644
index 0000000000..9cb43645c6
--- /dev/null
+++ b/src/Core/Billing/Models/Api/Requests/TaxInformationRequestModel.cs
@@ -0,0 +1,14 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Core.Billing.Models.Api.Requests;
+
+public class TaxInformationRequestModel
+{
+    [Length(2, 2), Required]
+    public string Country { get; set; }
+
+    [Required]
+    public string PostalCode { get; set; }
+
+    public string TaxId { get; set; }
+}
diff --git a/src/Core/Billing/Models/Api/Responses/PreviewInvoiceResponseModel.cs b/src/Core/Billing/Models/Api/Responses/PreviewInvoiceResponseModel.cs
new file mode 100644
index 0000000000..fdde7dae1e
--- /dev/null
+++ b/src/Core/Billing/Models/Api/Responses/PreviewInvoiceResponseModel.cs
@@ -0,0 +1,7 @@
+namespace Bit.Core.Billing.Models.Api.Responses;
+
+public record PreviewInvoiceResponseModel(
+    decimal EffectiveTaxRate,
+    decimal TaxableBaseAmount,
+    decimal TaxAmount,
+    decimal TotalAmount);
diff --git a/src/Core/Billing/Models/PreviewInvoiceInfo.cs b/src/Core/Billing/Models/PreviewInvoiceInfo.cs
new file mode 100644
index 0000000000..16a2019c20
--- /dev/null
+++ b/src/Core/Billing/Models/PreviewInvoiceInfo.cs
@@ -0,0 +1,7 @@
+namespace Bit.Core.Billing.Models;
+
+public record PreviewInvoiceInfo(
+    decimal EffectiveTaxRate,
+    decimal TaxableBaseAmount,
+    decimal TaxAmount,
+    decimal TotalAmount);
diff --git a/src/Core/Billing/Models/Sales/OrganizationSale.cs b/src/Core/Billing/Models/Sales/OrganizationSale.cs
index a19c278c68..43852bb320 100644
--- a/src/Core/Billing/Models/Sales/OrganizationSale.cs
+++ b/src/Core/Billing/Models/Sales/OrganizationSale.cs
@@ -65,6 +65,7 @@ public class OrganizationSale
             signup.TaxInfo.BillingAddressCountry,
             signup.TaxInfo.BillingAddressPostalCode,
             signup.TaxInfo.TaxIdNumber,
+            signup.TaxInfo.TaxIdType,
             signup.TaxInfo.BillingAddressLine1,
             signup.TaxInfo.BillingAddressLine2,
             signup.TaxInfo.BillingAddressCity,
diff --git a/src/Core/Billing/Models/TaxIdType.cs b/src/Core/Billing/Models/TaxIdType.cs
new file mode 100644
index 0000000000..3fc246d68b
--- /dev/null
+++ b/src/Core/Billing/Models/TaxIdType.cs
@@ -0,0 +1,22 @@
+using System.Text.RegularExpressions;
+
+namespace Bit.Core.Billing.Models;
+
+public class TaxIdType
+{
+    /// <summary>
+    /// ISO-3166-2 code for the country.
+    /// </summary>
+    public string Country { get; set; }
+
+    /// <summary>
+    /// The identifier in Stripe for the tax ID type.
+    /// </summary>
+    public string Code { get; set; }
+
+    public Regex ValidationExpression { get; set; }
+
+    public string Description { get; set; }
+
+    public string Example { get; set; }
+}
diff --git a/src/Core/Billing/Models/TaxInformation.cs b/src/Core/Billing/Models/TaxInformation.cs
index 5403f94690..23ed3e5faa 100644
--- a/src/Core/Billing/Models/TaxInformation.cs
+++ b/src/Core/Billing/Models/TaxInformation.cs
@@ -1,5 +1,4 @@
 using Bit.Core.Models.Business;
-using Stripe;
 
 namespace Bit.Core.Billing.Models;
 
@@ -7,6 +6,7 @@ public record TaxInformation(
     string Country,
     string PostalCode,
     string TaxId,
+    string TaxIdType,
     string Line1,
     string Line2,
     string City,
@@ -16,165 +16,9 @@ public record TaxInformation(
         taxInfo.BillingAddressCountry,
         taxInfo.BillingAddressPostalCode,
         taxInfo.TaxIdNumber,
+        taxInfo.TaxIdType,
         taxInfo.BillingAddressLine1,
         taxInfo.BillingAddressLine2,
         taxInfo.BillingAddressCity,
         taxInfo.BillingAddressState);
-
-    public (AddressOptions, List<CustomerTaxIdDataOptions>) GetStripeOptions()
-    {
-        var address = new AddressOptions
-        {
-            Country = Country,
-            PostalCode = PostalCode,
-            Line1 = Line1,
-            Line2 = Line2,
-            City = City,
-            State = State
-        };
-
-        var customerTaxIdDataOptionsList = !string.IsNullOrEmpty(TaxId)
-            ? new List<CustomerTaxIdDataOptions> { new() { Type = GetTaxIdType(), Value = TaxId } }
-            : null;
-
-        return (address, customerTaxIdDataOptionsList);
-    }
-
-    public string GetTaxIdType()
-    {
-        if (string.IsNullOrEmpty(Country) || string.IsNullOrEmpty(TaxId))
-        {
-            return null;
-        }
-
-        switch (Country.ToUpper())
-        {
-            case "AD":
-                return "ad_nrt";
-            case "AE":
-                return "ae_trn";
-            case "AR":
-                return "ar_cuit";
-            case "AU":
-                return "au_abn";
-            case "BO":
-                return "bo_tin";
-            case "BR":
-                return "br_cnpj";
-            case "CA":
-                // May break for those in Québec given the assumption of QST
-                if (State?.Contains("bec") ?? false)
-                {
-                    return "ca_qst";
-                }
-                return "ca_bn";
-            case "CH":
-                return "ch_vat";
-            case "CL":
-                return "cl_tin";
-            case "CN":
-                return "cn_tin";
-            case "CO":
-                return "co_nit";
-            case "CR":
-                return "cr_tin";
-            case "DO":
-                return "do_rcn";
-            case "EC":
-                return "ec_ruc";
-            case "EG":
-                return "eg_tin";
-            case "GE":
-                return "ge_vat";
-            case "ID":
-                return "id_npwp";
-            case "IL":
-                return "il_vat";
-            case "IS":
-                return "is_vat";
-            case "KE":
-                return "ke_pin";
-            case "AT":
-            case "BE":
-            case "BG":
-            case "CY":
-            case "CZ":
-            case "DE":
-            case "DK":
-            case "EE":
-            case "ES":
-            case "FI":
-            case "FR":
-            case "GB":
-            case "GR":
-            case "HR":
-            case "HU":
-            case "IE":
-            case "IT":
-            case "LT":
-            case "LU":
-            case "LV":
-            case "MT":
-            case "NL":
-            case "PL":
-            case "PT":
-            case "RO":
-            case "SE":
-            case "SI":
-            case "SK":
-                return "eu_vat";
-            case "HK":
-                return "hk_br";
-            case "IN":
-                return "in_gst";
-            case "JP":
-                return "jp_cn";
-            case "KR":
-                return "kr_brn";
-            case "LI":
-                return "li_uid";
-            case "MX":
-                return "mx_rfc";
-            case "MY":
-                return "my_sst";
-            case "NO":
-                return "no_vat";
-            case "NZ":
-                return "nz_gst";
-            case "PE":
-                return "pe_ruc";
-            case "PH":
-                return "ph_tin";
-            case "RS":
-                return "rs_pib";
-            case "RU":
-                return "ru_inn";
-            case "SA":
-                return "sa_vat";
-            case "SG":
-                return "sg_gst";
-            case "SV":
-                return "sv_nit";
-            case "TH":
-                return "th_vat";
-            case "TR":
-                return "tr_tin";
-            case "TW":
-                return "tw_vat";
-            case "UA":
-                return "ua_vat";
-            case "US":
-                return "us_ein";
-            case "UY":
-                return "uy_ruc";
-            case "VE":
-                return "ve_rif";
-            case "VN":
-                return "vn_tin";
-            case "ZA":
-                return "za_vat";
-            default:
-                return null;
-        }
-    }
 }
diff --git a/src/Core/Billing/Services/ITaxService.cs b/src/Core/Billing/Services/ITaxService.cs
new file mode 100644
index 0000000000..beee113d17
--- /dev/null
+++ b/src/Core/Billing/Services/ITaxService.cs
@@ -0,0 +1,22 @@
+namespace Bit.Core.Billing.Services;
+
+public interface ITaxService
+{
+    /// <summary>
+    /// Retrieves the Stripe tax code for a given country and tax ID.
+    /// </summary>
+    /// <param name="country"></param>
+    /// <param name="taxId"></param>
+    /// <returns>
+    /// Returns the Stripe tax code if the tax ID is valid for the country.
+    /// Returns null if the tax ID is invalid or the country is not supported.
+    /// </returns>
+    string GetStripeTaxCode(string country, string taxId);
+
+    /// <summary>
+    /// Returns true or false whether charging or storing tax is supported for the given country.
+    /// </summary>
+    /// <param name="country"></param>
+    /// <returns></returns>
+    bool IsSupported(string country);
+}
diff --git a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
index eadc589625..b186a99d93 100644
--- a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
@@ -28,7 +28,8 @@ public class OrganizationBillingService(
     IOrganizationRepository organizationRepository,
     ISetupIntentCache setupIntentCache,
     IStripeAdapter stripeAdapter,
-    ISubscriberService subscriberService) : IOrganizationBillingService
+    ISubscriberService subscriberService,
+    ITaxService taxService) : IOrganizationBillingService
 {
     public async Task Finalize(OrganizationSale sale)
     {
@@ -167,14 +168,38 @@ public class OrganizationBillingService(
                 throw new BillingException();
             }
 
-            var (address, taxIdData) = customerSetup.TaxInformation.GetStripeOptions();
-
-            customerCreateOptions.Address = address;
+            customerCreateOptions.Address = new AddressOptions
+            {
+                Line1 = customerSetup.TaxInformation.Line1,
+                Line2 = customerSetup.TaxInformation.Line2,
+                City = customerSetup.TaxInformation.City,
+                PostalCode = customerSetup.TaxInformation.PostalCode,
+                State = customerSetup.TaxInformation.State,
+                Country = customerSetup.TaxInformation.Country,
+            };
             customerCreateOptions.Tax = new CustomerTaxOptions
             {
                 ValidateLocation = StripeConstants.ValidateTaxLocationTiming.Immediately
             };
-            customerCreateOptions.TaxIdData = taxIdData;
+
+            if (!string.IsNullOrEmpty(customerSetup.TaxInformation.TaxId))
+            {
+                var taxIdType = taxService.GetStripeTaxCode(customerSetup.TaxInformation.Country,
+                    customerSetup.TaxInformation.TaxId);
+
+                if (taxIdType == null)
+                {
+                    logger.LogWarning("Could not determine tax ID type for organization '{OrganizationID}' in country '{Country}' with tax ID '{TaxID}'.",
+                        organization.Id,
+                        customerSetup.TaxInformation.Country,
+                        customerSetup.TaxInformation.TaxId);
+                }
+
+                customerCreateOptions.TaxIdData =
+                [
+                    new() { Type = taxIdType, Value = customerSetup.TaxInformation.TaxId }
+                ];
+            }
 
             var (paymentMethodType, paymentMethodToken) = customerSetup.TokenizedPaymentSource;
 
diff --git a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
index 92c81dae1c..5351888ad9 100644
--- a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
@@ -24,7 +24,8 @@ public class PremiumUserBillingService(
     ISetupIntentCache setupIntentCache,
     IStripeAdapter stripeAdapter,
     ISubscriberService subscriberService,
-    IUserRepository userRepository) : IPremiumUserBillingService
+    IUserRepository userRepository,
+    ITaxService taxService) : IPremiumUserBillingService
 {
     public async Task Finalize(PremiumUserSale sale)
     {
@@ -82,13 +83,19 @@ public class PremiumUserBillingService(
             throw new BillingException();
         }
 
-        var (address, taxIdData) = customerSetup.TaxInformation.GetStripeOptions();
-
         var subscriberName = user.SubscriberName();
 
         var customerCreateOptions = new CustomerCreateOptions
         {
-            Address = address,
+            Address = new AddressOptions
+            {
+                Line1 = customerSetup.TaxInformation.Line1,
+                Line2 = customerSetup.TaxInformation.Line2,
+                City = customerSetup.TaxInformation.City,
+                PostalCode = customerSetup.TaxInformation.PostalCode,
+                State = customerSetup.TaxInformation.State,
+                Country = customerSetup.TaxInformation.Country,
+            },
             Description = user.Name,
             Email = user.Email,
             Expand = ["tax"],
@@ -113,10 +120,28 @@ public class PremiumUserBillingService(
             Tax = new CustomerTaxOptions
             {
                 ValidateLocation = StripeConstants.ValidateTaxLocationTiming.Immediately
-            },
-            TaxIdData = taxIdData
+            }
         };
 
+        if (!string.IsNullOrEmpty(customerSetup.TaxInformation.TaxId))
+        {
+            var taxIdType = taxService.GetStripeTaxCode(customerSetup.TaxInformation.Country,
+                customerSetup.TaxInformation.TaxId);
+
+            if (taxIdType == null)
+            {
+                logger.LogWarning("Could not infer tax ID type in country '{Country}' with tax ID '{TaxID}'.",
+                    customerSetup.TaxInformation.Country,
+                    customerSetup.TaxInformation.TaxId);
+                throw new Exceptions.BadRequestException("billingTaxIdTypeInferenceError");
+            }
+
+            customerCreateOptions.TaxIdData =
+            [
+                new() { Type = taxIdType, Value = customerSetup.TaxInformation.TaxId }
+            ];
+        }
+
         var (paymentMethodType, paymentMethodToken) = customerSetup.TokenizedPaymentSource;
 
         var braintreeCustomerId = "";
diff --git a/src/Core/Billing/Services/Implementations/SubscriberService.cs b/src/Core/Billing/Services/Implementations/SubscriberService.cs
index 9b8f64be82..6125d15419 100644
--- a/src/Core/Billing/Services/Implementations/SubscriberService.cs
+++ b/src/Core/Billing/Services/Implementations/SubscriberService.cs
@@ -23,7 +23,8 @@ public class SubscriberService(
     IGlobalSettings globalSettings,
     ILogger<SubscriberService> logger,
     ISetupIntentCache setupIntentCache,
-    IStripeAdapter stripeAdapter) : ISubscriberService
+    IStripeAdapter stripeAdapter,
+    ITaxService taxService) : ISubscriberService
 {
     public async Task CancelSubscription(
         ISubscriber subscriber,
@@ -618,16 +619,47 @@ public class SubscriberService(
                 await stripeAdapter.TaxIdDeleteAsync(customer.Id, taxId.Id);
             }
 
-            var taxIdType = taxInformation.GetTaxIdType();
-
-            if (!string.IsNullOrWhiteSpace(taxInformation.TaxId) &&
-                !string.IsNullOrWhiteSpace(taxIdType))
+            if (string.IsNullOrWhiteSpace(taxInformation.TaxId))
             {
-                await stripeAdapter.TaxIdCreateAsync(customer.Id, new TaxIdCreateOptions
+                return;
+            }
+
+            var taxIdType = taxInformation.TaxIdType;
+            if (string.IsNullOrWhiteSpace(taxIdType))
+            {
+                taxIdType = taxService.GetStripeTaxCode(taxInformation.Country,
+                    taxInformation.TaxId);
+
+                if (taxIdType == null)
                 {
-                    Type = taxIdType,
-                    Value = taxInformation.TaxId,
-                });
+                    logger.LogWarning("Could not infer tax ID type in country '{Country}' with tax ID '{TaxID}'.",
+                        taxInformation.Country,
+                        taxInformation.TaxId);
+                    throw new Exceptions.BadRequestException("billingTaxIdTypeInferenceError");
+                }
+            }
+
+            try
+            {
+                await stripeAdapter.TaxIdCreateAsync(customer.Id,
+                    new TaxIdCreateOptions { Type = taxIdType, Value = taxInformation.TaxId });
+            }
+            catch (StripeException e)
+            {
+                switch (e.StripeError.Code)
+                {
+                    case StripeConstants.ErrorCodes.TaxIdInvalid:
+                        logger.LogWarning("Invalid tax ID '{TaxID}' for country '{Country}'.",
+                            taxInformation.TaxId,
+                            taxInformation.Country);
+                        throw new Exceptions.BadRequestException("billingInvalidTaxIdError");
+                    default:
+                        logger.LogError(e, "Error creating tax ID '{TaxId}' in country '{Country}' for customer '{CustomerID}'.",
+                            taxInformation.TaxId,
+                            taxInformation.Country,
+                            customer.Id);
+                        throw new Exceptions.BadRequestException("billingTaxIdCreationError");
+                }
             }
         }
 
@@ -770,6 +802,7 @@ public class SubscriberService(
             customer.Address.Country,
             customer.Address.PostalCode,
             customer.TaxIds?.FirstOrDefault()?.Value,
+            customer.TaxIds?.FirstOrDefault()?.Type,
             customer.Address.Line1,
             customer.Address.Line2,
             customer.Address.City,
diff --git a/src/Core/Billing/Services/TaxService.cs b/src/Core/Billing/Services/TaxService.cs
new file mode 100644
index 0000000000..3066be92d1
--- /dev/null
+++ b/src/Core/Billing/Services/TaxService.cs
@@ -0,0 +1,901 @@
+using System.Text.RegularExpressions;
+using Bit.Core.Billing.Models;
+
+namespace Bit.Core.Billing.Services;
+
+public class TaxService : ITaxService
+{
+    /// <summary>
+    /// Retrieves a list of supported tax ID types for customers.
+    /// </summary>
+    /// <remarks>Compiled list from <see href="https://docs.stripe.com/billing/customer/tax-ids">Stripe</see></remarks>
+    private static readonly IEnumerable<TaxIdType> _taxIdTypes =
+    [
+        new()
+        {
+            Country = "AD",
+            Code = "ad_nrt",
+            Description = "Andorran NRT number",
+            Example = "A-123456-Z",
+            ValidationExpression = new Regex("^([A-Z]{1})-?([0-9]{6})-?([A-Z]{1})$")
+        },
+        new()
+        {
+            Country = "AR",
+            Code = "ar_cuit",
+            Description = "Argentinian tax ID number",
+            Example = "12-34567890-1",
+            ValidationExpression = new Regex("^([0-9]{2})-?([0-9]{8})-?([0-9]{1})$")
+        },
+        new()
+        {
+            Country = "AU",
+            Code = "au_abn",
+            Description = "Australian Business Number (AU ABN)",
+            Example = "123456789012",
+            ValidationExpression = new Regex("^[0-9]{11}$")
+        },
+        new()
+        {
+            Country = "AU",
+            Code = "au_arn",
+            Description = "Australian Taxation Office Reference Number",
+            Example = "123456789123",
+            ValidationExpression = new Regex("^[0-9]{12}$")
+        },
+        new()
+        {
+            Country = "AT",
+            Code = "eu_vat",
+            Description = "European VAT number (Austria)",
+            Example = "ATU12345678",
+            ValidationExpression = new Regex("^ATU[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "BH",
+            Code = "bh_vat",
+            Description = "Bahraini VAT Number",
+            Example = "123456789012345",
+            ValidationExpression = new Regex("^[0-9]{15}$")
+        },
+        new()
+        {
+            Country = "BY",
+            Code = "by_tin",
+            Description = "Belarus TIN Number",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "BE",
+            Code = "eu_vat",
+            Description = "European VAT number (Belgium)",
+            Example = "BE0123456789",
+            ValidationExpression = new Regex("^BE[0-9]{10}$")
+        },
+        new()
+        {
+            Country = "BO",
+            Code = "bo_tin",
+            Description = "Bolivian tax ID",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "BR",
+            Code = "br_cnpj",
+            Description = "Brazilian CNPJ number",
+            Example = "01.234.456/5432-10",
+            ValidationExpression = new Regex("^[0-9]{2}.?[0-9]{3}.?[0-9]{3}/?[0-9]{4}-?[0-9]{2}$")
+        },
+        new()
+        {
+            Country = "BR",
+            Code = "br_cpf",
+            Description = "Brazilian CPF number",
+            Example = "123.456.789-87",
+            ValidationExpression = new Regex("^[0-9]{3}.?[0-9]{3}.?[0-9]{3}-?[0-9]{2}$")
+        },
+        new()
+        {
+            Country = "BG",
+            Code = "bg_uic",
+            Description = "Bulgaria Unified Identification Code",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "BG",
+            Code = "eu_vat",
+            Description = "European VAT number (Bulgaria)",
+            Example = "BG0123456789",
+            ValidationExpression = new Regex("^BG[0-9]{9,10}$")
+        },
+        new()
+        {
+            Country = "CA",
+            Code = "ca_bn",
+            Description = "Canadian BN",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "CA",
+            Code = "ca_gst_hst",
+            Description = "Canadian GST/HST number",
+            Example = "123456789RT0002",
+            ValidationExpression = new Regex("^[0-9]{9}RT[0-9]{4}$")
+        },
+        new()
+        {
+            Country = "CA",
+            Code = "ca_pst_bc",
+            Description = "Canadian PST number (British Columbia)",
+            Example = "PST-1234-5678",
+            ValidationExpression = new Regex("^PST-[0-9]{4}-[0-9]{4}$")
+        },
+        new()
+        {
+            Country = "CA",
+            Code = "ca_pst_mb",
+            Description = "Canadian PST number (Manitoba)",
+            Example = "123456-7",
+            ValidationExpression = new Regex("^[0-9]{6}-[0-9]{1}$")
+        },
+        new()
+        {
+            Country = "CA",
+            Code = "ca_pst_sk",
+            Description = "Canadian PST number (Saskatchewan)",
+            Example = "1234567",
+            ValidationExpression = new Regex("^[0-9]{7}$")
+        },
+        new()
+        {
+            Country = "CA",
+            Code = "ca_qst",
+            Description = "Canadian QST number (Québec)",
+            Example = "1234567890TQ1234",
+            ValidationExpression = new Regex("^[0-9]{10}TQ[0-9]{4}$")
+        },
+        new()
+        {
+            Country = "CL",
+            Code = "cl_tin",
+            Description = "Chilean TIN",
+            Example = "12.345.678-K",
+            ValidationExpression = new Regex("^[0-9]{2}.?[0-9]{3}.?[0-9]{3}-?[0-9A-Z]{1}$")
+        },
+        new()
+        {
+            Country = "CN",
+            Code = "cn_tin",
+            Description = "Chinese tax ID",
+            Example = "123456789012345678",
+            ValidationExpression = new Regex("^[0-9]{15,18}$")
+        },
+        new()
+        {
+            Country = "CO",
+            Code = "co_nit",
+            Description = "Colombian NIT number",
+            Example = "123.456.789-0",
+            ValidationExpression = new Regex("^[0-9]{3}.?[0-9]{3}.?[0-9]{3}-?[0-9]{1}$")
+        },
+        new()
+        {
+            Country = "CR",
+            Code = "cr_tin",
+            Description = "Costa Rican tax ID",
+            Example = "1-234-567890",
+            ValidationExpression = new Regex("^[0-9]{1}-?[0-9]{3}-?[0-9]{6}$")
+        },
+        new()
+        {
+            Country = "HR",
+            Code = "eu_vat",
+            Description = "European VAT number (Croatia)",
+            Example = "HR12345678912",
+            ValidationExpression = new Regex("^HR[0-9]{11}$")
+        },
+        new()
+        {
+            Country = "HR",
+            Code = "hr_oib",
+            Description = "Croatian Personal Identification Number",
+            Example = "12345678901",
+            ValidationExpression = new Regex("^[0-9]{11}$")
+        },
+        new()
+        {
+            Country = "CY",
+            Code = "eu_vat",
+            Description = "European VAT number (Cyprus)",
+            Example = "CY12345678X",
+            ValidationExpression = new Regex("^CY[0-9]{8}[A-Z]{1}$")
+        },
+        new()
+        {
+            Country = "CZ",
+            Code = "eu_vat",
+            Description = "European VAT number (Czech Republic)",
+            Example = "CZ12345678",
+            ValidationExpression = new Regex("^CZ[0-9]{8,10}$")
+        },
+        new()
+        {
+            Country = "DK",
+            Code = "eu_vat",
+            Description = "European VAT number (Denmark)",
+            Example = "DK12345678",
+            ValidationExpression = new Regex("^DK[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "DO",
+            Code = "do_rcn",
+            Description = "Dominican RCN number",
+            Example = "123-4567890-1",
+            ValidationExpression = new Regex("^[0-9]{3}-?[0-9]{7}-?[0-9]{1}$")
+        },
+        new()
+        {
+            Country = "EC",
+            Code = "ec_ruc",
+            Description = "Ecuadorian RUC number",
+            Example = "1234567890001",
+            ValidationExpression = new Regex("^[0-9]{13}$")
+        },
+        new()
+        {
+            Country = "EG",
+            Code = "eg_tin",
+            Description = "Egyptian Tax Identification Number",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+
+        new()
+        {
+            Country = "SV",
+            Code = "sv_nit",
+            Description = "El Salvadorian NIT number",
+            Example = "1234-567890-123-4",
+            ValidationExpression = new Regex("^[0-9]{4}-?[0-9]{6}-?[0-9]{3}-?[0-9]{1}$")
+        },
+
+        new()
+        {
+            Country = "EE",
+            Code = "eu_vat",
+            Description = "European VAT number (Estonia)",
+            Example = "EE123456789",
+            ValidationExpression = new Regex("^EE[0-9]{9}$")
+        },
+
+        new()
+        {
+            Country = "EU",
+            Code = "eu_oss_vat",
+            Description = "European One Stop Shop VAT number for non-Union scheme",
+            Example = "EU123456789",
+            ValidationExpression = new Regex("^EU[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "FI",
+            Code = "eu_vat",
+            Description = "European VAT number (Finland)",
+            Example = "FI12345678",
+            ValidationExpression = new Regex("^FI[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "FR",
+            Code = "eu_vat",
+            Description = "European VAT number (France)",
+            Example = "FR12345678901",
+            ValidationExpression = new Regex("^FR[0-9A-Z]{2}[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "GE",
+            Code = "ge_vat",
+            Description = "Georgian VAT",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "DE",
+            Code = "de_stn",
+            Description = "German Tax Number (Steuernummer)",
+            Example = "1234567890",
+            ValidationExpression = new Regex("^[0-9]{10}$")
+        },
+        new()
+        {
+            Country = "DE",
+            Code = "eu_vat",
+            Description = "European VAT number (Germany)",
+            Example = "DE123456789",
+            ValidationExpression = new Regex("^DE[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "GR",
+            Code = "eu_vat",
+            Description = "European VAT number (Greece)",
+            Example = "EL123456789",
+            ValidationExpression = new Regex("^EL[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "HK",
+            Code = "hk_br",
+            Description = "Hong Kong BR number",
+            Example = "12345678",
+            ValidationExpression = new Regex("^[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "HU",
+            Code = "eu_vat",
+            Description = "European VAT number (Hungaria)",
+            Example = "HU12345678",
+            ValidationExpression = new Regex("^HU[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "HU",
+            Code = "hu_tin",
+            Description = "Hungary tax number (adószám)",
+            Example = "12345678-1-23",
+            ValidationExpression = new Regex("^[0-9]{8}-?[0-9]-?[0-9]{2}$")
+        },
+        new()
+        {
+            Country = "IS",
+            Code = "is_vat",
+            Description = "Icelandic VAT",
+            Example = "123456",
+            ValidationExpression = new Regex("^[0-9]{6}$")
+        },
+        new()
+        {
+            Country = "IN",
+            Code = "in_gst",
+            Description = "Indian GST number",
+            Example = "12ABCDE3456FGZH",
+            ValidationExpression = new Regex("^[0-9]{2}[A-Z]{5}[0-9]{4}[A-Z]{1}[1-9A-Z]{1}Z[0-9A-Z]{1}$")
+        },
+        new()
+        {
+            Country = "ID",
+            Code = "id_npwp",
+            Description = "Indonesian NPWP number",
+            Example = "012.345.678.9-012.345",
+            ValidationExpression = new Regex("^[0-9]{3}.?[0-9]{3}.?[0-9]{3}.?[0-9]{1}-?[0-9]{3}.?[0-9]{3}$")
+        },
+        new()
+        {
+            Country = "IE",
+            Code = "eu_vat",
+            Description = "European VAT number (Ireland)",
+            Example = "IE1234567AB",
+            ValidationExpression = new Regex("^IE[0-9]{7}[A-Z]{1,2}$")
+        },
+        new()
+        {
+            Country = "IL",
+            Code = "il_vat",
+            Description = "Israel VAT",
+            Example = "000012345",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "IT",
+            Code = "eu_vat",
+            Description = "European VAT number (Italy)",
+            Example = "IT12345678912",
+            ValidationExpression = new Regex("^IT[0-9]{11}$")
+        },
+        new()
+        {
+            Country = "JP",
+            Code = "jp_cn",
+            Description = "Japanese Corporate Number (*Hōjin Bangō*)",
+            Example = "1234567891234",
+            ValidationExpression = new Regex("^[0-9]{13}$")
+        },
+        new()
+        {
+            Country = "JP",
+            Code = "jp_rn",
+            Description =
+                "Japanese Registered Foreign Businesses' Registration Number (*Tōroku Kokugai Jigyōsha no Tōroku Bangō*)",
+            Example = "12345",
+            ValidationExpression = new Regex("^[0-9]{5}$")
+        },
+        new()
+        {
+            Country = "JP",
+            Code = "jp_trn",
+            Description = "Japanese Tax Registration Number (*Tōroku Bangō*)",
+            Example = "T1234567891234",
+            ValidationExpression = new Regex("^T[0-9]{13}$")
+        },
+        new()
+        {
+            Country = "KZ",
+            Code = "kz_bin",
+            Description = "Kazakhstani Business Identification Number",
+            Example = "123456789012",
+            ValidationExpression = new Regex("^[0-9]{12}$")
+        },
+        new()
+        {
+            Country = "KE",
+            Code = "ke_pin",
+            Description = "Kenya Revenue Authority Personal Identification Number",
+            Example = "P000111111A",
+            ValidationExpression = new Regex("^[A-Z]{1}[0-9]{9}[A-Z]{1}$")
+        },
+        new()
+        {
+            Country = "LV",
+            Code = "eu_vat",
+            Description = "European VAT number",
+            Example = "LV12345678912",
+            ValidationExpression = new Regex("^LV[0-9]{11}$")
+        },
+        new()
+        {
+            Country = "LI",
+            Code = "li_uid",
+            Description = "Liechtensteinian UID number",
+            Example = "CHE123456789",
+            ValidationExpression = new Regex("^CHE[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "LI",
+            Code = "li_vat",
+            Description = "Liechtensteinian VAT number",
+            Example = "12345",
+            ValidationExpression = new Regex("^[0-9]{5}$")
+        },
+        new()
+        {
+            Country = "LT",
+            Code = "eu_vat",
+            Description = "European VAT number (Lithuania)",
+            Example = "LT123456789123",
+            ValidationExpression = new Regex("^LT[0-9]{9,12}$")
+        },
+        new()
+        {
+            Country = "LU",
+            Code = "eu_vat",
+            Description = "European VAT number (Luxembourg)",
+            Example = "LU12345678",
+            ValidationExpression = new Regex("^LU[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "MY",
+            Code = "my_frp",
+            Description = "Malaysian FRP number",
+            Example = "12345678",
+            ValidationExpression = new Regex("^[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "MY",
+            Code = "my_itn",
+            Description = "Malaysian ITN",
+            Example = "C 1234567890",
+            ValidationExpression = new Regex("^[A-Z]{1} ?[0-9]{10}$")
+        },
+        new()
+        {
+            Country = "MY",
+            Code = "my_sst",
+            Description = "Malaysian SST number",
+            Example = "A12-3456-78912345",
+            ValidationExpression = new Regex("^[A-Z]{1}[0-9]{2}-?[0-9]{4}-?[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "MT",
+            Code = "eu_vat",
+            Description = "European VAT number (Malta)",
+            Example = "MT12345678",
+            ValidationExpression = new Regex("^MT[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "MX",
+            Code = "mx_rfc",
+            Description = "Mexican RFC number",
+            Example = "ABC010203AB9",
+            ValidationExpression = new Regex("^[A-Z]{3}[0-9]{6}[A-Z0-9]{3}$")
+        },
+        new()
+        {
+            Country = "MD",
+            Code = "md_vat",
+            Description = "Moldova VAT Number",
+            Example = "1234567",
+            ValidationExpression = new Regex("^[0-9]{7}$")
+        },
+        new()
+        {
+            Country = "MA",
+            Code = "ma_vat",
+            Description = "Morocco VAT Number",
+            Example = "12345678",
+            ValidationExpression = new Regex("^[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "NL",
+            Code = "eu_vat",
+            Description = "European VAT number (Netherlands)",
+            Example = "NL123456789B12",
+            ValidationExpression = new Regex("^NL[0-9]{9}B[0-9]{2}$")
+        },
+        new()
+        {
+            Country = "NZ",
+            Code = "nz_gst",
+            Description = "New Zealand GST number",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "NG",
+            Code = "ng_tin",
+            Description = "Nigerian TIN Number",
+            Example = "12345678-0001",
+            ValidationExpression = new Regex("^[0-9]{8}-[0-9]{4}$")
+        },
+        new()
+        {
+            Country = "NO",
+            Code = "no_vat",
+            Description = "Norwegian VAT number",
+            Example = "123456789MVA",
+            ValidationExpression = new Regex("^[0-9]{9}MVA$")
+        },
+        new()
+        {
+            Country = "NO",
+            Code = "no_voec",
+            Description = "Norwegian VAT on e-commerce number",
+            Example = "1234567",
+            ValidationExpression = new Regex("^[0-9]{7}$")
+        },
+        new()
+        {
+            Country = "OM",
+            Code = "om_vat",
+            Description = "Omani VAT Number",
+            Example = "OM1234567890",
+            ValidationExpression = new Regex("^OM[0-9]{10}$")
+        },
+        new()
+        {
+            Country = "PE",
+            Code = "pe_ruc",
+            Description = "Peruvian RUC number",
+            Example = "12345678901",
+            ValidationExpression = new Regex("^[0-9]{11}$")
+        },
+        new()
+        {
+            Country = "PH",
+            Code = "ph_tin",
+            Description = "Philippines Tax Identification Number",
+            Example = "123456789012",
+            ValidationExpression = new Regex("^[0-9]{12}$")
+        },
+        new()
+        {
+            Country = "PL",
+            Code = "eu_vat",
+            Description = "European VAT number (Poland)",
+            Example = "PL1234567890",
+            ValidationExpression = new Regex("^PL[0-9]{10}$")
+        },
+        new()
+        {
+            Country = "PT",
+            Code = "eu_vat",
+            Description = "European VAT number (Portugal)",
+            Example = "PT123456789",
+            ValidationExpression = new Regex("^PT[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "RO",
+            Code = "eu_vat",
+            Description = "European VAT number (Romania)",
+            Example = "RO1234567891",
+            ValidationExpression = new Regex("^RO[0-9]{2,10}$")
+        },
+        new()
+        {
+            Country = "RO",
+            Code = "ro_tin",
+            Description = "Romanian tax ID number",
+            Example = "1234567890123",
+            ValidationExpression = new Regex("^[0-9]{13}$")
+        },
+        new()
+        {
+            Country = "RU",
+            Code = "ru_inn",
+            Description = "Russian INN",
+            Example = "1234567891",
+            ValidationExpression = new Regex("^[0-9]{10,12}$")
+        },
+        new()
+        {
+            Country = "RU",
+            Code = "ru_kpp",
+            Description = "Russian KPP",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "SA",
+            Code = "sa_vat",
+            Description = "Saudi Arabia VAT",
+            Example = "123456789012345",
+            ValidationExpression = new Regex("^[0-9]{15}$")
+        },
+        new()
+        {
+            Country = "RS",
+            Code = "rs_pib",
+            Description = "Serbian PIB number",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "SG",
+            Code = "sg_gst",
+            Description = "Singaporean GST",
+            Example = "M12345678X",
+            ValidationExpression = new Regex("^[A-Z]{1}[0-9]{8}[A-Z]{1}$")
+        },
+        new()
+        {
+            Country = "SG",
+            Code = "sg_uen",
+            Description = "Singaporean UEN",
+            Example = "123456789F",
+            ValidationExpression = new Regex("^[0-9]{9}[A-Z]{1}$")
+        },
+        new()
+        {
+            Country = "SK",
+            Code = "eu_vat",
+            Description = "European VAT number (Slovakia)",
+            Example = "SK1234567891",
+            ValidationExpression = new Regex("^SK[0-9]{10}$")
+        },
+        new()
+        {
+            Country = "SI",
+            Code = "eu_vat",
+            Description = "European VAT number (Slovenia)",
+            Example = "SI12345678",
+            ValidationExpression = new Regex("^SI[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "SI",
+            Code = "si_tin",
+            Description = "Slovenia tax number (davčna številka)",
+            Example = "12345678",
+            ValidationExpression = new Regex("^[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "ZA",
+            Code = "za_vat",
+            Description = "South African VAT number",
+            Example = "4123456789",
+            ValidationExpression = new Regex("^[0-9]{10}$")
+        },
+        new()
+        {
+            Country = "KR",
+            Code = "kr_brn",
+            Description = "Korean BRN",
+            Example = "123-45-67890",
+            ValidationExpression = new Regex("^[0-9]{3}-?[0-9]{2}-?[0-9]{5}$")
+        },
+        new()
+        {
+            Country = "ES",
+            Code = "es_cif",
+            Description = "Spanish NIF/CIF number",
+            Example = "A12345678",
+            ValidationExpression = new Regex("^[A-Z]{1}[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "ES",
+            Code = "eu_vat",
+            Description = "European VAT number (Spain)",
+            Example = "ESA1234567Z",
+            ValidationExpression = new Regex("^ES[A-Z]{1}[0-9]{7}[A-Z]{1}$")
+        },
+        new()
+        {
+            Country = "SE",
+            Code = "eu_vat",
+            Description = "European VAT number (Sweden)",
+            Example = "SE123456789123",
+            ValidationExpression = new Regex("^SE[0-9]{12}$")
+        },
+        new()
+        {
+            Country = "CH",
+            Code = "ch_uid",
+            Description = "Switzerland UID number",
+            Example = "CHE-123.456.789 HR",
+            ValidationExpression = new Regex("^CHE-?[0-9]{3}.?[0-9]{3}.?[0-9]{3} ?HR$")
+        },
+        new()
+        {
+            Country = "CH",
+            Code = "ch_vat",
+            Description = "Switzerland VAT number",
+            Example = "CHE-123.456.789 MWST",
+            ValidationExpression = new Regex("^CHE-?[0-9]{3}.?[0-9]{3}.?[0-9]{3} ?MWST$")
+        },
+        new()
+        {
+            Country = "TW",
+            Code = "tw_vat",
+            Description = "Taiwanese VAT",
+            Example = "12345678",
+            ValidationExpression = new Regex("^[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "TZ",
+            Code = "tz_vat",
+            Description = "Tanzania VAT Number",
+            Example = "12345678A",
+            ValidationExpression = new Regex("^[0-9]{8}[A-Z]{1}$")
+        },
+        new()
+        {
+            Country = "TH",
+            Code = "th_vat",
+            Description = "Thai VAT",
+            Example = "1234567891234",
+            ValidationExpression = new Regex("^[0-9]{13}$")
+        },
+        new()
+        {
+            Country = "TR",
+            Code = "tr_tin",
+            Description = "Turkish TIN Number",
+            Example = "0123456789",
+            ValidationExpression = new Regex("^[0-9]{10}$")
+        },
+        new()
+        {
+            Country = "UA",
+            Code = "ua_vat",
+            Description = "Ukrainian VAT",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "AE",
+            Code = "ae_trn",
+            Description = "United Arab Emirates TRN",
+            Example = "123456789012345",
+            ValidationExpression = new Regex("^[0-9]{15}$")
+        },
+        new()
+        {
+            Country = "GB",
+            Code = "eu_vat",
+            Description = "Northern Ireland VAT number",
+            Example = "XI123456789",
+            ValidationExpression = new Regex("^XI[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "GB",
+            Code = "gb_vat",
+            Description = "United Kingdom VAT number",
+            Example = "GB123456789",
+            ValidationExpression = new Regex("^GB[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "US",
+            Code = "us_ein",
+            Description = "United States EIN",
+            Example = "12-3456789",
+            ValidationExpression = new Regex("^[0-9]{2}-?[0-9]{7}$")
+        },
+        new()
+        {
+            Country = "UY",
+            Code = "uy_ruc",
+            Description = "Uruguayan RUC number",
+            Example = "123456789012",
+            ValidationExpression = new Regex("^[0-9]{12}$")
+        },
+        new()
+        {
+            Country = "UZ",
+            Code = "uz_tin",
+            Description = "Uzbekistan TIN Number",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "UZ",
+            Code = "uz_vat",
+            Description = "Uzbekistan VAT Number",
+            Example = "123456789012",
+            ValidationExpression = new Regex("^[0-9]{12}$")
+        },
+        new()
+        {
+            Country = "VE",
+            Code = "ve_rif",
+            Description = "Venezuelan RIF number",
+            Example = "A-12345678-9",
+            ValidationExpression = new Regex("^[A-Z]{1}-?[0-9]{8}-?[0-9]{1}$")
+        },
+        new()
+        {
+            Country = "VN",
+            Code = "vn_tin",
+            Description = "Vietnamese tax ID number",
+            Example = "1234567890",
+            ValidationExpression = new Regex("^[0-9]{10}$")
+        }
+    ];
+
+    public string GetStripeTaxCode(string country, string taxId)
+    {
+        foreach (var taxIdType in _taxIdTypes.Where(x => x.Country == country))
+        {
+            if (taxIdType.ValidationExpression.IsMatch(taxId))
+            {
+                return taxIdType.Code;
+            }
+        }
+
+        return null;
+    }
+
+    public bool IsSupported(string country)
+    {
+        return _taxIdTypes.Any(x => x.Country == country);
+    }
+}
diff --git a/src/Core/Billing/Utilities.cs b/src/Core/Billing/Utilities.cs
index 28527af0c0..695a3b1bb4 100644
--- a/src/Core/Billing/Utilities.cs
+++ b/src/Core/Billing/Utilities.cs
@@ -83,6 +83,7 @@ public static class Utilities
             customer.Address.Country,
             customer.Address.PostalCode,
             customer.TaxIds?.FirstOrDefault()?.Value,
+            customer.TaxIds?.FirstOrDefault()?.Type,
             customer.Address.Line1,
             customer.Address.Line2,
             customer.Address.City,
diff --git a/src/Core/Models/Business/TaxInfo.cs b/src/Core/Models/Business/TaxInfo.cs
index 4424576ec9..b12c5229b3 100644
--- a/src/Core/Models/Business/TaxInfo.cs
+++ b/src/Core/Models/Business/TaxInfo.cs
@@ -2,18 +2,9 @@
 
 public class TaxInfo
 {
-    private string _taxIdNumber = null;
-    private string _taxIdType = null;
+    public string TaxIdNumber { get; set; }
+    public string TaxIdType { get; set; }
 
-    public string TaxIdNumber
-    {
-        get => _taxIdNumber;
-        set
-        {
-            _taxIdNumber = value;
-            _taxIdType = null;
-        }
-    }
     public string StripeTaxRateId { get; set; }
     public string BillingAddressLine1 { get; set; }
     public string BillingAddressLine2 { get; set; }
@@ -21,201 +12,6 @@ public class TaxInfo
     public string BillingAddressState { get; set; }
     public string BillingAddressPostalCode { get; set; }
     public string BillingAddressCountry { get; set; } = "US";
-    public string TaxIdType
-    {
-        get
-        {
-            if (string.IsNullOrWhiteSpace(BillingAddressCountry) ||
-                string.IsNullOrWhiteSpace(TaxIdNumber))
-            {
-                return null;
-            }
-            if (!string.IsNullOrWhiteSpace(_taxIdType))
-            {
-                return _taxIdType;
-            }
-
-            switch (BillingAddressCountry.ToUpper())
-            {
-                case "AD":
-                    _taxIdType = "ad_nrt";
-                    break;
-                case "AE":
-                    _taxIdType = "ae_trn";
-                    break;
-                case "AR":
-                    _taxIdType = "ar_cuit";
-                    break;
-                case "AU":
-                    _taxIdType = "au_abn";
-                    break;
-                case "BO":
-                    _taxIdType = "bo_tin";
-                    break;
-                case "BR":
-                    _taxIdType = "br_cnpj";
-                    break;
-                case "CA":
-                    // May break for those in Québec given the assumption of QST
-                    if (BillingAddressState?.Contains("bec") ?? false)
-                    {
-                        _taxIdType = "ca_qst";
-                        break;
-                    }
-                    _taxIdType = "ca_bn";
-                    break;
-                case "CH":
-                    _taxIdType = "ch_vat";
-                    break;
-                case "CL":
-                    _taxIdType = "cl_tin";
-                    break;
-                case "CN":
-                    _taxIdType = "cn_tin";
-                    break;
-                case "CO":
-                    _taxIdType = "co_nit";
-                    break;
-                case "CR":
-                    _taxIdType = "cr_tin";
-                    break;
-                case "DO":
-                    _taxIdType = "do_rcn";
-                    break;
-                case "EC":
-                    _taxIdType = "ec_ruc";
-                    break;
-                case "EG":
-                    _taxIdType = "eg_tin";
-                    break;
-                case "GE":
-                    _taxIdType = "ge_vat";
-                    break;
-                case "ID":
-                    _taxIdType = "id_npwp";
-                    break;
-                case "IL":
-                    _taxIdType = "il_vat";
-                    break;
-                case "IS":
-                    _taxIdType = "is_vat";
-                    break;
-                case "KE":
-                    _taxIdType = "ke_pin";
-                    break;
-                case "AT":
-                case "BE":
-                case "BG":
-                case "CY":
-                case "CZ":
-                case "DE":
-                case "DK":
-                case "EE":
-                case "ES":
-                case "FI":
-                case "FR":
-                case "GB":
-                case "GR":
-                case "HR":
-                case "HU":
-                case "IE":
-                case "IT":
-                case "LT":
-                case "LU":
-                case "LV":
-                case "MT":
-                case "NL":
-                case "PL":
-                case "PT":
-                case "RO":
-                case "SE":
-                case "SI":
-                case "SK":
-                    _taxIdType = "eu_vat";
-                    break;
-                case "HK":
-                    _taxIdType = "hk_br";
-                    break;
-                case "IN":
-                    _taxIdType = "in_gst";
-                    break;
-                case "JP":
-                    _taxIdType = "jp_cn";
-                    break;
-                case "KR":
-                    _taxIdType = "kr_brn";
-                    break;
-                case "LI":
-                    _taxIdType = "li_uid";
-                    break;
-                case "MX":
-                    _taxIdType = "mx_rfc";
-                    break;
-                case "MY":
-                    _taxIdType = "my_sst";
-                    break;
-                case "NO":
-                    _taxIdType = "no_vat";
-                    break;
-                case "NZ":
-                    _taxIdType = "nz_gst";
-                    break;
-                case "PE":
-                    _taxIdType = "pe_ruc";
-                    break;
-                case "PH":
-                    _taxIdType = "ph_tin";
-                    break;
-                case "RS":
-                    _taxIdType = "rs_pib";
-                    break;
-                case "RU":
-                    _taxIdType = "ru_inn";
-                    break;
-                case "SA":
-                    _taxIdType = "sa_vat";
-                    break;
-                case "SG":
-                    _taxIdType = "sg_gst";
-                    break;
-                case "SV":
-                    _taxIdType = "sv_nit";
-                    break;
-                case "TH":
-                    _taxIdType = "th_vat";
-                    break;
-                case "TR":
-                    _taxIdType = "tr_tin";
-                    break;
-                case "TW":
-                    _taxIdType = "tw_vat";
-                    break;
-                case "UA":
-                    _taxIdType = "ua_vat";
-                    break;
-                case "US":
-                    _taxIdType = "us_ein";
-                    break;
-                case "UY":
-                    _taxIdType = "uy_ruc";
-                    break;
-                case "VE":
-                    _taxIdType = "ve_rif";
-                    break;
-                case "VN":
-                    _taxIdType = "vn_tin";
-                    break;
-                case "ZA":
-                    _taxIdType = "za_vat";
-                    break;
-                default:
-                    _taxIdType = null;
-                    break;
-            }
-
-            return _taxIdType;
-        }
-    }
 
     public bool HasTaxId
     {
diff --git a/src/Core/Services/IPaymentService.cs b/src/Core/Services/IPaymentService.cs
index bf9d047029..7d0f9d3c63 100644
--- a/src/Core/Services/IPaymentService.cs
+++ b/src/Core/Services/IPaymentService.cs
@@ -1,6 +1,9 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.Billing.Models;
+using Bit.Core.Billing.Models.Api.Requests.Accounts;
+using Bit.Core.Billing.Models.Api.Requests.Organizations;
+using Bit.Core.Billing.Models.Api.Responses;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Business;
@@ -59,4 +62,7 @@ public interface IPaymentService
     Task<bool> RisksSubscriptionFailure(Organization organization);
     Task<bool> HasSecretsManagerStandalone(Organization organization);
     Task<(DateTime?, DateTime?)> GetSuspensionDateAsync(Stripe.Subscription subscription);
+    Task<PreviewInvoiceResponseModel> PreviewInvoiceAsync(PreviewIndividualInvoiceRequestBody parameters, string gatewayCustomerId, string gatewaySubscriptionId);
+    Task<PreviewInvoiceResponseModel> PreviewInvoiceAsync(PreviewOrganizationInvoiceRequestBody parameters, string gatewayCustomerId, string gatewaySubscriptionId);
+
 }
diff --git a/src/Core/Services/IStripeAdapter.cs b/src/Core/Services/IStripeAdapter.cs
index 30583ef0b3..ef2e3ab766 100644
--- a/src/Core/Services/IStripeAdapter.cs
+++ b/src/Core/Services/IStripeAdapter.cs
@@ -31,6 +31,7 @@ public interface IStripeAdapter
     Task<Stripe.Invoice> InvoiceUpcomingAsync(Stripe.UpcomingInvoiceOptions options);
     Task<Stripe.Invoice> InvoiceGetAsync(string id, Stripe.InvoiceGetOptions options);
     Task<List<Stripe.Invoice>> InvoiceListAsync(StripeInvoiceListOptions options);
+    Task<Stripe.Invoice> InvoiceCreatePreviewAsync(InvoiceCreatePreviewOptions options);
     Task<List<Stripe.Invoice>> InvoiceSearchAsync(InvoiceSearchOptions options);
     Task<Stripe.Invoice> InvoiceUpdateAsync(string id, Stripe.InvoiceUpdateOptions options);
     Task<Stripe.Invoice> InvoiceFinalizeInvoiceAsync(string id, Stripe.InvoiceFinalizeOptions options);
@@ -42,6 +43,7 @@ public interface IStripeAdapter
     IAsyncEnumerable<Stripe.PaymentMethod> PaymentMethodListAutoPagingAsync(Stripe.PaymentMethodListOptions options);
     Task<Stripe.PaymentMethod> PaymentMethodAttachAsync(string id, Stripe.PaymentMethodAttachOptions options = null);
     Task<Stripe.PaymentMethod> PaymentMethodDetachAsync(string id, Stripe.PaymentMethodDetachOptions options = null);
+    Task<Stripe.Plan> PlanGetAsync(string id, Stripe.PlanGetOptions options = null);
     Task<Stripe.TaxRate> TaxRateCreateAsync(Stripe.TaxRateCreateOptions options);
     Task<Stripe.TaxRate> TaxRateUpdateAsync(string id, Stripe.TaxRateUpdateOptions options);
     Task<Stripe.TaxId> TaxIdCreateAsync(string id, Stripe.TaxIdCreateOptions options);
diff --git a/src/Core/Services/Implementations/StripeAdapter.cs b/src/Core/Services/Implementations/StripeAdapter.cs
index 8d18331456..f4f8efe75f 100644
--- a/src/Core/Services/Implementations/StripeAdapter.cs
+++ b/src/Core/Services/Implementations/StripeAdapter.cs
@@ -15,6 +15,7 @@ public class StripeAdapter : IStripeAdapter
     private readonly Stripe.RefundService _refundService;
     private readonly Stripe.CardService _cardService;
     private readonly Stripe.BankAccountService _bankAccountService;
+    private readonly Stripe.PlanService _planService;
     private readonly Stripe.PriceService _priceService;
     private readonly Stripe.SetupIntentService _setupIntentService;
     private readonly Stripe.TestHelpers.TestClockService _testClockService;
@@ -33,6 +34,7 @@ public class StripeAdapter : IStripeAdapter
         _cardService = new Stripe.CardService();
         _bankAccountService = new Stripe.BankAccountService();
         _priceService = new Stripe.PriceService();
+        _planService = new Stripe.PlanService();
         _setupIntentService = new SetupIntentService();
         _testClockService = new Stripe.TestHelpers.TestClockService();
         _customerBalanceTransactionService = new CustomerBalanceTransactionService();
@@ -133,6 +135,11 @@ public class StripeAdapter : IStripeAdapter
         return invoices;
     }
 
+    public Task<Invoice> InvoiceCreatePreviewAsync(InvoiceCreatePreviewOptions options)
+    {
+        return _invoiceService.CreatePreviewAsync(options);
+    }
+
     public async Task<List<Stripe.Invoice>> InvoiceSearchAsync(InvoiceSearchOptions options)
         => (await _invoiceService.SearchAsync(options)).Data;
 
@@ -184,6 +191,11 @@ public class StripeAdapter : IStripeAdapter
         return _paymentMethodService.DetachAsync(id, options);
     }
 
+    public Task<Stripe.Plan> PlanGetAsync(string id, Stripe.PlanGetOptions options = null)
+    {
+        return _planService.GetAsync(id, options);
+    }
+
     public Task<Stripe.TaxRate> TaxRateCreateAsync(Stripe.TaxRateCreateOptions options)
     {
         return _taxRateService.CreateAsync(options);
diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
index 259a4eb757..c32dcd43ad 100644
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -1,8 +1,13 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.Billing.Constants;
+using Bit.Core.Billing.Extensions;
 using Bit.Core.Billing.Models;
+using Bit.Core.Billing.Models.Api.Requests.Accounts;
+using Bit.Core.Billing.Models.Api.Requests.Organizations;
+using Bit.Core.Billing.Models.Api.Responses;
 using Bit.Core.Billing.Models.Business;
+using Bit.Core.Billing.Services;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -32,6 +37,7 @@ public class StripePaymentService : IPaymentService
     private readonly IStripeAdapter _stripeAdapter;
     private readonly IGlobalSettings _globalSettings;
     private readonly IFeatureService _featureService;
+    private readonly ITaxService _taxService;
 
     public StripePaymentService(
         ITransactionRepository transactionRepository,
@@ -40,7 +46,8 @@ public class StripePaymentService : IPaymentService
         IStripeAdapter stripeAdapter,
         Braintree.IBraintreeGateway braintreeGateway,
         IGlobalSettings globalSettings,
-        IFeatureService featureService)
+        IFeatureService featureService,
+        ITaxService taxService)
     {
         _transactionRepository = transactionRepository;
         _logger = logger;
@@ -49,6 +56,7 @@ public class StripePaymentService : IPaymentService
         _btGateway = braintreeGateway;
         _globalSettings = globalSettings;
         _featureService = featureService;
+        _taxService = taxService;
     }
 
     public async Task<string> PurchaseOrganizationAsync(Organization org, PaymentMethodType paymentMethodType,
@@ -112,6 +120,20 @@ public class StripePaymentService : IPaymentService
         Subscription subscription;
         try
         {
+            if (taxInfo.TaxIdNumber != null && taxInfo.TaxIdType == null)
+            {
+                taxInfo.TaxIdType = _taxService.GetStripeTaxCode(taxInfo.BillingAddressCountry,
+                    taxInfo.TaxIdNumber);
+
+                if (taxInfo.TaxIdType == null)
+                {
+                    _logger.LogWarning("Could not infer tax ID type in country '{Country}' with tax ID '{TaxID}'.",
+                        taxInfo.BillingAddressCountry,
+                        taxInfo.TaxIdNumber);
+                    throw new BadRequestException("billingTaxIdTypeInferenceError");
+                }
+            }
+
             var customerCreateOptions = new CustomerCreateOptions
             {
                 Description = org.DisplayBusinessName(),
@@ -146,12 +168,9 @@ public class StripePaymentService : IPaymentService
                     City = taxInfo?.BillingAddressCity,
                     State = taxInfo?.BillingAddressState,
                 },
-                TaxIdData = taxInfo?.HasTaxId != true
-                    ? null
-                    :
-                    [
-                        new CustomerTaxIdDataOptions { Type = taxInfo.TaxIdType, Value = taxInfo.TaxIdNumber, }
-                    ],
+                TaxIdData = taxInfo.HasTaxId
+                    ? [new CustomerTaxIdDataOptions { Type = taxInfo.TaxIdType, Value = taxInfo.TaxIdNumber }]
+                    : null
             };
 
             customerCreateOptions.AddExpand("tax");
@@ -1659,6 +1678,7 @@ public class StripePaymentService : IPaymentService
         return new TaxInfo
         {
             TaxIdNumber = taxId?.Value,
+            TaxIdType = taxId?.Type,
             BillingAddressLine1 = address?.Line1,
             BillingAddressLine2 = address?.Line2,
             BillingAddressCity = address?.City,
@@ -1670,9 +1690,13 @@ public class StripePaymentService : IPaymentService
 
     public async Task SaveTaxInfoAsync(ISubscriber subscriber, TaxInfo taxInfo)
     {
-        if (subscriber != null && !string.IsNullOrWhiteSpace(subscriber.GatewayCustomerId))
+        if (string.IsNullOrWhiteSpace(subscriber?.GatewayCustomerId) || subscriber.IsUser())
         {
-            var customer = await _stripeAdapter.CustomerUpdateAsync(subscriber.GatewayCustomerId, new CustomerUpdateOptions
+            return;
+        }
+
+        var customer = await _stripeAdapter.CustomerUpdateAsync(subscriber.GatewayCustomerId,
+            new CustomerUpdateOptions
             {
                 Address = new AddressOptions
                 {
@@ -1686,23 +1710,59 @@ public class StripePaymentService : IPaymentService
                 Expand = ["tax_ids"]
             });
 
-            if (!subscriber.IsUser() && customer != null)
-            {
-                var taxId = customer.TaxIds?.FirstOrDefault();
+        if (customer == null)
+        {
+            return;
+        }
 
-                if (taxId != null)
-                {
-                    await _stripeAdapter.TaxIdDeleteAsync(customer.Id, taxId.Id);
-                }
-                if (!string.IsNullOrWhiteSpace(taxInfo.TaxIdNumber) &&
-                    !string.IsNullOrWhiteSpace(taxInfo.TaxIdType))
-                {
-                    await _stripeAdapter.TaxIdCreateAsync(customer.Id, new TaxIdCreateOptions
-                    {
-                        Type = taxInfo.TaxIdType,
-                        Value = taxInfo.TaxIdNumber,
-                    });
-                }
+        var taxId = customer.TaxIds?.FirstOrDefault();
+
+        if (taxId != null)
+        {
+            await _stripeAdapter.TaxIdDeleteAsync(customer.Id, taxId.Id);
+        }
+
+        if (string.IsNullOrWhiteSpace(taxInfo.TaxIdNumber))
+        {
+            return;
+        }
+
+        var taxIdType = taxInfo.TaxIdType;
+
+        if (string.IsNullOrWhiteSpace(taxIdType))
+        {
+            taxIdType = _taxService.GetStripeTaxCode(taxInfo.BillingAddressCountry, taxInfo.TaxIdNumber);
+
+            if (taxIdType == null)
+            {
+                _logger.LogWarning("Could not infer tax ID type in country '{Country}' with tax ID '{TaxID}'.",
+                    taxInfo.BillingAddressCountry,
+                    taxInfo.TaxIdNumber);
+                throw new BadRequestException("billingTaxIdTypeInferenceError");
+            }
+        }
+
+        try
+        {
+            await _stripeAdapter.TaxIdCreateAsync(customer.Id,
+                new TaxIdCreateOptions { Type = taxInfo.TaxIdType, Value = taxInfo.TaxIdNumber, });
+        }
+        catch (StripeException e)
+        {
+            switch (e.StripeError.Code)
+            {
+                case StripeConstants.ErrorCodes.TaxIdInvalid:
+                    _logger.LogWarning("Invalid tax ID '{TaxID}' for country '{Country}'.",
+                        taxInfo.TaxIdNumber,
+                        taxInfo.BillingAddressCountry);
+                    throw new BadRequestException("billingInvalidTaxIdError");
+                default:
+                    _logger.LogError(e,
+                        "Error creating tax ID '{TaxId}' in country '{Country}' for customer '{CustomerID}'.",
+                        taxInfo.TaxIdNumber,
+                        taxInfo.BillingAddressCountry,
+                        customer.Id);
+                    throw new BadRequestException("billingTaxIdCreationError");
             }
         }
     }
@@ -1835,6 +1895,285 @@ public class StripePaymentService : IPaymentService
         }
     }
 
+    public async Task<PreviewInvoiceResponseModel> PreviewInvoiceAsync(
+        PreviewIndividualInvoiceRequestBody parameters,
+        string gatewayCustomerId,
+        string gatewaySubscriptionId)
+    {
+        var options = new InvoiceCreatePreviewOptions
+        {
+            AutomaticTax = new InvoiceAutomaticTaxOptions
+            {
+                Enabled = true,
+            },
+            Currency = "usd",
+            Discounts = new List<InvoiceDiscountOptions>(),
+            SubscriptionDetails = new InvoiceSubscriptionDetailsOptions
+            {
+                Items =
+                [
+                    new()
+                    {
+                        Quantity = 1,
+                        Plan = "premium-annually"
+                    },
+
+                    new()
+                    {
+                        Quantity = parameters.PasswordManager.AdditionalStorage,
+                        Plan = "storage-gb-annually"
+                    }
+                ]
+            },
+            CustomerDetails = new InvoiceCustomerDetailsOptions
+            {
+                Address = new AddressOptions
+                {
+                    PostalCode = parameters.TaxInformation.PostalCode,
+                    Country = parameters.TaxInformation.Country,
+                }
+            },
+        };
+
+        if (!string.IsNullOrEmpty(parameters.TaxInformation.TaxId))
+        {
+            var taxIdType = _taxService.GetStripeTaxCode(
+                options.CustomerDetails.Address.Country,
+                parameters.TaxInformation.TaxId);
+
+            if (taxIdType == null)
+            {
+                _logger.LogWarning("Invalid tax ID '{TaxID}' for country '{Country}'.",
+                    parameters.TaxInformation.TaxId,
+                    parameters.TaxInformation.Country);
+                throw new BadRequestException("billingPreviewInvalidTaxIdError");
+            }
+
+            options.CustomerDetails.TaxIds = [
+                new InvoiceCustomerDetailsTaxIdOptions
+                {
+                    Type = taxIdType,
+                    Value = parameters.TaxInformation.TaxId
+                }
+            ];
+        }
+
+        if (gatewayCustomerId != null)
+        {
+            var gatewayCustomer = await _stripeAdapter.CustomerGetAsync(gatewayCustomerId);
+
+            if (gatewayCustomer.Discount != null)
+            {
+                options.Discounts.Add(new InvoiceDiscountOptions
+                {
+                    Discount = gatewayCustomer.Discount.Id
+                });
+            }
+
+            if (gatewaySubscriptionId != null)
+            {
+                var gatewaySubscription = await _stripeAdapter.SubscriptionGetAsync(gatewaySubscriptionId);
+
+                if (gatewaySubscription?.Discount != null)
+                {
+                    options.Discounts.Add(new InvoiceDiscountOptions
+                    {
+                        Discount = gatewaySubscription.Discount.Id
+                    });
+                }
+            }
+        }
+
+        try
+        {
+            var invoice = await _stripeAdapter.InvoiceCreatePreviewAsync(options);
+
+            var effectiveTaxRate = invoice.Tax != null && invoice.TotalExcludingTax != null
+                ? invoice.Tax.Value.ToMajor() / invoice.TotalExcludingTax.Value.ToMajor()
+                : 0M;
+
+            var result = new PreviewInvoiceResponseModel(
+                effectiveTaxRate,
+                invoice.TotalExcludingTax.ToMajor() ?? 0,
+                invoice.Tax.ToMajor() ?? 0,
+                invoice.Total.ToMajor());
+            return result;
+        }
+        catch (StripeException e)
+        {
+            switch (e.StripeError.Code)
+            {
+                case StripeConstants.ErrorCodes.TaxIdInvalid:
+                    _logger.LogWarning("Invalid tax ID '{TaxID}' for country '{Country}'.",
+                        parameters.TaxInformation.TaxId,
+                        parameters.TaxInformation.Country);
+                    throw new BadRequestException("billingPreviewInvalidTaxIdError");
+                default:
+                    _logger.LogError(e, "Unexpected error previewing invoice with tax ID '{TaxId}' in country '{Country}'.",
+                        parameters.TaxInformation.TaxId,
+                        parameters.TaxInformation.Country);
+                    throw new BadRequestException("billingPreviewInvoiceError");
+            }
+        }
+    }
+
+    public async Task<PreviewInvoiceResponseModel> PreviewInvoiceAsync(
+        PreviewOrganizationInvoiceRequestBody parameters,
+        string gatewayCustomerId,
+        string gatewaySubscriptionId)
+    {
+        var plan = Utilities.StaticStore.GetPlan(parameters.PasswordManager.Plan);
+
+        var options = new InvoiceCreatePreviewOptions
+        {
+            AutomaticTax = new InvoiceAutomaticTaxOptions
+            {
+                Enabled = true,
+            },
+            Currency = "usd",
+            Discounts = new List<InvoiceDiscountOptions>(),
+            SubscriptionDetails = new InvoiceSubscriptionDetailsOptions
+            {
+                Items =
+                [
+                    new()
+                    {
+                        Quantity = parameters.PasswordManager.AdditionalStorage,
+                        Plan = plan.PasswordManager.StripeStoragePlanId
+                    }
+                ]
+            },
+            CustomerDetails = new InvoiceCustomerDetailsOptions
+            {
+                Address = new AddressOptions
+                {
+                    PostalCode = parameters.TaxInformation.PostalCode,
+                    Country = parameters.TaxInformation.Country,
+                }
+            },
+        };
+
+        if (plan.PasswordManager.HasAdditionalSeatsOption)
+        {
+            options.SubscriptionDetails.Items.Add(
+                new()
+                {
+                    Quantity = parameters.PasswordManager.Seats,
+                    Plan = plan.PasswordManager.StripeSeatPlanId
+                }
+            );
+        }
+        else
+        {
+            options.SubscriptionDetails.Items.Add(
+                new()
+                {
+                    Quantity = 1,
+                    Plan = plan.PasswordManager.StripePlanId
+                }
+            );
+        }
+
+        if (plan.SupportsSecretsManager)
+        {
+            if (plan.SecretsManager.HasAdditionalSeatsOption)
+            {
+                options.SubscriptionDetails.Items.Add(new()
+                {
+                    Quantity = parameters.SecretsManager?.Seats ?? 0,
+                    Plan = plan.SecretsManager.StripeSeatPlanId
+                });
+            }
+
+            if (plan.SecretsManager.HasAdditionalServiceAccountOption)
+            {
+                options.SubscriptionDetails.Items.Add(new()
+                {
+                    Quantity = parameters.SecretsManager?.AdditionalMachineAccounts ?? 0,
+                    Plan = plan.SecretsManager.StripeServiceAccountPlanId
+                });
+            }
+        }
+
+        if (!string.IsNullOrEmpty(parameters.TaxInformation.TaxId))
+        {
+            var taxIdType = _taxService.GetStripeTaxCode(
+                options.CustomerDetails.Address.Country,
+                parameters.TaxInformation.TaxId);
+
+            if (taxIdType == null)
+            {
+                _logger.LogWarning("Invalid tax ID '{TaxID}' for country '{Country}'.",
+                    parameters.TaxInformation.TaxId,
+                    parameters.TaxInformation.Country);
+                throw new BadRequestException("billingTaxIdTypeInferenceError");
+            }
+
+            options.CustomerDetails.TaxIds = [
+                new InvoiceCustomerDetailsTaxIdOptions
+                {
+                    Type = taxIdType,
+                    Value = parameters.TaxInformation.TaxId
+                }
+            ];
+        }
+
+        if (gatewayCustomerId != null)
+        {
+            var gatewayCustomer = await _stripeAdapter.CustomerGetAsync(gatewayCustomerId);
+
+            if (gatewayCustomer.Discount != null)
+            {
+                options.Discounts.Add(new InvoiceDiscountOptions
+                {
+                    Discount = gatewayCustomer.Discount.Id
+                });
+            }
+
+            var gatewaySubscription = await _stripeAdapter.SubscriptionGetAsync(gatewaySubscriptionId);
+
+            if (gatewaySubscription?.Discount != null)
+            {
+                options.Discounts.Add(new InvoiceDiscountOptions
+                {
+                    Discount = gatewaySubscription.Discount.Id
+                });
+            }
+        }
+
+        try
+        {
+            var invoice = await _stripeAdapter.InvoiceCreatePreviewAsync(options);
+
+            var effectiveTaxRate = invoice.Tax != null && invoice.TotalExcludingTax != null
+                ? invoice.Tax.Value.ToMajor() / invoice.TotalExcludingTax.Value.ToMajor()
+                : 0M;
+
+            var result = new PreviewInvoiceResponseModel(
+                effectiveTaxRate,
+                invoice.TotalExcludingTax.ToMajor() ?? 0,
+                invoice.Tax.ToMajor() ?? 0,
+                invoice.Total.ToMajor());
+            return result;
+        }
+        catch (StripeException e)
+        {
+            switch (e.StripeError.Code)
+            {
+                case StripeConstants.ErrorCodes.TaxIdInvalid:
+                    _logger.LogWarning("Invalid tax ID '{TaxID}' for country '{Country}'.",
+                        parameters.TaxInformation.TaxId,
+                        parameters.TaxInformation.Country);
+                    throw new BadRequestException("billingPreviewInvalidTaxIdError");
+                default:
+                    _logger.LogError(e, "Unexpected error previewing invoice with tax ID '{TaxId}' in country '{Country}'.",
+                        parameters.TaxInformation.TaxId,
+                        parameters.TaxInformation.Country);
+                    throw new BadRequestException("billingPreviewInvoiceError");
+            }
+        }
+    }
+
     private PaymentMethod GetLatestCardPaymentMethod(string customerId)
     {
         var cardPaymentMethods = _stripeAdapter.PaymentMethodListAutoPaging(
diff --git a/test/Core.Test/Billing/Services/SubscriberServiceTests.cs b/test/Core.Test/Billing/Services/SubscriberServiceTests.cs
index 385b185ffe..9c25ffdc55 100644
--- a/test/Core.Test/Billing/Services/SubscriberServiceTests.cs
+++ b/test/Core.Test/Billing/Services/SubscriberServiceTests.cs
@@ -1545,7 +1545,7 @@ public class SubscriberServiceTests
     {
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
 
-        var customer = new Customer { Id = provider.GatewayCustomerId, TaxIds = new StripeList<TaxId> { Data = [new TaxId { Id = "tax_id_1" }] } };
+        var customer = new Customer { Id = provider.GatewayCustomerId, TaxIds = new StripeList<TaxId> { Data = [new TaxId { Id = "tax_id_1", Type = "us_ein" }] } };
 
         stripeAdapter.CustomerGetAsync(provider.GatewayCustomerId, Arg.Is<CustomerGetOptions>(
             options => options.Expand.Contains("tax_ids"))).Returns(customer);
@@ -1554,6 +1554,7 @@ public class SubscriberServiceTests
             "US",
             "12345",
             "123456789",
+            "us_ein",
             "123 Example St.",
             null,
             "Example Town",
diff --git a/test/Core.Test/Models/Business/TaxInfoTests.cs b/test/Core.Test/Models/Business/TaxInfoTests.cs
deleted file mode 100644
index 197948006e..0000000000
--- a/test/Core.Test/Models/Business/TaxInfoTests.cs
+++ /dev/null
@@ -1,114 +0,0 @@
-using Bit.Core.Models.Business;
-using Xunit;
-
-namespace Bit.Core.Test.Models.Business;
-
-public class TaxInfoTests
-{
-    // PH = Placeholder
-    [Theory]
-    [InlineData(null, null, null, null)]
-    [InlineData("", "", null, null)]
-    [InlineData("PH", "", null, null)]
-    [InlineData("", "PH", null, null)]
-    [InlineData("AE", "PH", null, "ae_trn")]
-    [InlineData("AU", "PH", null, "au_abn")]
-    [InlineData("BR", "PH", null, "br_cnpj")]
-    [InlineData("CA", "PH", "bec", "ca_qst")]
-    [InlineData("CA", "PH", null, "ca_bn")]
-    [InlineData("CL", "PH", null, "cl_tin")]
-    [InlineData("AT", "PH", null, "eu_vat")]
-    [InlineData("BE", "PH", null, "eu_vat")]
-    [InlineData("BG", "PH", null, "eu_vat")]
-    [InlineData("CY", "PH", null, "eu_vat")]
-    [InlineData("CZ", "PH", null, "eu_vat")]
-    [InlineData("DE", "PH", null, "eu_vat")]
-    [InlineData("DK", "PH", null, "eu_vat")]
-    [InlineData("EE", "PH", null, "eu_vat")]
-    [InlineData("ES", "PH", null, "eu_vat")]
-    [InlineData("FI", "PH", null, "eu_vat")]
-    [InlineData("FR", "PH", null, "eu_vat")]
-    [InlineData("GB", "PH", null, "eu_vat")]
-    [InlineData("GR", "PH", null, "eu_vat")]
-    [InlineData("HR", "PH", null, "eu_vat")]
-    [InlineData("HU", "PH", null, "eu_vat")]
-    [InlineData("IE", "PH", null, "eu_vat")]
-    [InlineData("IT", "PH", null, "eu_vat")]
-    [InlineData("LT", "PH", null, "eu_vat")]
-    [InlineData("LU", "PH", null, "eu_vat")]
-    [InlineData("LV", "PH", null, "eu_vat")]
-    [InlineData("MT", "PH", null, "eu_vat")]
-    [InlineData("NL", "PH", null, "eu_vat")]
-    [InlineData("PL", "PH", null, "eu_vat")]
-    [InlineData("PT", "PH", null, "eu_vat")]
-    [InlineData("RO", "PH", null, "eu_vat")]
-    [InlineData("SE", "PH", null, "eu_vat")]
-    [InlineData("SI", "PH", null, "eu_vat")]
-    [InlineData("SK", "PH", null, "eu_vat")]
-    [InlineData("HK", "PH", null, "hk_br")]
-    [InlineData("IN", "PH", null, "in_gst")]
-    [InlineData("JP", "PH", null, "jp_cn")]
-    [InlineData("KR", "PH", null, "kr_brn")]
-    [InlineData("LI", "PH", null, "li_uid")]
-    [InlineData("MX", "PH", null, "mx_rfc")]
-    [InlineData("MY", "PH", null, "my_sst")]
-    [InlineData("NO", "PH", null, "no_vat")]
-    [InlineData("NZ", "PH", null, "nz_gst")]
-    [InlineData("RU", "PH", null, "ru_inn")]
-    [InlineData("SA", "PH", null, "sa_vat")]
-    [InlineData("SG", "PH", null, "sg_gst")]
-    [InlineData("TH", "PH", null, "th_vat")]
-    [InlineData("TW", "PH", null, "tw_vat")]
-    [InlineData("US", "PH", null, "us_ein")]
-    [InlineData("ZA", "PH", null, "za_vat")]
-    [InlineData("ABCDEF", "PH", null, null)]
-    public void GetTaxIdType_Success(string billingAddressCountry,
-        string taxIdNumber,
-        string billingAddressState,
-        string expectedTaxIdType)
-    {
-        var taxInfo = new TaxInfo
-        {
-            BillingAddressCountry = billingAddressCountry,
-            TaxIdNumber = taxIdNumber,
-            BillingAddressState = billingAddressState,
-        };
-
-        Assert.Equal(expectedTaxIdType, taxInfo.TaxIdType);
-    }
-
-    [Fact]
-    public void GetTaxIdType_CreateOnce_ReturnCacheSecondTime()
-    {
-        var taxInfo = new TaxInfo
-        {
-            BillingAddressCountry = "US",
-            TaxIdNumber = "PH",
-            BillingAddressState = null,
-        };
-
-        Assert.Equal("us_ein", taxInfo.TaxIdType);
-
-        // Per the current spec even if the values change to something other than null it
-        // will return the cached version of TaxIdType.
-        taxInfo.BillingAddressCountry = "ZA";
-
-        Assert.Equal("us_ein", taxInfo.TaxIdType);
-    }
-
-    [Theory]
-    [InlineData(null, null, false)]
-    [InlineData("123", "US", true)]
-    [InlineData("123", "ZQ12", false)]
-    [InlineData("    ", "US", false)]
-    public void HasTaxId_ReturnsExpected(string taxIdNumber, string billingAddressCountry, bool expected)
-    {
-        var taxInfo = new TaxInfo
-        {
-            TaxIdNumber = taxIdNumber,
-            BillingAddressCountry = billingAddressCountry,
-        };
-
-        Assert.Equal(expected, taxInfo.HasTaxId);
-    }
-}
diff --git a/test/Core.Test/Services/StripePaymentServiceTests.cs b/test/Core.Test/Services/StripePaymentServiceTests.cs
index e15f07b113..35e1901a2f 100644
--- a/test/Core.Test/Services/StripePaymentServiceTests.cs
+++ b/test/Core.Test/Services/StripePaymentServiceTests.cs
@@ -77,7 +77,8 @@ public class StripePaymentServiceTests
             c.Address.Line2 == taxInfo.BillingAddressLine2 &&
             c.Address.City == taxInfo.BillingAddressCity &&
             c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData == null
+            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
+            c.TaxIdData.First().Type == taxInfo.TaxIdType
         ));
 
         await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>
@@ -134,7 +135,8 @@ public class StripePaymentServiceTests
             c.Address.Line2 == taxInfo.BillingAddressLine2 &&
             c.Address.City == taxInfo.BillingAddressCity &&
             c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData == null
+            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
+            c.TaxIdData.First().Type == taxInfo.TaxIdType
         ));
 
         await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>
@@ -190,7 +192,8 @@ public class StripePaymentServiceTests
             c.Address.Line2 == taxInfo.BillingAddressLine2 &&
             c.Address.City == taxInfo.BillingAddressCity &&
             c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData == null
+            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
+            c.TaxIdData.First().Type == taxInfo.TaxIdType
         ));
 
         await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>
@@ -247,7 +250,8 @@ public class StripePaymentServiceTests
             c.Address.Line2 == taxInfo.BillingAddressLine2 &&
             c.Address.City == taxInfo.BillingAddressCity &&
             c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData == null
+            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
+            c.TaxIdData.First().Type == taxInfo.TaxIdType
         ));
 
         await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>
@@ -441,7 +445,8 @@ public class StripePaymentServiceTests
             c.Address.Line2 == taxInfo.BillingAddressLine2 &&
             c.Address.City == taxInfo.BillingAddressCity &&
             c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData == null
+            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
+            c.TaxIdData.First().Type == taxInfo.TaxIdType
         ));
 
         await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>
@@ -510,7 +515,8 @@ public class StripePaymentServiceTests
             c.Address.Line2 == taxInfo.BillingAddressLine2 &&
             c.Address.City == taxInfo.BillingAddressCity &&
             c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData == null
+            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
+            c.TaxIdData.First().Type == taxInfo.TaxIdType
         ));
 
         await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>

From 470a12640ee9f42b725cdf4d2587a59ec4dc121b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Ch=C4=99ci=C5=84ski?=
 <mchecinski@bitwarden.com>
Date: Wed, 4 Dec 2024 14:18:58 +0100
Subject: [PATCH 021/384] Trigger unified build on rc and hotfix-rc branches
 (#5108)

---
 .github/workflows/build.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1d092d8b4d..0fa03312b8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -530,7 +530,9 @@ jobs:
 
   self-host-build:
     name: Trigger self-host build
-    if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
+    if: |
+      github.event_name != 'pull_request_target'
+      && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
     runs-on: ubuntu-22.04
     needs:
       - build-docker

From 90a9473a5ecf4e0d2e912bfb7dd7209b310a9673 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Wed, 4 Dec 2024 15:36:11 +0100
Subject: [PATCH 022/384] Revert "[PM-13999] Show estimated tax for taxable
 countries (#5077)" (#5109)

This reverts commit 94fdfa40e8af9c9b788aafe2cf89eacc2913eeea.

Co-authored-by: Conner Turnbull <133619638+cturnbull-bitwarden@users.noreply.github.com>
---
 .../Billing/TaxServiceTests.cs                | 151 ---
 .../Controllers/AccountsBillingController.cs  |  15 -
 .../Billing/Controllers/InvoicesController.cs |  42 -
 .../Controllers/ProviderBillingController.cs  |   1 -
 .../Billing/Controllers/StripeController.cs   |  14 +-
 .../Requests/TaxInformationRequestBody.cs     |   2 -
 .../Billing/Extensions/CurrencyExtensions.cs  |  33 -
 .../Extensions/ServiceCollectionExtensions.cs |   1 -
 .../PreviewIndividualInvoiceRequestModel.cs   |  18 -
 .../PreviewOrganizationInvoiceRequestModel.cs |  37 -
 .../Requests/TaxInformationRequestModel.cs    |  14 -
 .../Responses/PreviewInvoiceResponseModel.cs  |   7 -
 src/Core/Billing/Models/PreviewInvoiceInfo.cs |   7 -
 .../Billing/Models/Sales/OrganizationSale.cs  |   1 -
 src/Core/Billing/Models/TaxIdType.cs          |  22 -
 src/Core/Billing/Models/TaxInformation.cs     | 160 +++-
 src/Core/Billing/Services/ITaxService.cs      |  22 -
 .../OrganizationBillingService.cs             |  35 +-
 .../PremiumUserBillingService.cs              |  37 +-
 .../Implementations/SubscriberService.cs      |  49 +-
 src/Core/Billing/Services/TaxService.cs       | 901 ------------------
 src/Core/Billing/Utilities.cs                 |   1 -
 src/Core/Models/Business/TaxInfo.cs           | 208 +++-
 src/Core/Services/IPaymentService.cs          |   6 -
 src/Core/Services/IStripeAdapter.cs           |   2 -
 .../Services/Implementations/StripeAdapter.cs |  12 -
 .../Implementations/StripePaymentService.cs   | 387 +-------
 .../Services/SubscriberServiceTests.cs        |   3 +-
 .../Core.Test/Models/Business/TaxInfoTests.cs | 114 +++
 .../Services/StripePaymentServiceTests.cs     |  18 +-
 30 files changed, 529 insertions(+), 1791 deletions(-)
 delete mode 100644 bitwarden_license/test/Commercial.Core.Test/Billing/TaxServiceTests.cs
 delete mode 100644 src/Api/Billing/Controllers/InvoicesController.cs
 delete mode 100644 src/Core/Billing/Extensions/CurrencyExtensions.cs
 delete mode 100644 src/Core/Billing/Models/Api/Requests/Accounts/PreviewIndividualInvoiceRequestModel.cs
 delete mode 100644 src/Core/Billing/Models/Api/Requests/Organizations/PreviewOrganizationInvoiceRequestModel.cs
 delete mode 100644 src/Core/Billing/Models/Api/Requests/TaxInformationRequestModel.cs
 delete mode 100644 src/Core/Billing/Models/Api/Responses/PreviewInvoiceResponseModel.cs
 delete mode 100644 src/Core/Billing/Models/PreviewInvoiceInfo.cs
 delete mode 100644 src/Core/Billing/Models/TaxIdType.cs
 delete mode 100644 src/Core/Billing/Services/ITaxService.cs
 delete mode 100644 src/Core/Billing/Services/TaxService.cs
 create mode 100644 test/Core.Test/Models/Business/TaxInfoTests.cs

diff --git a/bitwarden_license/test/Commercial.Core.Test/Billing/TaxServiceTests.cs b/bitwarden_license/test/Commercial.Core.Test/Billing/TaxServiceTests.cs
deleted file mode 100644
index 3995fb9de6..0000000000
--- a/bitwarden_license/test/Commercial.Core.Test/Billing/TaxServiceTests.cs
+++ /dev/null
@@ -1,151 +0,0 @@
-using Bit.Core.Billing.Services;
-using Bit.Test.Common.AutoFixture;
-using Bit.Test.Common.AutoFixture.Attributes;
-using Xunit;
-
-namespace Bit.Commercial.Core.Test.Billing;
-
-[SutProviderCustomize]
-public class TaxServiceTests
-{
-    [Theory]
-    [BitAutoData("AD", "A-123456-Z", "ad_nrt")]
-    [BitAutoData("AD", "A123456Z", "ad_nrt")]
-    [BitAutoData("AR", "20-12345678-9", "ar_cuit")]
-    [BitAutoData("AR", "20123456789", "ar_cuit")]
-    [BitAutoData("AU", "01259983598", "au_abn")]
-    [BitAutoData("AU", "123456789123", "au_arn")]
-    [BitAutoData("AT", "ATU12345678", "eu_vat")]
-    [BitAutoData("BH", "123456789012345", "bh_vat")]
-    [BitAutoData("BY", "123456789", "by_tin")]
-    [BitAutoData("BE", "BE0123456789", "eu_vat")]
-    [BitAutoData("BO", "123456789", "bo_tin")]
-    [BitAutoData("BR", "01.234.456/5432-10", "br_cnpj")]
-    [BitAutoData("BR", "01234456543210", "br_cnpj")]
-    [BitAutoData("BR", "123.456.789-87", "br_cpf")]
-    [BitAutoData("BR", "12345678987", "br_cpf")]
-    [BitAutoData("BG", "123456789", "bg_uic")]
-    [BitAutoData("BG", "BG012100705", "eu_vat")]
-    [BitAutoData("CA", "100728494", "ca_bn")]
-    [BitAutoData("CA", "123456789RT0001", "ca_gst_hst")]
-    [BitAutoData("CA", "PST-1234-1234", "ca_pst_bc")]
-    [BitAutoData("CA", "123456-7", "ca_pst_mb")]
-    [BitAutoData("CA", "1234567", "ca_pst_sk")]
-    [BitAutoData("CA", "1234567890TQ1234", "ca_qst")]
-    [BitAutoData("CL", "11.121.326-1", "cl_tin")]
-    [BitAutoData("CL", "11121326-1", "cl_tin")]
-    [BitAutoData("CL", "23.121.326-K", "cl_tin")]
-    [BitAutoData("CL", "43651326-K", "cl_tin")]
-    [BitAutoData("CN", "123456789012345678", "cn_tin")]
-    [BitAutoData("CN", "123456789012345", "cn_tin")]
-    [BitAutoData("CO", "123.456.789-0", "co_nit")]
-    [BitAutoData("CO", "1234567890", "co_nit")]
-    [BitAutoData("CR", "1-234-567890", "cr_tin")]
-    [BitAutoData("CR", "1234567890", "cr_tin")]
-    [BitAutoData("HR", "HR12345678912", "eu_vat")]
-    [BitAutoData("HR", "12345678901", "hr_oib")]
-    [BitAutoData("CY", "CY12345678X", "eu_vat")]
-    [BitAutoData("CZ", "CZ12345678", "eu_vat")]
-    [BitAutoData("DK", "DK12345678", "eu_vat")]
-    [BitAutoData("DO", "123-4567890-1", "do_rcn")]
-    [BitAutoData("DO", "12345678901", "do_rcn")]
-    [BitAutoData("EC", "1234567890001", "ec_ruc")]
-    [BitAutoData("EG", "123456789", "eg_tin")]
-    [BitAutoData("SV", "1234-567890-123-4", "sv_nit")]
-    [BitAutoData("SV", "12345678901234", "sv_nit")]
-    [BitAutoData("EE", "EE123456789", "eu_vat")]
-    [BitAutoData("EU", "EU123456789", "eu_oss_vat")]
-    [BitAutoData("FI", "FI12345678", "eu_vat")]
-    [BitAutoData("FR", "FR12345678901", "eu_vat")]
-    [BitAutoData("GE", "123456789", "ge_vat")]
-    [BitAutoData("DE", "1234567890", "de_stn")]
-    [BitAutoData("DE", "DE123456789", "eu_vat")]
-    [BitAutoData("GR", "EL123456789", "eu_vat")]
-    [BitAutoData("HK", "12345678", "hk_br")]
-    [BitAutoData("HU", "HU12345678", "eu_vat")]
-    [BitAutoData("HU", "12345678-1-23", "hu_tin")]
-    [BitAutoData("HU", "12345678123", "hu_tin")]
-    [BitAutoData("IS", "123456", "is_vat")]
-    [BitAutoData("IN", "12ABCDE1234F1Z5", "in_gst")]
-    [BitAutoData("IN", "12ABCDE3456FGZH", "in_gst")]
-    [BitAutoData("ID", "012.345.678.9-012.345", "id_npwp")]
-    [BitAutoData("ID", "0123456789012345", "id_npwp")]
-    [BitAutoData("IE", "IE1234567A", "eu_vat")]
-    [BitAutoData("IE", "IE1234567AB", "eu_vat")]
-    [BitAutoData("IL", "000012345", "il_vat")]
-    [BitAutoData("IL", "123456789", "il_vat")]
-    [BitAutoData("IT", "IT12345678901", "eu_vat")]
-    [BitAutoData("JP", "1234567890123", "jp_cn")]
-    [BitAutoData("JP", "12345", "jp_rn")]
-    [BitAutoData("KZ", "123456789012", "kz_bin")]
-    [BitAutoData("KE", "P000111111A", "ke_pin")]
-    [BitAutoData("LV", "LV12345678912", "eu_vat")]
-    [BitAutoData("LI", "CHE123456789", "li_uid")]
-    [BitAutoData("LI", "12345", "li_vat")]
-    [BitAutoData("LT", "LT123456789123", "eu_vat")]
-    [BitAutoData("LU", "LU12345678", "eu_vat")]
-    [BitAutoData("MY", "12345678", "my_frp")]
-    [BitAutoData("MY", "C 1234567890", "my_itn")]
-    [BitAutoData("MY", "C1234567890", "my_itn")]
-    [BitAutoData("MY", "A12-3456-78912345", "my_sst")]
-    [BitAutoData("MY", "A12345678912345", "my_sst")]
-    [BitAutoData("MT", "MT12345678", "eu_vat")]
-    [BitAutoData("MX", "ABC010203AB9", "mx_rfc")]
-    [BitAutoData("MD", "1003600", "md_vat")]
-    [BitAutoData("MA", "12345678", "ma_vat")]
-    [BitAutoData("NL", "NL123456789B12", "eu_vat")]
-    [BitAutoData("NZ", "123456789", "nz_gst")]
-    [BitAutoData("NG", "12345678-0001", "ng_tin")]
-    [BitAutoData("NO", "123456789MVA", "no_vat")]
-    [BitAutoData("NO", "1234567", "no_voec")]
-    [BitAutoData("OM", "OM1234567890", "om_vat")]
-    [BitAutoData("PE", "12345678901", "pe_ruc")]
-    [BitAutoData("PH", "123456789012", "ph_tin")]
-    [BitAutoData("PL", "PL1234567890", "eu_vat")]
-    [BitAutoData("PT", "PT123456789", "eu_vat")]
-    [BitAutoData("RO", "RO1234567891", "eu_vat")]
-    [BitAutoData("RO", "1234567890123", "ro_tin")]
-    [BitAutoData("RU", "1234567891", "ru_inn")]
-    [BitAutoData("RU", "123456789", "ru_kpp")]
-    [BitAutoData("SA", "123456789012345", "sa_vat")]
-    [BitAutoData("RS", "123456789", "rs_pib")]
-    [BitAutoData("SG", "M12345678X", "sg_gst")]
-    [BitAutoData("SG", "123456789F", "sg_uen")]
-    [BitAutoData("SK", "SK1234567891", "eu_vat")]
-    [BitAutoData("SI", "SI12345678", "eu_vat")]
-    [BitAutoData("SI", "12345678", "si_tin")]
-    [BitAutoData("ZA", "4123456789", "za_vat")]
-    [BitAutoData("KR", "123-45-67890", "kr_brn")]
-    [BitAutoData("KR", "1234567890", "kr_brn")]
-    [BitAutoData("ES", "A12345678", "es_cif")]
-    [BitAutoData("ES", "ESX1234567X", "eu_vat")]
-    [BitAutoData("SE", "SE123456789012", "eu_vat")]
-    [BitAutoData("CH", "CHE-123.456.789 HR", "ch_uid")]
-    [BitAutoData("CH", "CHE123456789HR", "ch_uid")]
-    [BitAutoData("CH", "CHE-123.456.789 MWST", "ch_vat")]
-    [BitAutoData("CH", "CHE123456789MWST", "ch_vat")]
-    [BitAutoData("TW", "12345678", "tw_vat")]
-    [BitAutoData("TH", "1234567890123", "th_vat")]
-    [BitAutoData("TR", "0123456789", "tr_tin")]
-    [BitAutoData("UA", "123456789", "ua_vat")]
-    [BitAutoData("AE", "123456789012345", "ae_trn")]
-    [BitAutoData("GB", "XI123456789", "eu_vat")]
-    [BitAutoData("GB", "GB123456789", "gb_vat")]
-    [BitAutoData("US", "12-3456789", "us_ein")]
-    [BitAutoData("UY", "123456789012", "uy_ruc")]
-    [BitAutoData("UZ", "123456789", "uz_tin")]
-    [BitAutoData("UZ", "123456789012", "uz_vat")]
-    [BitAutoData("VE", "A-12345678-9", "ve_rif")]
-    [BitAutoData("VE", "A123456789", "ve_rif")]
-    [BitAutoData("VN", "1234567890", "vn_tin")]
-    public void GetStripeTaxCode_WithValidCountryAndTaxId_ReturnsExpectedTaxIdType(
-        string country,
-        string taxId,
-        string expected,
-        SutProvider<TaxService> sutProvider)
-    {
-        var result = sutProvider.Sut.GetStripeTaxCode(country, taxId);
-
-        Assert.Equal(expected, result);
-    }
-}
diff --git a/src/Api/Billing/Controllers/AccountsBillingController.cs b/src/Api/Billing/Controllers/AccountsBillingController.cs
index fcb89226e7..574ac3e65e 100644
--- a/src/Api/Billing/Controllers/AccountsBillingController.cs
+++ b/src/Api/Billing/Controllers/AccountsBillingController.cs
@@ -1,6 +1,5 @@
 #nullable enable
 using Bit.Api.Billing.Models.Responses;
-using Bit.Core.Billing.Models.Api.Requests.Accounts;
 using Bit.Core.Billing.Services;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
@@ -78,18 +77,4 @@ public class AccountsBillingController(
 
         return TypedResults.Ok(transactions);
     }
-
-    [HttpPost("preview-invoice")]
-    public async Task<IResult> PreviewInvoiceAsync([FromBody] PreviewIndividualInvoiceRequestBody model)
-    {
-        var user = await userService.GetUserByPrincipalAsync(User);
-        if (user == null)
-        {
-            throw new UnauthorizedAccessException();
-        }
-
-        var invoice = await paymentService.PreviewInvoiceAsync(model, user.GatewayCustomerId, user.GatewaySubscriptionId);
-
-        return TypedResults.Ok(invoice);
-    }
 }
diff --git a/src/Api/Billing/Controllers/InvoicesController.cs b/src/Api/Billing/Controllers/InvoicesController.cs
deleted file mode 100644
index 686d9b9643..0000000000
--- a/src/Api/Billing/Controllers/InvoicesController.cs
+++ /dev/null
@@ -1,42 +0,0 @@
-using Bit.Core.AdminConsole.Entities;
-using Bit.Core.Billing.Models.Api.Requests.Organizations;
-using Bit.Core.Context;
-using Bit.Core.Repositories;
-using Bit.Core.Services;
-using Microsoft.AspNetCore.Authorization;
-using Microsoft.AspNetCore.Mvc;
-
-namespace Bit.Api.Billing.Controllers;
-
-[Route("invoices")]
-[Authorize("Application")]
-public class InvoicesController : BaseBillingController
-{
-    [HttpPost("preview-organization")]
-    public async Task<IResult> PreviewInvoiceAsync(
-        [FromBody] PreviewOrganizationInvoiceRequestBody model,
-        [FromServices] ICurrentContext currentContext,
-        [FromServices] IOrganizationRepository organizationRepository,
-        [FromServices] IPaymentService paymentService)
-    {
-        Organization organization = null;
-        if (model.OrganizationId != default)
-        {
-            if (!await currentContext.EditPaymentMethods(model.OrganizationId))
-            {
-                return Error.Unauthorized();
-            }
-
-            organization = await organizationRepository.GetByIdAsync(model.OrganizationId);
-            if (organization == null)
-            {
-                return Error.NotFound();
-            }
-        }
-
-        var invoice = await paymentService.PreviewInvoiceAsync(model, organization?.GatewayCustomerId,
-            organization?.GatewaySubscriptionId);
-
-        return TypedResults.Ok(invoice);
-    }
-}
diff --git a/src/Api/Billing/Controllers/ProviderBillingController.cs b/src/Api/Billing/Controllers/ProviderBillingController.cs
index c5de63c69b..f7ddf0853e 100644
--- a/src/Api/Billing/Controllers/ProviderBillingController.cs
+++ b/src/Api/Billing/Controllers/ProviderBillingController.cs
@@ -119,7 +119,6 @@ public class ProviderBillingController(
             requestBody.Country,
             requestBody.PostalCode,
             requestBody.TaxId,
-            requestBody.TaxIdType,
             requestBody.Line1,
             requestBody.Line2,
             requestBody.City,
diff --git a/src/Api/Billing/Controllers/StripeController.cs b/src/Api/Billing/Controllers/StripeController.cs
index f5e8253bfa..a4a974bb99 100644
--- a/src/Api/Billing/Controllers/StripeController.cs
+++ b/src/Api/Billing/Controllers/StripeController.cs
@@ -1,5 +1,4 @@
-using Bit.Core.Billing.Services;
-using Bit.Core.Services;
+using Bit.Core.Services;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http.HttpResults;
 using Microsoft.AspNetCore.Mvc;
@@ -47,15 +46,4 @@ public class StripeController(
 
         return TypedResults.Ok(setupIntent.ClientSecret);
     }
-
-    [HttpGet]
-    [Route("~/tax/is-country-supported")]
-    public IResult IsCountrySupported(
-        [FromQuery] string country,
-        [FromServices] ITaxService taxService)
-    {
-        var isSupported = taxService.IsSupported(country);
-
-        return TypedResults.Ok(isSupported);
-    }
 }
diff --git a/src/Api/Billing/Models/Requests/TaxInformationRequestBody.cs b/src/Api/Billing/Models/Requests/TaxInformationRequestBody.cs
index 32ba2effb2..c5c0fde00b 100644
--- a/src/Api/Billing/Models/Requests/TaxInformationRequestBody.cs
+++ b/src/Api/Billing/Models/Requests/TaxInformationRequestBody.cs
@@ -10,7 +10,6 @@ public class TaxInformationRequestBody
     [Required]
     public string PostalCode { get; set; }
     public string TaxId { get; set; }
-    public string TaxIdType { get; set; }
     public string Line1 { get; set; }
     public string Line2 { get; set; }
     public string City { get; set; }
@@ -20,7 +19,6 @@ public class TaxInformationRequestBody
         Country,
         PostalCode,
         TaxId,
-        TaxIdType,
         Line1,
         Line2,
         City,
diff --git a/src/Core/Billing/Extensions/CurrencyExtensions.cs b/src/Core/Billing/Extensions/CurrencyExtensions.cs
deleted file mode 100644
index cde1a7bea8..0000000000
--- a/src/Core/Billing/Extensions/CurrencyExtensions.cs
+++ /dev/null
@@ -1,33 +0,0 @@
-namespace Bit.Core.Billing.Extensions;
-
-public static class CurrencyExtensions
-{
-    /// <summary>
-    /// Converts a currency amount in major units to minor units.
-    /// </summary>
-    /// <example>123.99 USD returns 12399 in minor units.</example>
-    public static long ToMinor(this decimal amount)
-    {
-        return Convert.ToInt64(amount * 100);
-    }
-
-    /// <summary>
-    /// Converts a currency amount in minor units to major units.
-    /// </summary>
-    /// <param name="amount"></param>
-    /// <example>12399 in minor units returns 123.99 USD.</example>
-    public static decimal? ToMajor(this long? amount)
-    {
-        return amount?.ToMajor();
-    }
-
-    /// <summary>
-    /// Converts a currency amount in minor units to major units.
-    /// </summary>
-    /// <param name="amount"></param>
-    /// <example>12399 in minor units returns 123.99 USD.</example>
-    public static decimal ToMajor(this long amount)
-    {
-        return Convert.ToDecimal(amount) / 100;
-    }
-}
diff --git a/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs b/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
index 8f2803d920..abfceac736 100644
--- a/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
+++ b/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
@@ -11,7 +11,6 @@ public static class ServiceCollectionExtensions
 {
     public static void AddBillingOperations(this IServiceCollection services)
     {
-        services.AddSingleton<ITaxService, TaxService>();
         services.AddTransient<IOrganizationBillingService, OrganizationBillingService>();
         services.AddTransient<IPremiumUserBillingService, PremiumUserBillingService>();
         services.AddTransient<ISetupIntentCache, SetupIntentDistributedCache>();
diff --git a/src/Core/Billing/Models/Api/Requests/Accounts/PreviewIndividualInvoiceRequestModel.cs b/src/Core/Billing/Models/Api/Requests/Accounts/PreviewIndividualInvoiceRequestModel.cs
deleted file mode 100644
index 6dfb9894d5..0000000000
--- a/src/Core/Billing/Models/Api/Requests/Accounts/PreviewIndividualInvoiceRequestModel.cs
+++ /dev/null
@@ -1,18 +0,0 @@
-using System.ComponentModel.DataAnnotations;
-
-namespace Bit.Core.Billing.Models.Api.Requests.Accounts;
-
-public class PreviewIndividualInvoiceRequestBody
-{
-    [Required]
-    public PasswordManagerRequestModel PasswordManager { get; set; }
-
-    [Required]
-    public TaxInformationRequestModel TaxInformation { get; set; }
-}
-
-public class PasswordManagerRequestModel
-{
-    [Range(0, int.MaxValue)]
-    public int AdditionalStorage { get; set; }
-}
diff --git a/src/Core/Billing/Models/Api/Requests/Organizations/PreviewOrganizationInvoiceRequestModel.cs b/src/Core/Billing/Models/Api/Requests/Organizations/PreviewOrganizationInvoiceRequestModel.cs
deleted file mode 100644
index 18d9c352d7..0000000000
--- a/src/Core/Billing/Models/Api/Requests/Organizations/PreviewOrganizationInvoiceRequestModel.cs
+++ /dev/null
@@ -1,37 +0,0 @@
-using System.ComponentModel.DataAnnotations;
-using Bit.Core.Billing.Enums;
-
-namespace Bit.Core.Billing.Models.Api.Requests.Organizations;
-
-public class PreviewOrganizationInvoiceRequestBody
-{
-    public Guid OrganizationId { get; set; }
-
-    [Required]
-    public PasswordManagerRequestModel PasswordManager { get; set; }
-
-    public SecretsManagerRequestModel SecretsManager { get; set; }
-
-    [Required]
-    public TaxInformationRequestModel TaxInformation { get; set; }
-}
-
-public class PasswordManagerRequestModel
-{
-    public PlanType Plan { get; set; }
-
-    [Range(0, int.MaxValue)]
-    public int Seats { get; set; }
-
-    [Range(0, int.MaxValue)]
-    public int AdditionalStorage { get; set; }
-}
-
-public class SecretsManagerRequestModel
-{
-    [Range(0, int.MaxValue)]
-    public int Seats { get; set; }
-
-    [Range(0, int.MaxValue)]
-    public int AdditionalMachineAccounts { get; set; }
-}
diff --git a/src/Core/Billing/Models/Api/Requests/TaxInformationRequestModel.cs b/src/Core/Billing/Models/Api/Requests/TaxInformationRequestModel.cs
deleted file mode 100644
index 9cb43645c6..0000000000
--- a/src/Core/Billing/Models/Api/Requests/TaxInformationRequestModel.cs
+++ /dev/null
@@ -1,14 +0,0 @@
-using System.ComponentModel.DataAnnotations;
-
-namespace Bit.Core.Billing.Models.Api.Requests;
-
-public class TaxInformationRequestModel
-{
-    [Length(2, 2), Required]
-    public string Country { get; set; }
-
-    [Required]
-    public string PostalCode { get; set; }
-
-    public string TaxId { get; set; }
-}
diff --git a/src/Core/Billing/Models/Api/Responses/PreviewInvoiceResponseModel.cs b/src/Core/Billing/Models/Api/Responses/PreviewInvoiceResponseModel.cs
deleted file mode 100644
index fdde7dae1e..0000000000
--- a/src/Core/Billing/Models/Api/Responses/PreviewInvoiceResponseModel.cs
+++ /dev/null
@@ -1,7 +0,0 @@
-namespace Bit.Core.Billing.Models.Api.Responses;
-
-public record PreviewInvoiceResponseModel(
-    decimal EffectiveTaxRate,
-    decimal TaxableBaseAmount,
-    decimal TaxAmount,
-    decimal TotalAmount);
diff --git a/src/Core/Billing/Models/PreviewInvoiceInfo.cs b/src/Core/Billing/Models/PreviewInvoiceInfo.cs
deleted file mode 100644
index 16a2019c20..0000000000
--- a/src/Core/Billing/Models/PreviewInvoiceInfo.cs
+++ /dev/null
@@ -1,7 +0,0 @@
-namespace Bit.Core.Billing.Models;
-
-public record PreviewInvoiceInfo(
-    decimal EffectiveTaxRate,
-    decimal TaxableBaseAmount,
-    decimal TaxAmount,
-    decimal TotalAmount);
diff --git a/src/Core/Billing/Models/Sales/OrganizationSale.cs b/src/Core/Billing/Models/Sales/OrganizationSale.cs
index 43852bb320..a19c278c68 100644
--- a/src/Core/Billing/Models/Sales/OrganizationSale.cs
+++ b/src/Core/Billing/Models/Sales/OrganizationSale.cs
@@ -65,7 +65,6 @@ public class OrganizationSale
             signup.TaxInfo.BillingAddressCountry,
             signup.TaxInfo.BillingAddressPostalCode,
             signup.TaxInfo.TaxIdNumber,
-            signup.TaxInfo.TaxIdType,
             signup.TaxInfo.BillingAddressLine1,
             signup.TaxInfo.BillingAddressLine2,
             signup.TaxInfo.BillingAddressCity,
diff --git a/src/Core/Billing/Models/TaxIdType.cs b/src/Core/Billing/Models/TaxIdType.cs
deleted file mode 100644
index 3fc246d68b..0000000000
--- a/src/Core/Billing/Models/TaxIdType.cs
+++ /dev/null
@@ -1,22 +0,0 @@
-using System.Text.RegularExpressions;
-
-namespace Bit.Core.Billing.Models;
-
-public class TaxIdType
-{
-    /// <summary>
-    /// ISO-3166-2 code for the country.
-    /// </summary>
-    public string Country { get; set; }
-
-    /// <summary>
-    /// The identifier in Stripe for the tax ID type.
-    /// </summary>
-    public string Code { get; set; }
-
-    public Regex ValidationExpression { get; set; }
-
-    public string Description { get; set; }
-
-    public string Example { get; set; }
-}
diff --git a/src/Core/Billing/Models/TaxInformation.cs b/src/Core/Billing/Models/TaxInformation.cs
index 23ed3e5faa..5403f94690 100644
--- a/src/Core/Billing/Models/TaxInformation.cs
+++ b/src/Core/Billing/Models/TaxInformation.cs
@@ -1,4 +1,5 @@
 using Bit.Core.Models.Business;
+using Stripe;
 
 namespace Bit.Core.Billing.Models;
 
@@ -6,7 +7,6 @@ public record TaxInformation(
     string Country,
     string PostalCode,
     string TaxId,
-    string TaxIdType,
     string Line1,
     string Line2,
     string City,
@@ -16,9 +16,165 @@ public record TaxInformation(
         taxInfo.BillingAddressCountry,
         taxInfo.BillingAddressPostalCode,
         taxInfo.TaxIdNumber,
-        taxInfo.TaxIdType,
         taxInfo.BillingAddressLine1,
         taxInfo.BillingAddressLine2,
         taxInfo.BillingAddressCity,
         taxInfo.BillingAddressState);
+
+    public (AddressOptions, List<CustomerTaxIdDataOptions>) GetStripeOptions()
+    {
+        var address = new AddressOptions
+        {
+            Country = Country,
+            PostalCode = PostalCode,
+            Line1 = Line1,
+            Line2 = Line2,
+            City = City,
+            State = State
+        };
+
+        var customerTaxIdDataOptionsList = !string.IsNullOrEmpty(TaxId)
+            ? new List<CustomerTaxIdDataOptions> { new() { Type = GetTaxIdType(), Value = TaxId } }
+            : null;
+
+        return (address, customerTaxIdDataOptionsList);
+    }
+
+    public string GetTaxIdType()
+    {
+        if (string.IsNullOrEmpty(Country) || string.IsNullOrEmpty(TaxId))
+        {
+            return null;
+        }
+
+        switch (Country.ToUpper())
+        {
+            case "AD":
+                return "ad_nrt";
+            case "AE":
+                return "ae_trn";
+            case "AR":
+                return "ar_cuit";
+            case "AU":
+                return "au_abn";
+            case "BO":
+                return "bo_tin";
+            case "BR":
+                return "br_cnpj";
+            case "CA":
+                // May break for those in Québec given the assumption of QST
+                if (State?.Contains("bec") ?? false)
+                {
+                    return "ca_qst";
+                }
+                return "ca_bn";
+            case "CH":
+                return "ch_vat";
+            case "CL":
+                return "cl_tin";
+            case "CN":
+                return "cn_tin";
+            case "CO":
+                return "co_nit";
+            case "CR":
+                return "cr_tin";
+            case "DO":
+                return "do_rcn";
+            case "EC":
+                return "ec_ruc";
+            case "EG":
+                return "eg_tin";
+            case "GE":
+                return "ge_vat";
+            case "ID":
+                return "id_npwp";
+            case "IL":
+                return "il_vat";
+            case "IS":
+                return "is_vat";
+            case "KE":
+                return "ke_pin";
+            case "AT":
+            case "BE":
+            case "BG":
+            case "CY":
+            case "CZ":
+            case "DE":
+            case "DK":
+            case "EE":
+            case "ES":
+            case "FI":
+            case "FR":
+            case "GB":
+            case "GR":
+            case "HR":
+            case "HU":
+            case "IE":
+            case "IT":
+            case "LT":
+            case "LU":
+            case "LV":
+            case "MT":
+            case "NL":
+            case "PL":
+            case "PT":
+            case "RO":
+            case "SE":
+            case "SI":
+            case "SK":
+                return "eu_vat";
+            case "HK":
+                return "hk_br";
+            case "IN":
+                return "in_gst";
+            case "JP":
+                return "jp_cn";
+            case "KR":
+                return "kr_brn";
+            case "LI":
+                return "li_uid";
+            case "MX":
+                return "mx_rfc";
+            case "MY":
+                return "my_sst";
+            case "NO":
+                return "no_vat";
+            case "NZ":
+                return "nz_gst";
+            case "PE":
+                return "pe_ruc";
+            case "PH":
+                return "ph_tin";
+            case "RS":
+                return "rs_pib";
+            case "RU":
+                return "ru_inn";
+            case "SA":
+                return "sa_vat";
+            case "SG":
+                return "sg_gst";
+            case "SV":
+                return "sv_nit";
+            case "TH":
+                return "th_vat";
+            case "TR":
+                return "tr_tin";
+            case "TW":
+                return "tw_vat";
+            case "UA":
+                return "ua_vat";
+            case "US":
+                return "us_ein";
+            case "UY":
+                return "uy_ruc";
+            case "VE":
+                return "ve_rif";
+            case "VN":
+                return "vn_tin";
+            case "ZA":
+                return "za_vat";
+            default:
+                return null;
+        }
+    }
 }
diff --git a/src/Core/Billing/Services/ITaxService.cs b/src/Core/Billing/Services/ITaxService.cs
deleted file mode 100644
index beee113d17..0000000000
--- a/src/Core/Billing/Services/ITaxService.cs
+++ /dev/null
@@ -1,22 +0,0 @@
-namespace Bit.Core.Billing.Services;
-
-public interface ITaxService
-{
-    /// <summary>
-    /// Retrieves the Stripe tax code for a given country and tax ID.
-    /// </summary>
-    /// <param name="country"></param>
-    /// <param name="taxId"></param>
-    /// <returns>
-    /// Returns the Stripe tax code if the tax ID is valid for the country.
-    /// Returns null if the tax ID is invalid or the country is not supported.
-    /// </returns>
-    string GetStripeTaxCode(string country, string taxId);
-
-    /// <summary>
-    /// Returns true or false whether charging or storing tax is supported for the given country.
-    /// </summary>
-    /// <param name="country"></param>
-    /// <returns></returns>
-    bool IsSupported(string country);
-}
diff --git a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
index b186a99d93..eadc589625 100644
--- a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
@@ -28,8 +28,7 @@ public class OrganizationBillingService(
     IOrganizationRepository organizationRepository,
     ISetupIntentCache setupIntentCache,
     IStripeAdapter stripeAdapter,
-    ISubscriberService subscriberService,
-    ITaxService taxService) : IOrganizationBillingService
+    ISubscriberService subscriberService) : IOrganizationBillingService
 {
     public async Task Finalize(OrganizationSale sale)
     {
@@ -168,38 +167,14 @@ public class OrganizationBillingService(
                 throw new BillingException();
             }
 
-            customerCreateOptions.Address = new AddressOptions
-            {
-                Line1 = customerSetup.TaxInformation.Line1,
-                Line2 = customerSetup.TaxInformation.Line2,
-                City = customerSetup.TaxInformation.City,
-                PostalCode = customerSetup.TaxInformation.PostalCode,
-                State = customerSetup.TaxInformation.State,
-                Country = customerSetup.TaxInformation.Country,
-            };
+            var (address, taxIdData) = customerSetup.TaxInformation.GetStripeOptions();
+
+            customerCreateOptions.Address = address;
             customerCreateOptions.Tax = new CustomerTaxOptions
             {
                 ValidateLocation = StripeConstants.ValidateTaxLocationTiming.Immediately
             };
-
-            if (!string.IsNullOrEmpty(customerSetup.TaxInformation.TaxId))
-            {
-                var taxIdType = taxService.GetStripeTaxCode(customerSetup.TaxInformation.Country,
-                    customerSetup.TaxInformation.TaxId);
-
-                if (taxIdType == null)
-                {
-                    logger.LogWarning("Could not determine tax ID type for organization '{OrganizationID}' in country '{Country}' with tax ID '{TaxID}'.",
-                        organization.Id,
-                        customerSetup.TaxInformation.Country,
-                        customerSetup.TaxInformation.TaxId);
-                }
-
-                customerCreateOptions.TaxIdData =
-                [
-                    new() { Type = taxIdType, Value = customerSetup.TaxInformation.TaxId }
-                ];
-            }
+            customerCreateOptions.TaxIdData = taxIdData;
 
             var (paymentMethodType, paymentMethodToken) = customerSetup.TokenizedPaymentSource;
 
diff --git a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
index 5351888ad9..92c81dae1c 100644
--- a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
@@ -24,8 +24,7 @@ public class PremiumUserBillingService(
     ISetupIntentCache setupIntentCache,
     IStripeAdapter stripeAdapter,
     ISubscriberService subscriberService,
-    IUserRepository userRepository,
-    ITaxService taxService) : IPremiumUserBillingService
+    IUserRepository userRepository) : IPremiumUserBillingService
 {
     public async Task Finalize(PremiumUserSale sale)
     {
@@ -83,19 +82,13 @@ public class PremiumUserBillingService(
             throw new BillingException();
         }
 
+        var (address, taxIdData) = customerSetup.TaxInformation.GetStripeOptions();
+
         var subscriberName = user.SubscriberName();
 
         var customerCreateOptions = new CustomerCreateOptions
         {
-            Address = new AddressOptions
-            {
-                Line1 = customerSetup.TaxInformation.Line1,
-                Line2 = customerSetup.TaxInformation.Line2,
-                City = customerSetup.TaxInformation.City,
-                PostalCode = customerSetup.TaxInformation.PostalCode,
-                State = customerSetup.TaxInformation.State,
-                Country = customerSetup.TaxInformation.Country,
-            },
+            Address = address,
             Description = user.Name,
             Email = user.Email,
             Expand = ["tax"],
@@ -120,28 +113,10 @@ public class PremiumUserBillingService(
             Tax = new CustomerTaxOptions
             {
                 ValidateLocation = StripeConstants.ValidateTaxLocationTiming.Immediately
-            }
+            },
+            TaxIdData = taxIdData
         };
 
-        if (!string.IsNullOrEmpty(customerSetup.TaxInformation.TaxId))
-        {
-            var taxIdType = taxService.GetStripeTaxCode(customerSetup.TaxInformation.Country,
-                customerSetup.TaxInformation.TaxId);
-
-            if (taxIdType == null)
-            {
-                logger.LogWarning("Could not infer tax ID type in country '{Country}' with tax ID '{TaxID}'.",
-                    customerSetup.TaxInformation.Country,
-                    customerSetup.TaxInformation.TaxId);
-                throw new Exceptions.BadRequestException("billingTaxIdTypeInferenceError");
-            }
-
-            customerCreateOptions.TaxIdData =
-            [
-                new() { Type = taxIdType, Value = customerSetup.TaxInformation.TaxId }
-            ];
-        }
-
         var (paymentMethodType, paymentMethodToken) = customerSetup.TokenizedPaymentSource;
 
         var braintreeCustomerId = "";
diff --git a/src/Core/Billing/Services/Implementations/SubscriberService.cs b/src/Core/Billing/Services/Implementations/SubscriberService.cs
index 6125d15419..9b8f64be82 100644
--- a/src/Core/Billing/Services/Implementations/SubscriberService.cs
+++ b/src/Core/Billing/Services/Implementations/SubscriberService.cs
@@ -23,8 +23,7 @@ public class SubscriberService(
     IGlobalSettings globalSettings,
     ILogger<SubscriberService> logger,
     ISetupIntentCache setupIntentCache,
-    IStripeAdapter stripeAdapter,
-    ITaxService taxService) : ISubscriberService
+    IStripeAdapter stripeAdapter) : ISubscriberService
 {
     public async Task CancelSubscription(
         ISubscriber subscriber,
@@ -619,47 +618,16 @@ public class SubscriberService(
                 await stripeAdapter.TaxIdDeleteAsync(customer.Id, taxId.Id);
             }
 
-            if (string.IsNullOrWhiteSpace(taxInformation.TaxId))
-            {
-                return;
-            }
+            var taxIdType = taxInformation.GetTaxIdType();
 
-            var taxIdType = taxInformation.TaxIdType;
-            if (string.IsNullOrWhiteSpace(taxIdType))
+            if (!string.IsNullOrWhiteSpace(taxInformation.TaxId) &&
+                !string.IsNullOrWhiteSpace(taxIdType))
             {
-                taxIdType = taxService.GetStripeTaxCode(taxInformation.Country,
-                    taxInformation.TaxId);
-
-                if (taxIdType == null)
+                await stripeAdapter.TaxIdCreateAsync(customer.Id, new TaxIdCreateOptions
                 {
-                    logger.LogWarning("Could not infer tax ID type in country '{Country}' with tax ID '{TaxID}'.",
-                        taxInformation.Country,
-                        taxInformation.TaxId);
-                    throw new Exceptions.BadRequestException("billingTaxIdTypeInferenceError");
-                }
-            }
-
-            try
-            {
-                await stripeAdapter.TaxIdCreateAsync(customer.Id,
-                    new TaxIdCreateOptions { Type = taxIdType, Value = taxInformation.TaxId });
-            }
-            catch (StripeException e)
-            {
-                switch (e.StripeError.Code)
-                {
-                    case StripeConstants.ErrorCodes.TaxIdInvalid:
-                        logger.LogWarning("Invalid tax ID '{TaxID}' for country '{Country}'.",
-                            taxInformation.TaxId,
-                            taxInformation.Country);
-                        throw new Exceptions.BadRequestException("billingInvalidTaxIdError");
-                    default:
-                        logger.LogError(e, "Error creating tax ID '{TaxId}' in country '{Country}' for customer '{CustomerID}'.",
-                            taxInformation.TaxId,
-                            taxInformation.Country,
-                            customer.Id);
-                        throw new Exceptions.BadRequestException("billingTaxIdCreationError");
-                }
+                    Type = taxIdType,
+                    Value = taxInformation.TaxId,
+                });
             }
         }
 
@@ -802,7 +770,6 @@ public class SubscriberService(
             customer.Address.Country,
             customer.Address.PostalCode,
             customer.TaxIds?.FirstOrDefault()?.Value,
-            customer.TaxIds?.FirstOrDefault()?.Type,
             customer.Address.Line1,
             customer.Address.Line2,
             customer.Address.City,
diff --git a/src/Core/Billing/Services/TaxService.cs b/src/Core/Billing/Services/TaxService.cs
deleted file mode 100644
index 3066be92d1..0000000000
--- a/src/Core/Billing/Services/TaxService.cs
+++ /dev/null
@@ -1,901 +0,0 @@
-using System.Text.RegularExpressions;
-using Bit.Core.Billing.Models;
-
-namespace Bit.Core.Billing.Services;
-
-public class TaxService : ITaxService
-{
-    /// <summary>
-    /// Retrieves a list of supported tax ID types for customers.
-    /// </summary>
-    /// <remarks>Compiled list from <see href="https://docs.stripe.com/billing/customer/tax-ids">Stripe</see></remarks>
-    private static readonly IEnumerable<TaxIdType> _taxIdTypes =
-    [
-        new()
-        {
-            Country = "AD",
-            Code = "ad_nrt",
-            Description = "Andorran NRT number",
-            Example = "A-123456-Z",
-            ValidationExpression = new Regex("^([A-Z]{1})-?([0-9]{6})-?([A-Z]{1})$")
-        },
-        new()
-        {
-            Country = "AR",
-            Code = "ar_cuit",
-            Description = "Argentinian tax ID number",
-            Example = "12-34567890-1",
-            ValidationExpression = new Regex("^([0-9]{2})-?([0-9]{8})-?([0-9]{1})$")
-        },
-        new()
-        {
-            Country = "AU",
-            Code = "au_abn",
-            Description = "Australian Business Number (AU ABN)",
-            Example = "123456789012",
-            ValidationExpression = new Regex("^[0-9]{11}$")
-        },
-        new()
-        {
-            Country = "AU",
-            Code = "au_arn",
-            Description = "Australian Taxation Office Reference Number",
-            Example = "123456789123",
-            ValidationExpression = new Regex("^[0-9]{12}$")
-        },
-        new()
-        {
-            Country = "AT",
-            Code = "eu_vat",
-            Description = "European VAT number (Austria)",
-            Example = "ATU12345678",
-            ValidationExpression = new Regex("^ATU[0-9]{8}$")
-        },
-        new()
-        {
-            Country = "BH",
-            Code = "bh_vat",
-            Description = "Bahraini VAT Number",
-            Example = "123456789012345",
-            ValidationExpression = new Regex("^[0-9]{15}$")
-        },
-        new()
-        {
-            Country = "BY",
-            Code = "by_tin",
-            Description = "Belarus TIN Number",
-            Example = "123456789",
-            ValidationExpression = new Regex("^[0-9]{9}$")
-        },
-        new()
-        {
-            Country = "BE",
-            Code = "eu_vat",
-            Description = "European VAT number (Belgium)",
-            Example = "BE0123456789",
-            ValidationExpression = new Regex("^BE[0-9]{10}$")
-        },
-        new()
-        {
-            Country = "BO",
-            Code = "bo_tin",
-            Description = "Bolivian tax ID",
-            Example = "123456789",
-            ValidationExpression = new Regex("^[0-9]{9}$")
-        },
-        new()
-        {
-            Country = "BR",
-            Code = "br_cnpj",
-            Description = "Brazilian CNPJ number",
-            Example = "01.234.456/5432-10",
-            ValidationExpression = new Regex("^[0-9]{2}.?[0-9]{3}.?[0-9]{3}/?[0-9]{4}-?[0-9]{2}$")
-        },
-        new()
-        {
-            Country = "BR",
-            Code = "br_cpf",
-            Description = "Brazilian CPF number",
-            Example = "123.456.789-87",
-            ValidationExpression = new Regex("^[0-9]{3}.?[0-9]{3}.?[0-9]{3}-?[0-9]{2}$")
-        },
-        new()
-        {
-            Country = "BG",
-            Code = "bg_uic",
-            Description = "Bulgaria Unified Identification Code",
-            Example = "123456789",
-            ValidationExpression = new Regex("^[0-9]{9}$")
-        },
-        new()
-        {
-            Country = "BG",
-            Code = "eu_vat",
-            Description = "European VAT number (Bulgaria)",
-            Example = "BG0123456789",
-            ValidationExpression = new Regex("^BG[0-9]{9,10}$")
-        },
-        new()
-        {
-            Country = "CA",
-            Code = "ca_bn",
-            Description = "Canadian BN",
-            Example = "123456789",
-            ValidationExpression = new Regex("^[0-9]{9}$")
-        },
-        new()
-        {
-            Country = "CA",
-            Code = "ca_gst_hst",
-            Description = "Canadian GST/HST number",
-            Example = "123456789RT0002",
-            ValidationExpression = new Regex("^[0-9]{9}RT[0-9]{4}$")
-        },
-        new()
-        {
-            Country = "CA",
-            Code = "ca_pst_bc",
-            Description = "Canadian PST number (British Columbia)",
-            Example = "PST-1234-5678",
-            ValidationExpression = new Regex("^PST-[0-9]{4}-[0-9]{4}$")
-        },
-        new()
-        {
-            Country = "CA",
-            Code = "ca_pst_mb",
-            Description = "Canadian PST number (Manitoba)",
-            Example = "123456-7",
-            ValidationExpression = new Regex("^[0-9]{6}-[0-9]{1}$")
-        },
-        new()
-        {
-            Country = "CA",
-            Code = "ca_pst_sk",
-            Description = "Canadian PST number (Saskatchewan)",
-            Example = "1234567",
-            ValidationExpression = new Regex("^[0-9]{7}$")
-        },
-        new()
-        {
-            Country = "CA",
-            Code = "ca_qst",
-            Description = "Canadian QST number (Québec)",
-            Example = "1234567890TQ1234",
-            ValidationExpression = new Regex("^[0-9]{10}TQ[0-9]{4}$")
-        },
-        new()
-        {
-            Country = "CL",
-            Code = "cl_tin",
-            Description = "Chilean TIN",
-            Example = "12.345.678-K",
-            ValidationExpression = new Regex("^[0-9]{2}.?[0-9]{3}.?[0-9]{3}-?[0-9A-Z]{1}$")
-        },
-        new()
-        {
-            Country = "CN",
-            Code = "cn_tin",
-            Description = "Chinese tax ID",
-            Example = "123456789012345678",
-            ValidationExpression = new Regex("^[0-9]{15,18}$")
-        },
-        new()
-        {
-            Country = "CO",
-            Code = "co_nit",
-            Description = "Colombian NIT number",
-            Example = "123.456.789-0",
-            ValidationExpression = new Regex("^[0-9]{3}.?[0-9]{3}.?[0-9]{3}-?[0-9]{1}$")
-        },
-        new()
-        {
-            Country = "CR",
-            Code = "cr_tin",
-            Description = "Costa Rican tax ID",
-            Example = "1-234-567890",
-            ValidationExpression = new Regex("^[0-9]{1}-?[0-9]{3}-?[0-9]{6}$")
-        },
-        new()
-        {
-            Country = "HR",
-            Code = "eu_vat",
-            Description = "European VAT number (Croatia)",
-            Example = "HR12345678912",
-            ValidationExpression = new Regex("^HR[0-9]{11}$")
-        },
-        new()
-        {
-            Country = "HR",
-            Code = "hr_oib",
-            Description = "Croatian Personal Identification Number",
-            Example = "12345678901",
-            ValidationExpression = new Regex("^[0-9]{11}$")
-        },
-        new()
-        {
-            Country = "CY",
-            Code = "eu_vat",
-            Description = "European VAT number (Cyprus)",
-            Example = "CY12345678X",
-            ValidationExpression = new Regex("^CY[0-9]{8}[A-Z]{1}$")
-        },
-        new()
-        {
-            Country = "CZ",
-            Code = "eu_vat",
-            Description = "European VAT number (Czech Republic)",
-            Example = "CZ12345678",
-            ValidationExpression = new Regex("^CZ[0-9]{8,10}$")
-        },
-        new()
-        {
-            Country = "DK",
-            Code = "eu_vat",
-            Description = "European VAT number (Denmark)",
-            Example = "DK12345678",
-            ValidationExpression = new Regex("^DK[0-9]{8}$")
-        },
-        new()
-        {
-            Country = "DO",
-            Code = "do_rcn",
-            Description = "Dominican RCN number",
-            Example = "123-4567890-1",
-            ValidationExpression = new Regex("^[0-9]{3}-?[0-9]{7}-?[0-9]{1}$")
-        },
-        new()
-        {
-            Country = "EC",
-            Code = "ec_ruc",
-            Description = "Ecuadorian RUC number",
-            Example = "1234567890001",
-            ValidationExpression = new Regex("^[0-9]{13}$")
-        },
-        new()
-        {
-            Country = "EG",
-            Code = "eg_tin",
-            Description = "Egyptian Tax Identification Number",
-            Example = "123456789",
-            ValidationExpression = new Regex("^[0-9]{9}$")
-        },
-
-        new()
-        {
-            Country = "SV",
-            Code = "sv_nit",
-            Description = "El Salvadorian NIT number",
-            Example = "1234-567890-123-4",
-            ValidationExpression = new Regex("^[0-9]{4}-?[0-9]{6}-?[0-9]{3}-?[0-9]{1}$")
-        },
-
-        new()
-        {
-            Country = "EE",
-            Code = "eu_vat",
-            Description = "European VAT number (Estonia)",
-            Example = "EE123456789",
-            ValidationExpression = new Regex("^EE[0-9]{9}$")
-        },
-
-        new()
-        {
-            Country = "EU",
-            Code = "eu_oss_vat",
-            Description = "European One Stop Shop VAT number for non-Union scheme",
-            Example = "EU123456789",
-            ValidationExpression = new Regex("^EU[0-9]{9}$")
-        },
-        new()
-        {
-            Country = "FI",
-            Code = "eu_vat",
-            Description = "European VAT number (Finland)",
-            Example = "FI12345678",
-            ValidationExpression = new Regex("^FI[0-9]{8}$")
-        },
-        new()
-        {
-            Country = "FR",
-            Code = "eu_vat",
-            Description = "European VAT number (France)",
-            Example = "FR12345678901",
-            ValidationExpression = new Regex("^FR[0-9A-Z]{2}[0-9]{9}$")
-        },
-        new()
-        {
-            Country = "GE",
-            Code = "ge_vat",
-            Description = "Georgian VAT",
-            Example = "123456789",
-            ValidationExpression = new Regex("^[0-9]{9}$")
-        },
-        new()
-        {
-            Country = "DE",
-            Code = "de_stn",
-            Description = "German Tax Number (Steuernummer)",
-            Example = "1234567890",
-            ValidationExpression = new Regex("^[0-9]{10}$")
-        },
-        new()
-        {
-            Country = "DE",
-            Code = "eu_vat",
-            Description = "European VAT number (Germany)",
-            Example = "DE123456789",
-            ValidationExpression = new Regex("^DE[0-9]{9}$")
-        },
-        new()
-        {
-            Country = "GR",
-            Code = "eu_vat",
-            Description = "European VAT number (Greece)",
-            Example = "EL123456789",
-            ValidationExpression = new Regex("^EL[0-9]{9}$")
-        },
-        new()
-        {
-            Country = "HK",
-            Code = "hk_br",
-            Description = "Hong Kong BR number",
-            Example = "12345678",
-            ValidationExpression = new Regex("^[0-9]{8}$")
-        },
-        new()
-        {
-            Country = "HU",
-            Code = "eu_vat",
-            Description = "European VAT number (Hungaria)",
-            Example = "HU12345678",
-            ValidationExpression = new Regex("^HU[0-9]{8}$")
-        },
-        new()
-        {
-            Country = "HU",
-            Code = "hu_tin",
-            Description = "Hungary tax number (adószám)",
-            Example = "12345678-1-23",
-            ValidationExpression = new Regex("^[0-9]{8}-?[0-9]-?[0-9]{2}$")
-        },
-        new()
-        {
-            Country = "IS",
-            Code = "is_vat",
-            Description = "Icelandic VAT",
-            Example = "123456",
-            ValidationExpression = new Regex("^[0-9]{6}$")
-        },
-        new()
-        {
-            Country = "IN",
-            Code = "in_gst",
-            Description = "Indian GST number",
-            Example = "12ABCDE3456FGZH",
-            ValidationExpression = new Regex("^[0-9]{2}[A-Z]{5}[0-9]{4}[A-Z]{1}[1-9A-Z]{1}Z[0-9A-Z]{1}$")
-        },
-        new()
-        {
-            Country = "ID",
-            Code = "id_npwp",
-            Description = "Indonesian NPWP number",
-            Example = "012.345.678.9-012.345",
-            ValidationExpression = new Regex("^[0-9]{3}.?[0-9]{3}.?[0-9]{3}.?[0-9]{1}-?[0-9]{3}.?[0-9]{3}$")
-        },
-        new()
-        {
-            Country = "IE",
-            Code = "eu_vat",
-            Description = "European VAT number (Ireland)",
-            Example = "IE1234567AB",
-            ValidationExpression = new Regex("^IE[0-9]{7}[A-Z]{1,2}$")
-        },
-        new()
-        {
-            Country = "IL",
-            Code = "il_vat",
-            Description = "Israel VAT",
-            Example = "000012345",
-            ValidationExpression = new Regex("^[0-9]{9}$")
-        },
-        new()
-        {
-            Country = "IT",
-            Code = "eu_vat",
-            Description = "European VAT number (Italy)",
-            Example = "IT12345678912",
-            ValidationExpression = new Regex("^IT[0-9]{11}$")
-        },
-        new()
-        {
-            Country = "JP",
-            Code = "jp_cn",
-            Description = "Japanese Corporate Number (*Hōjin Bangō*)",
-            Example = "1234567891234",
-            ValidationExpression = new Regex("^[0-9]{13}$")
-        },
-        new()
-        {
-            Country = "JP",
-            Code = "jp_rn",
-            Description =
-                "Japanese Registered Foreign Businesses' Registration Number (*Tōroku Kokugai Jigyōsha no Tōroku Bangō*)",
-            Example = "12345",
-            ValidationExpression = new Regex("^[0-9]{5}$")
-        },
-        new()
-        {
-            Country = "JP",
-            Code = "jp_trn",
-            Description = "Japanese Tax Registration Number (*Tōroku Bangō*)",
-            Example = "T1234567891234",
-            ValidationExpression = new Regex("^T[0-9]{13}$")
-        },
-        new()
-        {
-            Country = "KZ",
-            Code = "kz_bin",
-            Description = "Kazakhstani Business Identification Number",
-            Example = "123456789012",
-            ValidationExpression = new Regex("^[0-9]{12}$")
-        },
-        new()
-        {
-            Country = "KE",
-            Code = "ke_pin",
-            Description = "Kenya Revenue Authority Personal Identification Number",
-            Example = "P000111111A",
-            ValidationExpression = new Regex("^[A-Z]{1}[0-9]{9}[A-Z]{1}$")
-        },
-        new()
-        {
-            Country = "LV",
-            Code = "eu_vat",
-            Description = "European VAT number",
-            Example = "LV12345678912",
-            ValidationExpression = new Regex("^LV[0-9]{11}$")
-        },
-        new()
-        {
-            Country = "LI",
-            Code = "li_uid",
-            Description = "Liechtensteinian UID number",
-            Example = "CHE123456789",
-            ValidationExpression = new Regex("^CHE[0-9]{9}$")
-        },
-        new()
-        {
-            Country = "LI",
-            Code = "li_vat",
-            Description = "Liechtensteinian VAT number",
-            Example = "12345",
-            ValidationExpression = new Regex("^[0-9]{5}$")
-        },
-        new()
-        {
-            Country = "LT",
-            Code = "eu_vat",
-            Description = "European VAT number (Lithuania)",
-            Example = "LT123456789123",
-            ValidationExpression = new Regex("^LT[0-9]{9,12}$")
-        },
-        new()
-        {
-            Country = "LU",
-            Code = "eu_vat",
-            Description = "European VAT number (Luxembourg)",
-            Example = "LU12345678",
-            ValidationExpression = new Regex("^LU[0-9]{8}$")
-        },
-        new()
-        {
-            Country = "MY",
-            Code = "my_frp",
-            Description = "Malaysian FRP number",
-            Example = "12345678",
-            ValidationExpression = new Regex("^[0-9]{8}$")
-        },
-        new()
-        {
-            Country = "MY",
-            Code = "my_itn",
-            Description = "Malaysian ITN",
-            Example = "C 1234567890",
-            ValidationExpression = new Regex("^[A-Z]{1} ?[0-9]{10}$")
-        },
-        new()
-        {
-            Country = "MY",
-            Code = "my_sst",
-            Description = "Malaysian SST number",
-            Example = "A12-3456-78912345",
-            ValidationExpression = new Regex("^[A-Z]{1}[0-9]{2}-?[0-9]{4}-?[0-9]{8}$")
-        },
-        new()
-        {
-            Country = "MT",
-            Code = "eu_vat",
-            Description = "European VAT number (Malta)",
-            Example = "MT12345678",
-            ValidationExpression = new Regex("^MT[0-9]{8}$")
-        },
-        new()
-        {
-            Country = "MX",
-            Code = "mx_rfc",
-            Description = "Mexican RFC number",
-            Example = "ABC010203AB9",
-            ValidationExpression = new Regex("^[A-Z]{3}[0-9]{6}[A-Z0-9]{3}$")
-        },
-        new()
-        {
-            Country = "MD",
-            Code = "md_vat",
-            Description = "Moldova VAT Number",
-            Example = "1234567",
-            ValidationExpression = new Regex("^[0-9]{7}$")
-        },
-        new()
-        {
-            Country = "MA",
-            Code = "ma_vat",
-            Description = "Morocco VAT Number",
-            Example = "12345678",
-            ValidationExpression = new Regex("^[0-9]{8}$")
-        },
-        new()
-        {
-            Country = "NL",
-            Code = "eu_vat",
-            Description = "European VAT number (Netherlands)",
-            Example = "NL123456789B12",
-            ValidationExpression = new Regex("^NL[0-9]{9}B[0-9]{2}$")
-        },
-        new()
-        {
-            Country = "NZ",
-            Code = "nz_gst",
-            Description = "New Zealand GST number",
-            Example = "123456789",
-            ValidationExpression = new Regex("^[0-9]{9}$")
-        },
-        new()
-        {
-            Country = "NG",
-            Code = "ng_tin",
-            Description = "Nigerian TIN Number",
-            Example = "12345678-0001",
-            ValidationExpression = new Regex("^[0-9]{8}-[0-9]{4}$")
-        },
-        new()
-        {
-            Country = "NO",
-            Code = "no_vat",
-            Description = "Norwegian VAT number",
-            Example = "123456789MVA",
-            ValidationExpression = new Regex("^[0-9]{9}MVA$")
-        },
-        new()
-        {
-            Country = "NO",
-            Code = "no_voec",
-            Description = "Norwegian VAT on e-commerce number",
-            Example = "1234567",
-            ValidationExpression = new Regex("^[0-9]{7}$")
-        },
-        new()
-        {
-            Country = "OM",
-            Code = "om_vat",
-            Description = "Omani VAT Number",
-            Example = "OM1234567890",
-            ValidationExpression = new Regex("^OM[0-9]{10}$")
-        },
-        new()
-        {
-            Country = "PE",
-            Code = "pe_ruc",
-            Description = "Peruvian RUC number",
-            Example = "12345678901",
-            ValidationExpression = new Regex("^[0-9]{11}$")
-        },
-        new()
-        {
-            Country = "PH",
-            Code = "ph_tin",
-            Description = "Philippines Tax Identification Number",
-            Example = "123456789012",
-            ValidationExpression = new Regex("^[0-9]{12}$")
-        },
-        new()
-        {
-            Country = "PL",
-            Code = "eu_vat",
-            Description = "European VAT number (Poland)",
-            Example = "PL1234567890",
-            ValidationExpression = new Regex("^PL[0-9]{10}$")
-        },
-        new()
-        {
-            Country = "PT",
-            Code = "eu_vat",
-            Description = "European VAT number (Portugal)",
-            Example = "PT123456789",
-            ValidationExpression = new Regex("^PT[0-9]{9}$")
-        },
-        new()
-        {
-            Country = "RO",
-            Code = "eu_vat",
-            Description = "European VAT number (Romania)",
-            Example = "RO1234567891",
-            ValidationExpression = new Regex("^RO[0-9]{2,10}$")
-        },
-        new()
-        {
-            Country = "RO",
-            Code = "ro_tin",
-            Description = "Romanian tax ID number",
-            Example = "1234567890123",
-            ValidationExpression = new Regex("^[0-9]{13}$")
-        },
-        new()
-        {
-            Country = "RU",
-            Code = "ru_inn",
-            Description = "Russian INN",
-            Example = "1234567891",
-            ValidationExpression = new Regex("^[0-9]{10,12}$")
-        },
-        new()
-        {
-            Country = "RU",
-            Code = "ru_kpp",
-            Description = "Russian KPP",
-            Example = "123456789",
-            ValidationExpression = new Regex("^[0-9]{9}$")
-        },
-        new()
-        {
-            Country = "SA",
-            Code = "sa_vat",
-            Description = "Saudi Arabia VAT",
-            Example = "123456789012345",
-            ValidationExpression = new Regex("^[0-9]{15}$")
-        },
-        new()
-        {
-            Country = "RS",
-            Code = "rs_pib",
-            Description = "Serbian PIB number",
-            Example = "123456789",
-            ValidationExpression = new Regex("^[0-9]{9}$")
-        },
-        new()
-        {
-            Country = "SG",
-            Code = "sg_gst",
-            Description = "Singaporean GST",
-            Example = "M12345678X",
-            ValidationExpression = new Regex("^[A-Z]{1}[0-9]{8}[A-Z]{1}$")
-        },
-        new()
-        {
-            Country = "SG",
-            Code = "sg_uen",
-            Description = "Singaporean UEN",
-            Example = "123456789F",
-            ValidationExpression = new Regex("^[0-9]{9}[A-Z]{1}$")
-        },
-        new()
-        {
-            Country = "SK",
-            Code = "eu_vat",
-            Description = "European VAT number (Slovakia)",
-            Example = "SK1234567891",
-            ValidationExpression = new Regex("^SK[0-9]{10}$")
-        },
-        new()
-        {
-            Country = "SI",
-            Code = "eu_vat",
-            Description = "European VAT number (Slovenia)",
-            Example = "SI12345678",
-            ValidationExpression = new Regex("^SI[0-9]{8}$")
-        },
-        new()
-        {
-            Country = "SI",
-            Code = "si_tin",
-            Description = "Slovenia tax number (davčna številka)",
-            Example = "12345678",
-            ValidationExpression = new Regex("^[0-9]{8}$")
-        },
-        new()
-        {
-            Country = "ZA",
-            Code = "za_vat",
-            Description = "South African VAT number",
-            Example = "4123456789",
-            ValidationExpression = new Regex("^[0-9]{10}$")
-        },
-        new()
-        {
-            Country = "KR",
-            Code = "kr_brn",
-            Description = "Korean BRN",
-            Example = "123-45-67890",
-            ValidationExpression = new Regex("^[0-9]{3}-?[0-9]{2}-?[0-9]{5}$")
-        },
-        new()
-        {
-            Country = "ES",
-            Code = "es_cif",
-            Description = "Spanish NIF/CIF number",
-            Example = "A12345678",
-            ValidationExpression = new Regex("^[A-Z]{1}[0-9]{8}$")
-        },
-        new()
-        {
-            Country = "ES",
-            Code = "eu_vat",
-            Description = "European VAT number (Spain)",
-            Example = "ESA1234567Z",
-            ValidationExpression = new Regex("^ES[A-Z]{1}[0-9]{7}[A-Z]{1}$")
-        },
-        new()
-        {
-            Country = "SE",
-            Code = "eu_vat",
-            Description = "European VAT number (Sweden)",
-            Example = "SE123456789123",
-            ValidationExpression = new Regex("^SE[0-9]{12}$")
-        },
-        new()
-        {
-            Country = "CH",
-            Code = "ch_uid",
-            Description = "Switzerland UID number",
-            Example = "CHE-123.456.789 HR",
-            ValidationExpression = new Regex("^CHE-?[0-9]{3}.?[0-9]{3}.?[0-9]{3} ?HR$")
-        },
-        new()
-        {
-            Country = "CH",
-            Code = "ch_vat",
-            Description = "Switzerland VAT number",
-            Example = "CHE-123.456.789 MWST",
-            ValidationExpression = new Regex("^CHE-?[0-9]{3}.?[0-9]{3}.?[0-9]{3} ?MWST$")
-        },
-        new()
-        {
-            Country = "TW",
-            Code = "tw_vat",
-            Description = "Taiwanese VAT",
-            Example = "12345678",
-            ValidationExpression = new Regex("^[0-9]{8}$")
-        },
-        new()
-        {
-            Country = "TZ",
-            Code = "tz_vat",
-            Description = "Tanzania VAT Number",
-            Example = "12345678A",
-            ValidationExpression = new Regex("^[0-9]{8}[A-Z]{1}$")
-        },
-        new()
-        {
-            Country = "TH",
-            Code = "th_vat",
-            Description = "Thai VAT",
-            Example = "1234567891234",
-            ValidationExpression = new Regex("^[0-9]{13}$")
-        },
-        new()
-        {
-            Country = "TR",
-            Code = "tr_tin",
-            Description = "Turkish TIN Number",
-            Example = "0123456789",
-            ValidationExpression = new Regex("^[0-9]{10}$")
-        },
-        new()
-        {
-            Country = "UA",
-            Code = "ua_vat",
-            Description = "Ukrainian VAT",
-            Example = "123456789",
-            ValidationExpression = new Regex("^[0-9]{9}$")
-        },
-        new()
-        {
-            Country = "AE",
-            Code = "ae_trn",
-            Description = "United Arab Emirates TRN",
-            Example = "123456789012345",
-            ValidationExpression = new Regex("^[0-9]{15}$")
-        },
-        new()
-        {
-            Country = "GB",
-            Code = "eu_vat",
-            Description = "Northern Ireland VAT number",
-            Example = "XI123456789",
-            ValidationExpression = new Regex("^XI[0-9]{9}$")
-        },
-        new()
-        {
-            Country = "GB",
-            Code = "gb_vat",
-            Description = "United Kingdom VAT number",
-            Example = "GB123456789",
-            ValidationExpression = new Regex("^GB[0-9]{9}$")
-        },
-        new()
-        {
-            Country = "US",
-            Code = "us_ein",
-            Description = "United States EIN",
-            Example = "12-3456789",
-            ValidationExpression = new Regex("^[0-9]{2}-?[0-9]{7}$")
-        },
-        new()
-        {
-            Country = "UY",
-            Code = "uy_ruc",
-            Description = "Uruguayan RUC number",
-            Example = "123456789012",
-            ValidationExpression = new Regex("^[0-9]{12}$")
-        },
-        new()
-        {
-            Country = "UZ",
-            Code = "uz_tin",
-            Description = "Uzbekistan TIN Number",
-            Example = "123456789",
-            ValidationExpression = new Regex("^[0-9]{9}$")
-        },
-        new()
-        {
-            Country = "UZ",
-            Code = "uz_vat",
-            Description = "Uzbekistan VAT Number",
-            Example = "123456789012",
-            ValidationExpression = new Regex("^[0-9]{12}$")
-        },
-        new()
-        {
-            Country = "VE",
-            Code = "ve_rif",
-            Description = "Venezuelan RIF number",
-            Example = "A-12345678-9",
-            ValidationExpression = new Regex("^[A-Z]{1}-?[0-9]{8}-?[0-9]{1}$")
-        },
-        new()
-        {
-            Country = "VN",
-            Code = "vn_tin",
-            Description = "Vietnamese tax ID number",
-            Example = "1234567890",
-            ValidationExpression = new Regex("^[0-9]{10}$")
-        }
-    ];
-
-    public string GetStripeTaxCode(string country, string taxId)
-    {
-        foreach (var taxIdType in _taxIdTypes.Where(x => x.Country == country))
-        {
-            if (taxIdType.ValidationExpression.IsMatch(taxId))
-            {
-                return taxIdType.Code;
-            }
-        }
-
-        return null;
-    }
-
-    public bool IsSupported(string country)
-    {
-        return _taxIdTypes.Any(x => x.Country == country);
-    }
-}
diff --git a/src/Core/Billing/Utilities.cs b/src/Core/Billing/Utilities.cs
index 695a3b1bb4..28527af0c0 100644
--- a/src/Core/Billing/Utilities.cs
+++ b/src/Core/Billing/Utilities.cs
@@ -83,7 +83,6 @@ public static class Utilities
             customer.Address.Country,
             customer.Address.PostalCode,
             customer.TaxIds?.FirstOrDefault()?.Value,
-            customer.TaxIds?.FirstOrDefault()?.Type,
             customer.Address.Line1,
             customer.Address.Line2,
             customer.Address.City,
diff --git a/src/Core/Models/Business/TaxInfo.cs b/src/Core/Models/Business/TaxInfo.cs
index b12c5229b3..4424576ec9 100644
--- a/src/Core/Models/Business/TaxInfo.cs
+++ b/src/Core/Models/Business/TaxInfo.cs
@@ -2,9 +2,18 @@
 
 public class TaxInfo
 {
-    public string TaxIdNumber { get; set; }
-    public string TaxIdType { get; set; }
+    private string _taxIdNumber = null;
+    private string _taxIdType = null;
 
+    public string TaxIdNumber
+    {
+        get => _taxIdNumber;
+        set
+        {
+            _taxIdNumber = value;
+            _taxIdType = null;
+        }
+    }
     public string StripeTaxRateId { get; set; }
     public string BillingAddressLine1 { get; set; }
     public string BillingAddressLine2 { get; set; }
@@ -12,6 +21,201 @@ public class TaxInfo
     public string BillingAddressState { get; set; }
     public string BillingAddressPostalCode { get; set; }
     public string BillingAddressCountry { get; set; } = "US";
+    public string TaxIdType
+    {
+        get
+        {
+            if (string.IsNullOrWhiteSpace(BillingAddressCountry) ||
+                string.IsNullOrWhiteSpace(TaxIdNumber))
+            {
+                return null;
+            }
+            if (!string.IsNullOrWhiteSpace(_taxIdType))
+            {
+                return _taxIdType;
+            }
+
+            switch (BillingAddressCountry.ToUpper())
+            {
+                case "AD":
+                    _taxIdType = "ad_nrt";
+                    break;
+                case "AE":
+                    _taxIdType = "ae_trn";
+                    break;
+                case "AR":
+                    _taxIdType = "ar_cuit";
+                    break;
+                case "AU":
+                    _taxIdType = "au_abn";
+                    break;
+                case "BO":
+                    _taxIdType = "bo_tin";
+                    break;
+                case "BR":
+                    _taxIdType = "br_cnpj";
+                    break;
+                case "CA":
+                    // May break for those in Québec given the assumption of QST
+                    if (BillingAddressState?.Contains("bec") ?? false)
+                    {
+                        _taxIdType = "ca_qst";
+                        break;
+                    }
+                    _taxIdType = "ca_bn";
+                    break;
+                case "CH":
+                    _taxIdType = "ch_vat";
+                    break;
+                case "CL":
+                    _taxIdType = "cl_tin";
+                    break;
+                case "CN":
+                    _taxIdType = "cn_tin";
+                    break;
+                case "CO":
+                    _taxIdType = "co_nit";
+                    break;
+                case "CR":
+                    _taxIdType = "cr_tin";
+                    break;
+                case "DO":
+                    _taxIdType = "do_rcn";
+                    break;
+                case "EC":
+                    _taxIdType = "ec_ruc";
+                    break;
+                case "EG":
+                    _taxIdType = "eg_tin";
+                    break;
+                case "GE":
+                    _taxIdType = "ge_vat";
+                    break;
+                case "ID":
+                    _taxIdType = "id_npwp";
+                    break;
+                case "IL":
+                    _taxIdType = "il_vat";
+                    break;
+                case "IS":
+                    _taxIdType = "is_vat";
+                    break;
+                case "KE":
+                    _taxIdType = "ke_pin";
+                    break;
+                case "AT":
+                case "BE":
+                case "BG":
+                case "CY":
+                case "CZ":
+                case "DE":
+                case "DK":
+                case "EE":
+                case "ES":
+                case "FI":
+                case "FR":
+                case "GB":
+                case "GR":
+                case "HR":
+                case "HU":
+                case "IE":
+                case "IT":
+                case "LT":
+                case "LU":
+                case "LV":
+                case "MT":
+                case "NL":
+                case "PL":
+                case "PT":
+                case "RO":
+                case "SE":
+                case "SI":
+                case "SK":
+                    _taxIdType = "eu_vat";
+                    break;
+                case "HK":
+                    _taxIdType = "hk_br";
+                    break;
+                case "IN":
+                    _taxIdType = "in_gst";
+                    break;
+                case "JP":
+                    _taxIdType = "jp_cn";
+                    break;
+                case "KR":
+                    _taxIdType = "kr_brn";
+                    break;
+                case "LI":
+                    _taxIdType = "li_uid";
+                    break;
+                case "MX":
+                    _taxIdType = "mx_rfc";
+                    break;
+                case "MY":
+                    _taxIdType = "my_sst";
+                    break;
+                case "NO":
+                    _taxIdType = "no_vat";
+                    break;
+                case "NZ":
+                    _taxIdType = "nz_gst";
+                    break;
+                case "PE":
+                    _taxIdType = "pe_ruc";
+                    break;
+                case "PH":
+                    _taxIdType = "ph_tin";
+                    break;
+                case "RS":
+                    _taxIdType = "rs_pib";
+                    break;
+                case "RU":
+                    _taxIdType = "ru_inn";
+                    break;
+                case "SA":
+                    _taxIdType = "sa_vat";
+                    break;
+                case "SG":
+                    _taxIdType = "sg_gst";
+                    break;
+                case "SV":
+                    _taxIdType = "sv_nit";
+                    break;
+                case "TH":
+                    _taxIdType = "th_vat";
+                    break;
+                case "TR":
+                    _taxIdType = "tr_tin";
+                    break;
+                case "TW":
+                    _taxIdType = "tw_vat";
+                    break;
+                case "UA":
+                    _taxIdType = "ua_vat";
+                    break;
+                case "US":
+                    _taxIdType = "us_ein";
+                    break;
+                case "UY":
+                    _taxIdType = "uy_ruc";
+                    break;
+                case "VE":
+                    _taxIdType = "ve_rif";
+                    break;
+                case "VN":
+                    _taxIdType = "vn_tin";
+                    break;
+                case "ZA":
+                    _taxIdType = "za_vat";
+                    break;
+                default:
+                    _taxIdType = null;
+                    break;
+            }
+
+            return _taxIdType;
+        }
+    }
 
     public bool HasTaxId
     {
diff --git a/src/Core/Services/IPaymentService.cs b/src/Core/Services/IPaymentService.cs
index 7d0f9d3c63..bf9d047029 100644
--- a/src/Core/Services/IPaymentService.cs
+++ b/src/Core/Services/IPaymentService.cs
@@ -1,9 +1,6 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.Billing.Models;
-using Bit.Core.Billing.Models.Api.Requests.Accounts;
-using Bit.Core.Billing.Models.Api.Requests.Organizations;
-using Bit.Core.Billing.Models.Api.Responses;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Business;
@@ -62,7 +59,4 @@ public interface IPaymentService
     Task<bool> RisksSubscriptionFailure(Organization organization);
     Task<bool> HasSecretsManagerStandalone(Organization organization);
     Task<(DateTime?, DateTime?)> GetSuspensionDateAsync(Stripe.Subscription subscription);
-    Task<PreviewInvoiceResponseModel> PreviewInvoiceAsync(PreviewIndividualInvoiceRequestBody parameters, string gatewayCustomerId, string gatewaySubscriptionId);
-    Task<PreviewInvoiceResponseModel> PreviewInvoiceAsync(PreviewOrganizationInvoiceRequestBody parameters, string gatewayCustomerId, string gatewaySubscriptionId);
-
 }
diff --git a/src/Core/Services/IStripeAdapter.cs b/src/Core/Services/IStripeAdapter.cs
index ef2e3ab766..30583ef0b3 100644
--- a/src/Core/Services/IStripeAdapter.cs
+++ b/src/Core/Services/IStripeAdapter.cs
@@ -31,7 +31,6 @@ public interface IStripeAdapter
     Task<Stripe.Invoice> InvoiceUpcomingAsync(Stripe.UpcomingInvoiceOptions options);
     Task<Stripe.Invoice> InvoiceGetAsync(string id, Stripe.InvoiceGetOptions options);
     Task<List<Stripe.Invoice>> InvoiceListAsync(StripeInvoiceListOptions options);
-    Task<Stripe.Invoice> InvoiceCreatePreviewAsync(InvoiceCreatePreviewOptions options);
     Task<List<Stripe.Invoice>> InvoiceSearchAsync(InvoiceSearchOptions options);
     Task<Stripe.Invoice> InvoiceUpdateAsync(string id, Stripe.InvoiceUpdateOptions options);
     Task<Stripe.Invoice> InvoiceFinalizeInvoiceAsync(string id, Stripe.InvoiceFinalizeOptions options);
@@ -43,7 +42,6 @@ public interface IStripeAdapter
     IAsyncEnumerable<Stripe.PaymentMethod> PaymentMethodListAutoPagingAsync(Stripe.PaymentMethodListOptions options);
     Task<Stripe.PaymentMethod> PaymentMethodAttachAsync(string id, Stripe.PaymentMethodAttachOptions options = null);
     Task<Stripe.PaymentMethod> PaymentMethodDetachAsync(string id, Stripe.PaymentMethodDetachOptions options = null);
-    Task<Stripe.Plan> PlanGetAsync(string id, Stripe.PlanGetOptions options = null);
     Task<Stripe.TaxRate> TaxRateCreateAsync(Stripe.TaxRateCreateOptions options);
     Task<Stripe.TaxRate> TaxRateUpdateAsync(string id, Stripe.TaxRateUpdateOptions options);
     Task<Stripe.TaxId> TaxIdCreateAsync(string id, Stripe.TaxIdCreateOptions options);
diff --git a/src/Core/Services/Implementations/StripeAdapter.cs b/src/Core/Services/Implementations/StripeAdapter.cs
index f4f8efe75f..8d18331456 100644
--- a/src/Core/Services/Implementations/StripeAdapter.cs
+++ b/src/Core/Services/Implementations/StripeAdapter.cs
@@ -15,7 +15,6 @@ public class StripeAdapter : IStripeAdapter
     private readonly Stripe.RefundService _refundService;
     private readonly Stripe.CardService _cardService;
     private readonly Stripe.BankAccountService _bankAccountService;
-    private readonly Stripe.PlanService _planService;
     private readonly Stripe.PriceService _priceService;
     private readonly Stripe.SetupIntentService _setupIntentService;
     private readonly Stripe.TestHelpers.TestClockService _testClockService;
@@ -34,7 +33,6 @@ public class StripeAdapter : IStripeAdapter
         _cardService = new Stripe.CardService();
         _bankAccountService = new Stripe.BankAccountService();
         _priceService = new Stripe.PriceService();
-        _planService = new Stripe.PlanService();
         _setupIntentService = new SetupIntentService();
         _testClockService = new Stripe.TestHelpers.TestClockService();
         _customerBalanceTransactionService = new CustomerBalanceTransactionService();
@@ -135,11 +133,6 @@ public class StripeAdapter : IStripeAdapter
         return invoices;
     }
 
-    public Task<Invoice> InvoiceCreatePreviewAsync(InvoiceCreatePreviewOptions options)
-    {
-        return _invoiceService.CreatePreviewAsync(options);
-    }
-
     public async Task<List<Stripe.Invoice>> InvoiceSearchAsync(InvoiceSearchOptions options)
         => (await _invoiceService.SearchAsync(options)).Data;
 
@@ -191,11 +184,6 @@ public class StripeAdapter : IStripeAdapter
         return _paymentMethodService.DetachAsync(id, options);
     }
 
-    public Task<Stripe.Plan> PlanGetAsync(string id, Stripe.PlanGetOptions options = null)
-    {
-        return _planService.GetAsync(id, options);
-    }
-
     public Task<Stripe.TaxRate> TaxRateCreateAsync(Stripe.TaxRateCreateOptions options)
     {
         return _taxRateService.CreateAsync(options);
diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
index c32dcd43ad..259a4eb757 100644
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -1,13 +1,8 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.Billing.Constants;
-using Bit.Core.Billing.Extensions;
 using Bit.Core.Billing.Models;
-using Bit.Core.Billing.Models.Api.Requests.Accounts;
-using Bit.Core.Billing.Models.Api.Requests.Organizations;
-using Bit.Core.Billing.Models.Api.Responses;
 using Bit.Core.Billing.Models.Business;
-using Bit.Core.Billing.Services;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -37,7 +32,6 @@ public class StripePaymentService : IPaymentService
     private readonly IStripeAdapter _stripeAdapter;
     private readonly IGlobalSettings _globalSettings;
     private readonly IFeatureService _featureService;
-    private readonly ITaxService _taxService;
 
     public StripePaymentService(
         ITransactionRepository transactionRepository,
@@ -46,8 +40,7 @@ public class StripePaymentService : IPaymentService
         IStripeAdapter stripeAdapter,
         Braintree.IBraintreeGateway braintreeGateway,
         IGlobalSettings globalSettings,
-        IFeatureService featureService,
-        ITaxService taxService)
+        IFeatureService featureService)
     {
         _transactionRepository = transactionRepository;
         _logger = logger;
@@ -56,7 +49,6 @@ public class StripePaymentService : IPaymentService
         _btGateway = braintreeGateway;
         _globalSettings = globalSettings;
         _featureService = featureService;
-        _taxService = taxService;
     }
 
     public async Task<string> PurchaseOrganizationAsync(Organization org, PaymentMethodType paymentMethodType,
@@ -120,20 +112,6 @@ public class StripePaymentService : IPaymentService
         Subscription subscription;
         try
         {
-            if (taxInfo.TaxIdNumber != null && taxInfo.TaxIdType == null)
-            {
-                taxInfo.TaxIdType = _taxService.GetStripeTaxCode(taxInfo.BillingAddressCountry,
-                    taxInfo.TaxIdNumber);
-
-                if (taxInfo.TaxIdType == null)
-                {
-                    _logger.LogWarning("Could not infer tax ID type in country '{Country}' with tax ID '{TaxID}'.",
-                        taxInfo.BillingAddressCountry,
-                        taxInfo.TaxIdNumber);
-                    throw new BadRequestException("billingTaxIdTypeInferenceError");
-                }
-            }
-
             var customerCreateOptions = new CustomerCreateOptions
             {
                 Description = org.DisplayBusinessName(),
@@ -168,9 +146,12 @@ public class StripePaymentService : IPaymentService
                     City = taxInfo?.BillingAddressCity,
                     State = taxInfo?.BillingAddressState,
                 },
-                TaxIdData = taxInfo.HasTaxId
-                    ? [new CustomerTaxIdDataOptions { Type = taxInfo.TaxIdType, Value = taxInfo.TaxIdNumber }]
-                    : null
+                TaxIdData = taxInfo?.HasTaxId != true
+                    ? null
+                    :
+                    [
+                        new CustomerTaxIdDataOptions { Type = taxInfo.TaxIdType, Value = taxInfo.TaxIdNumber, }
+                    ],
             };
 
             customerCreateOptions.AddExpand("tax");
@@ -1678,7 +1659,6 @@ public class StripePaymentService : IPaymentService
         return new TaxInfo
         {
             TaxIdNumber = taxId?.Value,
-            TaxIdType = taxId?.Type,
             BillingAddressLine1 = address?.Line1,
             BillingAddressLine2 = address?.Line2,
             BillingAddressCity = address?.City,
@@ -1690,13 +1670,9 @@ public class StripePaymentService : IPaymentService
 
     public async Task SaveTaxInfoAsync(ISubscriber subscriber, TaxInfo taxInfo)
     {
-        if (string.IsNullOrWhiteSpace(subscriber?.GatewayCustomerId) || subscriber.IsUser())
+        if (subscriber != null && !string.IsNullOrWhiteSpace(subscriber.GatewayCustomerId))
         {
-            return;
-        }
-
-        var customer = await _stripeAdapter.CustomerUpdateAsync(subscriber.GatewayCustomerId,
-            new CustomerUpdateOptions
+            var customer = await _stripeAdapter.CustomerUpdateAsync(subscriber.GatewayCustomerId, new CustomerUpdateOptions
             {
                 Address = new AddressOptions
                 {
@@ -1710,59 +1686,23 @@ public class StripePaymentService : IPaymentService
                 Expand = ["tax_ids"]
             });
 
-        if (customer == null)
-        {
-            return;
-        }
-
-        var taxId = customer.TaxIds?.FirstOrDefault();
-
-        if (taxId != null)
-        {
-            await _stripeAdapter.TaxIdDeleteAsync(customer.Id, taxId.Id);
-        }
-
-        if (string.IsNullOrWhiteSpace(taxInfo.TaxIdNumber))
-        {
-            return;
-        }
-
-        var taxIdType = taxInfo.TaxIdType;
-
-        if (string.IsNullOrWhiteSpace(taxIdType))
-        {
-            taxIdType = _taxService.GetStripeTaxCode(taxInfo.BillingAddressCountry, taxInfo.TaxIdNumber);
-
-            if (taxIdType == null)
+            if (!subscriber.IsUser() && customer != null)
             {
-                _logger.LogWarning("Could not infer tax ID type in country '{Country}' with tax ID '{TaxID}'.",
-                    taxInfo.BillingAddressCountry,
-                    taxInfo.TaxIdNumber);
-                throw new BadRequestException("billingTaxIdTypeInferenceError");
-            }
-        }
+                var taxId = customer.TaxIds?.FirstOrDefault();
 
-        try
-        {
-            await _stripeAdapter.TaxIdCreateAsync(customer.Id,
-                new TaxIdCreateOptions { Type = taxInfo.TaxIdType, Value = taxInfo.TaxIdNumber, });
-        }
-        catch (StripeException e)
-        {
-            switch (e.StripeError.Code)
-            {
-                case StripeConstants.ErrorCodes.TaxIdInvalid:
-                    _logger.LogWarning("Invalid tax ID '{TaxID}' for country '{Country}'.",
-                        taxInfo.TaxIdNumber,
-                        taxInfo.BillingAddressCountry);
-                    throw new BadRequestException("billingInvalidTaxIdError");
-                default:
-                    _logger.LogError(e,
-                        "Error creating tax ID '{TaxId}' in country '{Country}' for customer '{CustomerID}'.",
-                        taxInfo.TaxIdNumber,
-                        taxInfo.BillingAddressCountry,
-                        customer.Id);
-                    throw new BadRequestException("billingTaxIdCreationError");
+                if (taxId != null)
+                {
+                    await _stripeAdapter.TaxIdDeleteAsync(customer.Id, taxId.Id);
+                }
+                if (!string.IsNullOrWhiteSpace(taxInfo.TaxIdNumber) &&
+                    !string.IsNullOrWhiteSpace(taxInfo.TaxIdType))
+                {
+                    await _stripeAdapter.TaxIdCreateAsync(customer.Id, new TaxIdCreateOptions
+                    {
+                        Type = taxInfo.TaxIdType,
+                        Value = taxInfo.TaxIdNumber,
+                    });
+                }
             }
         }
     }
@@ -1895,285 +1835,6 @@ public class StripePaymentService : IPaymentService
         }
     }
 
-    public async Task<PreviewInvoiceResponseModel> PreviewInvoiceAsync(
-        PreviewIndividualInvoiceRequestBody parameters,
-        string gatewayCustomerId,
-        string gatewaySubscriptionId)
-    {
-        var options = new InvoiceCreatePreviewOptions
-        {
-            AutomaticTax = new InvoiceAutomaticTaxOptions
-            {
-                Enabled = true,
-            },
-            Currency = "usd",
-            Discounts = new List<InvoiceDiscountOptions>(),
-            SubscriptionDetails = new InvoiceSubscriptionDetailsOptions
-            {
-                Items =
-                [
-                    new()
-                    {
-                        Quantity = 1,
-                        Plan = "premium-annually"
-                    },
-
-                    new()
-                    {
-                        Quantity = parameters.PasswordManager.AdditionalStorage,
-                        Plan = "storage-gb-annually"
-                    }
-                ]
-            },
-            CustomerDetails = new InvoiceCustomerDetailsOptions
-            {
-                Address = new AddressOptions
-                {
-                    PostalCode = parameters.TaxInformation.PostalCode,
-                    Country = parameters.TaxInformation.Country,
-                }
-            },
-        };
-
-        if (!string.IsNullOrEmpty(parameters.TaxInformation.TaxId))
-        {
-            var taxIdType = _taxService.GetStripeTaxCode(
-                options.CustomerDetails.Address.Country,
-                parameters.TaxInformation.TaxId);
-
-            if (taxIdType == null)
-            {
-                _logger.LogWarning("Invalid tax ID '{TaxID}' for country '{Country}'.",
-                    parameters.TaxInformation.TaxId,
-                    parameters.TaxInformation.Country);
-                throw new BadRequestException("billingPreviewInvalidTaxIdError");
-            }
-
-            options.CustomerDetails.TaxIds = [
-                new InvoiceCustomerDetailsTaxIdOptions
-                {
-                    Type = taxIdType,
-                    Value = parameters.TaxInformation.TaxId
-                }
-            ];
-        }
-
-        if (gatewayCustomerId != null)
-        {
-            var gatewayCustomer = await _stripeAdapter.CustomerGetAsync(gatewayCustomerId);
-
-            if (gatewayCustomer.Discount != null)
-            {
-                options.Discounts.Add(new InvoiceDiscountOptions
-                {
-                    Discount = gatewayCustomer.Discount.Id
-                });
-            }
-
-            if (gatewaySubscriptionId != null)
-            {
-                var gatewaySubscription = await _stripeAdapter.SubscriptionGetAsync(gatewaySubscriptionId);
-
-                if (gatewaySubscription?.Discount != null)
-                {
-                    options.Discounts.Add(new InvoiceDiscountOptions
-                    {
-                        Discount = gatewaySubscription.Discount.Id
-                    });
-                }
-            }
-        }
-
-        try
-        {
-            var invoice = await _stripeAdapter.InvoiceCreatePreviewAsync(options);
-
-            var effectiveTaxRate = invoice.Tax != null && invoice.TotalExcludingTax != null
-                ? invoice.Tax.Value.ToMajor() / invoice.TotalExcludingTax.Value.ToMajor()
-                : 0M;
-
-            var result = new PreviewInvoiceResponseModel(
-                effectiveTaxRate,
-                invoice.TotalExcludingTax.ToMajor() ?? 0,
-                invoice.Tax.ToMajor() ?? 0,
-                invoice.Total.ToMajor());
-            return result;
-        }
-        catch (StripeException e)
-        {
-            switch (e.StripeError.Code)
-            {
-                case StripeConstants.ErrorCodes.TaxIdInvalid:
-                    _logger.LogWarning("Invalid tax ID '{TaxID}' for country '{Country}'.",
-                        parameters.TaxInformation.TaxId,
-                        parameters.TaxInformation.Country);
-                    throw new BadRequestException("billingPreviewInvalidTaxIdError");
-                default:
-                    _logger.LogError(e, "Unexpected error previewing invoice with tax ID '{TaxId}' in country '{Country}'.",
-                        parameters.TaxInformation.TaxId,
-                        parameters.TaxInformation.Country);
-                    throw new BadRequestException("billingPreviewInvoiceError");
-            }
-        }
-    }
-
-    public async Task<PreviewInvoiceResponseModel> PreviewInvoiceAsync(
-        PreviewOrganizationInvoiceRequestBody parameters,
-        string gatewayCustomerId,
-        string gatewaySubscriptionId)
-    {
-        var plan = Utilities.StaticStore.GetPlan(parameters.PasswordManager.Plan);
-
-        var options = new InvoiceCreatePreviewOptions
-        {
-            AutomaticTax = new InvoiceAutomaticTaxOptions
-            {
-                Enabled = true,
-            },
-            Currency = "usd",
-            Discounts = new List<InvoiceDiscountOptions>(),
-            SubscriptionDetails = new InvoiceSubscriptionDetailsOptions
-            {
-                Items =
-                [
-                    new()
-                    {
-                        Quantity = parameters.PasswordManager.AdditionalStorage,
-                        Plan = plan.PasswordManager.StripeStoragePlanId
-                    }
-                ]
-            },
-            CustomerDetails = new InvoiceCustomerDetailsOptions
-            {
-                Address = new AddressOptions
-                {
-                    PostalCode = parameters.TaxInformation.PostalCode,
-                    Country = parameters.TaxInformation.Country,
-                }
-            },
-        };
-
-        if (plan.PasswordManager.HasAdditionalSeatsOption)
-        {
-            options.SubscriptionDetails.Items.Add(
-                new()
-                {
-                    Quantity = parameters.PasswordManager.Seats,
-                    Plan = plan.PasswordManager.StripeSeatPlanId
-                }
-            );
-        }
-        else
-        {
-            options.SubscriptionDetails.Items.Add(
-                new()
-                {
-                    Quantity = 1,
-                    Plan = plan.PasswordManager.StripePlanId
-                }
-            );
-        }
-
-        if (plan.SupportsSecretsManager)
-        {
-            if (plan.SecretsManager.HasAdditionalSeatsOption)
-            {
-                options.SubscriptionDetails.Items.Add(new()
-                {
-                    Quantity = parameters.SecretsManager?.Seats ?? 0,
-                    Plan = plan.SecretsManager.StripeSeatPlanId
-                });
-            }
-
-            if (plan.SecretsManager.HasAdditionalServiceAccountOption)
-            {
-                options.SubscriptionDetails.Items.Add(new()
-                {
-                    Quantity = parameters.SecretsManager?.AdditionalMachineAccounts ?? 0,
-                    Plan = plan.SecretsManager.StripeServiceAccountPlanId
-                });
-            }
-        }
-
-        if (!string.IsNullOrEmpty(parameters.TaxInformation.TaxId))
-        {
-            var taxIdType = _taxService.GetStripeTaxCode(
-                options.CustomerDetails.Address.Country,
-                parameters.TaxInformation.TaxId);
-
-            if (taxIdType == null)
-            {
-                _logger.LogWarning("Invalid tax ID '{TaxID}' for country '{Country}'.",
-                    parameters.TaxInformation.TaxId,
-                    parameters.TaxInformation.Country);
-                throw new BadRequestException("billingTaxIdTypeInferenceError");
-            }
-
-            options.CustomerDetails.TaxIds = [
-                new InvoiceCustomerDetailsTaxIdOptions
-                {
-                    Type = taxIdType,
-                    Value = parameters.TaxInformation.TaxId
-                }
-            ];
-        }
-
-        if (gatewayCustomerId != null)
-        {
-            var gatewayCustomer = await _stripeAdapter.CustomerGetAsync(gatewayCustomerId);
-
-            if (gatewayCustomer.Discount != null)
-            {
-                options.Discounts.Add(new InvoiceDiscountOptions
-                {
-                    Discount = gatewayCustomer.Discount.Id
-                });
-            }
-
-            var gatewaySubscription = await _stripeAdapter.SubscriptionGetAsync(gatewaySubscriptionId);
-
-            if (gatewaySubscription?.Discount != null)
-            {
-                options.Discounts.Add(new InvoiceDiscountOptions
-                {
-                    Discount = gatewaySubscription.Discount.Id
-                });
-            }
-        }
-
-        try
-        {
-            var invoice = await _stripeAdapter.InvoiceCreatePreviewAsync(options);
-
-            var effectiveTaxRate = invoice.Tax != null && invoice.TotalExcludingTax != null
-                ? invoice.Tax.Value.ToMajor() / invoice.TotalExcludingTax.Value.ToMajor()
-                : 0M;
-
-            var result = new PreviewInvoiceResponseModel(
-                effectiveTaxRate,
-                invoice.TotalExcludingTax.ToMajor() ?? 0,
-                invoice.Tax.ToMajor() ?? 0,
-                invoice.Total.ToMajor());
-            return result;
-        }
-        catch (StripeException e)
-        {
-            switch (e.StripeError.Code)
-            {
-                case StripeConstants.ErrorCodes.TaxIdInvalid:
-                    _logger.LogWarning("Invalid tax ID '{TaxID}' for country '{Country}'.",
-                        parameters.TaxInformation.TaxId,
-                        parameters.TaxInformation.Country);
-                    throw new BadRequestException("billingPreviewInvalidTaxIdError");
-                default:
-                    _logger.LogError(e, "Unexpected error previewing invoice with tax ID '{TaxId}' in country '{Country}'.",
-                        parameters.TaxInformation.TaxId,
-                        parameters.TaxInformation.Country);
-                    throw new BadRequestException("billingPreviewInvoiceError");
-            }
-        }
-    }
-
     private PaymentMethod GetLatestCardPaymentMethod(string customerId)
     {
         var cardPaymentMethods = _stripeAdapter.PaymentMethodListAutoPaging(
diff --git a/test/Core.Test/Billing/Services/SubscriberServiceTests.cs b/test/Core.Test/Billing/Services/SubscriberServiceTests.cs
index 9c25ffdc55..385b185ffe 100644
--- a/test/Core.Test/Billing/Services/SubscriberServiceTests.cs
+++ b/test/Core.Test/Billing/Services/SubscriberServiceTests.cs
@@ -1545,7 +1545,7 @@ public class SubscriberServiceTests
     {
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
 
-        var customer = new Customer { Id = provider.GatewayCustomerId, TaxIds = new StripeList<TaxId> { Data = [new TaxId { Id = "tax_id_1", Type = "us_ein" }] } };
+        var customer = new Customer { Id = provider.GatewayCustomerId, TaxIds = new StripeList<TaxId> { Data = [new TaxId { Id = "tax_id_1" }] } };
 
         stripeAdapter.CustomerGetAsync(provider.GatewayCustomerId, Arg.Is<CustomerGetOptions>(
             options => options.Expand.Contains("tax_ids"))).Returns(customer);
@@ -1554,7 +1554,6 @@ public class SubscriberServiceTests
             "US",
             "12345",
             "123456789",
-            "us_ein",
             "123 Example St.",
             null,
             "Example Town",
diff --git a/test/Core.Test/Models/Business/TaxInfoTests.cs b/test/Core.Test/Models/Business/TaxInfoTests.cs
new file mode 100644
index 0000000000..197948006e
--- /dev/null
+++ b/test/Core.Test/Models/Business/TaxInfoTests.cs
@@ -0,0 +1,114 @@
+using Bit.Core.Models.Business;
+using Xunit;
+
+namespace Bit.Core.Test.Models.Business;
+
+public class TaxInfoTests
+{
+    // PH = Placeholder
+    [Theory]
+    [InlineData(null, null, null, null)]
+    [InlineData("", "", null, null)]
+    [InlineData("PH", "", null, null)]
+    [InlineData("", "PH", null, null)]
+    [InlineData("AE", "PH", null, "ae_trn")]
+    [InlineData("AU", "PH", null, "au_abn")]
+    [InlineData("BR", "PH", null, "br_cnpj")]
+    [InlineData("CA", "PH", "bec", "ca_qst")]
+    [InlineData("CA", "PH", null, "ca_bn")]
+    [InlineData("CL", "PH", null, "cl_tin")]
+    [InlineData("AT", "PH", null, "eu_vat")]
+    [InlineData("BE", "PH", null, "eu_vat")]
+    [InlineData("BG", "PH", null, "eu_vat")]
+    [InlineData("CY", "PH", null, "eu_vat")]
+    [InlineData("CZ", "PH", null, "eu_vat")]
+    [InlineData("DE", "PH", null, "eu_vat")]
+    [InlineData("DK", "PH", null, "eu_vat")]
+    [InlineData("EE", "PH", null, "eu_vat")]
+    [InlineData("ES", "PH", null, "eu_vat")]
+    [InlineData("FI", "PH", null, "eu_vat")]
+    [InlineData("FR", "PH", null, "eu_vat")]
+    [InlineData("GB", "PH", null, "eu_vat")]
+    [InlineData("GR", "PH", null, "eu_vat")]
+    [InlineData("HR", "PH", null, "eu_vat")]
+    [InlineData("HU", "PH", null, "eu_vat")]
+    [InlineData("IE", "PH", null, "eu_vat")]
+    [InlineData("IT", "PH", null, "eu_vat")]
+    [InlineData("LT", "PH", null, "eu_vat")]
+    [InlineData("LU", "PH", null, "eu_vat")]
+    [InlineData("LV", "PH", null, "eu_vat")]
+    [InlineData("MT", "PH", null, "eu_vat")]
+    [InlineData("NL", "PH", null, "eu_vat")]
+    [InlineData("PL", "PH", null, "eu_vat")]
+    [InlineData("PT", "PH", null, "eu_vat")]
+    [InlineData("RO", "PH", null, "eu_vat")]
+    [InlineData("SE", "PH", null, "eu_vat")]
+    [InlineData("SI", "PH", null, "eu_vat")]
+    [InlineData("SK", "PH", null, "eu_vat")]
+    [InlineData("HK", "PH", null, "hk_br")]
+    [InlineData("IN", "PH", null, "in_gst")]
+    [InlineData("JP", "PH", null, "jp_cn")]
+    [InlineData("KR", "PH", null, "kr_brn")]
+    [InlineData("LI", "PH", null, "li_uid")]
+    [InlineData("MX", "PH", null, "mx_rfc")]
+    [InlineData("MY", "PH", null, "my_sst")]
+    [InlineData("NO", "PH", null, "no_vat")]
+    [InlineData("NZ", "PH", null, "nz_gst")]
+    [InlineData("RU", "PH", null, "ru_inn")]
+    [InlineData("SA", "PH", null, "sa_vat")]
+    [InlineData("SG", "PH", null, "sg_gst")]
+    [InlineData("TH", "PH", null, "th_vat")]
+    [InlineData("TW", "PH", null, "tw_vat")]
+    [InlineData("US", "PH", null, "us_ein")]
+    [InlineData("ZA", "PH", null, "za_vat")]
+    [InlineData("ABCDEF", "PH", null, null)]
+    public void GetTaxIdType_Success(string billingAddressCountry,
+        string taxIdNumber,
+        string billingAddressState,
+        string expectedTaxIdType)
+    {
+        var taxInfo = new TaxInfo
+        {
+            BillingAddressCountry = billingAddressCountry,
+            TaxIdNumber = taxIdNumber,
+            BillingAddressState = billingAddressState,
+        };
+
+        Assert.Equal(expectedTaxIdType, taxInfo.TaxIdType);
+    }
+
+    [Fact]
+    public void GetTaxIdType_CreateOnce_ReturnCacheSecondTime()
+    {
+        var taxInfo = new TaxInfo
+        {
+            BillingAddressCountry = "US",
+            TaxIdNumber = "PH",
+            BillingAddressState = null,
+        };
+
+        Assert.Equal("us_ein", taxInfo.TaxIdType);
+
+        // Per the current spec even if the values change to something other than null it
+        // will return the cached version of TaxIdType.
+        taxInfo.BillingAddressCountry = "ZA";
+
+        Assert.Equal("us_ein", taxInfo.TaxIdType);
+    }
+
+    [Theory]
+    [InlineData(null, null, false)]
+    [InlineData("123", "US", true)]
+    [InlineData("123", "ZQ12", false)]
+    [InlineData("    ", "US", false)]
+    public void HasTaxId_ReturnsExpected(string taxIdNumber, string billingAddressCountry, bool expected)
+    {
+        var taxInfo = new TaxInfo
+        {
+            TaxIdNumber = taxIdNumber,
+            BillingAddressCountry = billingAddressCountry,
+        };
+
+        Assert.Equal(expected, taxInfo.HasTaxId);
+    }
+}
diff --git a/test/Core.Test/Services/StripePaymentServiceTests.cs b/test/Core.Test/Services/StripePaymentServiceTests.cs
index 35e1901a2f..e15f07b113 100644
--- a/test/Core.Test/Services/StripePaymentServiceTests.cs
+++ b/test/Core.Test/Services/StripePaymentServiceTests.cs
@@ -77,8 +77,7 @@ public class StripePaymentServiceTests
             c.Address.Line2 == taxInfo.BillingAddressLine2 &&
             c.Address.City == taxInfo.BillingAddressCity &&
             c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
-            c.TaxIdData.First().Type == taxInfo.TaxIdType
+            c.TaxIdData == null
         ));
 
         await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>
@@ -135,8 +134,7 @@ public class StripePaymentServiceTests
             c.Address.Line2 == taxInfo.BillingAddressLine2 &&
             c.Address.City == taxInfo.BillingAddressCity &&
             c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
-            c.TaxIdData.First().Type == taxInfo.TaxIdType
+            c.TaxIdData == null
         ));
 
         await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>
@@ -192,8 +190,7 @@ public class StripePaymentServiceTests
             c.Address.Line2 == taxInfo.BillingAddressLine2 &&
             c.Address.City == taxInfo.BillingAddressCity &&
             c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
-            c.TaxIdData.First().Type == taxInfo.TaxIdType
+            c.TaxIdData == null
         ));
 
         await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>
@@ -250,8 +247,7 @@ public class StripePaymentServiceTests
             c.Address.Line2 == taxInfo.BillingAddressLine2 &&
             c.Address.City == taxInfo.BillingAddressCity &&
             c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
-            c.TaxIdData.First().Type == taxInfo.TaxIdType
+            c.TaxIdData == null
         ));
 
         await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>
@@ -445,8 +441,7 @@ public class StripePaymentServiceTests
             c.Address.Line2 == taxInfo.BillingAddressLine2 &&
             c.Address.City == taxInfo.BillingAddressCity &&
             c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
-            c.TaxIdData.First().Type == taxInfo.TaxIdType
+            c.TaxIdData == null
         ));
 
         await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>
@@ -515,8 +510,7 @@ public class StripePaymentServiceTests
             c.Address.Line2 == taxInfo.BillingAddressLine2 &&
             c.Address.City == taxInfo.BillingAddressCity &&
             c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
-            c.TaxIdData.First().Type == taxInfo.TaxIdType
+            c.TaxIdData == null
         ));
 
         await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>

From 3c75ff335b3faee4f924aa97ea089a8454cc4698 Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Wed, 4 Dec 2024 11:36:37 -0500
Subject: [PATCH 023/384] [PM-15536] Allow reseller to add organization (#5111)

* Allow reseller to add organization

* Run dotnet format
---
 .../AdminConsole/Services/ProviderService.cs    | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs b/bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs
index e384d71df9..864466ad45 100644
--- a/bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs
+++ b/bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs
@@ -27,7 +27,11 @@ namespace Bit.Commercial.Core.AdminConsole.Services;
 
 public class ProviderService : IProviderService
 {
-    public static PlanType[] ProviderDisallowedOrganizationTypes = new[] { PlanType.Free, PlanType.FamiliesAnnually, PlanType.FamiliesAnnually2019 };
+    private static readonly PlanType[] _resellerDisallowedOrganizationTypes = [
+        PlanType.Free,
+        PlanType.FamiliesAnnually,
+        PlanType.FamiliesAnnually2019
+    ];
 
     private readonly IDataProtector _dataProtector;
     private readonly IMailService _mailService;
@@ -690,13 +694,14 @@ public class ProviderService : IProviderService
                     throw new BadRequestException($"Multi-organization Enterprise Providers cannot manage organizations with the plan type {requestedType}. Only Enterprise (Monthly) and Enterprise (Annually) are allowed.");
                 }
                 break;
+            case ProviderType.Reseller:
+                if (_resellerDisallowedOrganizationTypes.Contains(requestedType))
+                {
+                    throw new BadRequestException($"Providers cannot manage organizations with the requested plan type ({requestedType}). Only Teams and Enterprise accounts are allowed.");
+                }
+                break;
             default:
                 throw new BadRequestException($"Unsupported provider type {providerType}.");
         }
-
-        if (ProviderDisallowedOrganizationTypes.Contains(requestedType))
-        {
-            throw new BadRequestException($"Providers cannot manage organizations with the requested plan type ({requestedType}). Only Teams and Enterprise accounts are allowed.");
-        }
     }
 }

From 74e86935a45dee256154a6fad92f80f54f3a4887 Mon Sep 17 00:00:00 2001
From: Nick Krantz <125900171+nick-livefront@users.noreply.github.com>
Date: Wed, 4 Dec 2024 11:19:10 -0600
Subject: [PATCH 024/384] add `PM9111ExtensionPersistAddEditForm` feature flag
 (#5106)

---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 6efdedfeed..1d807149a9 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -155,6 +155,7 @@ public static class FeatureFlagKeys
     public const string PM14401_ScaleMSPOnClientOrganizationUpdate = "PM-14401-scale-msp-on-client-organization-update";
     public const string DisableFreeFamiliesSponsorship = "PM-12274-disable-free-families-sponsorship";
     public const string MacOsNativeCredentialSync = "macos-native-credential-sync";
+    public const string PM9111ExtensionPersistAddEditForm = "pm-9111-extension-persist-add-edit-form";
 
     public static List<string> GetAllKeys()
     {

From 0e32dcccadd759e938542dc8069bc7be9b4e297b Mon Sep 17 00:00:00 2001
From: Robyn MacCallum <robyntmaccallum@gmail.com>
Date: Wed, 4 Dec 2024 14:42:12 -0500
Subject: [PATCH 025/384] Update Constants.cs (#5112)

---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 1d807149a9..46ed985cb8 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -156,6 +156,7 @@ public static class FeatureFlagKeys
     public const string DisableFreeFamiliesSponsorship = "PM-12274-disable-free-families-sponsorship";
     public const string MacOsNativeCredentialSync = "macos-native-credential-sync";
     public const string PM9111ExtensionPersistAddEditForm = "pm-9111-extension-persist-add-edit-form";
+    public const string InlineMenuTotp = "inline-menu-totp";
 
     public static List<string> GetAllKeys()
     {

From 04cf513d7868085e0c954b5bd2220991e75cd19a Mon Sep 17 00:00:00 2001
From: Conner Turnbull <133619638+cturnbull-bitwarden@users.noreply.github.com>
Date: Thu, 5 Dec 2024 09:31:14 -0500
Subject: [PATCH 026/384] [PM-11516] Initial license file refactor (#5002)

* Added the ability to create a JWT on an organization license that contains all license properties as claims

* Added the ability to create a JWT on a user license that contains all license properties as claims

* Added ability to consume JWT licenses

* Resolved generic type issues when getting claim value

* Now validating the jwt signature, exp, and iat

* Moved creation of ClaimsPrincipal outside of licenses given dependecy on cert

* Ran dotnet format. Resolved identity error

* Updated claim types to use string constants

* Updated jwt expires to be one year

* Fixed bug requiring email verification to be on the token

* dotnet format

* Patch build process

---------

Co-authored-by: Matt Bishop <mbishop@bitwarden.com>
---
 .../Implementations/OrganizationService.cs    |   3 +-
 .../Extensions/ServiceCollectionExtensions.cs |   2 +
 .../Licenses/Extensions/LicenseExtensions.cs  | 151 ++++++++++
 .../LicenseServiceCollectionExtensions.cs     |  16 +
 src/Core/Billing/Licenses/LicenseConstants.cs |  58 ++++
 .../Billing/Licenses/Models/LicenseContext.cs |  10 +
 .../Services/ILicenseClaimsFactory.cs         |   9 +
 .../OrganizationLicenseClaimsFactory.cs       |  75 +++++
 .../UserLicenseClaimsFactory.cs               |  37 +++
 src/Core/Constants.cs                         |   1 +
 src/Core/Models/Business/ILicense.cs          |   1 +
 .../Models/Business/OrganizationLicense.cs    | 273 +++++++++++++-----
 src/Core/Models/Business/UserLicense.cs       |  83 +++++-
 .../Cloud/CloudGetOrganizationLicenseQuery.cs |   6 +-
 .../UpdateOrganizationLicenseCommand.cs       |   3 +-
 src/Core/Services/ILicensingService.cs        |  10 +-
 .../Implementations/LicensingService.cs       | 145 +++++++++-
 .../Services/Implementations/UserService.cs   |  21 +-
 .../NoopLicensingService.cs                   |  18 +-
 .../Utilities/ServiceCollectionExtensions.cs  |   2 +-
 .../Business/OrganizationLicenseTests.cs      |   7 +-
 .../UpdateOrganizationLicenseCommandTests.cs  |  15 +-
 test/Core.Test/Services/UserServiceTests.cs   |   6 +-
 23 files changed, 846 insertions(+), 106 deletions(-)
 create mode 100644 src/Core/Billing/Licenses/Extensions/LicenseExtensions.cs
 create mode 100644 src/Core/Billing/Licenses/Extensions/LicenseServiceCollectionExtensions.cs
 create mode 100644 src/Core/Billing/Licenses/LicenseConstants.cs
 create mode 100644 src/Core/Billing/Licenses/Models/LicenseContext.cs
 create mode 100644 src/Core/Billing/Licenses/Services/ILicenseClaimsFactory.cs
 create mode 100644 src/Core/Billing/Licenses/Services/Implementations/OrganizationLicenseClaimsFactory.cs
 create mode 100644 src/Core/Billing/Licenses/Services/Implementations/UserLicenseClaimsFactory.cs

diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index e8756fb325..862b566c91 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -642,7 +642,8 @@ public class OrganizationService : IOrganizationService
         OrganizationLicense license, User owner, string ownerKey, string collectionName, string publicKey,
         string privateKey)
     {
-        var canUse = license.CanUse(_globalSettings, _licensingService, out var exception);
+        var claimsPrincipal = _licensingService.GetClaimsPrincipalFromLicense(license);
+        var canUse = license.CanUse(_globalSettings, _licensingService, claimsPrincipal, out var exception);
         if (!canUse)
         {
             throw new BadRequestException(exception);
diff --git a/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs b/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
index abfceac736..78253f7399 100644
--- a/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
+++ b/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
@@ -1,5 +1,6 @@
 using Bit.Core.Billing.Caches;
 using Bit.Core.Billing.Caches.Implementations;
+using Bit.Core.Billing.Licenses.Extensions;
 using Bit.Core.Billing.Services;
 using Bit.Core.Billing.Services.Implementations;
 
@@ -15,5 +16,6 @@ public static class ServiceCollectionExtensions
         services.AddTransient<IPremiumUserBillingService, PremiumUserBillingService>();
         services.AddTransient<ISetupIntentCache, SetupIntentDistributedCache>();
         services.AddTransient<ISubscriberService, SubscriberService>();
+        services.AddLicenseServices();
     }
 }
diff --git a/src/Core/Billing/Licenses/Extensions/LicenseExtensions.cs b/src/Core/Billing/Licenses/Extensions/LicenseExtensions.cs
new file mode 100644
index 0000000000..184d8dad23
--- /dev/null
+++ b/src/Core/Billing/Licenses/Extensions/LicenseExtensions.cs
@@ -0,0 +1,151 @@
+using System.Security.Claims;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Models.Business;
+
+namespace Bit.Core.Billing.Licenses.Extensions;
+
+public static class LicenseExtensions
+{
+    public static DateTime CalculateFreshExpirationDate(this Organization org, SubscriptionInfo subscriptionInfo)
+    {
+        if (subscriptionInfo?.Subscription == null)
+        {
+            if (org.PlanType == PlanType.Custom && org.ExpirationDate.HasValue)
+            {
+                return org.ExpirationDate.Value;
+            }
+
+            return DateTime.UtcNow.AddDays(7);
+        }
+
+        var subscription = subscriptionInfo.Subscription;
+
+        if (subscription.TrialEndDate > DateTime.UtcNow)
+        {
+            return subscription.TrialEndDate.Value;
+        }
+
+        if (org.ExpirationDate.HasValue && org.ExpirationDate.Value < DateTime.UtcNow)
+        {
+            return org.ExpirationDate.Value;
+        }
+
+        if (subscription.PeriodEndDate.HasValue && subscription.PeriodDuration > TimeSpan.FromDays(180))
+        {
+            return subscription.PeriodEndDate
+                .Value
+                .AddDays(Bit.Core.Constants.OrganizationSelfHostSubscriptionGracePeriodDays);
+        }
+
+        return org.ExpirationDate?.AddMonths(11) ?? DateTime.UtcNow.AddYears(1);
+    }
+
+    public static DateTime CalculateFreshRefreshDate(this Organization org, SubscriptionInfo subscriptionInfo, DateTime expirationDate)
+    {
+        if (subscriptionInfo?.Subscription == null ||
+            subscriptionInfo.Subscription.TrialEndDate > DateTime.UtcNow ||
+            org.ExpirationDate < DateTime.UtcNow)
+        {
+            return expirationDate;
+        }
+
+        return subscriptionInfo.Subscription.PeriodDuration > TimeSpan.FromDays(180) ||
+            DateTime.UtcNow - expirationDate > TimeSpan.FromDays(30)
+            ? DateTime.UtcNow.AddDays(30)
+            : expirationDate;
+    }
+
+    public static DateTime CalculateFreshExpirationDateWithoutGracePeriod(this Organization org, SubscriptionInfo subscriptionInfo, DateTime expirationDate)
+    {
+        if (subscriptionInfo?.Subscription is null)
+        {
+            return expirationDate;
+        }
+
+        var subscription = subscriptionInfo.Subscription;
+
+        if (subscription.TrialEndDate <= DateTime.UtcNow &&
+            org.ExpirationDate >= DateTime.UtcNow &&
+            subscription.PeriodEndDate.HasValue &&
+            subscription.PeriodDuration > TimeSpan.FromDays(180))
+        {
+            return subscription.PeriodEndDate.Value;
+        }
+
+        return expirationDate;
+    }
+
+    public static T GetValue<T>(this ClaimsPrincipal principal, string claimType)
+    {
+        var claim = principal.FindFirst(claimType);
+
+        if (claim is null)
+        {
+            return default;
+        }
+
+        // Handle Guid
+        if (typeof(T) == typeof(Guid))
+        {
+            return Guid.TryParse(claim.Value, out var guid)
+                ? (T)(object)guid
+                : default;
+        }
+
+        // Handle DateTime
+        if (typeof(T) == typeof(DateTime))
+        {
+            return DateTime.TryParse(claim.Value, out var dateTime)
+                ? (T)(object)dateTime
+                : default;
+        }
+
+        // Handle TimeSpan
+        if (typeof(T) == typeof(TimeSpan))
+        {
+            return TimeSpan.TryParse(claim.Value, out var timeSpan)
+                ? (T)(object)timeSpan
+                : default;
+        }
+
+        // Check for Nullable Types
+        var underlyingType = Nullable.GetUnderlyingType(typeof(T)) ?? typeof(T);
+
+        // Handle Enums
+        if (underlyingType.IsEnum)
+        {
+            if (Enum.TryParse(underlyingType, claim.Value, true, out var enumValue))
+            {
+                return (T)enumValue; // Cast back to T
+            }
+
+            return default; // Return default value for non-nullable enums or null for nullable enums
+        }
+
+        // Handle other Nullable Types (e.g., int?, bool?)
+        if (underlyingType == typeof(int))
+        {
+            return int.TryParse(claim.Value, out var intValue)
+                ? (T)(object)intValue
+                : default;
+        }
+
+        if (underlyingType == typeof(bool))
+        {
+            return bool.TryParse(claim.Value, out var boolValue)
+                ? (T)(object)boolValue
+                : default;
+        }
+
+        if (underlyingType == typeof(double))
+        {
+            return double.TryParse(claim.Value, out var doubleValue)
+                ? (T)(object)doubleValue
+                : default;
+        }
+
+        // Fallback to Convert.ChangeType for other types including strings
+        return (T)Convert.ChangeType(claim.Value, underlyingType);
+    }
+}
diff --git a/src/Core/Billing/Licenses/Extensions/LicenseServiceCollectionExtensions.cs b/src/Core/Billing/Licenses/Extensions/LicenseServiceCollectionExtensions.cs
new file mode 100644
index 0000000000..b08adbd004
--- /dev/null
+++ b/src/Core/Billing/Licenses/Extensions/LicenseServiceCollectionExtensions.cs
@@ -0,0 +1,16 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Billing.Licenses.Services;
+using Bit.Core.Billing.Licenses.Services.Implementations;
+using Bit.Core.Entities;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Core.Billing.Licenses.Extensions;
+
+public static class LicenseServiceCollectionExtensions
+{
+    public static void AddLicenseServices(this IServiceCollection services)
+    {
+        services.AddTransient<ILicenseClaimsFactory<Organization>, OrganizationLicenseClaimsFactory>();
+        services.AddTransient<ILicenseClaimsFactory<User>, UserLicenseClaimsFactory>();
+    }
+}
diff --git a/src/Core/Billing/Licenses/LicenseConstants.cs b/src/Core/Billing/Licenses/LicenseConstants.cs
new file mode 100644
index 0000000000..564019affc
--- /dev/null
+++ b/src/Core/Billing/Licenses/LicenseConstants.cs
@@ -0,0 +1,58 @@
+namespace Bit.Core.Billing.Licenses;
+
+public static class OrganizationLicenseConstants
+{
+    public const string LicenseType = nameof(LicenseType);
+    public const string LicenseKey = nameof(LicenseKey);
+    public const string InstallationId = nameof(InstallationId);
+    public const string Id = nameof(Id);
+    public const string Name = nameof(Name);
+    public const string BusinessName = nameof(BusinessName);
+    public const string BillingEmail = nameof(BillingEmail);
+    public const string Enabled = nameof(Enabled);
+    public const string Plan = nameof(Plan);
+    public const string PlanType = nameof(PlanType);
+    public const string Seats = nameof(Seats);
+    public const string MaxCollections = nameof(MaxCollections);
+    public const string UsePolicies = nameof(UsePolicies);
+    public const string UseSso = nameof(UseSso);
+    public const string UseKeyConnector = nameof(UseKeyConnector);
+    public const string UseScim = nameof(UseScim);
+    public const string UseGroups = nameof(UseGroups);
+    public const string UseEvents = nameof(UseEvents);
+    public const string UseDirectory = nameof(UseDirectory);
+    public const string UseTotp = nameof(UseTotp);
+    public const string Use2fa = nameof(Use2fa);
+    public const string UseApi = nameof(UseApi);
+    public const string UseResetPassword = nameof(UseResetPassword);
+    public const string MaxStorageGb = nameof(MaxStorageGb);
+    public const string SelfHost = nameof(SelfHost);
+    public const string UsersGetPremium = nameof(UsersGetPremium);
+    public const string UseCustomPermissions = nameof(UseCustomPermissions);
+    public const string Issued = nameof(Issued);
+    public const string UsePasswordManager = nameof(UsePasswordManager);
+    public const string UseSecretsManager = nameof(UseSecretsManager);
+    public const string SmSeats = nameof(SmSeats);
+    public const string SmServiceAccounts = nameof(SmServiceAccounts);
+    public const string LimitCollectionCreationDeletion = nameof(LimitCollectionCreationDeletion);
+    public const string AllowAdminAccessToAllCollectionItems = nameof(AllowAdminAccessToAllCollectionItems);
+    public const string Expires = nameof(Expires);
+    public const string Refresh = nameof(Refresh);
+    public const string ExpirationWithoutGracePeriod = nameof(ExpirationWithoutGracePeriod);
+    public const string Trial = nameof(Trial);
+}
+
+public static class UserLicenseConstants
+{
+    public const string LicenseType = nameof(LicenseType);
+    public const string LicenseKey = nameof(LicenseKey);
+    public const string Id = nameof(Id);
+    public const string Name = nameof(Name);
+    public const string Email = nameof(Email);
+    public const string Premium = nameof(Premium);
+    public const string MaxStorageGb = nameof(MaxStorageGb);
+    public const string Issued = nameof(Issued);
+    public const string Expires = nameof(Expires);
+    public const string Refresh = nameof(Refresh);
+    public const string Trial = nameof(Trial);
+}
diff --git a/src/Core/Billing/Licenses/Models/LicenseContext.cs b/src/Core/Billing/Licenses/Models/LicenseContext.cs
new file mode 100644
index 0000000000..8dcc24e939
--- /dev/null
+++ b/src/Core/Billing/Licenses/Models/LicenseContext.cs
@@ -0,0 +1,10 @@
+#nullable enable
+using Bit.Core.Models.Business;
+
+namespace Bit.Core.Billing.Licenses.Models;
+
+public class LicenseContext
+{
+    public Guid? InstallationId { get; init; }
+    public required SubscriptionInfo SubscriptionInfo { get; init; }
+}
diff --git a/src/Core/Billing/Licenses/Services/ILicenseClaimsFactory.cs b/src/Core/Billing/Licenses/Services/ILicenseClaimsFactory.cs
new file mode 100644
index 0000000000..926ad04683
--- /dev/null
+++ b/src/Core/Billing/Licenses/Services/ILicenseClaimsFactory.cs
@@ -0,0 +1,9 @@
+using System.Security.Claims;
+using Bit.Core.Billing.Licenses.Models;
+
+namespace Bit.Core.Billing.Licenses.Services;
+
+public interface ILicenseClaimsFactory<in T>
+{
+    Task<List<Claim>> GenerateClaims(T entity, LicenseContext licenseContext);
+}
diff --git a/src/Core/Billing/Licenses/Services/Implementations/OrganizationLicenseClaimsFactory.cs b/src/Core/Billing/Licenses/Services/Implementations/OrganizationLicenseClaimsFactory.cs
new file mode 100644
index 0000000000..300b87dcca
--- /dev/null
+++ b/src/Core/Billing/Licenses/Services/Implementations/OrganizationLicenseClaimsFactory.cs
@@ -0,0 +1,75 @@
+using System.Globalization;
+using System.Security.Claims;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Licenses.Extensions;
+using Bit.Core.Billing.Licenses.Models;
+using Bit.Core.Enums;
+using Bit.Core.Models.Business;
+
+namespace Bit.Core.Billing.Licenses.Services.Implementations;
+
+public class OrganizationLicenseClaimsFactory : ILicenseClaimsFactory<Organization>
+{
+    public Task<List<Claim>> GenerateClaims(Organization entity, LicenseContext licenseContext)
+    {
+        var subscriptionInfo = licenseContext.SubscriptionInfo;
+        var expires = entity.CalculateFreshExpirationDate(subscriptionInfo);
+        var refresh = entity.CalculateFreshRefreshDate(subscriptionInfo, expires);
+        var expirationWithoutGracePeriod = entity.CalculateFreshExpirationDateWithoutGracePeriod(subscriptionInfo, expires);
+        var trial = IsTrialing(entity, subscriptionInfo);
+
+        var claims = new List<Claim>
+        {
+            new(nameof(OrganizationLicenseConstants.LicenseType), LicenseType.Organization.ToString()),
+            new Claim(nameof(OrganizationLicenseConstants.LicenseKey), entity.LicenseKey),
+            new(nameof(OrganizationLicenseConstants.InstallationId), licenseContext.InstallationId.ToString()),
+            new(nameof(OrganizationLicenseConstants.Id), entity.Id.ToString()),
+            new(nameof(OrganizationLicenseConstants.Name), entity.Name),
+            new(nameof(OrganizationLicenseConstants.BillingEmail), entity.BillingEmail),
+            new(nameof(OrganizationLicenseConstants.Enabled), entity.Enabled.ToString()),
+            new(nameof(OrganizationLicenseConstants.Plan), entity.Plan),
+            new(nameof(OrganizationLicenseConstants.PlanType), entity.PlanType.ToString()),
+            new(nameof(OrganizationLicenseConstants.Seats), entity.Seats.ToString()),
+            new(nameof(OrganizationLicenseConstants.MaxCollections), entity.MaxCollections.ToString()),
+            new(nameof(OrganizationLicenseConstants.UsePolicies), entity.UsePolicies.ToString()),
+            new(nameof(OrganizationLicenseConstants.UseSso), entity.UseSso.ToString()),
+            new(nameof(OrganizationLicenseConstants.UseKeyConnector), entity.UseKeyConnector.ToString()),
+            new(nameof(OrganizationLicenseConstants.UseScim), entity.UseScim.ToString()),
+            new(nameof(OrganizationLicenseConstants.UseGroups), entity.UseGroups.ToString()),
+            new(nameof(OrganizationLicenseConstants.UseEvents), entity.UseEvents.ToString()),
+            new(nameof(OrganizationLicenseConstants.UseDirectory), entity.UseDirectory.ToString()),
+            new(nameof(OrganizationLicenseConstants.UseTotp), entity.UseTotp.ToString()),
+            new(nameof(OrganizationLicenseConstants.Use2fa), entity.Use2fa.ToString()),
+            new(nameof(OrganizationLicenseConstants.UseApi), entity.UseApi.ToString()),
+            new(nameof(OrganizationLicenseConstants.UseResetPassword), entity.UseResetPassword.ToString()),
+            new(nameof(OrganizationLicenseConstants.MaxStorageGb), entity.MaxStorageGb.ToString()),
+            new(nameof(OrganizationLicenseConstants.SelfHost), entity.SelfHost.ToString()),
+            new(nameof(OrganizationLicenseConstants.UsersGetPremium), entity.UsersGetPremium.ToString()),
+            new(nameof(OrganizationLicenseConstants.UseCustomPermissions), entity.UseCustomPermissions.ToString()),
+            new(nameof(OrganizationLicenseConstants.Issued), DateTime.UtcNow.ToString(CultureInfo.InvariantCulture)),
+            new(nameof(OrganizationLicenseConstants.UsePasswordManager), entity.UsePasswordManager.ToString()),
+            new(nameof(OrganizationLicenseConstants.UseSecretsManager), entity.UseSecretsManager.ToString()),
+            new(nameof(OrganizationLicenseConstants.SmSeats), entity.SmSeats.ToString()),
+            new(nameof(OrganizationLicenseConstants.SmServiceAccounts), entity.SmServiceAccounts.ToString()),
+            new(nameof(OrganizationLicenseConstants.LimitCollectionCreationDeletion), entity.LimitCollectionCreationDeletion.ToString()),
+            new(nameof(OrganizationLicenseConstants.AllowAdminAccessToAllCollectionItems), entity.AllowAdminAccessToAllCollectionItems.ToString()),
+            new(nameof(OrganizationLicenseConstants.Expires), expires.ToString(CultureInfo.InvariantCulture)),
+            new(nameof(OrganizationLicenseConstants.Refresh), refresh.ToString(CultureInfo.InvariantCulture)),
+            new(nameof(OrganizationLicenseConstants.ExpirationWithoutGracePeriod), expirationWithoutGracePeriod.ToString(CultureInfo.InvariantCulture)),
+            new(nameof(OrganizationLicenseConstants.Trial), trial.ToString()),
+        };
+
+        if (entity.BusinessName is not null)
+        {
+            claims.Add(new Claim(nameof(OrganizationLicenseConstants.BusinessName), entity.BusinessName));
+        }
+
+        return Task.FromResult(claims);
+    }
+
+    private static bool IsTrialing(Organization org, SubscriptionInfo subscriptionInfo) =>
+        subscriptionInfo?.Subscription is null
+            ? org.PlanType != PlanType.Custom || !org.ExpirationDate.HasValue
+            : subscriptionInfo.Subscription.TrialEndDate > DateTime.UtcNow;
+}
diff --git a/src/Core/Billing/Licenses/Services/Implementations/UserLicenseClaimsFactory.cs b/src/Core/Billing/Licenses/Services/Implementations/UserLicenseClaimsFactory.cs
new file mode 100644
index 0000000000..28c779c3d6
--- /dev/null
+++ b/src/Core/Billing/Licenses/Services/Implementations/UserLicenseClaimsFactory.cs
@@ -0,0 +1,37 @@
+using System.Globalization;
+using System.Security.Claims;
+using Bit.Core.Billing.Licenses.Models;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+
+namespace Bit.Core.Billing.Licenses.Services.Implementations;
+
+public class UserLicenseClaimsFactory : ILicenseClaimsFactory<User>
+{
+    public Task<List<Claim>> GenerateClaims(User entity, LicenseContext licenseContext)
+    {
+        var subscriptionInfo = licenseContext.SubscriptionInfo;
+
+        var expires = subscriptionInfo.UpcomingInvoice?.Date?.AddDays(7) ?? entity.PremiumExpirationDate?.AddDays(7);
+        var refresh = subscriptionInfo.UpcomingInvoice?.Date ?? entity.PremiumExpirationDate;
+        var trial = (subscriptionInfo.Subscription?.TrialEndDate.HasValue ?? false) &&
+                    subscriptionInfo.Subscription.TrialEndDate.Value > DateTime.UtcNow;
+
+        var claims = new List<Claim>
+        {
+            new(nameof(UserLicenseConstants.LicenseType), LicenseType.User.ToString()),
+            new(nameof(UserLicenseConstants.LicenseKey), entity.LicenseKey),
+            new(nameof(UserLicenseConstants.Id), entity.Id.ToString()),
+            new(nameof(UserLicenseConstants.Name), entity.Name),
+            new(nameof(UserLicenseConstants.Email), entity.Email),
+            new(nameof(UserLicenseConstants.Premium), entity.Premium.ToString()),
+            new(nameof(UserLicenseConstants.MaxStorageGb), entity.MaxStorageGb.ToString()),
+            new(nameof(UserLicenseConstants.Issued), DateTime.UtcNow.ToString(CultureInfo.InvariantCulture)),
+            new(nameof(UserLicenseConstants.Expires), expires.ToString()),
+            new(nameof(UserLicenseConstants.Refresh), refresh.ToString()),
+            new(nameof(UserLicenseConstants.Trial), trial.ToString()),
+        };
+
+        return Task.FromResult(claims);
+    }
+}
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 46ed985cb8..14258353d6 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -157,6 +157,7 @@ public static class FeatureFlagKeys
     public const string MacOsNativeCredentialSync = "macos-native-credential-sync";
     public const string PM9111ExtensionPersistAddEditForm = "pm-9111-extension-persist-add-edit-form";
     public const string InlineMenuTotp = "inline-menu-totp";
+    public const string SelfHostLicenseRefactor = "pm-11516-self-host-license-refactor";
 
     public static List<string> GetAllKeys()
     {
diff --git a/src/Core/Models/Business/ILicense.cs b/src/Core/Models/Business/ILicense.cs
index ad389b0a12..b0e295bdd9 100644
--- a/src/Core/Models/Business/ILicense.cs
+++ b/src/Core/Models/Business/ILicense.cs
@@ -12,6 +12,7 @@ public interface ILicense
     bool Trial { get; set; }
     string Hash { get; set; }
     string Signature { get; set; }
+    string Token { get; set; }
     byte[] SignatureBytes { get; }
     byte[] GetDataBytes(bool forHash = false);
     byte[] ComputeHash();
diff --git a/src/Core/Models/Business/OrganizationLicense.cs b/src/Core/Models/Business/OrganizationLicense.cs
index ea51273645..37a086646c 100644
--- a/src/Core/Models/Business/OrganizationLicense.cs
+++ b/src/Core/Models/Business/OrganizationLicense.cs
@@ -1,10 +1,12 @@
 using System.Reflection;
+using System.Security.Claims;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Text;
 using System.Text.Json.Serialization;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Licenses.Extensions;
 using Bit.Core.Enums;
 using Bit.Core.Services;
 using Bit.Core.Settings;
@@ -151,6 +153,7 @@ public class OrganizationLicense : ILicense
     public LicenseType? LicenseType { get; set; }
     public string Hash { get; set; }
     public string Signature { get; set; }
+    public string Token { get; set; }
     [JsonIgnore] public byte[] SignatureBytes => Convert.FromBase64String(Signature);
 
     /// <summary>
@@ -176,6 +179,7 @@ public class OrganizationLicense : ILicense
                     !p.Name.Equals(nameof(Signature)) &&
                     !p.Name.Equals(nameof(SignatureBytes)) &&
                     !p.Name.Equals(nameof(LicenseType)) &&
+                    !p.Name.Equals(nameof(Token)) &&
                     // UsersGetPremium was added in Version 2
                     (Version >= 2 || !p.Name.Equals(nameof(UsersGetPremium))) &&
                     // UseEvents was added in Version 3
@@ -236,8 +240,65 @@ public class OrganizationLicense : ILicense
         }
     }
 
-    public bool CanUse(IGlobalSettings globalSettings, ILicensingService licensingService, out string exception)
+    public bool CanUse(
+        IGlobalSettings globalSettings,
+        ILicensingService licensingService,
+        ClaimsPrincipal claimsPrincipal,
+        out string exception)
     {
+        if (string.IsNullOrWhiteSpace(Token) || claimsPrincipal is null)
+        {
+            return ObsoleteCanUse(globalSettings, licensingService, out exception);
+        }
+
+        var errorMessages = new StringBuilder();
+
+        var enabled = claimsPrincipal.GetValue<bool>(nameof(Enabled));
+        if (!enabled)
+        {
+            errorMessages.AppendLine("Your cloud-hosted organization is currently disabled.");
+        }
+
+        var installationId = claimsPrincipal.GetValue<Guid>(nameof(InstallationId));
+        if (installationId != globalSettings.Installation.Id)
+        {
+            errorMessages.AppendLine("The installation ID does not match the current installation.");
+        }
+
+        var selfHost = claimsPrincipal.GetValue<bool>(nameof(SelfHost));
+        if (!selfHost)
+        {
+            errorMessages.AppendLine("The license does not allow for on-premise hosting of organizations.");
+        }
+
+        var licenseType = claimsPrincipal.GetValue<LicenseType>(nameof(LicenseType));
+        if (licenseType != Enums.LicenseType.Organization)
+        {
+            errorMessages.AppendLine("Premium licenses cannot be applied to an organization. " +
+                                     "Upload this license from your personal account settings page.");
+        }
+
+        if (errorMessages.Length > 0)
+        {
+            exception = $"Invalid license. {errorMessages.ToString().TrimEnd()}";
+            return false;
+        }
+
+        exception = "";
+        return true;
+    }
+
+    /// <summary>
+    /// Do not extend this method. It is only here for backwards compatibility with old licenses.
+    /// Instead, extend the CanUse method using the ClaimsPrincipal.
+    /// </summary>
+    /// <param name="globalSettings"></param>
+    /// <param name="licensingService"></param>
+    /// <param name="exception"></param>
+    /// <returns></returns>
+    private bool ObsoleteCanUse(IGlobalSettings globalSettings, ILicensingService licensingService, out string exception)
+    {
+        // Do not extend this method. It is only here for backwards compatibility with old licenses.
         var errorMessages = new StringBuilder();
 
         if (!Enabled)
@@ -291,101 +352,177 @@ public class OrganizationLicense : ILicense
         return true;
     }
 
-    public bool VerifyData(Organization organization, IGlobalSettings globalSettings)
+    public bool VerifyData(
+        Organization organization,
+        ClaimsPrincipal claimsPrincipal,
+        IGlobalSettings globalSettings)
     {
+        if (string.IsNullOrWhiteSpace(Token))
+        {
+            return ObsoleteVerifyData(organization, globalSettings);
+        }
+
+        var issued = claimsPrincipal.GetValue<DateTime>(nameof(Issued));
+        var expires = claimsPrincipal.GetValue<DateTime>(nameof(Expires));
+        var installationId = claimsPrincipal.GetValue<Guid>(nameof(InstallationId));
+        var licenseKey = claimsPrincipal.GetValue<string>(nameof(LicenseKey));
+        var enabled = claimsPrincipal.GetValue<bool>(nameof(Enabled));
+        var planType = claimsPrincipal.GetValue<PlanType>(nameof(PlanType));
+        var seats = claimsPrincipal.GetValue<int?>(nameof(Seats));
+        var maxCollections = claimsPrincipal.GetValue<short?>(nameof(MaxCollections));
+        var useGroups = claimsPrincipal.GetValue<bool>(nameof(UseGroups));
+        var useDirectory = claimsPrincipal.GetValue<bool>(nameof(UseDirectory));
+        var useTotp = claimsPrincipal.GetValue<bool>(nameof(UseTotp));
+        var selfHost = claimsPrincipal.GetValue<bool>(nameof(SelfHost));
+        var name = claimsPrincipal.GetValue<string>(nameof(Name));
+        var usersGetPremium = claimsPrincipal.GetValue<bool>(nameof(UsersGetPremium));
+        var useEvents = claimsPrincipal.GetValue<bool>(nameof(UseEvents));
+        var use2fa = claimsPrincipal.GetValue<bool>(nameof(Use2fa));
+        var useApi = claimsPrincipal.GetValue<bool>(nameof(UseApi));
+        var usePolicies = claimsPrincipal.GetValue<bool>(nameof(UsePolicies));
+        var useSso = claimsPrincipal.GetValue<bool>(nameof(UseSso));
+        var useResetPassword = claimsPrincipal.GetValue<bool>(nameof(UseResetPassword));
+        var useKeyConnector = claimsPrincipal.GetValue<bool>(nameof(UseKeyConnector));
+        var useScim = claimsPrincipal.GetValue<bool>(nameof(UseScim));
+        var useCustomPermissions = claimsPrincipal.GetValue<bool>(nameof(UseCustomPermissions));
+        var useSecretsManager = claimsPrincipal.GetValue<bool>(nameof(UseSecretsManager));
+        var usePasswordManager = claimsPrincipal.GetValue<bool>(nameof(UsePasswordManager));
+        var smSeats = claimsPrincipal.GetValue<int?>(nameof(SmSeats));
+        var smServiceAccounts = claimsPrincipal.GetValue<int?>(nameof(SmServiceAccounts));
+
+        return issued <= DateTime.UtcNow &&
+               expires >= DateTime.UtcNow &&
+               installationId == globalSettings.Installation.Id &&
+               licenseKey == organization.LicenseKey &&
+               enabled == organization.Enabled &&
+               planType == organization.PlanType &&
+               seats == organization.Seats &&
+               maxCollections == organization.MaxCollections &&
+               useGroups == organization.UseGroups &&
+               useDirectory == organization.UseDirectory &&
+               useTotp == organization.UseTotp &&
+               selfHost == organization.SelfHost &&
+               name == organization.Name &&
+               usersGetPremium == organization.UsersGetPremium &&
+               useEvents == organization.UseEvents &&
+               use2fa == organization.Use2fa &&
+               useApi == organization.UseApi &&
+               usePolicies == organization.UsePolicies &&
+               useSso == organization.UseSso &&
+               useResetPassword == organization.UseResetPassword &&
+               useKeyConnector == organization.UseKeyConnector &&
+               useScim == organization.UseScim &&
+               useCustomPermissions == organization.UseCustomPermissions &&
+               useSecretsManager == organization.UseSecretsManager &&
+               usePasswordManager == organization.UsePasswordManager &&
+               smSeats == organization.SmSeats &&
+               smServiceAccounts == organization.SmServiceAccounts;
+    }
+
+    /// <summary>
+    /// Do not extend this method. It is only here for backwards compatibility with old licenses.
+    /// Instead, extend the VerifyData method using the ClaimsPrincipal.
+    /// </summary>
+    /// <param name="organization"></param>
+    /// <param name="globalSettings"></param>
+    /// <returns></returns>
+    /// <exception cref="NotSupportedException"></exception>
+    private bool ObsoleteVerifyData(Organization organization, IGlobalSettings globalSettings)
+    {
+        // Do not extend this method. It is only here for backwards compatibility with old licenses.
         if (Issued > DateTime.UtcNow || Expires < DateTime.UtcNow)
         {
             return false;
         }
 
-        if (ValidLicenseVersion)
+        if (!ValidLicenseVersion)
         {
-            var valid =
-                globalSettings.Installation.Id == InstallationId &&
-                organization.LicenseKey != null && organization.LicenseKey.Equals(LicenseKey) &&
-                organization.Enabled == Enabled &&
-                organization.PlanType == PlanType &&
-                organization.Seats == Seats &&
-                organization.MaxCollections == MaxCollections &&
-                organization.UseGroups == UseGroups &&
-                organization.UseDirectory == UseDirectory &&
-                organization.UseTotp == UseTotp &&
-                organization.SelfHost == SelfHost &&
-                organization.Name.Equals(Name);
+            throw new NotSupportedException($"Version {Version} is not supported.");
+        }
 
-            if (valid && Version >= 2)
-            {
-                valid = organization.UsersGetPremium == UsersGetPremium;
-            }
+        var valid =
+            globalSettings.Installation.Id == InstallationId &&
+            organization.LicenseKey != null && organization.LicenseKey.Equals(LicenseKey) &&
+            organization.Enabled == Enabled &&
+            organization.PlanType == PlanType &&
+            organization.Seats == Seats &&
+            organization.MaxCollections == MaxCollections &&
+            organization.UseGroups == UseGroups &&
+            organization.UseDirectory == UseDirectory &&
+            organization.UseTotp == UseTotp &&
+            organization.SelfHost == SelfHost &&
+            organization.Name.Equals(Name);
 
-            if (valid && Version >= 3)
-            {
-                valid = organization.UseEvents == UseEvents;
-            }
+        if (valid && Version >= 2)
+        {
+            valid = organization.UsersGetPremium == UsersGetPremium;
+        }
 
-            if (valid && Version >= 4)
-            {
-                valid = organization.Use2fa == Use2fa;
-            }
+        if (valid && Version >= 3)
+        {
+            valid = organization.UseEvents == UseEvents;
+        }
 
-            if (valid && Version >= 5)
-            {
-                valid = organization.UseApi == UseApi;
-            }
+        if (valid && Version >= 4)
+        {
+            valid = organization.Use2fa == Use2fa;
+        }
 
-            if (valid && Version >= 6)
-            {
-                valid = organization.UsePolicies == UsePolicies;
-            }
+        if (valid && Version >= 5)
+        {
+            valid = organization.UseApi == UseApi;
+        }
 
-            if (valid && Version >= 7)
-            {
-                valid = organization.UseSso == UseSso;
-            }
+        if (valid && Version >= 6)
+        {
+            valid = organization.UsePolicies == UsePolicies;
+        }
 
-            if (valid && Version >= 8)
-            {
-                valid = organization.UseResetPassword == UseResetPassword;
-            }
+        if (valid && Version >= 7)
+        {
+            valid = organization.UseSso == UseSso;
+        }
 
-            if (valid && Version >= 9)
-            {
-                valid = organization.UseKeyConnector == UseKeyConnector;
-            }
+        if (valid && Version >= 8)
+        {
+            valid = organization.UseResetPassword == UseResetPassword;
+        }
 
-            if (valid && Version >= 10)
-            {
-                valid = organization.UseScim == UseScim;
-            }
+        if (valid && Version >= 9)
+        {
+            valid = organization.UseKeyConnector == UseKeyConnector;
+        }
 
-            if (valid && Version >= 11)
-            {
-                valid = organization.UseCustomPermissions == UseCustomPermissions;
-            }
+        if (valid && Version >= 10)
+        {
+            valid = organization.UseScim == UseScim;
+        }
 
-            /*Version 12 added ExpirationWithoutDatePeriod, but that property is informational only and is not saved
+        if (valid && Version >= 11)
+        {
+            valid = organization.UseCustomPermissions == UseCustomPermissions;
+        }
+
+        /*Version 12 added ExpirationWithoutDatePeriod, but that property is informational only and is not saved
             to the Organization object. It's validated as part of the hash but does not need to be validated here.
             */
 
-            if (valid && Version >= 13)
-            {
-                valid = organization.UseSecretsManager == UseSecretsManager &&
-                        organization.UsePasswordManager == UsePasswordManager &&
-                        organization.SmSeats == SmSeats &&
-                        organization.SmServiceAccounts == SmServiceAccounts;
-            }
+        if (valid && Version >= 13)
+        {
+            valid = organization.UseSecretsManager == UseSecretsManager &&
+                    organization.UsePasswordManager == UsePasswordManager &&
+                    organization.SmSeats == SmSeats &&
+                    organization.SmServiceAccounts == SmServiceAccounts;
+        }
 
-            /*
+        /*
             * Version 14 added LimitCollectionCreationDeletion and Version
             * 15 added AllowAdminAccessToAllCollectionItems, however they
             * are no longer used and are intentionally excluded from
             * validation.
             */
 
-            return valid;
-        }
-
-        throw new NotSupportedException($"Version {Version} is not supported.");
+        return valid;
     }
 
     public bool VerifySignature(X509Certificate2 certificate)
diff --git a/src/Core/Models/Business/UserLicense.cs b/src/Core/Models/Business/UserLicense.cs
index 0f1b191a1d..797aa6692a 100644
--- a/src/Core/Models/Business/UserLicense.cs
+++ b/src/Core/Models/Business/UserLicense.cs
@@ -1,8 +1,10 @@
 using System.Reflection;
+using System.Security.Claims;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Text;
 using System.Text.Json.Serialization;
+using Bit.Core.Billing.Licenses.Extensions;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Services;
@@ -70,6 +72,7 @@ public class UserLicense : ILicense
     public LicenseType? LicenseType { get; set; }
     public string Hash { get; set; }
     public string Signature { get; set; }
+    public string Token { get; set; }
     [JsonIgnore]
     public byte[] SignatureBytes => Convert.FromBase64String(Signature);
 
@@ -84,6 +87,7 @@ public class UserLicense : ILicense
                     !p.Name.Equals(nameof(Signature)) &&
                     !p.Name.Equals(nameof(SignatureBytes)) &&
                     !p.Name.Equals(nameof(LicenseType)) &&
+                    !p.Name.Equals(nameof(Token)) &&
                     (
                         !forHash ||
                         (
@@ -113,8 +117,47 @@ public class UserLicense : ILicense
         }
     }
 
-    public bool CanUse(User user, out string exception)
+    public bool CanUse(User user, ClaimsPrincipal claimsPrincipal, out string exception)
     {
+        if (string.IsNullOrWhiteSpace(Token) || claimsPrincipal is null)
+        {
+            return ObsoleteCanUse(user, out exception);
+        }
+
+        var errorMessages = new StringBuilder();
+
+        if (!user.EmailVerified)
+        {
+            errorMessages.AppendLine("The user's email is not verified.");
+        }
+
+        var email = claimsPrincipal.GetValue<string>(nameof(Email));
+        if (!email.Equals(user.Email, StringComparison.InvariantCultureIgnoreCase))
+        {
+            errorMessages.AppendLine("The user's email does not match the license email.");
+        }
+
+        if (errorMessages.Length > 0)
+        {
+            exception = $"Invalid license. {errorMessages.ToString().TrimEnd()}";
+            return false;
+        }
+
+        exception = "";
+        return true;
+    }
+
+    /// <summary>
+    /// Do not extend this method. It is only here for backwards compatibility with old licenses.
+    /// Instead, extend the CanUse method using the ClaimsPrincipal.
+    /// </summary>
+    /// <param name="user"></param>
+    /// <param name="exception"></param>
+    /// <returns></returns>
+    /// <exception cref="NotSupportedException"></exception>
+    private bool ObsoleteCanUse(User user, out string exception)
+    {
+        // Do not extend this method. It is only here for backwards compatibility with old licenses.
         var errorMessages = new StringBuilder();
 
         if (Issued > DateTime.UtcNow)
@@ -152,22 +195,46 @@ public class UserLicense : ILicense
         return true;
     }
 
-    public bool VerifyData(User user)
+    public bool VerifyData(User user, ClaimsPrincipal claimsPrincipal)
     {
+        if (string.IsNullOrWhiteSpace(Token) || claimsPrincipal is null)
+        {
+            return ObsoleteVerifyData(user);
+        }
+
+        var licenseKey = claimsPrincipal.GetValue<string>(nameof(LicenseKey));
+        var premium = claimsPrincipal.GetValue<bool>(nameof(Premium));
+        var email = claimsPrincipal.GetValue<string>(nameof(Email));
+
+        return licenseKey == user.LicenseKey &&
+               premium == user.Premium &&
+               email.Equals(user.Email, StringComparison.InvariantCultureIgnoreCase);
+    }
+
+    /// <summary>
+    /// Do not extend this method. It is only here for backwards compatibility with old licenses.
+    /// Instead, extend the VerifyData method using the ClaimsPrincipal.
+    /// </summary>
+    /// <param name="user"></param>
+    /// <returns></returns>
+    /// <exception cref="NotSupportedException"></exception>
+    private bool ObsoleteVerifyData(User user)
+    {
+        // Do not extend this method. It is only here for backwards compatibility with old licenses.
         if (Issued > DateTime.UtcNow || Expires < DateTime.UtcNow)
         {
             return false;
         }
 
-        if (Version == 1)
+        if (Version != 1)
         {
-            return
-                user.LicenseKey != null && user.LicenseKey.Equals(LicenseKey) &&
-                user.Premium == Premium &&
-                user.Email.Equals(Email, StringComparison.InvariantCultureIgnoreCase);
+            throw new NotSupportedException($"Version {Version} is not supported.");
         }
 
-        throw new NotSupportedException($"Version {Version} is not supported.");
+        return
+            user.LicenseKey != null && user.LicenseKey.Equals(LicenseKey) &&
+            user.Premium == Premium &&
+            user.Email.Equals(Email, StringComparison.InvariantCultureIgnoreCase);
     }
 
     public bool VerifySignature(X509Certificate2 certificate)
diff --git a/src/Core/OrganizationFeatures/OrganizationLicenses/Cloud/CloudGetOrganizationLicenseQuery.cs b/src/Core/OrganizationFeatures/OrganizationLicenses/Cloud/CloudGetOrganizationLicenseQuery.cs
index b8fad451e2..a4b08736c2 100644
--- a/src/Core/OrganizationFeatures/OrganizationLicenses/Cloud/CloudGetOrganizationLicenseQuery.cs
+++ b/src/Core/OrganizationFeatures/OrganizationLicenses/Cloud/CloudGetOrganizationLicenseQuery.cs
@@ -33,6 +33,10 @@ public class CloudGetOrganizationLicenseQuery : ICloudGetOrganizationLicenseQuer
         }
 
         var subscriptionInfo = await _paymentService.GetSubscriptionAsync(organization);
-        return new OrganizationLicense(organization, subscriptionInfo, installationId, _licensingService, version);
+
+        return new OrganizationLicense(organization, subscriptionInfo, installationId, _licensingService, version)
+        {
+            Token = await _licensingService.CreateOrganizationTokenAsync(organization, installationId, subscriptionInfo)
+        };
     }
 }
diff --git a/src/Core/OrganizationFeatures/OrganizationLicenses/UpdateOrganizationLicenseCommand.cs b/src/Core/OrganizationFeatures/OrganizationLicenses/UpdateOrganizationLicenseCommand.cs
index 1f8c6604b8..ffeee39c07 100644
--- a/src/Core/OrganizationFeatures/OrganizationLicenses/UpdateOrganizationLicenseCommand.cs
+++ b/src/Core/OrganizationFeatures/OrganizationLicenses/UpdateOrganizationLicenseCommand.cs
@@ -39,7 +39,8 @@ public class UpdateOrganizationLicenseCommand : IUpdateOrganizationLicenseComman
             throw new BadRequestException("License is already in use by another organization.");
         }
 
-        var canUse = license.CanUse(_globalSettings, _licensingService, out var exception) &&
+        var claimsPrincipal = _licensingService.GetClaimsPrincipalFromLicense(license);
+        var canUse = license.CanUse(_globalSettings, _licensingService, claimsPrincipal, out var exception) &&
             selfHostedOrganization.CanUseLicense(license, out exception);
 
         if (!canUse)
diff --git a/src/Core/Services/ILicensingService.cs b/src/Core/Services/ILicensingService.cs
index e92fa87fd6..7301f7c689 100644
--- a/src/Core/Services/ILicensingService.cs
+++ b/src/Core/Services/ILicensingService.cs
@@ -1,4 +1,5 @@
-using Bit.Core.AdminConsole.Entities;
+using System.Security.Claims;
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Entities;
 using Bit.Core.Models.Business;
 
@@ -13,5 +14,12 @@ public interface ILicensingService
     byte[] SignLicense(ILicense license);
     Task<OrganizationLicense> ReadOrganizationLicenseAsync(Organization organization);
     Task<OrganizationLicense> ReadOrganizationLicenseAsync(Guid organizationId);
+    ClaimsPrincipal GetClaimsPrincipalFromLicense(ILicense license);
 
+    Task<string> CreateOrganizationTokenAsync(
+        Organization organization,
+        Guid installationId,
+        SubscriptionInfo subscriptionInfo);
+
+    Task<string> CreateUserTokenAsync(User user, SubscriptionInfo subscriptionInfo);
 }
diff --git a/src/Core/Services/Implementations/LicensingService.cs b/src/Core/Services/Implementations/LicensingService.cs
index 85b8f31200..866f0bb6e1 100644
--- a/src/Core/Services/Implementations/LicensingService.cs
+++ b/src/Core/Services/Implementations/LicensingService.cs
@@ -1,15 +1,22 @@
-using System.Security.Cryptography.X509Certificates;
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using System.Security.Cryptography.X509Certificates;
 using System.Text;
 using System.Text.Json;
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Billing.Licenses.Models;
+using Bit.Core.Billing.Licenses.Services;
 using Bit.Core.Entities;
+using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
+using IdentityModel;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
+using Microsoft.IdentityModel.Tokens;
 
 namespace Bit.Core.Services;
 
@@ -19,27 +26,33 @@ public class LicensingService : ILicensingService
     private readonly IGlobalSettings _globalSettings;
     private readonly IUserRepository _userRepository;
     private readonly IOrganizationRepository _organizationRepository;
-    private readonly IOrganizationUserRepository _organizationUserRepository;
     private readonly IMailService _mailService;
     private readonly ILogger<LicensingService> _logger;
+    private readonly ILicenseClaimsFactory<Organization> _organizationLicenseClaimsFactory;
+    private readonly ILicenseClaimsFactory<User> _userLicenseClaimsFactory;
+    private readonly IFeatureService _featureService;
 
     private IDictionary<Guid, DateTime> _userCheckCache = new Dictionary<Guid, DateTime>();
 
     public LicensingService(
         IUserRepository userRepository,
         IOrganizationRepository organizationRepository,
-        IOrganizationUserRepository organizationUserRepository,
         IMailService mailService,
         IWebHostEnvironment environment,
         ILogger<LicensingService> logger,
-        IGlobalSettings globalSettings)
+        IGlobalSettings globalSettings,
+        ILicenseClaimsFactory<Organization> organizationLicenseClaimsFactory,
+        IFeatureService featureService,
+        ILicenseClaimsFactory<User> userLicenseClaimsFactory)
     {
         _userRepository = userRepository;
         _organizationRepository = organizationRepository;
-        _organizationUserRepository = organizationUserRepository;
         _mailService = mailService;
         _logger = logger;
         _globalSettings = globalSettings;
+        _organizationLicenseClaimsFactory = organizationLicenseClaimsFactory;
+        _featureService = featureService;
+        _userLicenseClaimsFactory = userLicenseClaimsFactory;
 
         var certThumbprint = environment.IsDevelopment() ?
             "207E64A231E8AA32AAF68A61037C075EBEBD553F" :
@@ -104,13 +117,13 @@ public class LicensingService : ILicensingService
                     continue;
                 }
 
-                if (!license.VerifyData(org, _globalSettings))
+                if (!license.VerifyData(org, GetClaimsPrincipalFromLicense(license), _globalSettings))
                 {
                     await DisableOrganizationAsync(org, license, "Invalid data.");
                     continue;
                 }
 
-                if (!license.VerifySignature(_certificate))
+                if (string.IsNullOrWhiteSpace(license.Token) && !license.VerifySignature(_certificate))
                 {
                     await DisableOrganizationAsync(org, license, "Invalid signature.");
                     continue;
@@ -203,13 +216,14 @@ public class LicensingService : ILicensingService
             return false;
         }
 
-        if (!license.VerifyData(user))
+        var claimsPrincipal = GetClaimsPrincipalFromLicense(license);
+        if (!license.VerifyData(user, claimsPrincipal))
         {
             await DisablePremiumAsync(user, license, "Invalid data.");
             return false;
         }
 
-        if (!license.VerifySignature(_certificate))
+        if (string.IsNullOrWhiteSpace(license.Token) && !license.VerifySignature(_certificate))
         {
             await DisablePremiumAsync(user, license, "Invalid signature.");
             return false;
@@ -234,7 +248,21 @@ public class LicensingService : ILicensingService
 
     public bool VerifyLicense(ILicense license)
     {
-        return license.VerifySignature(_certificate);
+        if (string.IsNullOrWhiteSpace(license.Token))
+        {
+            return license.VerifySignature(_certificate);
+        }
+
+        try
+        {
+            _ = GetClaimsPrincipalFromLicense(license);
+            return true;
+        }
+        catch (Exception e)
+        {
+            _logger.LogWarning(e, "Invalid token.");
+            return false;
+        }
     }
 
     public byte[] SignLicense(ILicense license)
@@ -272,4 +300,101 @@ public class LicensingService : ILicensingService
         using var fs = File.OpenRead(filePath);
         return await JsonSerializer.DeserializeAsync<OrganizationLicense>(fs);
     }
+
+    public ClaimsPrincipal GetClaimsPrincipalFromLicense(ILicense license)
+    {
+        if (string.IsNullOrWhiteSpace(license.Token))
+        {
+            return null;
+        }
+
+        var audience = license switch
+        {
+            OrganizationLicense orgLicense => $"organization:{orgLicense.Id}",
+            UserLicense userLicense => $"user:{userLicense.Id}",
+            _ => throw new ArgumentException("Unsupported license type.", nameof(license)),
+        };
+
+        var token = license.Token;
+        var tokenHandler = new JwtSecurityTokenHandler();
+        var validationParameters = new TokenValidationParameters
+        {
+            ValidateIssuerSigningKey = true,
+            IssuerSigningKey = new X509SecurityKey(_certificate),
+            ValidateIssuer = true,
+            ValidIssuer = "bitwarden",
+            ValidateAudience = true,
+            ValidAudience = audience,
+            ValidateLifetime = true,
+            ClockSkew = TimeSpan.Zero,
+            RequireExpirationTime = true
+        };
+
+        try
+        {
+            return tokenHandler.ValidateToken(token, validationParameters, out _);
+        }
+        catch (Exception ex)
+        {
+            // Token exceptions thrown are interpreted by the client as Identity errors and cause the user to logout
+            // Mask them by rethrowing as BadRequestException
+            throw new BadRequestException($"Invalid license. {ex.Message}");
+        }
+    }
+
+    public async Task<string> CreateOrganizationTokenAsync(Organization organization, Guid installationId, SubscriptionInfo subscriptionInfo)
+    {
+        if (!_featureService.IsEnabled(FeatureFlagKeys.SelfHostLicenseRefactor))
+        {
+            return null;
+        }
+
+        var licenseContext = new LicenseContext
+        {
+            InstallationId = installationId,
+            SubscriptionInfo = subscriptionInfo,
+        };
+
+        var claims = await _organizationLicenseClaimsFactory.GenerateClaims(organization, licenseContext);
+        var audience = $"organization:{organization.Id}";
+
+        return GenerateToken(claims, audience);
+    }
+
+    public async Task<string> CreateUserTokenAsync(User user, SubscriptionInfo subscriptionInfo)
+    {
+        if (!_featureService.IsEnabled(FeatureFlagKeys.SelfHostLicenseRefactor))
+        {
+            return null;
+        }
+
+        var licenseContext = new LicenseContext { SubscriptionInfo = subscriptionInfo };
+        var claims = await _userLicenseClaimsFactory.GenerateClaims(user, licenseContext);
+        var audience = $"user:{user.Id}";
+
+        return GenerateToken(claims, audience);
+    }
+
+    private string GenerateToken(List<Claim> claims, string audience)
+    {
+        if (claims.All(claim => claim.Type != JwtClaimTypes.JwtId))
+        {
+            claims.Add(new Claim(JwtClaimTypes.JwtId, Guid.NewGuid().ToString()));
+        }
+
+        var securityKey = new RsaSecurityKey(_certificate.GetRSAPrivateKey());
+        var tokenDescriptor = new SecurityTokenDescriptor
+        {
+            Subject = new ClaimsIdentity(claims),
+            Issuer = "bitwarden",
+            Audience = audience,
+            NotBefore = DateTime.UtcNow,
+            Expires = DateTime.UtcNow.AddYears(1), // Org expiration is a claim
+            SigningCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.RsaSha256Signature)
+        };
+
+        var tokenHandler = new JwtSecurityTokenHandler();
+        var token = tokenHandler.CreateToken(tokenDescriptor);
+        return tokenHandler.WriteToken(token);
+    }
 }
diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index 2199d0a7af..fa8cd3cef8 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -908,7 +908,9 @@ public class UserService : UserManager<User>, IUserService, IDisposable
                 throw new BadRequestException("Invalid license.");
             }
 
-            if (!license.CanUse(user, out var exceptionMessage))
+            var claimsPrincipal = _licenseService.GetClaimsPrincipalFromLicense(license);
+
+            if (!license.CanUse(user, claimsPrincipal, out var exceptionMessage))
             {
                 throw new BadRequestException(exceptionMessage);
             }
@@ -987,7 +989,9 @@ public class UserService : UserManager<User>, IUserService, IDisposable
             throw new BadRequestException("Invalid license.");
         }
 
-        if (!license.CanUse(user, out var exceptionMessage))
+        var claimsPrincipal = _licenseService.GetClaimsPrincipalFromLicense(license);
+
+        if (!license.CanUse(user, claimsPrincipal, out var exceptionMessage))
         {
             throw new BadRequestException(exceptionMessage);
         }
@@ -1111,7 +1115,9 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         }
     }
 
-    public async Task<UserLicense> GenerateLicenseAsync(User user, SubscriptionInfo subscriptionInfo = null,
+    public async Task<UserLicense> GenerateLicenseAsync(
+        User user,
+        SubscriptionInfo subscriptionInfo = null,
         int? version = null)
     {
         if (user == null)
@@ -1124,8 +1130,13 @@ public class UserService : UserManager<User>, IUserService, IDisposable
             subscriptionInfo = await _paymentService.GetSubscriptionAsync(user);
         }
 
-        return subscriptionInfo == null ? new UserLicense(user, _licenseService) :
-            new UserLicense(user, subscriptionInfo, _licenseService);
+        var userLicense = subscriptionInfo == null
+            ? new UserLicense(user, _licenseService)
+            : new UserLicense(user, subscriptionInfo, _licenseService);
+
+        userLicense.Token = await _licenseService.CreateUserTokenAsync(user, subscriptionInfo);
+
+        return userLicense;
     }
 
     public override async Task<bool> CheckPasswordAsync(User user, string password)
diff --git a/src/Core/Services/NoopImplementations/NoopLicensingService.cs b/src/Core/Services/NoopImplementations/NoopLicensingService.cs
index 8eb42a318c..dc733e9a33 100644
--- a/src/Core/Services/NoopImplementations/NoopLicensingService.cs
+++ b/src/Core/Services/NoopImplementations/NoopLicensingService.cs
@@ -1,4 +1,5 @@
-using Bit.Core.AdminConsole.Entities;
+using System.Security.Claims;
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Entities;
 using Bit.Core.Models.Business;
 using Bit.Core.Settings;
@@ -53,4 +54,19 @@ public class NoopLicensingService : ILicensingService
     {
         return Task.FromResult<OrganizationLicense>(null);
     }
+
+    public ClaimsPrincipal GetClaimsPrincipalFromLicense(ILicense license)
+    {
+        return null;
+    }
+
+    public Task<string> CreateOrganizationTokenAsync(Organization organization, Guid installationId, SubscriptionInfo subscriptionInfo)
+    {
+        return Task.FromResult<string>(null);
+    }
+
+    public Task<string> CreateUserTokenAsync(User user, SubscriptionInfo subscriptionInfo)
+    {
+        return Task.FromResult<string>(null);
+    }
 }
diff --git a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
index ab4108bfef..7585739d82 100644
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@@ -230,7 +230,7 @@ public static class ServiceCollectionExtensions
         services.AddScoped<IPaymentHistoryService, PaymentHistoryService>();
         services.AddSingleton<IStripeSyncService, StripeSyncService>();
         services.AddSingleton<IMailService, HandlebarsMailService>();
-        services.AddSingleton<ILicensingService, LicensingService>();
+        services.AddScoped<ILicensingService, LicensingService>();
         services.AddSingleton<ILookupClient>(_ =>
         {
             var options = new LookupClientOptions { Timeout = TimeSpan.FromSeconds(15), UseTcpOnly = true };
diff --git a/test/Core.Test/Models/Business/OrganizationLicenseTests.cs b/test/Core.Test/Models/Business/OrganizationLicenseTests.cs
index c2eb0dd934..26945f533e 100644
--- a/test/Core.Test/Models/Business/OrganizationLicenseTests.cs
+++ b/test/Core.Test/Models/Business/OrganizationLicenseTests.cs
@@ -1,4 +1,5 @@
-using System.Text.Json;
+using System.Security.Claims;
+using System.Text.Json;
 using Bit.Core.Models.Business;
 using Bit.Core.Services;
 using Bit.Core.Settings;
@@ -36,7 +37,7 @@ public class OrganizationLicenseTests
     [Theory]
     [BitAutoData(OrganizationLicense.CurrentLicenseFileVersion)] // Previous version (this property is 1 behind)
     [BitAutoData(OrganizationLicense.CurrentLicenseFileVersion + 1)] // Current version
-    public void OrganizationLicense_LoadedFromDisk_VerifyData_Passes(int licenseVersion)
+    public void OrganizationLicense_LoadedFromDisk_VerifyData_Passes(int licenseVersion, ClaimsPrincipal claimsPrincipal)
     {
         var license = OrganizationLicenseFileFixtures.GetVersion(licenseVersion);
 
@@ -49,7 +50,7 @@ public class OrganizationLicenseTests
         {
             Id = new Guid(OrganizationLicenseFileFixtures.InstallationId)
         });
-        Assert.True(license.VerifyData(organization, globalSettings));
+        Assert.True(license.VerifyData(organization, claimsPrincipal, globalSettings));
     }
 
     /// <summary>
diff --git a/test/Core.Test/OrganizationFeatures/OrganizationLicenses/UpdateOrganizationLicenseCommandTests.cs b/test/Core.Test/OrganizationFeatures/OrganizationLicenses/UpdateOrganizationLicenseCommandTests.cs
index 565f2f32c4..b8e677177c 100644
--- a/test/Core.Test/OrganizationFeatures/OrganizationLicenses/UpdateOrganizationLicenseCommandTests.cs
+++ b/test/Core.Test/OrganizationFeatures/OrganizationLicenses/UpdateOrganizationLicenseCommandTests.cs
@@ -1,4 +1,5 @@
-using Bit.Core.AdminConsole.Entities;
+using System.Security.Claims;
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Business;
 using Bit.Core.Models.Data.Organizations;
@@ -48,6 +49,9 @@ public class UpdateOrganizationLicenseCommandTests
         license.InstallationId = globalSettings.Installation.Id;
         license.LicenseType = LicenseType.Organization;
         sutProvider.GetDependency<ILicensingService>().VerifyLicense(license).Returns(true);
+        sutProvider.GetDependency<ILicensingService>()
+            .GetClaimsPrincipalFromLicense(license)
+            .Returns((ClaimsPrincipal)null);
 
         // Passing values for SelfHostedOrganizationDetails.CanUseLicense
         // NSubstitute cannot override non-virtual members so we have to ensure the real method passes
@@ -79,10 +83,11 @@ public class UpdateOrganizationLicenseCommandTests
                 .Received(1)
                 .ReplaceAndUpdateCacheAsync(Arg.Is<Organization>(
                     org => AssertPropertyEqual(license, org,
-                        "Id", "MaxStorageGb", "Issued", "Refresh", "Version", "Trial", "LicenseType",
-                        "Hash", "Signature", "SignatureBytes", "InstallationId", "Expires", "ExpirationWithoutGracePeriod") &&
-                         // Same property but different name, use explicit mapping
-                         org.ExpirationDate == license.Expires));
+                               "Id", "MaxStorageGb", "Issued", "Refresh", "Version", "Trial", "LicenseType",
+                               "Hash", "Signature", "SignatureBytes", "InstallationId", "Expires",
+                               "ExpirationWithoutGracePeriod", "Token") &&
+                           // Same property but different name, use explicit mapping
+                           org.ExpirationDate == license.Expires));
         }
         finally
         {
diff --git a/test/Core.Test/Services/UserServiceTests.cs b/test/Core.Test/Services/UserServiceTests.cs
index aa2c0a5cc9..71cceb86ad 100644
--- a/test/Core.Test/Services/UserServiceTests.cs
+++ b/test/Core.Test/Services/UserServiceTests.cs
@@ -1,4 +1,5 @@
-using System.Text.Json;
+using System.Security.Claims;
+using System.Text.Json;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
@@ -62,6 +63,9 @@ public class UserServiceTests
         sutProvider.GetDependency<ILicensingService>()
             .VerifyLicense(userLicense)
             .Returns(true);
+        sutProvider.GetDependency<ILicensingService>()
+            .GetClaimsPrincipalFromLicense(userLicense)
+            .Returns((ClaimsPrincipal)null);
 
         await sutProvider.Sut.UpdateLicenseAsync(user, userLicense);
 

From 04f9d7dd8e952d0820cbf3a0784b398fd36562f7 Mon Sep 17 00:00:00 2001
From: Robyn MacCallum <robyntmaccallum@gmail.com>
Date: Thu, 5 Dec 2024 09:40:55 -0500
Subject: [PATCH 027/384] Remove SM team from CODEOWNERS (#5117)

---
 .github/CODEOWNERS | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 47d3525def..1d142016f2 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -38,7 +38,6 @@ src/Identity @bitwarden/team-auth-dev
 # Key Management team
 **/KeyManagement @bitwarden/team-key-management-dev
 
-**/SecretsManager @bitwarden/team-secrets-manager-dev
 **/Tools @bitwarden/team-tools-dev
 
 # Vault team

From f471fffe42a2a5c73448c720f36255354091a1ea Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Thu, 5 Dec 2024 08:59:35 -0600
Subject: [PATCH 028/384] [PM-10317] Email Users For Org Claiming Domain
 (#5094)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Revoking users when enabling single org and 2fa policies. Fixing tests.

* Added migration.

* Wrote tests and fixed bugs found.

* Patch build process

* Fixing tests.

* Added unit test around disabling the feature flag.

* Updated error message to be public and added test for validating the request.

* formatting

* Added some tests for single org policy validator.

* Fix issues from merge.

* Added sending emails to revoked non-compliant users.

* Fixing name. Adding two factor policy email.

* Send email when user has been revoked.

* Correcting migration name.

* Fixing templates and logic issue in Revoke command.

* Moving interface into its own file.

* Correcting namespaces for email templates.

* correcting logic that would not allow normal users to revoke non owners.

* Actually correcting the test and logic.

* dotnet format. Added exec to bottom of bulk sproc

* Update src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeNonCompliantOrganizationUserCommand.cs

Co-authored-by: Rui Tomé <108268980+r-tome@users.noreply.github.com>

* Updated OrgIds to be a json string

* Fixing errors.

* Updating test

* Moving command result.

* Formatting and request rename

* Realized this would throw a null error from the system domain verification. Adding unknown type to event system user. Adding optional parameter to SaveAsync in policy service in order to pass in event system user.

* Code review changes

* Removing todos

* Corrected test name.

* Syncing filename to record name.

* Fixing up the tests.

* Added happy path test

* Naming corrections. And corrected EF query.

* added check against event service

* Code review changes.

* Fixing tests.

* splitting up tests

* Added templates and email side effect for claiming a domain.

* bringing changes from nc user changes.

* Switched to enqueue mail message.

* Filled in DomainClaimedByOrganization.html.hbs

* Added text document for domain claiming

* Fixing migration script.

* Remove old sproc

* Limiting sending of the email down to users who are a part of the domain being claimed.

* Added test for change

* Renames and fixed up email.

* Fixing up CSS

---------

Co-authored-by: Matt Bishop <mbishop@bitwarden.com>
Co-authored-by: Rui Tomé <108268980+r-tome@users.noreply.github.com>
Co-authored-by: Rui Tome <rtome@bitwarden.com>
---
 .../VerifyOrganizationDomainCommand.cs        | 36 ++++++++++---
 .../DomainClaimedByOrganization.html.hbs      | 24 +++++++++
 .../DomainClaimedByOrganization.text.hbs      |  8 +++
 .../ManagedUserDomainClaimedEmails.cs         |  5 ++
 .../ClaimedDomainUserNotificationViewModel.cs |  6 +++
 src/Core/Services/IMailService.cs             |  2 +
 .../Implementations/HandlebarsMailService.cs  | 17 ++++++
 .../NoopImplementations/NoopMailService.cs    |  2 +
 .../VerifyOrganizationDomainCommandTests.cs   | 54 ++++++++++++++++++-
 9 files changed, 145 insertions(+), 9 deletions(-)
 create mode 100644 src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.html.hbs
 create mode 100644 src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.text.hbs
 create mode 100644 src/Core/Models/Data/Organizations/ManagedUserDomainClaimedEmails.cs
 create mode 100644 src/Core/Models/Mail/ClaimedDomainUserNotificationViewModel.cs

diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs
index 375c6326ef..e011819f0f 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs
@@ -7,6 +7,7 @@ using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
@@ -22,11 +23,12 @@ public class VerifyOrganizationDomainCommand(
     IFeatureService featureService,
     ICurrentContext currentContext,
     ISavePolicyCommand savePolicyCommand,
+    IMailService mailService,
+    IOrganizationUserRepository organizationUserRepository,
+    IOrganizationRepository organizationRepository,
     ILogger<VerifyOrganizationDomainCommand> logger)
     : IVerifyOrganizationDomainCommand
 {
-
-
     public async Task<OrganizationDomain> UserVerifyOrganizationDomainAsync(OrganizationDomain organizationDomain)
     {
         if (currentContext.UserId is null)
@@ -109,7 +111,7 @@ public class VerifyOrganizationDomainCommand(
             {
                 domain.SetVerifiedDate();
 
-                await EnableSingleOrganizationPolicyAsync(domain.OrganizationId, actingUser);
+                await DomainVerificationSideEffectsAsync(domain, actingUser);
             }
         }
         catch (Exception e)
@@ -121,19 +123,37 @@ public class VerifyOrganizationDomainCommand(
         return domain;
     }
 
-    private async Task EnableSingleOrganizationPolicyAsync(Guid organizationId, IActingUser actingUser)
+    private async Task DomainVerificationSideEffectsAsync(OrganizationDomain domain, IActingUser actingUser)
     {
         if (featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning))
         {
-            var policyUpdate = new PolicyUpdate
+            await EnableSingleOrganizationPolicyAsync(domain.OrganizationId, actingUser);
+            await SendVerifiedDomainUserEmailAsync(domain);
+        }
+    }
+
+    private async Task EnableSingleOrganizationPolicyAsync(Guid organizationId, IActingUser actingUser) =>
+        await savePolicyCommand.SaveAsync(
+            new PolicyUpdate
             {
                 OrganizationId = organizationId,
                 Type = PolicyType.SingleOrg,
                 Enabled = true,
                 PerformedBy = actingUser
-            };
+            });
 
-            await savePolicyCommand.SaveAsync(policyUpdate);
-        }
+    private async Task SendVerifiedDomainUserEmailAsync(OrganizationDomain domain)
+    {
+        var orgUserUsers = await organizationUserRepository.GetManyDetailsByOrganizationAsync(domain.OrganizationId);
+
+        var domainUserEmails = orgUserUsers
+            .Where(ou => ou.Email.ToLower().EndsWith($"@{domain.DomainName.ToLower()}") &&
+                         ou.Status != OrganizationUserStatusType.Revoked &&
+                         ou.Status != OrganizationUserStatusType.Invited)
+            .Select(ou => ou.Email);
+
+        var organization = await organizationRepository.GetByIdAsync(domain.OrganizationId);
+
+        await mailService.SendClaimedDomainUserEmailAsync(new ManagedUserDomainClaimedEmails(domainUserEmails, organization));
     }
 }
diff --git a/src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.html.hbs b/src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.html.hbs
new file mode 100644
index 0000000000..05ca170a50
--- /dev/null
+++ b/src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.html.hbs
@@ -0,0 +1,24 @@
+{{#>TitleContactUsHtmlLayout}}
+    <table width="100%" border="0" cellpadding="0" cellspacing="0" style="display: table; width:100%; padding: 30px; text-align: left;" align="center">
+        <tr>
+            <td display="display: table-cell">
+                As a member of {{OrganizationName}}, your Bitwarden account is claimed and owned by your organization.
+            </td>
+        </tr>
+        <tr>
+            <td style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 400; font-size: 16px; line-height: 24px; margin-top: 30px; margin-bottom: 25px; margin-left: 35px; margin-right: 35px;">
+                <b>Here's what that means:</b>
+                <ul>
+                    <li>This account should only be used to store items related to {{OrganizationName}}</li>
+                    <li>Admins managing your Bitwarden organization manage your email address and other account settings</li>
+                    <li>Admins can also revoke or delete your account at any time</li>
+                </ul>
+            </td>
+        </tr>
+        <tr>
+            <td style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 400; font-size: 16px; line-height: 24px; margin-top: 30px; margin-bottom: 25px; margin-left: 35px; margin-right: 35px;">
+                For more information, please refer to the following help article: <a href="https://bitwarden.com/help/claimed-accounts">Claimed Accounts</a>
+            </td>
+        </tr>
+    </table>
+{{/TitleContactUsHtmlLayout}}
diff --git a/src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.text.hbs b/src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.text.hbs
new file mode 100644
index 0000000000..c0078d389d
--- /dev/null
+++ b/src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.text.hbs
@@ -0,0 +1,8 @@
+As a member of {{OrganizationName}}, your Bitwarden account is claimed and owned by your organization.
+
+Here's what that means:
+- This account should only be used to store items related to {{OrganizationName}}
+- Your admins managing your Bitwarden organization manages your email address and other account settings
+- Your admins can also revoke or delete your account at any time
+
+For more information, please refer to the following help article: Claimed Accounts (https://bitwarden.com/help/claimed-accounts)
diff --git a/src/Core/Models/Data/Organizations/ManagedUserDomainClaimedEmails.cs b/src/Core/Models/Data/Organizations/ManagedUserDomainClaimedEmails.cs
new file mode 100644
index 0000000000..429257e266
--- /dev/null
+++ b/src/Core/Models/Data/Organizations/ManagedUserDomainClaimedEmails.cs
@@ -0,0 +1,5 @@
+using Bit.Core.AdminConsole.Entities;
+
+namespace Bit.Core.Models.Data.Organizations;
+
+public record ManagedUserDomainClaimedEmails(IEnumerable<string> EmailList, Organization Organization);
diff --git a/src/Core/Models/Mail/ClaimedDomainUserNotificationViewModel.cs b/src/Core/Models/Mail/ClaimedDomainUserNotificationViewModel.cs
new file mode 100644
index 0000000000..97591b51bc
--- /dev/null
+++ b/src/Core/Models/Mail/ClaimedDomainUserNotificationViewModel.cs
@@ -0,0 +1,6 @@
+namespace Bit.Core.Models.Mail;
+
+public class ClaimedDomainUserNotificationViewModel : BaseTitleContactUsMailModel
+{
+    public string OrganizationName { get; init; }
+}
diff --git a/src/Core/Services/IMailService.cs b/src/Core/Services/IMailService.cs
index bc8d1440f1..c6c9dc7948 100644
--- a/src/Core/Services/IMailService.cs
+++ b/src/Core/Services/IMailService.cs
@@ -3,6 +3,7 @@ using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Entities;
+using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Models.Mail;
 
 namespace Bit.Core.Services;
@@ -93,5 +94,6 @@ public interface IMailService
     Task SendRequestSMAccessToAdminEmailAsync(IEnumerable<string> adminEmails, string organizationName, string userRequestingAccess, string emailContent);
     Task SendFamiliesForEnterpriseRemoveSponsorshipsEmailAsync(string email, string offerAcceptanceDate, string organizationId,
         string organizationName);
+    Task SendClaimedDomainUserEmailAsync(ManagedUserDomainClaimedEmails emailList);
 }
 
diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs
index acc729e53c..c220df18a1 100644
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@@ -7,6 +7,7 @@ using Bit.Core.Auth.Models.Mail;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Models.Mail;
 using Bit.Core.Entities;
+using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Models.Mail;
 using Bit.Core.Models.Mail.FamiliesForEnterprise;
 using Bit.Core.Models.Mail.Provider;
@@ -460,6 +461,22 @@ public class HandlebarsMailService : IMailService
         await _mailDeliveryService.SendEmailAsync(message);
     }
 
+    public async Task SendClaimedDomainUserEmailAsync(ManagedUserDomainClaimedEmails emailList)
+    {
+        await EnqueueMailAsync(emailList.EmailList.Select(email =>
+            CreateMessage(email, emailList.Organization)));
+        return;
+
+        MailQueueMessage CreateMessage(string emailAddress, Organization org) =>
+            new(CreateDefaultMessage($"Your Bitwarden account is claimed by {org.DisplayName()}", emailAddress),
+                "AdminConsole.DomainClaimedByOrganization",
+                new ClaimedDomainUserNotificationViewModel
+                {
+                    TitleFirst = $"Hey {emailAddress}, here is a heads up on your claimed account:",
+                    OrganizationName = CoreHelpers.SanitizeForEmail(org.DisplayName(), false)
+                });
+    }
+
     public async Task SendNewDeviceLoggedInEmail(string email, string deviceType, DateTime timestamp, string ip)
     {
         var message = CreateDefaultMessage($"New Device Logged In From {deviceType}", email);
diff --git a/src/Core/Services/NoopImplementations/NoopMailService.cs b/src/Core/Services/NoopImplementations/NoopMailService.cs
index 399874eee7..e8ea8d9863 100644
--- a/src/Core/Services/NoopImplementations/NoopMailService.cs
+++ b/src/Core/Services/NoopImplementations/NoopMailService.cs
@@ -3,6 +3,7 @@ using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Entities;
+using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Models.Mail;
 
 namespace Bit.Core.Services;
@@ -309,5 +310,6 @@ public class NoopMailService : IMailService
     {
         return Task.FromResult(0);
     }
+    public Task SendClaimedDomainUserEmailAsync(ManagedUserDomainClaimedEmails emailList) => Task.CompletedTask;
 }
 
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommandTests.cs
index 700df88d54..6c6d0e35f0 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommandTests.cs
@@ -1,4 +1,5 @@
-using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
@@ -7,6 +8,8 @@ using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Test.Common.AutoFixture;
@@ -269,4 +272,53 @@ public class VerifyOrganizationDomainCommandTests
             .DidNotReceive()
             .SaveAsync(Arg.Any<PolicyUpdate>());
     }
+
+    [Theory, BitAutoData]
+    public async Task UserVerifyOrganizationDomainAsync_GivenOrganizationDomainWithAccountDeprovisioningEnabled_WhenDomainIsVerified_ThenEmailShouldBeSentToUsersWhoBelongToTheDomain(
+        ICollection<OrganizationUserUserDetails> organizationUsers,
+        OrganizationDomain domain,
+        Organization organization,
+        SutProvider<VerifyOrganizationDomainCommand> sutProvider)
+    {
+        foreach (var organizationUser in organizationUsers)
+        {
+            organizationUser.Email = $"{organizationUser.Name}@{domain.DomainName}";
+        }
+
+        var mockedUsers = organizationUsers
+            .Where(x => x.Status != OrganizationUserStatusType.Invited &&
+                        x.Status != OrganizationUserStatusType.Revoked).ToList();
+
+        organization.Id = domain.OrganizationId;
+
+        sutProvider.GetDependency<IOrganizationDomainRepository>()
+            .GetClaimedDomainsByDomainNameAsync(domain.DomainName)
+            .Returns([]);
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(domain.OrganizationId)
+            .Returns(organization);
+
+        sutProvider.GetDependency<IDnsResolverService>()
+            .ResolveAsync(domain.DomainName, domain.Txt)
+            .Returns(true);
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .UserId.Returns(Guid.NewGuid());
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
+            .Returns(true);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyDetailsByOrganizationAsync(domain.OrganizationId)
+            .Returns(mockedUsers);
+
+        _ = await sutProvider.Sut.UserVerifyOrganizationDomainAsync(domain);
+
+        await sutProvider.GetDependency<IMailService>().Received().SendClaimedDomainUserEmailAsync(
+            Arg.Is<ManagedUserDomainClaimedEmails>(x =>
+                x.EmailList.Count(e => e.EndsWith(domain.DomainName)) == mockedUsers.Count &&
+                x.Organization.Id == organization.Id));
+    }
 }

From 1f1510f4d48f68adb9c6f1babba8bef44293bfee Mon Sep 17 00:00:00 2001
From: Vijay Oommen <voommen@livefront.com>
Date: Thu, 5 Dec 2024 10:46:01 -0600
Subject: [PATCH 029/384] PM-15091 Add Feature Flag to DB called
 UseRiskInsights (#5088)

Add a new column called UseRiskInsights to `dbo.Organization`
---
 .../Controllers/OrganizationsController.cs    |    1 +
 .../Models/OrganizationEditModel.cs           |    4 +
 .../Models/OrganizationViewModel.cs           |    1 +
 .../Views/Shared/_OrganizationForm.cshtml     |   13 +-
 .../OrganizationResponseModel.cs              |    2 +
 .../ProfileOrganizationResponseModel.cs       |    2 +
 ...rofileProviderOrganizationResponseModel.cs |    1 +
 .../AdminConsole/Entities/Organization.cs     |    5 +
 .../Data/Organizations/OrganizationAbility.cs |    2 +
 .../OrganizationUserOrganizationDetails.cs    |    1 +
 .../ProviderUserOrganizationDetails.cs        |    1 +
 .../Repositories/OrganizationRepository.cs    |    3 +-
 ...izationUserOrganizationDetailsViewQuery.cs |    1 +
 ...roviderUserOrganizationDetailsViewQuery.cs |    1 +
 .../Stored Procedures/Organization_Create.sql |    9 +-
 .../Organization_ReadAbilities.sql            |    3 +-
 .../Stored Procedures/Organization_Update.sql |    6 +-
 src/Sql/dbo/Tables/Organization.sql           |    1 +
 ...rganizationUserOrganizationDetailsView.sql |    3 +-
 ...derUserProviderOrganizationDetailsView.sql |    3 +-
 .../OrganizationUserRepositoryTests.cs        |    1 +
 ...25_00_AddUseRiskInsightsToOrganization.sql |  356 ++
 ...024-11-25_01_AddUseRiskInsightsToViews.sql |  142 +
 ...5185627_AddUseRiskInsightsFlag.Designer.cs | 2943 ++++++++++++++++
 .../20241125185627_AddUseRiskInsightsFlag.cs  |   28 +
 .../DatabaseContextModelSnapshot.cs           |    3 +
 ...5185635_AddUseRiskInsightsFlag.Designer.cs | 2949 +++++++++++++++++
 .../20241125185635_AddUseRiskInsightsFlag.cs  |   28 +
 .../DatabaseContextModelSnapshot.cs           |    3 +
 ...5185632_AddUseRiskInsightsFlag.Designer.cs | 2932 ++++++++++++++++
 .../20241125185632_AddUseRiskInsightsFlag.cs  |   28 +
 .../DatabaseContextModelSnapshot.cs           |    3 +
 32 files changed, 9467 insertions(+), 12 deletions(-)
 create mode 100644 util/Migrator/DbScripts/2024-11-25_00_AddUseRiskInsightsToOrganization.sql
 create mode 100644 util/Migrator/DbScripts/2024-11-25_01_AddUseRiskInsightsToViews.sql
 create mode 100644 util/MySqlMigrations/Migrations/20241125185627_AddUseRiskInsightsFlag.Designer.cs
 create mode 100644 util/MySqlMigrations/Migrations/20241125185627_AddUseRiskInsightsFlag.cs
 create mode 100644 util/PostgresMigrations/Migrations/20241125185635_AddUseRiskInsightsFlag.Designer.cs
 create mode 100644 util/PostgresMigrations/Migrations/20241125185635_AddUseRiskInsightsFlag.cs
 create mode 100644 util/SqliteMigrations/Migrations/20241125185632_AddUseRiskInsightsFlag.Designer.cs
 create mode 100644 util/SqliteMigrations/Migrations/20241125185632_AddUseRiskInsightsFlag.cs

diff --git a/src/Admin/AdminConsole/Controllers/OrganizationsController.cs b/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
index 67a80a3754..4c4df3d15b 100644
--- a/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
+++ b/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
@@ -448,6 +448,7 @@ public class OrganizationsController : Controller
             organization.UseTotp = model.UseTotp;
             organization.UsersGetPremium = model.UsersGetPremium;
             organization.UseSecretsManager = model.UseSecretsManager;
+            organization.UseRiskInsights = model.UseRiskInsights;
 
             //secrets
             organization.SmSeats = model.SmSeats;
diff --git a/src/Admin/AdminConsole/Models/OrganizationEditModel.cs b/src/Admin/AdminConsole/Models/OrganizationEditModel.cs
index 48340df708..be191ddb8d 100644
--- a/src/Admin/AdminConsole/Models/OrganizationEditModel.cs
+++ b/src/Admin/AdminConsole/Models/OrganizationEditModel.cs
@@ -80,6 +80,7 @@ public class OrganizationEditModel : OrganizationViewModel
         Use2fa = org.Use2fa;
         UseApi = org.UseApi;
         UseSecretsManager = org.UseSecretsManager;
+        UseRiskInsights = org.UseRiskInsights;
         UseResetPassword = org.UseResetPassword;
         SelfHost = org.SelfHost;
         UsersGetPremium = org.UsersGetPremium;
@@ -144,6 +145,8 @@ public class OrganizationEditModel : OrganizationViewModel
     public bool UseScim { get; set; }
     [Display(Name = "Secrets Manager")]
     public new bool UseSecretsManager { get; set; }
+    [Display(Name = "Risk Insights")]
+    public new bool UseRiskInsights { get; set; }
     [Display(Name = "Self Host")]
     public bool SelfHost { get; set; }
     [Display(Name = "Users Get Premium")]
@@ -284,6 +287,7 @@ public class OrganizationEditModel : OrganizationViewModel
         existingOrganization.Use2fa = Use2fa;
         existingOrganization.UseApi = UseApi;
         existingOrganization.UseSecretsManager = UseSecretsManager;
+        existingOrganization.UseRiskInsights = UseRiskInsights;
         existingOrganization.UseResetPassword = UseResetPassword;
         existingOrganization.SelfHost = SelfHost;
         existingOrganization.UsersGetPremium = UsersGetPremium;
diff --git a/src/Admin/AdminConsole/Models/OrganizationViewModel.cs b/src/Admin/AdminConsole/Models/OrganizationViewModel.cs
index b58d3aa52e..69486bdcd2 100644
--- a/src/Admin/AdminConsole/Models/OrganizationViewModel.cs
+++ b/src/Admin/AdminConsole/Models/OrganizationViewModel.cs
@@ -69,4 +69,5 @@ public class OrganizationViewModel
     public int ServiceAccountsCount { get; set; }
     public int OccupiedSmSeatsCount { get; set; }
     public bool UseSecretsManager => Organization.UseSecretsManager;
+    public bool UseRiskInsights => Organization.UseRiskInsights;
 }
diff --git a/src/Admin/AdminConsole/Views/Shared/_OrganizationForm.cshtml b/src/Admin/AdminConsole/Views/Shared/_OrganizationForm.cshtml
index 5187b6690a..23d2057d07 100644
--- a/src/Admin/AdminConsole/Views/Shared/_OrganizationForm.cshtml
+++ b/src/Admin/AdminConsole/Views/Shared/_OrganizationForm.cshtml
@@ -94,7 +94,7 @@
             </div>
         </div>
         <h2>Features</h2>
-        <div class="row mb-3">
+        <div class="row mb-4">
             <div class="col-4">
                 <h3>General</h3>
                 <div class="form-check mb-2">
@@ -146,7 +146,7 @@
                     <label class="form-check-label" asp-for="UseCustomPermissions"></label>
                 </div>
             </div>
-            <div class="col-4">
+            <div class="col-3">
                 <h3>Password Manager</h3>
                 <div class="form-check">
                     <input type="checkbox" class="form-check-input" asp-for="UseTotp" disabled='@(canEditPlan ? null : "disabled")'>
@@ -157,13 +157,20 @@
                     <label class="form-check-label" asp-for="UsersGetPremium"></label>
                 </div>
             </div>
-            <div class="col-4">
+            <div class="col-3">
                 <h3>Secrets Manager</h3>
                 <div class="form-check">
                     <input type="checkbox" class="form-check-input" asp-for="UseSecretsManager" disabled='@(canEditPlan ? null : "disabled")'>
                     <label class="form-check-label" asp-for="UseSecretsManager"></label>
                 </div>
             </div>
+            <div class="col-2">
+                <h3>Access Insights</h3>
+                <div class="form-check">
+                    <input type="checkbox" class="form-check-input" asp-for="UseRiskInsights" disabled='@(canEditPlan ? null : "disabled")'>
+                    <label class="form-check-label" asp-for="UseRiskInsights"></label>
+                </div>
+            </div>
         </div>
     }
 
diff --git a/src/Api/AdminConsole/Models/Response/Organizations/OrganizationResponseModel.cs b/src/Api/AdminConsole/Models/Response/Organizations/OrganizationResponseModel.cs
index 7808b564a8..908a3a9385 100644
--- a/src/Api/AdminConsole/Models/Response/Organizations/OrganizationResponseModel.cs
+++ b/src/Api/AdminConsole/Models/Response/Organizations/OrganizationResponseModel.cs
@@ -60,6 +60,7 @@ public class OrganizationResponseModel : ResponseModel
         // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
         LimitCollectionCreationDeletion = organization.LimitCollectionCreationDeletion;
         AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
+        UseRiskInsights = organization.UseRiskInsights;
     }
 
     public Guid Id { get; set; }
@@ -106,6 +107,7 @@ public class OrganizationResponseModel : ResponseModel
     // Deperectated: https://bitwarden.atlassian.net/browse/PM-10863
     public bool LimitCollectionCreationDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
+    public bool UseRiskInsights { get; set; }
 }
 
 public class OrganizationSubscriptionResponseModel : OrganizationResponseModel
diff --git a/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs b/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs
index 1fcaba5f93..96b86de164 100644
--- a/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs
+++ b/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs
@@ -71,6 +71,7 @@ public class ProfileOrganizationResponseModel : ResponseModel
         LimitCollectionCreationDeletion = organization.LimitCollectionCreationDeletion;
         AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
         UserIsManagedByOrganization = organizationIdsManagingUser.Contains(organization.OrganizationId);
+        UseRiskInsights = organization.UseRiskInsights;
 
         if (organization.SsoConfig != null)
         {
@@ -143,4 +144,5 @@ public class ProfileOrganizationResponseModel : ResponseModel
     /// False if the Account Deprovisioning feature flag is disabled.
     /// </returns>
     public bool UserIsManagedByOrganization { get; set; }
+    public bool UseRiskInsights { get; set; }
 }
diff --git a/src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs b/src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs
index 92498834db..4ec86a29a4 100644
--- a/src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs
+++ b/src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs
@@ -49,5 +49,6 @@ public class ProfileProviderOrganizationResponseModel : ProfileOrganizationRespo
         // https://bitwarden.atlassian.net/browse/PM-10863
         LimitCollectionCreationDeletion = organization.LimitCollectionCreationDeletion;
         AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
+        UseRiskInsights = organization.UseRiskInsights;
     }
 }
diff --git a/src/Core/AdminConsole/Entities/Organization.cs b/src/Core/AdminConsole/Entities/Organization.cs
index c556dfe601..720a77d6a4 100644
--- a/src/Core/AdminConsole/Entities/Organization.cs
+++ b/src/Core/AdminConsole/Entities/Organization.cs
@@ -115,6 +115,11 @@ public class Organization : ITableObject<Guid>, IStorableSubscriber, IRevisable,
     /// </summary>
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
 
+    /// <summary>
+    /// Risk Insights is a reporting feature that provides insights into the security of an organization's vault.
+    /// </summary>
+    public bool UseRiskInsights { get; set; }
+
     public void SetNewId()
     {
         if (Id == default(Guid))
diff --git a/src/Core/AdminConsole/Models/Data/Organizations/OrganizationAbility.cs b/src/Core/AdminConsole/Models/Data/Organizations/OrganizationAbility.cs
index a91b960839..0da0928dbe 100644
--- a/src/Core/AdminConsole/Models/Data/Organizations/OrganizationAbility.cs
+++ b/src/Core/AdminConsole/Models/Data/Organizations/OrganizationAbility.cs
@@ -26,6 +26,7 @@ public class OrganizationAbility
         // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
         LimitCollectionCreationDeletion = organization.LimitCollectionCreationDeletion;
         AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
+        UseRiskInsights = organization.UseRiskInsights;
     }
 
     public Guid Id { get; set; }
@@ -45,4 +46,5 @@ public class OrganizationAbility
     // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
     public bool LimitCollectionCreationDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
+    public bool UseRiskInsights { get; set; }
 }
diff --git a/src/Core/AdminConsole/Models/Data/Organizations/OrganizationUsers/OrganizationUserOrganizationDetails.cs b/src/Core/AdminConsole/Models/Data/Organizations/OrganizationUsers/OrganizationUserOrganizationDetails.cs
index 435369e77a..7b9ea971d3 100644
--- a/src/Core/AdminConsole/Models/Data/Organizations/OrganizationUsers/OrganizationUserOrganizationDetails.cs
+++ b/src/Core/AdminConsole/Models/Data/Organizations/OrganizationUsers/OrganizationUserOrganizationDetails.cs
@@ -59,4 +59,5 @@ public class OrganizationUserOrganizationDetails
     // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
     public bool LimitCollectionCreationDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
+    public bool UseRiskInsights { get; set; }
 }
diff --git a/src/Core/AdminConsole/Models/Data/Provider/ProviderUserOrganizationDetails.cs b/src/Core/AdminConsole/Models/Data/Provider/ProviderUserOrganizationDetails.cs
index a2ac622539..c2880b543f 100644
--- a/src/Core/AdminConsole/Models/Data/Provider/ProviderUserOrganizationDetails.cs
+++ b/src/Core/AdminConsole/Models/Data/Provider/ProviderUserOrganizationDetails.cs
@@ -44,4 +44,5 @@ public class ProviderUserOrganizationDetails
     public bool LimitCollectionDeletion { get; set; }
     public bool LimitCollectionCreationDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
+    public bool UseRiskInsights { get; set; }
 }
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
index b3ee254889..7a667db8f5 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
@@ -103,7 +103,8 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
                 LimitCollectionDeletion = e.LimitCollectionDeletion,
                 // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
                 LimitCollectionCreationDeletion = e.LimitCollectionCreationDeletion,
-                AllowAdminAccessToAllCollectionItems = e.AllowAdminAccessToAllCollectionItems
+                AllowAdminAccessToAllCollectionItems = e.AllowAdminAccessToAllCollectionItems,
+                UseRiskInsights = e.UseRiskInsights,
             }).ToListAsync();
         }
     }
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationUserOrganizationDetailsViewQuery.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationUserOrganizationDetailsViewQuery.cs
index ba278fc915..7e71557dcb 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationUserOrganizationDetailsViewQuery.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationUserOrganizationDetailsViewQuery.cs
@@ -71,6 +71,7 @@ public class OrganizationUserOrganizationDetailsViewQuery : IQuery<OrganizationU
                         // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
                         LimitCollectionCreationDeletion = o.LimitCollectionCreationDeletion,
                         AllowAdminAccessToAllCollectionItems = o.AllowAdminAccessToAllCollectionItems,
+                        UseRiskInsights = o.UseRiskInsights,
                     };
         return query;
     }
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/ProviderUserOrganizationDetailsViewQuery.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/ProviderUserOrganizationDetailsViewQuery.cs
index 1a9f8e347d..2697f06fb5 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/ProviderUserOrganizationDetailsViewQuery.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/ProviderUserOrganizationDetailsViewQuery.cs
@@ -49,6 +49,7 @@ public class ProviderUserOrganizationDetailsViewQuery : IQuery<ProviderUserOrgan
             // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
             LimitCollectionCreationDeletion = x.o.LimitCollectionCreationDeletion,
             AllowAdminAccessToAllCollectionItems = x.o.AllowAdminAccessToAllCollectionItems,
+            UseRiskInsights = x.o.UseRiskInsights,
         });
     }
 }
diff --git a/src/Sql/dbo/Stored Procedures/Organization_Create.sql b/src/Sql/dbo/Stored Procedures/Organization_Create.sql
index 9084f0dffc..d33269063f 100644
--- a/src/Sql/dbo/Stored Procedures/Organization_Create.sql	
+++ b/src/Sql/dbo/Stored Procedures/Organization_Create.sql	
@@ -54,7 +54,8 @@ CREATE PROCEDURE [dbo].[Organization_Create]
     @LimitCollectionCreationDeletion BIT = NULL, -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863
     @LimitCollectionCreation BIT = NULL,
     @LimitCollectionDeletion BIT = NULL,
-    @AllowAdminAccessToAllCollectionItems BIT = 0
+    @AllowAdminAccessToAllCollectionItems BIT = 0,
+    @UseRiskInsights BIT = 0
 AS
 BEGIN
     SET NOCOUNT ON
@@ -119,7 +120,8 @@ BEGIN
         [LimitCollectionCreationDeletion], -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863
         [LimitCollectionCreation],
         [LimitCollectionDeletion],
-        [AllowAdminAccessToAllCollectionItems]
+        [AllowAdminAccessToAllCollectionItems],
+        [UseRiskInsights]
     )
     VALUES
     (
@@ -178,6 +180,7 @@ BEGIN
         COALESCE(@LimitCollectionCreation, @LimitCollectionDeletion, 0), -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863)
         @LimitCollectionCreation,
         @LimitCollectionDeletion,
-        @AllowAdminAccessToAllCollectionItems
+        @AllowAdminAccessToAllCollectionItems,
+        @UseRiskInsights
     )
 END
diff --git a/src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql b/src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql
index fc85dad248..056bc1416c 100644
--- a/src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql	
+++ b/src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql	
@@ -24,7 +24,8 @@ BEGIN
         [LimitCollectionCreationDeletion], -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863
         [LimitCollectionCreation],
         [LimitCollectionDeletion],
-        [AllowAdminAccessToAllCollectionItems]
+        [AllowAdminAccessToAllCollectionItems],
+        [UseRiskInsights]
     FROM
         [dbo].[Organization]
 END
diff --git a/src/Sql/dbo/Stored Procedures/Organization_Update.sql b/src/Sql/dbo/Stored Procedures/Organization_Update.sql
index 630f48d2ae..1bbcb7ebc8 100644
--- a/src/Sql/dbo/Stored Procedures/Organization_Update.sql	
+++ b/src/Sql/dbo/Stored Procedures/Organization_Update.sql	
@@ -54,7 +54,8 @@ CREATE PROCEDURE [dbo].[Organization_Update]
     @LimitCollectionCreationDeletion BIT = null, -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863
     @LimitCollectionCreation BIT = null,
     @LimitCollectionDeletion BIT = null,
-    @AllowAdminAccessToAllCollectionItems BIT = 0
+    @AllowAdminAccessToAllCollectionItems BIT = 0,
+    @UseRiskInsights BIT = 0
 AS
 BEGIN
     SET NOCOUNT ON
@@ -119,7 +120,8 @@ BEGIN
         [LimitCollectionCreationDeletion] = COALESCE(@LimitCollectionCreation, @LimitCollectionDeletion, 0),
         [LimitCollectionCreation] = @LimitCollectionCreation,
         [LimitCollectionDeletion] = @LimitCollectionDeletion,
-        [AllowAdminAccessToAllCollectionItems] = @AllowAdminAccessToAllCollectionItems
+        [AllowAdminAccessToAllCollectionItems] = @AllowAdminAccessToAllCollectionItems,
+        [UseRiskInsights] = @UseRiskInsights
     WHERE
         [Id] = @Id
 END
diff --git a/src/Sql/dbo/Tables/Organization.sql b/src/Sql/dbo/Tables/Organization.sql
index 1f181e5ee6..279b78bfc1 100644
--- a/src/Sql/dbo/Tables/Organization.sql
+++ b/src/Sql/dbo/Tables/Organization.sql
@@ -55,6 +55,7 @@ CREATE TABLE [dbo].[Organization] (
     [LimitCollectionCreation]       BIT              NOT NULL CONSTRAINT [DF_Organization_LimitCollectionCreation] DEFAULT (0),
     [LimitCollectionDeletion]       BIT              NOT NULL CONSTRAINT [DF_Organization_LimitCollectionDeletion] DEFAULT (0),
     [AllowAdminAccessToAllCollectionItems]   BIT              NOT NULL CONSTRAINT [DF_Organization_AllowAdminAccessToAllCollectionItems] DEFAULT (0),
+    [UseRiskInsights]               BIT              NOT NULL CONSTRAINT [DF_Organization_UseRiskInsights] DEFAULT (0),
     CONSTRAINT [PK_Organization] PRIMARY KEY CLUSTERED ([Id] ASC)
 );
 
diff --git a/src/Sql/dbo/Views/OrganizationUserOrganizationDetailsView.sql b/src/Sql/dbo/Views/OrganizationUserOrganizationDetailsView.sql
index cbc54aeeb4..c4f79e0c69 100644
--- a/src/Sql/dbo/Views/OrganizationUserOrganizationDetailsView.sql
+++ b/src/Sql/dbo/Views/OrganizationUserOrganizationDetailsView.sql
@@ -49,7 +49,8 @@ SELECT
     O.[LimitCollectionCreationDeletion], -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863
     O.[LimitCollectionCreation],
     O.[LimitCollectionDeletion],
-    O.[AllowAdminAccessToAllCollectionItems]
+    O.[AllowAdminAccessToAllCollectionItems],
+    O.[UseRiskInsights]
 FROM
     [dbo].[OrganizationUser] OU
 LEFT JOIN
diff --git a/src/Sql/dbo/Views/ProviderUserProviderOrganizationDetailsView.sql b/src/Sql/dbo/Views/ProviderUserProviderOrganizationDetailsView.sql
index e90d4ad6f2..a6c96299c2 100644
--- a/src/Sql/dbo/Views/ProviderUserProviderOrganizationDetailsView.sql
+++ b/src/Sql/dbo/Views/ProviderUserProviderOrganizationDetailsView.sql
@@ -35,7 +35,8 @@ SELECT
     O.[LimitCollectionCreationDeletion], -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863
     O.[LimitCollectionCreation],
     O.[LimitCollectionDeletion],
-    O.[AllowAdminAccessToAllCollectionItems]
+    O.[AllowAdminAccessToAllCollectionItems],
+    O.[UseRiskInsights]
 FROM
     [dbo].[ProviderUser] PU
 INNER JOIN
diff --git a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs
index dba511074e..4732d8a474 100644
--- a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs
@@ -258,6 +258,7 @@ public class OrganizationUserRepositoryTests
         // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
         Assert.Equal(organization.LimitCollectionCreationDeletion, result.LimitCollectionCreationDeletion);
         Assert.Equal(organization.AllowAdminAccessToAllCollectionItems, result.AllowAdminAccessToAllCollectionItems);
+        Assert.Equal(organization.UseRiskInsights, result.UseRiskInsights);
     }
 
     [DatabaseTheory, DatabaseData]
diff --git a/util/Migrator/DbScripts/2024-11-25_00_AddUseRiskInsightsToOrganization.sql b/util/Migrator/DbScripts/2024-11-25_00_AddUseRiskInsightsToOrganization.sql
new file mode 100644
index 0000000000..3a69e9a77f
--- /dev/null
+++ b/util/Migrator/DbScripts/2024-11-25_00_AddUseRiskInsightsToOrganization.sql
@@ -0,0 +1,356 @@
+    /* Introduce new column 'UseRiskInsights' not nullable with default of 0  */
+    ALTER TABLE [dbo].[Organization] ADD [UseRiskInsights] bit NOT NULL CONSTRAINT [DF_Organization_UseRiskInsights] default (0)
+    GO
+
+    /* Add UseRiskInsights as a column to Organization_create */
+    CREATE OR ALTER PROCEDURE [dbo].[Organization_Create]
+        @Id UNIQUEIDENTIFIER OUTPUT,
+        @Identifier NVARCHAR(50),
+        @Name NVARCHAR(50),
+        @BusinessName NVARCHAR(50),
+        @BusinessAddress1 NVARCHAR(50),
+        @BusinessAddress2 NVARCHAR(50),
+        @BusinessAddress3 NVARCHAR(50),
+        @BusinessCountry VARCHAR(2),
+        @BusinessTaxNumber NVARCHAR(30),
+        @BillingEmail NVARCHAR(256),
+        @Plan NVARCHAR(50),
+        @PlanType TINYINT,
+        @Seats INT,
+        @MaxCollections SMALLINT,
+        @UsePolicies BIT,
+        @UseSso BIT,
+        @UseGroups BIT,
+        @UseDirectory BIT,
+        @UseEvents BIT,
+        @UseTotp BIT,
+        @Use2fa BIT,
+        @UseApi BIT,
+        @UseResetPassword BIT,
+        @SelfHost BIT,
+        @UsersGetPremium BIT,
+        @Storage BIGINT,
+        @MaxStorageGb SMALLINT,
+        @Gateway TINYINT,
+        @GatewayCustomerId VARCHAR(50),
+        @GatewaySubscriptionId VARCHAR(50),
+        @ReferenceData VARCHAR(MAX),
+        @Enabled BIT,
+        @LicenseKey VARCHAR(100),
+        @PublicKey VARCHAR(MAX),
+        @PrivateKey VARCHAR(MAX),
+        @TwoFactorProviders NVARCHAR(MAX),
+        @ExpirationDate DATETIME2(7),
+        @CreationDate DATETIME2(7),
+        @RevisionDate DATETIME2(7),
+        @OwnersNotifiedOfAutoscaling DATETIME2(7),
+        @MaxAutoscaleSeats INT,
+        @UseKeyConnector BIT = 0,
+        @UseScim BIT = 0,
+        @UseCustomPermissions BIT = 0,
+        @UseSecretsManager BIT = 0,
+        @Status TINYINT = 0,
+        @UsePasswordManager BIT = 1,
+        @SmSeats INT = null,
+        @SmServiceAccounts INT = null,
+        @MaxAutoscaleSmSeats INT= null,
+        @MaxAutoscaleSmServiceAccounts INT = null,
+        @SecretsManagerBeta BIT = 0,
+        @LimitCollectionCreationDeletion BIT = NULL, -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863
+        @LimitCollectionCreation BIT = NULL,
+        @LimitCollectionDeletion BIT = NULL,
+        @AllowAdminAccessToAllCollectionItems BIT = 0,
+        @UseRiskInsights BIT = 0
+    AS
+    BEGIN
+        SET NOCOUNT ON
+
+        SET @LimitCollectionCreation = COALESCE(@LimitCollectionCreation, @LimitCollectionCreationDeletion, 0);
+        SET @LimitCollectionDeletion = COALESCE(@LimitCollectionDeletion, @LimitCollectionCreationDeletion, 0);
+
+        INSERT INTO [dbo].[Organization]
+        (
+            [Id],
+            [Identifier],
+            [Name],
+            [BusinessName],
+            [BusinessAddress1],
+            [BusinessAddress2],
+            [BusinessAddress3],
+            [BusinessCountry],
+            [BusinessTaxNumber],
+            [BillingEmail],
+            [Plan],
+            [PlanType],
+            [Seats],
+            [MaxCollections],
+            [UsePolicies],
+            [UseSso],
+            [UseGroups],
+            [UseDirectory],
+            [UseEvents],
+            [UseTotp],
+            [Use2fa],
+            [UseApi],
+            [UseResetPassword],
+            [SelfHost],
+            [UsersGetPremium],
+            [Storage],
+            [MaxStorageGb],
+            [Gateway],
+            [GatewayCustomerId],
+            [GatewaySubscriptionId],
+            [ReferenceData],
+            [Enabled],
+            [LicenseKey],
+            [PublicKey],
+            [PrivateKey],
+            [TwoFactorProviders],
+            [ExpirationDate],
+            [CreationDate],
+            [RevisionDate],
+            [OwnersNotifiedOfAutoscaling],
+            [MaxAutoscaleSeats],
+            [UseKeyConnector],
+            [UseScim],
+            [UseCustomPermissions],
+            [UseSecretsManager],
+            [Status],
+            [UsePasswordManager],
+            [SmSeats],
+            [SmServiceAccounts],
+            [MaxAutoscaleSmSeats],
+            [MaxAutoscaleSmServiceAccounts],
+            [SecretsManagerBeta],
+            [LimitCollectionCreationDeletion], -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863
+            [LimitCollectionCreation],
+            [LimitCollectionDeletion],
+            [AllowAdminAccessToAllCollectionItems],
+            [UseRiskInsights]
+        )
+        VALUES
+        (
+            @Id,
+            @Identifier,
+            @Name,
+            @BusinessName,
+            @BusinessAddress1,
+            @BusinessAddress2,
+            @BusinessAddress3,
+            @BusinessCountry,
+            @BusinessTaxNumber,
+            @BillingEmail,
+            @Plan,
+            @PlanType,
+            @Seats,
+            @MaxCollections,
+            @UsePolicies,
+            @UseSso,
+            @UseGroups,
+            @UseDirectory,
+            @UseEvents,
+            @UseTotp,
+            @Use2fa,
+            @UseApi,
+            @UseResetPassword,
+            @SelfHost,
+            @UsersGetPremium,
+            @Storage,
+            @MaxStorageGb,
+            @Gateway,
+            @GatewayCustomerId,
+            @GatewaySubscriptionId,
+            @ReferenceData,
+            @Enabled,
+            @LicenseKey,
+            @PublicKey,
+            @PrivateKey,
+            @TwoFactorProviders,
+            @ExpirationDate,
+            @CreationDate,
+            @RevisionDate,
+            @OwnersNotifiedOfAutoscaling,
+            @MaxAutoscaleSeats,
+            @UseKeyConnector,
+            @UseScim,
+            @UseCustomPermissions,
+            @UseSecretsManager,
+            @Status,
+            @UsePasswordManager,
+            @SmSeats,
+            @SmServiceAccounts,
+            @MaxAutoscaleSmSeats,
+            @MaxAutoscaleSmServiceAccounts,
+            @SecretsManagerBeta,
+            COALESCE(@LimitCollectionCreation, @LimitCollectionDeletion, 0), -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863)
+            @LimitCollectionCreation,
+            @LimitCollectionDeletion,
+            @AllowAdminAccessToAllCollectionItems,
+            @UseRiskInsights
+        )
+    END
+    GO
+
+    /* Add UseRiskInsights to Organization_readAbilities */
+    CREATE OR ALTER PROCEDURE [dbo].[Organization_ReadAbilities]
+    AS
+    BEGIN
+        SET NOCOUNT ON
+
+        SELECT
+            [Id],
+            [UseEvents],
+            [Use2fa],
+            CASE
+            WHEN [Use2fa] = 1 AND [TwoFactorProviders] IS NOT NULL AND [TwoFactorProviders] != '{}' THEN
+                1
+            ELSE
+                0
+            END AS [Using2fa],
+            [UsersGetPremium],
+            [UseCustomPermissions],
+            [UseSso],
+            [UseKeyConnector],
+            [UseScim],
+            [UseResetPassword],
+            [UsePolicies],
+            [Enabled],
+            [LimitCollectionCreationDeletion], -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863
+            [LimitCollectionCreation],
+            [LimitCollectionDeletion],
+            [AllowAdminAccessToAllCollectionItems],
+            [UseRiskInsights]
+        FROM
+            [dbo].[Organization]
+    END
+    GO
+
+    /* Add UseRiskInsights to Organization_Update */
+    CREATE OR ALTER PROCEDURE [dbo].[Organization_Update]
+        @Id UNIQUEIDENTIFIER,
+        @Identifier NVARCHAR(50),
+        @Name NVARCHAR(50),
+        @BusinessName NVARCHAR(50),
+        @BusinessAddress1 NVARCHAR(50),
+        @BusinessAddress2 NVARCHAR(50),
+        @BusinessAddress3 NVARCHAR(50),
+        @BusinessCountry VARCHAR(2),
+        @BusinessTaxNumber NVARCHAR(30),
+        @BillingEmail NVARCHAR(256),
+        @Plan NVARCHAR(50),
+        @PlanType TINYINT,
+        @Seats INT,
+        @MaxCollections SMALLINT,
+        @UsePolicies BIT,
+        @UseSso BIT,
+        @UseGroups BIT,
+        @UseDirectory BIT,
+        @UseEvents BIT,
+        @UseTotp BIT,
+        @Use2fa BIT,
+        @UseApi BIT,
+        @UseResetPassword BIT,
+        @SelfHost BIT,
+        @UsersGetPremium BIT,
+        @Storage BIGINT,
+        @MaxStorageGb SMALLINT,
+        @Gateway TINYINT,
+        @GatewayCustomerId VARCHAR(50),
+        @GatewaySubscriptionId VARCHAR(50),
+        @ReferenceData VARCHAR(MAX),
+        @Enabled BIT,
+        @LicenseKey VARCHAR(100),
+        @PublicKey VARCHAR(MAX),
+        @PrivateKey VARCHAR(MAX),
+        @TwoFactorProviders NVARCHAR(MAX),
+        @ExpirationDate DATETIME2(7),
+        @CreationDate DATETIME2(7),
+        @RevisionDate DATETIME2(7),
+        @OwnersNotifiedOfAutoscaling DATETIME2(7),
+        @MaxAutoscaleSeats INT,
+        @UseKeyConnector BIT = 0,
+        @UseScim BIT = 0,
+        @UseCustomPermissions BIT = 0,
+        @UseSecretsManager BIT = 0,
+        @Status TINYINT = 0,
+        @UsePasswordManager BIT = 1,
+        @SmSeats INT = null,
+        @SmServiceAccounts INT = null,
+        @MaxAutoscaleSmSeats INT = null,
+        @MaxAutoscaleSmServiceAccounts INT = null,
+        @SecretsManagerBeta BIT = 0,
+        @LimitCollectionCreationDeletion BIT = null, -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863
+        @LimitCollectionCreation BIT = null,
+        @LimitCollectionDeletion BIT = null,
+        @AllowAdminAccessToAllCollectionItems BIT = 0,
+        @UseRiskInsights BIT = 0
+    AS
+    BEGIN
+        SET NOCOUNT ON
+
+        SET @LimitCollectionCreation = COALESCE(@LimitCollectionCreation, @LimitCollectionCreationDeletion, 0);
+        SET @LimitCollectionDeletion = COALESCE(@LimitCollectionDeletion, @LimitCollectionCreationDeletion, 0);
+
+        UPDATE
+            [dbo].[Organization]
+        SET
+            [Identifier] = @Identifier,
+            [Name] = @Name,
+            [BusinessName] = @BusinessName,
+            [BusinessAddress1] = @BusinessAddress1,
+            [BusinessAddress2] = @BusinessAddress2,
+            [BusinessAddress3] = @BusinessAddress3,
+            [BusinessCountry] = @BusinessCountry,
+            [BusinessTaxNumber] = @BusinessTaxNumber,
+            [BillingEmail] = @BillingEmail,
+            [Plan] = @Plan,
+            [PlanType] = @PlanType,
+            [Seats] = @Seats,
+            [MaxCollections] = @MaxCollections,
+            [UsePolicies] = @UsePolicies,
+            [UseSso] = @UseSso,
+            [UseGroups] = @UseGroups,
+            [UseDirectory] = @UseDirectory,
+            [UseEvents] = @UseEvents,
+            [UseTotp] = @UseTotp,
+            [Use2fa] = @Use2fa,
+            [UseApi] = @UseApi,
+            [UseResetPassword] = @UseResetPassword,
+            [SelfHost] = @SelfHost,
+            [UsersGetPremium] = @UsersGetPremium,
+            [Storage] = @Storage,
+            [MaxStorageGb] = @MaxStorageGb,
+            [Gateway] = @Gateway,
+            [GatewayCustomerId] = @GatewayCustomerId,
+            [GatewaySubscriptionId] = @GatewaySubscriptionId,
+            [ReferenceData] = @ReferenceData,
+            [Enabled] = @Enabled,
+            [LicenseKey] = @LicenseKey,
+            [PublicKey] = @PublicKey,
+            [PrivateKey] = @PrivateKey,
+            [TwoFactorProviders] = @TwoFactorProviders,
+            [ExpirationDate] = @ExpirationDate,
+            [CreationDate] = @CreationDate,
+            [RevisionDate] = @RevisionDate,
+            [OwnersNotifiedOfAutoscaling] = @OwnersNotifiedOfAutoscaling,
+            [MaxAutoscaleSeats] = @MaxAutoscaleSeats,
+            [UseKeyConnector] = @UseKeyConnector,
+            [UseScim] = @UseScim,
+            [UseCustomPermissions] = @UseCustomPermissions,
+            [UseSecretsManager] = @UseSecretsManager,
+            [Status] = @Status,
+            [UsePasswordManager] = @UsePasswordManager,
+            [SmSeats] = @SmSeats,
+            [SmServiceAccounts] = @SmServiceAccounts,
+            [MaxAutoscaleSmSeats] = @MaxAutoscaleSmSeats,
+            [MaxAutoscaleSmServiceAccounts] = @MaxAutoscaleSmServiceAccounts,
+            [SecretsManagerBeta] = @SecretsManagerBeta,
+            [LimitCollectionCreationDeletion] = COALESCE(@LimitCollectionCreation, @LimitCollectionDeletion, 0),
+            [LimitCollectionCreation] = @LimitCollectionCreation,
+            [LimitCollectionDeletion] = @LimitCollectionDeletion,
+            [AllowAdminAccessToAllCollectionItems] = @AllowAdminAccessToAllCollectionItems,
+            [UseRiskInsights] = @UseRiskInsights
+        WHERE
+            [Id] = @Id
+    END
+    GO
diff --git a/util/Migrator/DbScripts/2024-11-25_01_AddUseRiskInsightsToViews.sql b/util/Migrator/DbScripts/2024-11-25_01_AddUseRiskInsightsToViews.sql
new file mode 100644
index 0000000000..4941193498
--- /dev/null
+++ b/util/Migrator/DbScripts/2024-11-25_01_AddUseRiskInsightsToViews.sql
@@ -0,0 +1,142 @@
+    /* Alter view to include UseRiskInsights */
+    CREATE OR ALTER VIEW [dbo].[OrganizationUserOrganizationDetailsView]
+    AS
+    SELECT
+        OU.[UserId],
+        OU.[OrganizationId],
+        OU.[Id] OrganizationUserId,
+        O.[Name],
+        O.[Enabled],
+        O.[PlanType],
+        O.[UsePolicies],
+        O.[UseSso],
+        O.[UseKeyConnector],
+        O.[UseScim],
+        O.[UseGroups],
+        O.[UseDirectory],
+        O.[UseEvents],
+        O.[UseTotp],
+        O.[Use2fa],
+        O.[UseApi],
+        O.[UseResetPassword],
+        O.[SelfHost],
+        O.[UsersGetPremium],
+        O.[UseCustomPermissions],
+        O.[UseSecretsManager],
+        O.[Seats],
+        O.[MaxCollections],
+        O.[MaxStorageGb],
+        O.[Identifier],
+        OU.[Key],
+        OU.[ResetPasswordKey],
+        O.[PublicKey],
+        O.[PrivateKey],
+        OU.[Status],
+        OU.[Type],
+        SU.[ExternalId] SsoExternalId,
+        OU.[Permissions],
+        PO.[ProviderId],
+        P.[Name] ProviderName,
+        P.[Type] ProviderType,
+        SS.[Data] SsoConfig,
+        OS.[FriendlyName] FamilySponsorshipFriendlyName,
+        OS.[LastSyncDate] FamilySponsorshipLastSyncDate,
+        OS.[ToDelete] FamilySponsorshipToDelete,
+        OS.[ValidUntil] FamilySponsorshipValidUntil,
+        OU.[AccessSecretsManager],
+        O.[UsePasswordManager],
+        O.[SmSeats],
+        O.[SmServiceAccounts],
+        O.[LimitCollectionCreationDeletion], -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863
+        O.[LimitCollectionCreation],
+        O.[LimitCollectionDeletion],
+        O.[AllowAdminAccessToAllCollectionItems],
+        O.[UseRiskInsights]
+    FROM
+        [dbo].[OrganizationUser] OU
+    LEFT JOIN
+        [dbo].[Organization] O ON O.[Id] = OU.[OrganizationId]
+    LEFT JOIN
+        [dbo].[SsoUser] SU ON SU.[UserId] = OU.[UserId] AND SU.[OrganizationId] = OU.[OrganizationId]
+    LEFT JOIN
+        [dbo].[ProviderOrganization] PO ON PO.[OrganizationId] = O.[Id]
+    LEFT JOIN
+        [dbo].[Provider] P ON P.[Id] = PO.[ProviderId]
+    LEFT JOIN
+        [dbo].[SsoConfig] SS ON SS.[OrganizationId] = OU.[OrganizationId]
+    LEFT JOIN
+        [dbo].[OrganizationSponsorship] OS ON OS.[SponsoringOrganizationUserID] = OU.[Id]
+    GO
+
+    /* Alter this view to include UseRiskInsights column to the query */
+    CREATE OR ALTER VIEW [dbo].[ProviderUserProviderOrganizationDetailsView]
+    AS
+    SELECT
+        PU.[UserId],
+        PO.[OrganizationId],
+        O.[Name],
+        O.[Enabled],
+        O.[UsePolicies],
+        O.[UseSso],
+        O.[UseKeyConnector],
+        O.[UseScim],
+        O.[UseGroups],
+        O.[UseDirectory],
+        O.[UseEvents],
+        O.[UseTotp],
+        O.[Use2fa],
+        O.[UseApi],
+        O.[UseResetPassword],
+        O.[SelfHost],
+        O.[UsersGetPremium],
+        O.[UseCustomPermissions],
+        O.[Seats],
+        O.[MaxCollections],
+        O.[MaxStorageGb],
+        O.[Identifier],
+        PO.[Key],
+        O.[PublicKey],
+        O.[PrivateKey],
+        PU.[Status],
+        PU.[Type],
+        PO.[ProviderId],
+        PU.[Id] ProviderUserId,
+        P.[Name] ProviderName,
+        O.[PlanType],
+        O.[LimitCollectionCreationDeletion], -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863
+        O.[LimitCollectionCreation],
+        O.[LimitCollectionDeletion],
+        O.[AllowAdminAccessToAllCollectionItems],
+        O.[UseRiskInsights]
+    FROM
+        [dbo].[ProviderUser] PU
+    INNER JOIN
+        [dbo].[ProviderOrganization] PO ON PO.[ProviderId] = PU.[ProviderId]
+    INNER JOIN
+        [dbo].[Organization] O ON O.[Id] = PO.[OrganizationId]
+    INNER JOIN
+        [dbo].[Provider] P ON P.[Id] = PU.[ProviderId]
+    GO
+
+
+    --Manually refresh [dbo].[OrganizationUserOrganizationDetailsView]
+    IF OBJECT_ID('[dbo].[OrganizationUserOrganizationDetailsView]') IS NOT NULL
+        BEGIN
+            EXECUTE sp_refreshsqlmodule N'[dbo].[OrganizationUserOrganizationDetailsView]';
+        END
+    GO
+
+    --Manually refresh [dbo].[ProviderUserProviderOrganizationDetailsView]
+    IF OBJECT_ID('[dbo].[ProviderUserProviderOrganizationDetailsView]') IS NOT NULL
+        BEGIN
+            EXECUTE sp_refreshsqlmodule N'[dbo].[ProviderUserProviderOrganizationDetailsView]';
+        END
+    GO
+
+    --Manually refresh [dbo].[OrganizationView]
+    IF OBJECT_ID('[dbo].[OrganizationView]') IS NOT NULL
+        BEGIN
+            EXECUTE sp_refreshsqlmodule N'[dbo].[OrganizationView]';
+        END
+    GO
+    
\ No newline at end of file
diff --git a/util/MySqlMigrations/Migrations/20241125185627_AddUseRiskInsightsFlag.Designer.cs b/util/MySqlMigrations/Migrations/20241125185627_AddUseRiskInsightsFlag.Designer.cs
new file mode 100644
index 0000000000..7357ccf651
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20241125185627_AddUseRiskInsightsFlag.Designer.cs
@@ -0,0 +1,2943 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Metadata;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20241125185627_AddUseRiskInsightsFlag")]
+    partial class AddUseRiskInsightsFlag
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 64);
+
+            MySqlModelBuilderExtensions.AutoIncrementColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("LimitCollectionCreationDeletion")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("varchar(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("int");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("varchar(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("varchar(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("longblob");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("varchar(150)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("varchar(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("varchar(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("int");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("varchar(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Body")
+                        .HasColumnType("longtext");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("varchar(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("varchar(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/20241125185627_AddUseRiskInsightsFlag.cs b/util/MySqlMigrations/Migrations/20241125185627_AddUseRiskInsightsFlag.cs
new file mode 100644
index 0000000000..7036c9aaae
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20241125185627_AddUseRiskInsightsFlag.cs
@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddUseRiskInsightsFlag : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<bool>(
+            name: "UseRiskInsights",
+            table: "Organization",
+            type: "tinyint(1)",
+            nullable: false,
+            defaultValue: false);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "UseRiskInsights",
+            table: "Organization");
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
index 36c46f629f..5927762791 100644
--- a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -191,6 +191,9 @@ namespace Bit.MySqlMigrations.Migrations
                     b.Property<bool>("UseResetPassword")
                         .HasColumnType("tinyint(1)");
 
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("tinyint(1)");
+
                     b.Property<bool>("UseScim")
                         .HasColumnType("tinyint(1)");
 
diff --git a/util/PostgresMigrations/Migrations/20241125185635_AddUseRiskInsightsFlag.Designer.cs b/util/PostgresMigrations/Migrations/20241125185635_AddUseRiskInsightsFlag.Designer.cs
new file mode 100644
index 0000000000..895a4765d8
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20241125185635_AddUseRiskInsightsFlag.Designer.cs
@@ -0,0 +1,2949 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20241125185635_AddUseRiskInsightsFlag")]
+    partial class AddUseRiskInsightsFlag
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("Npgsql:CollationDefinition:postgresIndetermanisticCollation", "en-u-ks-primary,en-u-ks-primary,icu,False")
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("LimitCollectionCreationDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled");
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("Id", "Enabled"), new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("character varying(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("OrganizationId", "ExternalId"), new[] { "UserId" });
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("character varying(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("numeric");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("character varying(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("character varying(150)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("character varying(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("numeric");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("numeric");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("boolean");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("numeric");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("character varying(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Body")
+                        .HasColumnType("text");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("character varying(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/20241125185635_AddUseRiskInsightsFlag.cs b/util/PostgresMigrations/Migrations/20241125185635_AddUseRiskInsightsFlag.cs
new file mode 100644
index 0000000000..36d7c77e44
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20241125185635_AddUseRiskInsightsFlag.cs
@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddUseRiskInsightsFlag : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<bool>(
+            name: "UseRiskInsights",
+            table: "Organization",
+            type: "boolean",
+            nullable: false,
+            defaultValue: false);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "UseRiskInsights",
+            table: "Organization");
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
index 69c9dae160..4259d1aed8 100644
--- a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -193,6 +193,9 @@ namespace Bit.PostgresMigrations.Migrations
                     b.Property<bool>("UseResetPassword")
                         .HasColumnType("boolean");
 
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("boolean");
+
                     b.Property<bool>("UseScim")
                         .HasColumnType("boolean");
 
diff --git a/util/SqliteMigrations/Migrations/20241125185632_AddUseRiskInsightsFlag.Designer.cs b/util/SqliteMigrations/Migrations/20241125185632_AddUseRiskInsightsFlag.Designer.cs
new file mode 100644
index 0000000000..9120ba9715
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20241125185632_AddUseRiskInsightsFlag.Designer.cs
@@ -0,0 +1,2932 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20241125185632_AddUseRiskInsightsFlag")]
+    partial class AddUseRiskInsightsFlag
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder.HasAnnotation("ProductVersion", "8.0.8");
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("LimitCollectionCreationDeletion")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("BLOB");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Body")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/20241125185632_AddUseRiskInsightsFlag.cs b/util/SqliteMigrations/Migrations/20241125185632_AddUseRiskInsightsFlag.cs
new file mode 100644
index 0000000000..86ff055fc5
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20241125185632_AddUseRiskInsightsFlag.cs
@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddUseRiskInsightsFlag : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<bool>(
+            name: "UseRiskInsights",
+            table: "Organization",
+            type: "INTEGER",
+            nullable: false,
+            defaultValue: false);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "UseRiskInsights",
+            table: "Organization");
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
index 67390bcbcb..f906543254 100644
--- a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -186,6 +186,9 @@ namespace Bit.SqliteMigrations.Migrations
                     b.Property<bool>("UseResetPassword")
                         .HasColumnType("INTEGER");
 
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("INTEGER");
+
                     b.Property<bool>("UseScim")
                         .HasColumnType("INTEGER");
 

From 6a9b7ece2bbfbabbc9f33d7a440f6c892c30011d Mon Sep 17 00:00:00 2001
From: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
Date: Fri, 6 Dec 2024 08:07:04 +1000
Subject: [PATCH 030/384] [PM-11360] Remove export permission for providers
 (#5051)

- also fix managed collections export from CLI
---
 .../VaultExportAuthorizationHandler.cs        | 38 ++++++++
 .../Authorization/VaultExportOperations.cs    | 20 ++++
 .../OrganizationExportController.cs           | 54 ++++++++++-
 .../OrganizationExportResponseModel.cs        | 10 ++
 .../Utilities/ServiceCollectionExtensions.cs  |  4 +-
 .../Models/Response/CipherResponseModel.cs    |  7 ++
 src/Core/Constants.cs                         |  1 +
 .../Queries/IOrganizationCiphersQuery.cs      | 10 ++
 .../Vault/Queries/OrganizationCiphersQuery.cs |  9 ++
 .../VaultExportAuthorizationHandlerTests.cs   | 95 +++++++++++++++++++
 .../Helpers/AuthorizationHelpers.cs           | 52 ++++++++++
 .../Helpers/AuthorizationHelpersTests.cs      | 38 ++++++++
 .../Queries/OrganizationCiphersQueryTests.cs  | 92 ++++++++++++++++++
 13 files changed, 428 insertions(+), 2 deletions(-)
 create mode 100644 src/Api/Tools/Authorization/VaultExportAuthorizationHandler.cs
 create mode 100644 src/Api/Tools/Authorization/VaultExportOperations.cs
 create mode 100644 test/Api.Test/Tools/Authorization/VaultExportAuthorizationHandlerTests.cs
 create mode 100644 test/Core.Test/AdminConsole/Helpers/AuthorizationHelpers.cs
 create mode 100644 test/Core.Test/AdminConsole/Helpers/AuthorizationHelpersTests.cs
 create mode 100644 test/Core.Test/Vault/Queries/OrganizationCiphersQueryTests.cs

diff --git a/src/Api/Tools/Authorization/VaultExportAuthorizationHandler.cs b/src/Api/Tools/Authorization/VaultExportAuthorizationHandler.cs
new file mode 100644
index 0000000000..337a0dc1e5
--- /dev/null
+++ b/src/Api/Tools/Authorization/VaultExportAuthorizationHandler.cs
@@ -0,0 +1,38 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Api.Tools.Authorization;
+
+public class VaultExportAuthorizationHandler(ICurrentContext currentContext)
+    : AuthorizationHandler<VaultExportOperationRequirement, OrganizationScope>
+{
+    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
+        VaultExportOperationRequirement requirement, OrganizationScope organizationScope)
+    {
+        var org = currentContext.GetOrganization(organizationScope);
+
+        var authorized = requirement switch
+        {
+            not null when requirement == VaultExportOperations.ExportWholeVault =>
+                CanExportWholeVault(org),
+            not null when requirement == VaultExportOperations.ExportManagedCollections =>
+                CanExportManagedCollections(org),
+            _ => false
+        };
+
+        if (authorized)
+        {
+            context.Succeed(requirement);
+        }
+
+        return Task.FromResult(0);
+    }
+
+    private bool CanExportWholeVault(CurrentContextOrganization organization) => organization is
+    { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
+    { Type: OrganizationUserType.Custom, Permissions.AccessImportExport: true };
+
+    private bool CanExportManagedCollections(CurrentContextOrganization organization) => organization is not null;
+}
diff --git a/src/Api/Tools/Authorization/VaultExportOperations.cs b/src/Api/Tools/Authorization/VaultExportOperations.cs
new file mode 100644
index 0000000000..c88d2c80b1
--- /dev/null
+++ b/src/Api/Tools/Authorization/VaultExportOperations.cs
@@ -0,0 +1,20 @@
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace Bit.Api.Tools.Authorization;
+
+public class VaultExportOperationRequirement : OperationAuthorizationRequirement;
+
+public static class VaultExportOperations
+{
+    /// <summary>
+    /// Exporting the entire organization vault.
+    /// </summary>
+    public static readonly VaultExportOperationRequirement ExportWholeVault =
+        new() { Name = nameof(ExportWholeVault) };
+
+    /// <summary>
+    /// Exporting only the organization items that the user has Can Manage permissions for
+    /// </summary>
+    public static readonly VaultExportOperationRequirement ExportManagedCollections =
+        new() { Name = nameof(ExportManagedCollections) };
+}
diff --git a/src/Api/Tools/Controllers/OrganizationExportController.cs b/src/Api/Tools/Controllers/OrganizationExportController.cs
index b3c0643b28..144e1be69e 100644
--- a/src/Api/Tools/Controllers/OrganizationExportController.cs
+++ b/src/Api/Tools/Controllers/OrganizationExportController.cs
@@ -1,11 +1,17 @@
 using Bit.Api.Models.Response;
+using Bit.Api.Tools.Authorization;
 using Bit.Api.Tools.Models.Response;
 using Bit.Api.Vault.Models.Response;
+using Bit.Core;
+using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
 using Bit.Core.Context;
 using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Queries;
 using Bit.Core.Vault.Services;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
@@ -21,24 +27,41 @@ public class OrganizationExportController : Controller
     private readonly ICollectionService _collectionService;
     private readonly ICipherService _cipherService;
     private readonly GlobalSettings _globalSettings;
+    private readonly IFeatureService _featureService;
+    private readonly IAuthorizationService _authorizationService;
+    private readonly IOrganizationCiphersQuery _organizationCiphersQuery;
+    private readonly ICollectionRepository _collectionRepository;
 
     public OrganizationExportController(
         ICurrentContext currentContext,
         ICipherService cipherService,
         ICollectionService collectionService,
         IUserService userService,
-        GlobalSettings globalSettings)
+        GlobalSettings globalSettings,
+        IFeatureService featureService,
+        IAuthorizationService authorizationService,
+        IOrganizationCiphersQuery organizationCiphersQuery,
+        ICollectionRepository collectionRepository)
     {
         _currentContext = currentContext;
         _cipherService = cipherService;
         _collectionService = collectionService;
         _userService = userService;
         _globalSettings = globalSettings;
+        _featureService = featureService;
+        _authorizationService = authorizationService;
+        _organizationCiphersQuery = organizationCiphersQuery;
+        _collectionRepository = collectionRepository;
     }
 
     [HttpGet("export")]
     public async Task<IActionResult> Export(Guid organizationId)
     {
+        if (_featureService.IsEnabled(FeatureFlagKeys.PM11360RemoveProviderExportPermission))
+        {
+            return await Export_vNext(organizationId);
+        }
+
         var userId = _userService.GetProperUserId(User).Value;
 
         IEnumerable<Collection> orgCollections = await _collectionService.GetOrganizationCollectionsAsync(organizationId);
@@ -65,6 +88,35 @@ public class OrganizationExportController : Controller
         return Ok(organizationExportListResponseModel);
     }
 
+    private async Task<IActionResult> Export_vNext(Guid organizationId)
+    {
+        var canExportAll = await _authorizationService.AuthorizeAsync(User, new OrganizationScope(organizationId),
+            VaultExportOperations.ExportWholeVault);
+        if (canExportAll.Succeeded)
+        {
+            var allOrganizationCiphers = await _organizationCiphersQuery.GetAllOrganizationCiphers(organizationId);
+            var allCollections = await _collectionRepository.GetManyByOrganizationIdAsync(organizationId);
+            return Ok(new OrganizationExportResponseModel(allOrganizationCiphers, allCollections, _globalSettings));
+        }
+
+        var canExportManaged = await _authorizationService.AuthorizeAsync(User, new OrganizationScope(organizationId),
+            VaultExportOperations.ExportManagedCollections);
+        if (canExportManaged.Succeeded)
+        {
+            var userId = _userService.GetProperUserId(User)!.Value;
+
+            var allUserCollections = await _collectionRepository.GetManyByUserIdAsync(userId);
+            var managedOrgCollections = allUserCollections.Where(c => c.OrganizationId == organizationId && c.Manage).ToList();
+            var managedCiphers =
+                await _organizationCiphersQuery.GetOrganizationCiphersByCollectionIds(organizationId, managedOrgCollections.Select(c => c.Id));
+
+            return Ok(new OrganizationExportResponseModel(managedCiphers, managedOrgCollections, _globalSettings));
+        }
+
+        // Unauthorized
+        throw new NotFoundException();
+    }
+
     private ListResponseModel<CollectionResponseModel> GetOrganizationCollectionsResponse(IEnumerable<Collection> orgCollections)
     {
         var collections = orgCollections.Select(c => new CollectionResponseModel(c));
diff --git a/src/Api/Tools/Models/Response/OrganizationExportResponseModel.cs b/src/Api/Tools/Models/Response/OrganizationExportResponseModel.cs
index a4b35d8de1..5fd7e821cf 100644
--- a/src/Api/Tools/Models/Response/OrganizationExportResponseModel.cs
+++ b/src/Api/Tools/Models/Response/OrganizationExportResponseModel.cs
@@ -1,6 +1,9 @@
 using Bit.Api.Models.Response;
 using Bit.Api.Vault.Models.Response;
+using Bit.Core.Entities;
 using Bit.Core.Models.Api;
+using Bit.Core.Settings;
+using Bit.Core.Vault.Models.Data;
 
 namespace Bit.Api.Tools.Models.Response;
 
@@ -10,6 +13,13 @@ public class OrganizationExportResponseModel : ResponseModel
     {
     }
 
+    public OrganizationExportResponseModel(IEnumerable<CipherOrganizationDetailsWithCollections> ciphers,
+        IEnumerable<Collection> collections, GlobalSettings globalSettings) : this()
+    {
+        Ciphers = ciphers.Select(c => new CipherMiniDetailsResponseModel(c, globalSettings));
+        Collections = collections.Select(c => new CollectionResponseModel(c));
+    }
+
     public IEnumerable<CollectionResponseModel> Collections { get; set; }
 
     public IEnumerable<CipherMiniDetailsResponseModel> Ciphers { get; set; }
diff --git a/src/Api/Utilities/ServiceCollectionExtensions.cs b/src/Api/Utilities/ServiceCollectionExtensions.cs
index 8a58a5f236..3d206fd887 100644
--- a/src/Api/Utilities/ServiceCollectionExtensions.cs
+++ b/src/Api/Utilities/ServiceCollectionExtensions.cs
@@ -1,4 +1,5 @@
-using Bit.Api.Vault.AuthorizationHandlers.Collections;
+using Bit.Api.Tools.Authorization;
+using Bit.Api.Vault.AuthorizationHandlers.Collections;
 using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Authorization;
 using Bit.Core.IdentityServer;
 using Bit.Core.Settings;
@@ -99,5 +100,6 @@ public static class ServiceCollectionExtensions
         services.AddScoped<IAuthorizationHandler, BulkCollectionAuthorizationHandler>();
         services.AddScoped<IAuthorizationHandler, CollectionAuthorizationHandler>();
         services.AddScoped<IAuthorizationHandler, GroupAuthorizationHandler>();
+        services.AddScoped<IAuthorizationHandler, VaultExportAuthorizationHandler>();
     }
 }
diff --git a/src/Api/Vault/Models/Response/CipherResponseModel.cs b/src/Api/Vault/Models/Response/CipherResponseModel.cs
index 10b77274b5..207017227a 100644
--- a/src/Api/Vault/Models/Response/CipherResponseModel.cs
+++ b/src/Api/Vault/Models/Response/CipherResponseModel.cs
@@ -166,5 +166,12 @@ public class CipherMiniDetailsResponseModel : CipherMiniResponseModel
         CollectionIds = cipher.CollectionIds ?? new List<Guid>();
     }
 
+    public CipherMiniDetailsResponseModel(CipherOrganizationDetailsWithCollections cipher,
+        GlobalSettings globalSettings, string obj = "cipherMiniDetails")
+        : base(cipher, globalSettings, cipher.OrganizationUseTotp, obj)
+    {
+        CollectionIds = cipher.CollectionIds ?? new List<Guid>();
+    }
+
     public IEnumerable<Guid> CollectionIds { get; set; }
 }
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 14258353d6..8c1456793d 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -153,6 +153,7 @@ public static class FeatureFlagKeys
     public const string NewDeviceVerificationPermanentDismiss = "new-device-permanent-dismiss";
     public const string SecurityTasks = "security-tasks";
     public const string PM14401_ScaleMSPOnClientOrganizationUpdate = "PM-14401-scale-msp-on-client-organization-update";
+    public const string PM11360RemoveProviderExportPermission = "pm-11360-remove-provider-export-permission";
     public const string DisableFreeFamiliesSponsorship = "PM-12274-disable-free-families-sponsorship";
     public const string MacOsNativeCredentialSync = "macos-native-credential-sync";
     public const string PM9111ExtensionPersistAddEditForm = "pm-9111-extension-persist-add-edit-form";
diff --git a/src/Core/Vault/Queries/IOrganizationCiphersQuery.cs b/src/Core/Vault/Queries/IOrganizationCiphersQuery.cs
index 680743088e..1756cad3c7 100644
--- a/src/Core/Vault/Queries/IOrganizationCiphersQuery.cs
+++ b/src/Core/Vault/Queries/IOrganizationCiphersQuery.cs
@@ -27,4 +27,14 @@ public interface IOrganizationCiphersQuery
     /// </summary>
     /// <exception cref="FeatureUnavailableException"></exception>
     Task<IEnumerable<CipherOrganizationDetails>> GetUnassignedOrganizationCiphers(Guid organizationId);
+
+    /// <summary>
+    /// Returns ciphers belonging to the organization that are in the specified collections.
+    /// </summary>
+    /// <remarks>
+    /// Note that the <see cref="CipherOrganizationDetailsWithCollections.CollectionIds"/> will include all collections
+    /// the cipher belongs to even if it is not in the <paramref name="collectionIds"/> parameter.
+    /// </remarks>
+    public Task<IEnumerable<CipherOrganizationDetailsWithCollections>> GetOrganizationCiphersByCollectionIds(
+        Guid organizationId, IEnumerable<Guid> collectionIds);
 }
diff --git a/src/Core/Vault/Queries/OrganizationCiphersQuery.cs b/src/Core/Vault/Queries/OrganizationCiphersQuery.cs
index f91e3cbbbb..deed121216 100644
--- a/src/Core/Vault/Queries/OrganizationCiphersQuery.cs
+++ b/src/Core/Vault/Queries/OrganizationCiphersQuery.cs
@@ -52,4 +52,13 @@ public class OrganizationCiphersQuery : IOrganizationCiphersQuery
     {
         return await _cipherRepository.GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organizationId);
     }
+
+    /// <inheritdoc />
+    public async Task<IEnumerable<CipherOrganizationDetailsWithCollections>> GetOrganizationCiphersByCollectionIds(
+        Guid organizationId, IEnumerable<Guid> collectionIds)
+    {
+        var managedCollectionIds = collectionIds.ToHashSet();
+        var allOrganizationCiphers = await GetAllOrganizationCiphers(organizationId);
+        return allOrganizationCiphers.Where(c => c.CollectionIds.Intersect(managedCollectionIds).Any());
+    }
 }
diff --git a/test/Api.Test/Tools/Authorization/VaultExportAuthorizationHandlerTests.cs b/test/Api.Test/Tools/Authorization/VaultExportAuthorizationHandlerTests.cs
new file mode 100644
index 0000000000..6c42205b1a
--- /dev/null
+++ b/test/Api.Test/Tools/Authorization/VaultExportAuthorizationHandlerTests.cs
@@ -0,0 +1,95 @@
+using System.Security.Claims;
+using Bit.Api.Tools.Authorization;
+using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data;
+using Bit.Core.Test.AdminConsole.Helpers;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Authorization;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Api.Test.Tools.Authorization;
+
+[SutProviderCustomize]
+public class VaultExportAuthorizationHandlerTests
+{
+    public static IEnumerable<object[]> CanExportWholeVault => new List<CurrentContextOrganization>
+    {
+        new () { Type = OrganizationUserType.Owner },
+        new () { Type = OrganizationUserType.Admin },
+        new ()
+        {
+            Type = OrganizationUserType.Custom, Permissions = new Permissions { AccessImportExport = true }
+        }
+    }.Select(org => new[] { org });
+
+    [Theory]
+    [BitMemberAutoData(nameof(CanExportWholeVault))]
+    public async Task ExportAll_PermittedRoles_Success(CurrentContextOrganization org, OrganizationScope orgScope, ClaimsPrincipal user,
+        SutProvider<VaultExportAuthorizationHandler> sutProvider)
+    {
+        org.Id = orgScope;
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(orgScope).Returns(org);
+
+        var authContext = new AuthorizationHandlerContext(new[] { VaultExportOperations.ExportWholeVault }, user, orgScope);
+        await sutProvider.Sut.HandleAsync(authContext);
+
+        Assert.True(authContext.HasSucceeded);
+    }
+
+    public static IEnumerable<object[]> CannotExportWholeVault => new List<CurrentContextOrganization>
+    {
+        new () { Type = OrganizationUserType.User },
+        new ()
+        {
+            Type = OrganizationUserType.Custom, Permissions = new Permissions { AccessImportExport = true }.Invert()
+        }
+    }.Select(org => new[] { org });
+
+    [Theory]
+    [BitMemberAutoData(nameof(CannotExportWholeVault))]
+    public async Task ExportAll_NotPermitted_Failure(CurrentContextOrganization org, OrganizationScope orgScope, ClaimsPrincipal user,
+        SutProvider<VaultExportAuthorizationHandler> sutProvider)
+    {
+        org.Id = orgScope;
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(orgScope).Returns(org);
+
+        var authContext = new AuthorizationHandlerContext(new[] { VaultExportOperations.ExportWholeVault }, user, orgScope);
+        await sutProvider.Sut.HandleAsync(authContext);
+
+        Assert.False(authContext.HasSucceeded);
+    }
+
+    public static IEnumerable<object[]> CanExportManagedCollections =>
+        AuthorizationHelpers.AllRoles().Select(o => new[] { o });
+
+    [Theory]
+    [BitMemberAutoData(nameof(CanExportManagedCollections))]
+    public async Task ExportManagedCollections_PermittedRoles_Success(CurrentContextOrganization org, OrganizationScope orgScope, ClaimsPrincipal user,
+        SutProvider<VaultExportAuthorizationHandler> sutProvider)
+    {
+        org.Id = orgScope;
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(orgScope).Returns(org);
+
+        var authContext = new AuthorizationHandlerContext(new[] { VaultExportOperations.ExportManagedCollections }, user, orgScope);
+        await sutProvider.Sut.HandleAsync(authContext);
+
+        Assert.True(authContext.HasSucceeded);
+    }
+
+    [Theory]
+    [BitAutoData([null])]
+    public async Task ExportManagedCollections_NotPermitted_Failure(CurrentContextOrganization org, OrganizationScope orgScope, ClaimsPrincipal user,
+        SutProvider<VaultExportAuthorizationHandler> sutProvider)
+    {
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(orgScope).Returns(org);
+
+        var authContext = new AuthorizationHandlerContext(new[] { VaultExportOperations.ExportManagedCollections }, user, orgScope);
+        await sutProvider.Sut.HandleAsync(authContext);
+
+        Assert.False(authContext.HasSucceeded);
+    }
+}
diff --git a/test/Core.Test/AdminConsole/Helpers/AuthorizationHelpers.cs b/test/Core.Test/AdminConsole/Helpers/AuthorizationHelpers.cs
new file mode 100644
index 0000000000..854cdcb3c8
--- /dev/null
+++ b/test/Core.Test/AdminConsole/Helpers/AuthorizationHelpers.cs
@@ -0,0 +1,52 @@
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data;
+
+namespace Bit.Core.Test.AdminConsole.Helpers;
+
+public static class AuthorizationHelpers
+{
+    /// <summary>
+    /// Return a new Permission object with inverted permissions.
+    /// This is useful to test negative cases, e.g. "all other permissions should fail".
+    /// </summary>
+    /// <param name="permissions"></param>
+    /// <returns></returns>
+    public static Permissions Invert(this Permissions permissions)
+    {
+        // Get all false boolean properties of input object
+        var inputsToFlip = permissions
+            .GetType()
+            .GetProperties()
+            .Where(p =>
+                p.PropertyType == typeof(bool) &&
+                (bool)p.GetValue(permissions, null)! == false)
+            .Select(p => p.Name);
+
+        var result = new Permissions();
+
+        // Set these to true on the result object
+        result
+            .GetType()
+            .GetProperties()
+            .Where(p => inputsToFlip.Contains(p.Name))
+            .ToList()
+            .ForEach(p => p.SetValue(result, true));
+
+        return result;
+    }
+
+    /// <summary>
+    /// Returns a sequence of all possible roles and permissions represented as CurrentContextOrganization objects.
+    /// Used largely for authorization testing.
+    /// </summary>
+    /// <returns></returns>
+    public static IEnumerable<CurrentContextOrganization> AllRoles() => new List<CurrentContextOrganization>
+    {
+        new () { Type = OrganizationUserType.Owner },
+        new () { Type = OrganizationUserType.Admin },
+        new () { Type = OrganizationUserType.Custom, Permissions = new Permissions() },
+        new () { Type = OrganizationUserType.Custom, Permissions = new Permissions().Invert() },
+        new () { Type = OrganizationUserType.User },
+    };
+}
diff --git a/test/Core.Test/AdminConsole/Helpers/AuthorizationHelpersTests.cs b/test/Core.Test/AdminConsole/Helpers/AuthorizationHelpersTests.cs
new file mode 100644
index 0000000000..db128ffc4b
--- /dev/null
+++ b/test/Core.Test/AdminConsole/Helpers/AuthorizationHelpersTests.cs
@@ -0,0 +1,38 @@
+using Bit.Core.Models.Data;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.Helpers;
+
+public class AuthorizationHelpersTests
+{
+    [Fact]
+    public void Permissions_Invert_InvertsAllPermissions()
+    {
+        var sut = new Permissions
+        {
+            AccessEventLogs = true,
+            AccessReports = true,
+            DeleteAnyCollection = true,
+            ManagePolicies = true,
+            ManageScim = true
+        };
+
+        var result = sut.Invert();
+
+        Assert.True(result is
+        {
+            AccessEventLogs: false,
+            AccessImportExport: true,
+            AccessReports: false,
+            CreateNewCollections: true,
+            EditAnyCollection: true,
+            DeleteAnyCollection: false,
+            ManageGroups: true,
+            ManagePolicies: false,
+            ManageSso: true,
+            ManageUsers: true,
+            ManageResetPassword: true,
+            ManageScim: false
+        });
+    }
+}
diff --git a/test/Core.Test/Vault/Queries/OrganizationCiphersQueryTests.cs b/test/Core.Test/Vault/Queries/OrganizationCiphersQueryTests.cs
new file mode 100644
index 0000000000..01539fe7d7
--- /dev/null
+++ b/test/Core.Test/Vault/Queries/OrganizationCiphersQueryTests.cs
@@ -0,0 +1,92 @@
+using AutoFixture;
+using Bit.Core.Entities;
+using Bit.Core.Repositories;
+using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Queries;
+using Bit.Core.Vault.Repositories;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Vault.Queries;
+
+[SutProviderCustomize]
+public class OrganizationCiphersQueryTests
+{
+    [Theory, BitAutoData]
+    public async Task GetOrganizationCiphersInCollections_ReturnsFilteredCiphers(
+        Guid organizationId, SutProvider<OrganizationCiphersQuery> sutProvider)
+    {
+        var fixture = new Fixture();
+
+        var otherCollectionId = Guid.NewGuid();
+        var targetCollectionId = Guid.NewGuid();
+
+        var otherCipher = fixture.Create<CipherOrganizationDetails>();
+        var targetCipher = fixture.Create<CipherOrganizationDetails>();
+        var bothCipher = fixture.Create<CipherOrganizationDetails>();
+        var noCipher = fixture.Create<CipherOrganizationDetails>();
+
+        var ciphers = new List<CipherOrganizationDetails>
+        {
+            otherCipher,    // not in the target collection
+            targetCipher,   // in the target collection
+            bothCipher,     // in both collections
+            noCipher        // not in any collection
+        };
+        ciphers.ForEach(c =>
+        {
+            c.OrganizationId = organizationId;
+            c.UserId = null;
+        });
+
+        var otherCollectionCipher = new CollectionCipher
+        {
+            CollectionId = otherCollectionId,
+            CipherId = otherCipher.Id
+        };
+        var targetCollectionCipher = new CollectionCipher
+        {
+            CollectionId = targetCollectionId,
+            CipherId = targetCipher.Id
+        };
+        var bothCollectionCipher1 = new CollectionCipher
+        {
+            CollectionId = targetCollectionId,
+            CipherId = bothCipher.Id
+        };
+        var bothCollectionCipher2 = new CollectionCipher
+        {
+            CollectionId = otherCollectionId,
+            CipherId = bothCipher.Id
+        };
+
+        sutProvider.GetDependency<ICipherRepository>().GetManyOrganizationDetailsByOrganizationIdAsync(organizationId)
+            .Returns(ciphers);
+
+        sutProvider.GetDependency<ICollectionCipherRepository>().GetManyByOrganizationIdAsync(organizationId).Returns(
+        [
+            targetCollectionCipher,
+            otherCollectionCipher,
+            bothCollectionCipher1,
+            bothCollectionCipher2
+        ]);
+
+        var result = await sutProvider
+            .Sut
+            .GetOrganizationCiphersByCollectionIds(organizationId, [targetCollectionId]);
+        result = result.ToList();
+
+        Assert.Equal(2, result.Count());
+        Assert.Contains(result, c =>
+            c.Id == targetCipher.Id &&
+            c.CollectionIds.Count() == 1 &&
+            c.CollectionIds.Any(cId => cId == targetCollectionId));
+        Assert.Contains(result, c =>
+            c.Id == bothCipher.Id &&
+            c.CollectionIds.Count() == 2 &&
+            c.CollectionIds.Any(cId => cId == targetCollectionId) &&
+            c.CollectionIds.Any(cId => cId == otherCollectionId));
+    }
+}

From 2333a934a97320bc189b6e37c47067953f398c40 Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Thu, 5 Dec 2024 21:18:02 -0600
Subject: [PATCH 031/384] [PM-12488] Migrating Cloud Org Sign Up to Command
 (#5078)

---
 .../Controllers/OrganizationsController.cs    |  17 +-
 .../CloudOrganizationSignUpCommand.cs         | 368 ++++++++++++++++++
 .../Services/IOrganizationService.cs          |   6 -
 .../Implementations/OrganizationService.cs    | 124 ------
 ...OrganizationServiceCollectionExtensions.cs |   5 +
 .../Helpers/OrganizationTestHelpers.cs        |  10 +-
 .../OrganizationsControllerTests.cs           |   9 +-
 .../CloudOrganizationSignUpCommandTests.cs    | 238 +++++++++++
 .../Services/OrganizationServiceTests.cs      | 216 ----------
 9 files changed, 630 insertions(+), 363 deletions(-)
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/Organizations/CloudOrganizationSignUpCommand.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationSignUp/CloudOrganizationSignUpCommandTests.cs

diff --git a/src/Api/AdminConsole/Controllers/OrganizationsController.cs b/src/Api/AdminConsole/Controllers/OrganizationsController.cs
index 0ac750e665..6ffd60e425 100644
--- a/src/Api/AdminConsole/Controllers/OrganizationsController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationsController.cs
@@ -13,6 +13,7 @@ using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Business.Tokenables;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationApiKeys.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Enums;
@@ -52,11 +53,11 @@ public class OrganizationsController : Controller
     private readonly IOrganizationApiKeyRepository _organizationApiKeyRepository;
     private readonly IFeatureService _featureService;
     private readonly GlobalSettings _globalSettings;
-    private readonly IPushNotificationService _pushNotificationService;
     private readonly IProviderRepository _providerRepository;
     private readonly IProviderBillingService _providerBillingService;
     private readonly IDataProtectorTokenFactory<OrgDeleteTokenable> _orgDeleteTokenDataFactory;
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
+    private readonly ICloudOrganizationSignUpCommand _cloudOrganizationSignUpCommand;
 
     public OrganizationsController(
         IOrganizationRepository organizationRepository,
@@ -73,11 +74,11 @@ public class OrganizationsController : Controller
         IOrganizationApiKeyRepository organizationApiKeyRepository,
         IFeatureService featureService,
         GlobalSettings globalSettings,
-        IPushNotificationService pushNotificationService,
         IProviderRepository providerRepository,
         IProviderBillingService providerBillingService,
         IDataProtectorTokenFactory<OrgDeleteTokenable> orgDeleteTokenDataFactory,
-        IRemoveOrganizationUserCommand removeOrganizationUserCommand)
+        IRemoveOrganizationUserCommand removeOrganizationUserCommand,
+        ICloudOrganizationSignUpCommand cloudOrganizationSignUpCommand)
     {
         _organizationRepository = organizationRepository;
         _organizationUserRepository = organizationUserRepository;
@@ -93,11 +94,11 @@ public class OrganizationsController : Controller
         _organizationApiKeyRepository = organizationApiKeyRepository;
         _featureService = featureService;
         _globalSettings = globalSettings;
-        _pushNotificationService = pushNotificationService;
         _providerRepository = providerRepository;
         _providerBillingService = providerBillingService;
         _orgDeleteTokenDataFactory = orgDeleteTokenDataFactory;
         _removeOrganizationUserCommand = removeOrganizationUserCommand;
+        _cloudOrganizationSignUpCommand = cloudOrganizationSignUpCommand;
     }
 
     [HttpGet("{id}")]
@@ -175,8 +176,8 @@ public class OrganizationsController : Controller
         }
 
         var organizationSignup = model.ToOrganizationSignup(user);
-        var result = await _organizationService.SignUpAsync(organizationSignup);
-        return new OrganizationResponseModel(result.Item1);
+        var result = await _cloudOrganizationSignUpCommand.SignUpOrganizationAsync(organizationSignup);
+        return new OrganizationResponseModel(result.Organization);
     }
 
     [HttpPost("create-without-payment")]
@@ -190,8 +191,8 @@ public class OrganizationsController : Controller
         }
 
         var organizationSignup = model.ToOrganizationSignup(user);
-        var result = await _organizationService.SignUpAsync(organizationSignup);
-        return new OrganizationResponseModel(result.Item1);
+        var result = await _cloudOrganizationSignUpCommand.SignUpOrganizationAsync(organizationSignup);
+        return new OrganizationResponseModel(result.Organization);
     }
 
     [HttpPut("{id}")]
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Organizations/CloudOrganizationSignUpCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/Organizations/CloudOrganizationSignUpCommand.cs
new file mode 100644
index 0000000000..3eb4d35ef1
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/Organizations/CloudOrganizationSignUpCommand.cs
@@ -0,0 +1,368 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Services;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Models.Sales;
+using Bit.Core.Billing.Services;
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Business;
+using Bit.Core.Models.Data;
+using Bit.Core.Models.StaticStore;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Tools.Enums;
+using Bit.Core.Tools.Models.Business;
+using Bit.Core.Tools.Services;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
+
+public record SignUpOrganizationResponse(
+    Organization Organization,
+    OrganizationUser OrganizationUser,
+    Collection DefaultCollection);
+
+public interface ICloudOrganizationSignUpCommand
+{
+    Task<SignUpOrganizationResponse> SignUpOrganizationAsync(OrganizationSignup signup);
+}
+
+public class CloudOrganizationSignUpCommand(
+    IOrganizationUserRepository organizationUserRepository,
+    IFeatureService featureService,
+    IOrganizationBillingService organizationBillingService,
+    IPaymentService paymentService,
+    IPolicyService policyService,
+    IReferenceEventService referenceEventService,
+    ICurrentContext currentContext,
+    IOrganizationRepository organizationRepository,
+    IOrganizationApiKeyRepository organizationApiKeyRepository,
+    IApplicationCacheService applicationCacheService,
+    IPushRegistrationService pushRegistrationService,
+    IPushNotificationService pushNotificationService,
+    ICollectionRepository collectionRepository,
+    IDeviceRepository deviceRepository) : ICloudOrganizationSignUpCommand
+{
+    public async Task<SignUpOrganizationResponse> SignUpOrganizationAsync(OrganizationSignup signup)
+    {
+        var plan = StaticStore.GetPlan(signup.Plan);
+
+        ValidatePasswordManagerPlan(plan, signup);
+
+        if (signup.UseSecretsManager)
+        {
+            if (signup.IsFromProvider)
+            {
+                throw new BadRequestException(
+                    "Organizations with a Managed Service Provider do not support Secrets Manager.");
+            }
+            ValidateSecretsManagerPlan(plan, signup);
+        }
+
+        if (!signup.IsFromProvider)
+        {
+            await ValidateSignUpPoliciesAsync(signup.Owner.Id);
+        }
+
+        var organization = new Organization
+        {
+            // Pre-generate the org id so that we can save it with the Stripe subscription
+            Id = CoreHelpers.GenerateComb(),
+            Name = signup.Name,
+            BillingEmail = signup.BillingEmail,
+            BusinessName = signup.BusinessName,
+            PlanType = plan!.Type,
+            Seats = (short)(plan.PasswordManager.BaseSeats + signup.AdditionalSeats),
+            MaxCollections = plan.PasswordManager.MaxCollections,
+            MaxStorageGb = !plan.PasswordManager.BaseStorageGb.HasValue ?
+                (short?)null : (short)(plan.PasswordManager.BaseStorageGb.Value + signup.AdditionalStorageGb),
+            UsePolicies = plan.HasPolicies,
+            UseSso = plan.HasSso,
+            UseGroups = plan.HasGroups,
+            UseEvents = plan.HasEvents,
+            UseDirectory = plan.HasDirectory,
+            UseTotp = plan.HasTotp,
+            Use2fa = plan.Has2fa,
+            UseApi = plan.HasApi,
+            UseResetPassword = plan.HasResetPassword,
+            SelfHost = plan.HasSelfHost,
+            UsersGetPremium = plan.UsersGetPremium || signup.PremiumAccessAddon,
+            UseCustomPermissions = plan.HasCustomPermissions,
+            UseScim = plan.HasScim,
+            Plan = plan.Name,
+            Gateway = null,
+            ReferenceData = signup.Owner.ReferenceData,
+            Enabled = true,
+            LicenseKey = CoreHelpers.SecureRandomString(20),
+            PublicKey = signup.PublicKey,
+            PrivateKey = signup.PrivateKey,
+            CreationDate = DateTime.UtcNow,
+            RevisionDate = DateTime.UtcNow,
+            Status = OrganizationStatusType.Created,
+            UsePasswordManager = true,
+            UseSecretsManager = signup.UseSecretsManager
+        };
+
+        if (signup.UseSecretsManager)
+        {
+            organization.SmSeats = plan.SecretsManager.BaseSeats + signup.AdditionalSmSeats.GetValueOrDefault();
+            organization.SmServiceAccounts = plan.SecretsManager.BaseServiceAccount +
+                                             signup.AdditionalServiceAccounts.GetValueOrDefault();
+        }
+
+        if (plan.Type == PlanType.Free && !signup.IsFromProvider)
+        {
+            var adminCount =
+                await organizationUserRepository.GetCountByFreeOrganizationAdminUserAsync(signup.Owner.Id);
+            if (adminCount > 0)
+            {
+                throw new BadRequestException("You can only be an admin of one free organization.");
+            }
+        }
+        else if (plan.Type != PlanType.Free)
+        {
+            if (featureService.IsEnabled(FeatureFlagKeys.AC2476_DeprecateStripeSourcesAPI))
+            {
+                var sale = OrganizationSale.From(organization, signup);
+                await organizationBillingService.Finalize(sale);
+            }
+            else
+            {
+                if (signup.PaymentMethodType != null)
+                {
+                    await paymentService.PurchaseOrganizationAsync(organization, signup.PaymentMethodType.Value,
+                        signup.PaymentToken, plan, signup.AdditionalStorageGb, signup.AdditionalSeats,
+                        signup.PremiumAccessAddon, signup.TaxInfo, signup.IsFromProvider, signup.AdditionalSmSeats.GetValueOrDefault(),
+                        signup.AdditionalServiceAccounts.GetValueOrDefault(), signup.IsFromSecretsManagerTrial);
+                }
+                else
+                {
+                    await paymentService.PurchaseOrganizationNoPaymentMethod(organization, plan, signup.AdditionalSeats,
+                        signup.PremiumAccessAddon, signup.AdditionalSmSeats.GetValueOrDefault(),
+                        signup.AdditionalServiceAccounts.GetValueOrDefault(), signup.IsFromSecretsManagerTrial);
+                }
+
+            }
+        }
+
+        var ownerId = signup.IsFromProvider ? default : signup.Owner.Id;
+        var returnValue = await SignUpAsync(organization, ownerId, signup.OwnerKey, signup.CollectionName, true);
+        await referenceEventService.RaiseEventAsync(
+            new ReferenceEvent(ReferenceEventType.Signup, organization, currentContext)
+            {
+                PlanName = plan.Name,
+                PlanType = plan.Type,
+                Seats = returnValue.Item1.Seats,
+                SignupInitiationPath = signup.InitiationPath,
+                Storage = returnValue.Item1.MaxStorageGb,
+                // TODO: add reference events for SmSeats and Service Accounts - see AC-1481
+            });
+
+        return new SignUpOrganizationResponse(returnValue.organization, returnValue.organizationUser, returnValue.defaultCollection);
+    }
+
+    public void ValidatePasswordManagerPlan(Plan plan, OrganizationUpgrade upgrade)
+    {
+        ValidatePlan(plan, upgrade.AdditionalSeats, "Password Manager");
+
+        if (plan.PasswordManager.BaseSeats + upgrade.AdditionalSeats <= 0)
+        {
+            throw new BadRequestException($"You do not have any Password Manager seats!");
+        }
+
+        if (upgrade.AdditionalSeats < 0)
+        {
+            throw new BadRequestException($"You can't subtract Password Manager seats!");
+        }
+
+        if (!plan.PasswordManager.HasAdditionalStorageOption && upgrade.AdditionalStorageGb > 0)
+        {
+            throw new BadRequestException("Plan does not allow additional storage.");
+        }
+
+        if (upgrade.AdditionalStorageGb < 0)
+        {
+            throw new BadRequestException("You can't subtract storage!");
+        }
+
+        if (!plan.PasswordManager.HasPremiumAccessOption && upgrade.PremiumAccessAddon)
+        {
+            throw new BadRequestException("This plan does not allow you to buy the premium access addon.");
+        }
+
+        if (!plan.PasswordManager.HasAdditionalSeatsOption && upgrade.AdditionalSeats > 0)
+        {
+            throw new BadRequestException("Plan does not allow additional users.");
+        }
+
+        if (plan.PasswordManager.HasAdditionalSeatsOption && plan.PasswordManager.MaxAdditionalSeats.HasValue &&
+            upgrade.AdditionalSeats > plan.PasswordManager.MaxAdditionalSeats.Value)
+        {
+            throw new BadRequestException($"Selected plan allows a maximum of " +
+                                          $"{plan.PasswordManager.MaxAdditionalSeats.GetValueOrDefault(0)} additional users.");
+        }
+    }
+
+    public void ValidateSecretsManagerPlan(Plan plan, OrganizationUpgrade upgrade)
+    {
+        if (plan.SupportsSecretsManager == false)
+        {
+            throw new BadRequestException("Invalid Secrets Manager plan selected.");
+        }
+
+        ValidatePlan(plan, upgrade.AdditionalSmSeats.GetValueOrDefault(), "Secrets Manager");
+
+        if (plan.SecretsManager.BaseSeats + upgrade.AdditionalSmSeats <= 0)
+        {
+            throw new BadRequestException($"You do not have any Secrets Manager seats!");
+        }
+
+        if (!plan.SecretsManager.HasAdditionalServiceAccountOption && upgrade.AdditionalServiceAccounts > 0)
+        {
+            throw new BadRequestException("Plan does not allow additional Machine Accounts.");
+        }
+
+        if ((plan.ProductTier == ProductTierType.TeamsStarter &&
+            upgrade.AdditionalSmSeats.GetValueOrDefault() > plan.PasswordManager.BaseSeats) ||
+            (plan.ProductTier != ProductTierType.TeamsStarter &&
+             upgrade.AdditionalSmSeats.GetValueOrDefault() > upgrade.AdditionalSeats))
+        {
+            throw new BadRequestException("You cannot have more Secrets Manager seats than Password Manager seats.");
+        }
+
+        if (upgrade.AdditionalServiceAccounts.GetValueOrDefault() < 0)
+        {
+            throw new BadRequestException("You can't subtract Machine Accounts!");
+        }
+
+        switch (plan.SecretsManager.HasAdditionalSeatsOption)
+        {
+            case false when upgrade.AdditionalSmSeats > 0:
+                throw new BadRequestException("Plan does not allow additional users.");
+            case true when plan.SecretsManager.MaxAdditionalSeats.HasValue &&
+                           upgrade.AdditionalSmSeats > plan.SecretsManager.MaxAdditionalSeats.Value:
+                throw new BadRequestException($"Selected plan allows a maximum of " +
+                                              $"{plan.SecretsManager.MaxAdditionalSeats.GetValueOrDefault(0)} additional users.");
+        }
+    }
+
+    private static void ValidatePlan(Plan plan, int additionalSeats, string productType)
+    {
+        if (plan is null)
+        {
+            throw new BadRequestException($"{productType} Plan was null.");
+        }
+
+        if (plan.Disabled)
+        {
+            throw new BadRequestException($"{productType} Plan not found.");
+        }
+
+        if (additionalSeats < 0)
+        {
+            throw new BadRequestException($"You can't subtract {productType} seats!");
+        }
+    }
+
+    private async Task ValidateSignUpPoliciesAsync(Guid ownerId)
+    {
+        var anySingleOrgPolicies = await policyService.AnyPoliciesApplicableToUserAsync(ownerId, PolicyType.SingleOrg);
+        if (anySingleOrgPolicies)
+        {
+            throw new BadRequestException("You may not create an organization. You belong to an organization " +
+                                          "which has a policy that prohibits you from being a member of any other organization.");
+        }
+    }
+
+    private async Task<(Organization organization, OrganizationUser organizationUser, Collection defaultCollection)> SignUpAsync(Organization organization,
+    Guid ownerId, string ownerKey, string collectionName, bool withPayment)
+    {
+        try
+        {
+            await organizationRepository.CreateAsync(organization);
+            await organizationApiKeyRepository.CreateAsync(new OrganizationApiKey
+            {
+                OrganizationId = organization.Id,
+                ApiKey = CoreHelpers.SecureRandomString(30),
+                Type = OrganizationApiKeyType.Default,
+                RevisionDate = DateTime.UtcNow,
+            });
+            await applicationCacheService.UpsertOrganizationAbilityAsync(organization);
+
+            // ownerId == default if the org is created by a provider - in this case it's created without an
+            // owner and the first owner is immediately invited afterwards
+            OrganizationUser orgUser = null;
+            if (ownerId != default)
+            {
+                orgUser = new OrganizationUser
+                {
+                    OrganizationId = organization.Id,
+                    UserId = ownerId,
+                    Key = ownerKey,
+                    AccessSecretsManager = organization.UseSecretsManager,
+                    Type = OrganizationUserType.Owner,
+                    Status = OrganizationUserStatusType.Confirmed,
+                    CreationDate = organization.CreationDate,
+                    RevisionDate = organization.CreationDate
+                };
+                orgUser.SetNewId();
+
+                await organizationUserRepository.CreateAsync(orgUser);
+
+                var devices = await GetUserDeviceIdsAsync(orgUser.UserId.Value);
+                await pushRegistrationService.AddUserRegistrationOrganizationAsync(devices, organization.Id.ToString());
+                await pushNotificationService.PushSyncOrgKeysAsync(ownerId);
+            }
+
+            Collection defaultCollection = null;
+            if (!string.IsNullOrWhiteSpace(collectionName))
+            {
+                defaultCollection = new Collection
+                {
+                    Name = collectionName,
+                    OrganizationId = organization.Id,
+                    CreationDate = organization.CreationDate,
+                    RevisionDate = organization.CreationDate
+                };
+
+                // Give the owner Can Manage access over the default collection
+                List<CollectionAccessSelection> defaultOwnerAccess = null;
+                if (orgUser != null)
+                {
+                    defaultOwnerAccess =
+                        [new CollectionAccessSelection { Id = orgUser.Id, HidePasswords = false, ReadOnly = false, Manage = true }];
+                }
+
+                await collectionRepository.CreateAsync(defaultCollection, null, defaultOwnerAccess);
+            }
+
+            return (organization, orgUser, defaultCollection);
+        }
+        catch
+        {
+            if (withPayment)
+            {
+                await paymentService.CancelAndRecoverChargesAsync(organization);
+            }
+
+            if (organization.Id != default(Guid))
+            {
+                await organizationRepository.DeleteAsync(organization);
+                await applicationCacheService.DeleteOrganizationAbilityAsync(organization.Id);
+            }
+
+            throw;
+        }
+    }
+
+    private async Task<IEnumerable<string>> GetUserDeviceIdsAsync(Guid userId)
+    {
+        var devices = await deviceRepository.GetManyByUserIdAsync(userId);
+        return devices
+            .Where(d => !string.IsNullOrWhiteSpace(d.PushToken))
+            .Select(d => d.Id.ToString());
+    }
+}
diff --git a/src/Core/AdminConsole/Services/IOrganizationService.cs b/src/Core/AdminConsole/Services/IOrganizationService.cs
index 646ae66166..0495c4c76e 100644
--- a/src/Core/AdminConsole/Services/IOrganizationService.cs
+++ b/src/Core/AdminConsole/Services/IOrganizationService.cs
@@ -20,13 +20,7 @@ public interface IOrganizationService
     Task AutoAddSeatsAsync(Organization organization, int seatsToAdd);
     Task<string> AdjustSeatsAsync(Guid organizationId, int seatAdjustment);
     Task VerifyBankAsync(Guid organizationId, int amount1, int amount2);
-    /// <summary>
-    /// Create a new organization in a cloud environment
-    /// </summary>
-    /// <returns>A tuple containing the new organization, the initial organizationUser (if any) and the default collection (if any)</returns>
 #nullable enable
-    Task<(Organization organization, OrganizationUser? organizationUser, Collection? defaultCollection)> SignUpAsync(OrganizationSignup organizationSignup);
-
     Task<(Organization organization, OrganizationUser organizationUser, Collection defaultCollection)> SignupClientAsync(OrganizationSignup signup);
 #nullable disable
     /// <summary>
diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index 862b566c91..1ca047aa47 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -16,7 +16,6 @@ using Bit.Core.Auth.Repositories;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Extensions;
-using Bit.Core.Billing.Models.Sales;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Entities;
@@ -502,129 +501,6 @@ public class OrganizationService : IOrganizationService
         return returnValue;
     }
 
-    /// <summary>
-    /// Create a new organization in a cloud environment
-    /// </summary>
-    public async Task<(Organization organization, OrganizationUser organizationUser, Collection defaultCollection)> SignUpAsync(OrganizationSignup signup)
-    {
-        var plan = StaticStore.GetPlan(signup.Plan);
-
-        ValidatePasswordManagerPlan(plan, signup);
-
-        if (signup.UseSecretsManager)
-        {
-            if (signup.IsFromProvider)
-            {
-                throw new BadRequestException(
-                    "Organizations with a Managed Service Provider do not support Secrets Manager.");
-            }
-            ValidateSecretsManagerPlan(plan, signup);
-        }
-
-        if (!signup.IsFromProvider)
-        {
-            await ValidateSignUpPoliciesAsync(signup.Owner.Id);
-        }
-
-        var organization = new Organization
-        {
-            // Pre-generate the org id so that we can save it with the Stripe subscription..
-            Id = CoreHelpers.GenerateComb(),
-            Name = signup.Name,
-            BillingEmail = signup.BillingEmail,
-            BusinessName = signup.BusinessName,
-            PlanType = plan!.Type,
-            Seats = (short)(plan.PasswordManager.BaseSeats + signup.AdditionalSeats),
-            MaxCollections = plan.PasswordManager.MaxCollections,
-            MaxStorageGb = !plan.PasswordManager.BaseStorageGb.HasValue ?
-                (short?)null : (short)(plan.PasswordManager.BaseStorageGb.Value + signup.AdditionalStorageGb),
-            UsePolicies = plan.HasPolicies,
-            UseSso = plan.HasSso,
-            UseGroups = plan.HasGroups,
-            UseEvents = plan.HasEvents,
-            UseDirectory = plan.HasDirectory,
-            UseTotp = plan.HasTotp,
-            Use2fa = plan.Has2fa,
-            UseApi = plan.HasApi,
-            UseResetPassword = plan.HasResetPassword,
-            SelfHost = plan.HasSelfHost,
-            UsersGetPremium = plan.UsersGetPremium || signup.PremiumAccessAddon,
-            UseCustomPermissions = plan.HasCustomPermissions,
-            UseScim = plan.HasScim,
-            Plan = plan.Name,
-            Gateway = null,
-            ReferenceData = signup.Owner.ReferenceData,
-            Enabled = true,
-            LicenseKey = CoreHelpers.SecureRandomString(20),
-            PublicKey = signup.PublicKey,
-            PrivateKey = signup.PrivateKey,
-            CreationDate = DateTime.UtcNow,
-            RevisionDate = DateTime.UtcNow,
-            Status = OrganizationStatusType.Created,
-            UsePasswordManager = true,
-            UseSecretsManager = signup.UseSecretsManager
-        };
-
-        if (signup.UseSecretsManager)
-        {
-            organization.SmSeats = plan.SecretsManager.BaseSeats + signup.AdditionalSmSeats.GetValueOrDefault();
-            organization.SmServiceAccounts = plan.SecretsManager.BaseServiceAccount +
-                                             signup.AdditionalServiceAccounts.GetValueOrDefault();
-        }
-
-        if (plan.Type == PlanType.Free && !signup.IsFromProvider)
-        {
-            var adminCount =
-                await _organizationUserRepository.GetCountByFreeOrganizationAdminUserAsync(signup.Owner.Id);
-            if (adminCount > 0)
-            {
-                throw new BadRequestException("You can only be an admin of one free organization.");
-            }
-        }
-        else if (plan.Type != PlanType.Free)
-        {
-            var deprecateStripeSourcesAPI = _featureService.IsEnabled(FeatureFlagKeys.AC2476_DeprecateStripeSourcesAPI);
-
-            if (deprecateStripeSourcesAPI)
-            {
-                var sale = OrganizationSale.From(organization, signup);
-                await _organizationBillingService.Finalize(sale);
-            }
-            else
-            {
-                if (signup.PaymentMethodType != null)
-                {
-                    await _paymentService.PurchaseOrganizationAsync(organization, signup.PaymentMethodType.Value,
-                        signup.PaymentToken, plan, signup.AdditionalStorageGb, signup.AdditionalSeats,
-                        signup.PremiumAccessAddon, signup.TaxInfo, signup.IsFromProvider, signup.AdditionalSmSeats.GetValueOrDefault(),
-                        signup.AdditionalServiceAccounts.GetValueOrDefault(), signup.IsFromSecretsManagerTrial);
-                }
-                else
-                {
-                    await _paymentService.PurchaseOrganizationNoPaymentMethod(organization, plan, signup.AdditionalSeats,
-                        signup.PremiumAccessAddon, signup.AdditionalSmSeats.GetValueOrDefault(),
-                        signup.AdditionalServiceAccounts.GetValueOrDefault(), signup.IsFromSecretsManagerTrial);
-                }
-
-            }
-        }
-
-        var ownerId = signup.IsFromProvider ? default : signup.Owner.Id;
-        var returnValue = await SignUpAsync(organization, ownerId, signup.OwnerKey, signup.CollectionName, true);
-        await _referenceEventService.RaiseEventAsync(
-            new ReferenceEvent(ReferenceEventType.Signup, organization, _currentContext)
-            {
-                PlanName = plan.Name,
-                PlanType = plan.Type,
-                Seats = returnValue.Item1.Seats,
-                SignupInitiationPath = signup.InitiationPath,
-                Storage = returnValue.Item1.MaxStorageGb,
-                // TODO: add reference events for SmSeats and Service Accounts - see AC-1481
-            });
-
-        return returnValue;
-    }
-
     private async Task ValidateSignUpPoliciesAsync(Guid ownerId)
     {
         var anySingleOrgPolicies = await _policyService.AnyPoliciesApplicableToUserAsync(ownerId, PolicyType.SingleOrg);
diff --git a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
index 96fdefcfad..5586273520 100644
--- a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
+++ b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
@@ -8,6 +8,7 @@ using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationConnections;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationConnections.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
@@ -50,12 +51,16 @@ public static class OrganizationServiceCollectionExtensions
         services.AddOrganizationGroupCommands();
         services.AddOrganizationLicenseCommandsQueries();
         services.AddOrganizationDomainCommandsQueries();
+        services.AddOrganizationSignUpCommands();
         services.AddOrganizationAuthCommands();
         services.AddOrganizationUserCommands();
         services.AddOrganizationUserCommandsQueries();
         services.AddBaseOrganizationSubscriptionCommandsQueries();
     }
 
+    private static IServiceCollection AddOrganizationSignUpCommands(this IServiceCollection services) =>
+        services.AddScoped<ICloudOrganizationSignUpCommand, CloudOrganizationSignUpCommand>();
+
     private static void AddOrganizationConnectionCommands(this IServiceCollection services)
     {
         services.AddScoped<ICreateOrganizationConnectionCommand, CreateOrganizationConnectionCommand>();
diff --git a/test/Api.IntegrationTest/Helpers/OrganizationTestHelpers.cs b/test/Api.IntegrationTest/Helpers/OrganizationTestHelpers.cs
index 64f719e82e..dd514803fe 100644
--- a/test/Api.IntegrationTest/Helpers/OrganizationTestHelpers.cs
+++ b/test/Api.IntegrationTest/Helpers/OrganizationTestHelpers.cs
@@ -1,13 +1,13 @@
 using System.Diagnostics;
 using Bit.Api.IntegrationTest.Factories;
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Business;
 using Bit.Core.Models.Data;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.IntegrationTestCommon.Factories;
 
 namespace Bit.Api.IntegrationTest.Helpers;
@@ -24,11 +24,11 @@ public static class OrganizationTestHelpers
         PaymentMethodType paymentMethod = PaymentMethodType.None) where T : class
     {
         var userRepository = factory.GetService<IUserRepository>();
-        var organizationService = factory.GetService<IOrganizationService>();
+        var organizationSignUpCommand = factory.GetService<ICloudOrganizationSignUpCommand>();
 
         var owner = await userRepository.GetByEmailAsync(ownerEmail);
 
-        var signUpResult = await organizationService.SignUpAsync(new OrganizationSignup
+        var signUpResult = await organizationSignUpCommand.SignUpOrganizationAsync(new OrganizationSignup
         {
             Name = name,
             BillingEmail = billingEmail,
@@ -39,9 +39,9 @@ public static class OrganizationTestHelpers
             PaymentMethodType = paymentMethod
         });
 
-        Debug.Assert(signUpResult.organizationUser is not null);
+        Debug.Assert(signUpResult.OrganizationUser is not null);
 
-        return new Tuple<Organization, OrganizationUser>(signUpResult.organization, signUpResult.organizationUser);
+        return new Tuple<Organization, OrganizationUser>(signUpResult.Organization, signUpResult.OrganizationUser);
     }
 
     /// <summary>
diff --git a/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs b/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
index 27c0f7a7c3..e58cd05b9d 100644
--- a/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
+++ b/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
@@ -7,6 +7,7 @@ using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Models.Business.Tokenables;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationApiKeys.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Entities;
@@ -46,11 +47,11 @@ public class OrganizationsControllerTests : IDisposable
     private readonly IOrganizationApiKeyRepository _organizationApiKeyRepository;
     private readonly ICreateOrganizationApiKeyCommand _createOrganizationApiKeyCommand;
     private readonly IFeatureService _featureService;
-    private readonly IPushNotificationService _pushNotificationService;
     private readonly IProviderRepository _providerRepository;
     private readonly IProviderBillingService _providerBillingService;
     private readonly IDataProtectorTokenFactory<OrgDeleteTokenable> _orgDeleteTokenDataFactory;
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
+    private readonly ICloudOrganizationSignUpCommand _cloudOrganizationSignUpCommand;
     private readonly OrganizationsController _sut;
 
     public OrganizationsControllerTests()
@@ -69,11 +70,11 @@ public class OrganizationsControllerTests : IDisposable
         _userService = Substitute.For<IUserService>();
         _createOrganizationApiKeyCommand = Substitute.For<ICreateOrganizationApiKeyCommand>();
         _featureService = Substitute.For<IFeatureService>();
-        _pushNotificationService = Substitute.For<IPushNotificationService>();
         _providerRepository = Substitute.For<IProviderRepository>();
         _providerBillingService = Substitute.For<IProviderBillingService>();
         _orgDeleteTokenDataFactory = Substitute.For<IDataProtectorTokenFactory<OrgDeleteTokenable>>();
         _removeOrganizationUserCommand = Substitute.For<IRemoveOrganizationUserCommand>();
+        _cloudOrganizationSignUpCommand = Substitute.For<ICloudOrganizationSignUpCommand>();
 
         _sut = new OrganizationsController(
             _organizationRepository,
@@ -90,11 +91,11 @@ public class OrganizationsControllerTests : IDisposable
             _organizationApiKeyRepository,
             _featureService,
             _globalSettings,
-            _pushNotificationService,
             _providerRepository,
             _providerBillingService,
             _orgDeleteTokenDataFactory,
-            _removeOrganizationUserCommand);
+            _removeOrganizationUserCommand,
+            _cloudOrganizationSignUpCommand);
     }
 
     public void Dispose()
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationSignUp/CloudOrganizationSignUpCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationSignUp/CloudOrganizationSignUpCommandTests.cs
new file mode 100644
index 0000000000..2c32f0504b
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationSignUp/CloudOrganizationSignUpCommandTests.cs
@@ -0,0 +1,238 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Business;
+using Bit.Core.Models.Data;
+using Bit.Core.Models.StaticStore;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Tools.Enums;
+using Bit.Core.Tools.Models.Business;
+using Bit.Core.Tools.Services;
+using Bit.Core.Utilities;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Organizations.OrganizationSignUp;
+
+[SutProviderCustomize]
+public class CloudICloudOrganizationSignUpCommandTests
+{
+    [Theory]
+    [BitAutoData(PlanType.FamiliesAnnually)]
+    public async Task SignUp_PM_Family_Passes(PlanType planType, OrganizationSignup signup, SutProvider<CloudOrganizationSignUpCommand> sutProvider)
+    {
+        signup.Plan = planType;
+
+        var plan = StaticStore.GetPlan(signup.Plan);
+
+        signup.AdditionalSeats = 0;
+        signup.PaymentMethodType = PaymentMethodType.Card;
+        signup.PremiumAccessAddon = false;
+        signup.UseSecretsManager = false;
+        signup.IsFromSecretsManagerTrial = false;
+
+        var result = await sutProvider.Sut.SignUpOrganizationAsync(signup);
+
+        await sutProvider.GetDependency<IOrganizationRepository>().Received(1).CreateAsync(
+            Arg.Is<Organization>(o =>
+                o.Seats == plan.PasswordManager.BaseSeats + signup.AdditionalSeats
+                && o.SmSeats == null
+                && o.SmServiceAccounts == null));
+        await sutProvider.GetDependency<IOrganizationUserRepository>().Received(1).CreateAsync(
+            Arg.Is<OrganizationUser>(o => o.AccessSecretsManager == signup.UseSecretsManager));
+
+        await sutProvider.GetDependency<IReferenceEventService>().Received(1)
+            .RaiseEventAsync(Arg.Is<ReferenceEvent>(referenceEvent =>
+                referenceEvent.Type == ReferenceEventType.Signup &&
+                referenceEvent.PlanName == plan.Name &&
+                referenceEvent.PlanType == plan.Type &&
+                referenceEvent.Seats == result.Organization.Seats &&
+                referenceEvent.Storage == result.Organization.MaxStorageGb));
+        // TODO: add reference events for SmSeats and Service Accounts - see AC-1481
+
+        Assert.NotNull(result.Organization);
+        Assert.NotNull(result.OrganizationUser);
+
+        await sutProvider.GetDependency<IPaymentService>().Received(1).PurchaseOrganizationAsync(
+            Arg.Any<Organization>(),
+            signup.PaymentMethodType.Value,
+            signup.PaymentToken,
+            plan,
+            signup.AdditionalStorageGb,
+            signup.AdditionalSeats,
+            signup.PremiumAccessAddon,
+            signup.TaxInfo,
+            false,
+            signup.AdditionalSmSeats.GetValueOrDefault(),
+            signup.AdditionalServiceAccounts.GetValueOrDefault(),
+            signup.UseSecretsManager
+        );
+    }
+
+    [Theory]
+    [BitAutoData(PlanType.FamiliesAnnually)]
+    public async Task SignUp_AssignsOwnerToDefaultCollection
+        (PlanType planType, OrganizationSignup signup, SutProvider<CloudOrganizationSignUpCommand> sutProvider)
+    {
+        signup.Plan = planType;
+        signup.AdditionalSeats = 0;
+        signup.PaymentMethodType = PaymentMethodType.Card;
+        signup.PremiumAccessAddon = false;
+        signup.UseSecretsManager = false;
+
+        // Extract orgUserId when created
+        Guid? orgUserId = null;
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .CreateAsync(Arg.Do<OrganizationUser>(ou => orgUserId = ou.Id));
+
+        var result = await sutProvider.Sut.SignUpOrganizationAsync(signup);
+
+        // Assert: created a Can Manage association for the default collection
+        Assert.NotNull(orgUserId);
+        await sutProvider.GetDependency<ICollectionRepository>().Received(1).CreateAsync(
+            Arg.Any<Collection>(),
+            Arg.Is<IEnumerable<CollectionAccessSelection>>(cas => cas == null),
+            Arg.Is<IEnumerable<CollectionAccessSelection>>(cas =>
+                cas.Count() == 1 &&
+                cas.All(c =>
+                    c.Id == orgUserId &&
+                    !c.ReadOnly &&
+                    !c.HidePasswords &&
+                    c.Manage)));
+
+        Assert.NotNull(result.Organization);
+        Assert.NotNull(result.OrganizationUser);
+    }
+
+    [Theory]
+    [BitAutoData(PlanType.EnterpriseAnnually)]
+    [BitAutoData(PlanType.EnterpriseMonthly)]
+    [BitAutoData(PlanType.TeamsAnnually)]
+    [BitAutoData(PlanType.TeamsMonthly)]
+    public async Task SignUp_SM_Passes(PlanType planType, OrganizationSignup signup, SutProvider<CloudOrganizationSignUpCommand> sutProvider)
+    {
+        signup.Plan = planType;
+
+        var plan = StaticStore.GetPlan(signup.Plan);
+
+        signup.UseSecretsManager = true;
+        signup.AdditionalSeats = 15;
+        signup.AdditionalSmSeats = 10;
+        signup.AdditionalServiceAccounts = 20;
+        signup.PaymentMethodType = PaymentMethodType.Card;
+        signup.PremiumAccessAddon = false;
+        signup.IsFromSecretsManagerTrial = false;
+
+        var result = await sutProvider.Sut.SignUpOrganizationAsync(signup);
+
+        await sutProvider.GetDependency<IOrganizationRepository>().Received(1).CreateAsync(
+            Arg.Is<Organization>(o =>
+                o.Seats == plan.PasswordManager.BaseSeats + signup.AdditionalSeats
+                && o.SmSeats == plan.SecretsManager.BaseSeats + signup.AdditionalSmSeats
+                && o.SmServiceAccounts == plan.SecretsManager.BaseServiceAccount + signup.AdditionalServiceAccounts));
+        await sutProvider.GetDependency<IOrganizationUserRepository>().Received(1).CreateAsync(
+            Arg.Is<OrganizationUser>(o => o.AccessSecretsManager == signup.UseSecretsManager));
+
+        await sutProvider.GetDependency<IReferenceEventService>().Received(1)
+            .RaiseEventAsync(Arg.Is<ReferenceEvent>(referenceEvent =>
+                referenceEvent.Type == ReferenceEventType.Signup &&
+                referenceEvent.PlanName == plan.Name &&
+                referenceEvent.PlanType == plan.Type &&
+                referenceEvent.Seats == result.Organization.Seats &&
+                referenceEvent.Storage == result.Organization.MaxStorageGb));
+        // TODO: add reference events for SmSeats and Service Accounts - see AC-1481
+
+        Assert.NotNull(result.Organization);
+        Assert.NotNull(result.OrganizationUser);
+
+        await sutProvider.GetDependency<IPaymentService>().Received(1).PurchaseOrganizationAsync(
+            Arg.Any<Organization>(),
+            signup.PaymentMethodType.Value,
+            signup.PaymentToken,
+            Arg.Is<Plan>(plan),
+            signup.AdditionalStorageGb,
+            signup.AdditionalSeats,
+            signup.PremiumAccessAddon,
+            signup.TaxInfo,
+            false,
+            signup.AdditionalSmSeats.GetValueOrDefault(),
+            signup.AdditionalServiceAccounts.GetValueOrDefault(),
+            signup.IsFromSecretsManagerTrial
+        );
+    }
+
+    [Theory]
+    [BitAutoData(PlanType.EnterpriseAnnually)]
+    public async Task SignUp_SM_Throws_WhenManagedByMSP(PlanType planType, OrganizationSignup signup, SutProvider<CloudOrganizationSignUpCommand> sutProvider)
+    {
+        signup.Plan = planType;
+        signup.UseSecretsManager = true;
+        signup.AdditionalSeats = 15;
+        signup.AdditionalSmSeats = 10;
+        signup.AdditionalServiceAccounts = 20;
+        signup.PaymentMethodType = PaymentMethodType.Card;
+        signup.PremiumAccessAddon = false;
+        signup.IsFromProvider = true;
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.SignUpOrganizationAsync(signup));
+        Assert.Contains("Organizations with a Managed Service Provider do not support Secrets Manager.", exception.Message);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task SignUpAsync_SecretManager_AdditionalServiceAccounts_NotAllowedByPlan_ShouldThrowException(OrganizationSignup signup, SutProvider<CloudOrganizationSignUpCommand> sutProvider)
+    {
+        signup.AdditionalSmSeats = 0;
+        signup.AdditionalSeats = 0;
+        signup.Plan = PlanType.Free;
+        signup.UseSecretsManager = true;
+        signup.PaymentMethodType = PaymentMethodType.Card;
+        signup.PremiumAccessAddon = false;
+        signup.AdditionalServiceAccounts = 10;
+        signup.AdditionalStorageGb = 0;
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.SignUpOrganizationAsync(signup));
+        Assert.Contains("Plan does not allow additional Machine Accounts.", exception.Message);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task SignUpAsync_SMSeatsGreatThanPMSeat_ShouldThrowException(OrganizationSignup signup, SutProvider<CloudOrganizationSignUpCommand> sutProvider)
+    {
+        signup.AdditionalSmSeats = 100;
+        signup.AdditionalSeats = 10;
+        signup.Plan = PlanType.EnterpriseAnnually;
+        signup.UseSecretsManager = true;
+        signup.PaymentMethodType = PaymentMethodType.Card;
+        signup.PremiumAccessAddon = false;
+        signup.AdditionalServiceAccounts = 10;
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+           () => sutProvider.Sut.SignUpOrganizationAsync(signup));
+        Assert.Contains("You cannot have more Secrets Manager seats than Password Manager seats", exception.Message);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task SignUpAsync_InvalidateServiceAccount_ShouldThrowException(OrganizationSignup signup, SutProvider<CloudOrganizationSignUpCommand> sutProvider)
+    {
+        signup.AdditionalSmSeats = 10;
+        signup.AdditionalSeats = 10;
+        signup.Plan = PlanType.EnterpriseAnnually;
+        signup.UseSecretsManager = true;
+        signup.PaymentMethodType = PaymentMethodType.Card;
+        signup.PremiumAccessAddon = false;
+        signup.AdditionalServiceAccounts = -10;
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.SignUpOrganizationAsync(signup));
+        Assert.Contains("You can't subtract Machine Accounts!", exception.Message);
+    }
+}
diff --git a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
index f0b7084fe9..fc839030aa 100644
--- a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
+++ b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
@@ -20,7 +20,6 @@ using Bit.Core.Models.Business;
 using Bit.Core.Models.Data;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Models.Mail;
-using Bit.Core.Models.StaticStore;
 using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -200,221 +199,6 @@ public class OrganizationServiceTests
             referenceEvent.Users == expectedNewUsersCount));
     }
 
-    [Theory]
-    [BitAutoData(PlanType.FamiliesAnnually)]
-    public async Task SignUp_PM_Family_Passes(PlanType planType, OrganizationSignup signup, SutProvider<OrganizationService> sutProvider)
-    {
-        signup.Plan = planType;
-
-        var plan = StaticStore.GetPlan(signup.Plan);
-
-        signup.AdditionalSeats = 0;
-        signup.PaymentMethodType = PaymentMethodType.Card;
-        signup.PremiumAccessAddon = false;
-        signup.UseSecretsManager = false;
-        signup.IsFromSecretsManagerTrial = false;
-
-        var purchaseOrganizationPlan = StaticStore.GetPlan(signup.Plan);
-
-        var result = await sutProvider.Sut.SignUpAsync(signup);
-
-        await sutProvider.GetDependency<IOrganizationRepository>().Received(1).CreateAsync(
-            Arg.Is<Organization>(o =>
-                o.Seats == plan.PasswordManager.BaseSeats + signup.AdditionalSeats
-                && o.SmSeats == null
-                && o.SmServiceAccounts == null));
-        await sutProvider.GetDependency<IOrganizationUserRepository>().Received(1).CreateAsync(
-            Arg.Is<OrganizationUser>(o => o.AccessSecretsManager == signup.UseSecretsManager));
-
-        await sutProvider.GetDependency<IReferenceEventService>().Received(1)
-            .RaiseEventAsync(Arg.Is<ReferenceEvent>(referenceEvent =>
-                referenceEvent.Type == ReferenceEventType.Signup &&
-                referenceEvent.PlanName == plan.Name &&
-                referenceEvent.PlanType == plan.Type &&
-                referenceEvent.Seats == result.Item1.Seats &&
-                referenceEvent.Storage == result.Item1.MaxStorageGb));
-        // TODO: add reference events for SmSeats and Service Accounts - see AC-1481
-
-        Assert.NotNull(result.Item1);
-        Assert.NotNull(result.Item2);
-
-        await sutProvider.GetDependency<IPaymentService>().Received(1).PurchaseOrganizationAsync(
-            Arg.Any<Organization>(),
-            signup.PaymentMethodType.Value,
-            signup.PaymentToken,
-            plan,
-            signup.AdditionalStorageGb,
-            signup.AdditionalSeats,
-            signup.PremiumAccessAddon,
-            signup.TaxInfo,
-            false,
-            signup.AdditionalSmSeats.GetValueOrDefault(),
-            signup.AdditionalServiceAccounts.GetValueOrDefault(),
-            signup.UseSecretsManager
-        );
-    }
-
-    [Theory]
-    [BitAutoData(PlanType.FamiliesAnnually)]
-    public async Task SignUp_AssignsOwnerToDefaultCollection
-        (PlanType planType, OrganizationSignup signup, SutProvider<OrganizationService> sutProvider)
-    {
-        signup.Plan = planType;
-        signup.AdditionalSeats = 0;
-        signup.PaymentMethodType = PaymentMethodType.Card;
-        signup.PremiumAccessAddon = false;
-        signup.UseSecretsManager = false;
-
-        // Extract orgUserId when created
-        Guid? orgUserId = null;
-        await sutProvider.GetDependency<IOrganizationUserRepository>()
-            .CreateAsync(Arg.Do<OrganizationUser>(ou => orgUserId = ou.Id));
-
-        var result = await sutProvider.Sut.SignUpAsync(signup);
-
-        // Assert: created a Can Manage association for the default collection
-        Assert.NotNull(orgUserId);
-        await sutProvider.GetDependency<ICollectionRepository>().Received(1).CreateAsync(
-            Arg.Any<Collection>(),
-            Arg.Is<IEnumerable<CollectionAccessSelection>>(cas => cas == null),
-            Arg.Is<IEnumerable<CollectionAccessSelection>>(cas =>
-                cas.Count() == 1 &&
-                cas.All(c =>
-                    c.Id == orgUserId &&
-                    !c.ReadOnly &&
-                    !c.HidePasswords &&
-                    c.Manage)));
-
-        Assert.NotNull(result.Item1);
-        Assert.NotNull(result.Item2);
-    }
-
-    [Theory]
-    [BitAutoData(PlanType.EnterpriseAnnually)]
-    [BitAutoData(PlanType.EnterpriseMonthly)]
-    [BitAutoData(PlanType.TeamsAnnually)]
-    [BitAutoData(PlanType.TeamsMonthly)]
-    public async Task SignUp_SM_Passes(PlanType planType, OrganizationSignup signup, SutProvider<OrganizationService> sutProvider)
-    {
-        signup.Plan = planType;
-
-        var plan = StaticStore.GetPlan(signup.Plan);
-
-        signup.UseSecretsManager = true;
-        signup.AdditionalSeats = 15;
-        signup.AdditionalSmSeats = 10;
-        signup.AdditionalServiceAccounts = 20;
-        signup.PaymentMethodType = PaymentMethodType.Card;
-        signup.PremiumAccessAddon = false;
-        signup.IsFromSecretsManagerTrial = false;
-
-        var result = await sutProvider.Sut.SignUpAsync(signup);
-
-        await sutProvider.GetDependency<IOrganizationRepository>().Received(1).CreateAsync(
-            Arg.Is<Organization>(o =>
-                o.Seats == plan.PasswordManager.BaseSeats + signup.AdditionalSeats
-                && o.SmSeats == plan.SecretsManager.BaseSeats + signup.AdditionalSmSeats
-                && o.SmServiceAccounts == plan.SecretsManager.BaseServiceAccount + signup.AdditionalServiceAccounts));
-        await sutProvider.GetDependency<IOrganizationUserRepository>().Received(1).CreateAsync(
-            Arg.Is<OrganizationUser>(o => o.AccessSecretsManager == signup.UseSecretsManager));
-
-        await sutProvider.GetDependency<IReferenceEventService>().Received(1)
-            .RaiseEventAsync(Arg.Is<ReferenceEvent>(referenceEvent =>
-                referenceEvent.Type == ReferenceEventType.Signup &&
-                referenceEvent.PlanName == plan.Name &&
-                referenceEvent.PlanType == plan.Type &&
-                referenceEvent.Seats == result.Item1.Seats &&
-                referenceEvent.Storage == result.Item1.MaxStorageGb));
-        // TODO: add reference events for SmSeats and Service Accounts - see AC-1481
-
-        Assert.NotNull(result.Item1);
-        Assert.NotNull(result.Item2);
-
-        await sutProvider.GetDependency<IPaymentService>().Received(1).PurchaseOrganizationAsync(
-            Arg.Any<Organization>(),
-            signup.PaymentMethodType.Value,
-            signup.PaymentToken,
-            Arg.Is<Plan>(plan),
-            signup.AdditionalStorageGb,
-            signup.AdditionalSeats,
-            signup.PremiumAccessAddon,
-            signup.TaxInfo,
-            false,
-            signup.AdditionalSmSeats.GetValueOrDefault(),
-            signup.AdditionalServiceAccounts.GetValueOrDefault(),
-            signup.IsFromSecretsManagerTrial
-        );
-    }
-
-    [Theory]
-    [BitAutoData(PlanType.EnterpriseAnnually)]
-    public async Task SignUp_SM_Throws_WhenManagedByMSP(PlanType planType, OrganizationSignup signup, SutProvider<OrganizationService> sutProvider)
-    {
-        signup.Plan = planType;
-        signup.UseSecretsManager = true;
-        signup.AdditionalSeats = 15;
-        signup.AdditionalSmSeats = 10;
-        signup.AdditionalServiceAccounts = 20;
-        signup.PaymentMethodType = PaymentMethodType.Card;
-        signup.PremiumAccessAddon = false;
-        signup.IsFromProvider = true;
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.SignUpAsync(signup));
-        Assert.Contains("Organizations with a Managed Service Provider do not support Secrets Manager.", exception.Message);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task SignUpAsync_SecretManager_AdditionalServiceAccounts_NotAllowedByPlan_ShouldThrowException(OrganizationSignup signup, SutProvider<OrganizationService> sutProvider)
-    {
-        signup.AdditionalSmSeats = 0;
-        signup.AdditionalSeats = 0;
-        signup.Plan = PlanType.Free;
-        signup.UseSecretsManager = true;
-        signup.PaymentMethodType = PaymentMethodType.Card;
-        signup.PremiumAccessAddon = false;
-        signup.AdditionalServiceAccounts = 10;
-        signup.AdditionalStorageGb = 0;
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.SignUpAsync(signup));
-        Assert.Contains("Plan does not allow additional Machine Accounts.", exception.Message);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task SignUpAsync_SMSeatsGreatThanPMSeat_ShouldThrowException(OrganizationSignup signup, SutProvider<OrganizationService> sutProvider)
-    {
-        signup.AdditionalSmSeats = 100;
-        signup.AdditionalSeats = 10;
-        signup.Plan = PlanType.EnterpriseAnnually;
-        signup.UseSecretsManager = true;
-        signup.PaymentMethodType = PaymentMethodType.Card;
-        signup.PremiumAccessAddon = false;
-        signup.AdditionalServiceAccounts = 10;
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-           () => sutProvider.Sut.SignUpAsync(signup));
-        Assert.Contains("You cannot have more Secrets Manager seats than Password Manager seats", exception.Message);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task SignUpAsync_InvalidateServiceAccount_ShouldThrowException(OrganizationSignup signup, SutProvider<OrganizationService> sutProvider)
-    {
-        signup.AdditionalSmSeats = 10;
-        signup.AdditionalSeats = 10;
-        signup.Plan = PlanType.EnterpriseAnnually;
-        signup.UseSecretsManager = true;
-        signup.PaymentMethodType = PaymentMethodType.Card;
-        signup.PremiumAccessAddon = false;
-        signup.AdditionalServiceAccounts = -10;
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.SignUpAsync(signup));
-        Assert.Contains("You can't subtract Machine Accounts!", exception.Message);
-    }
-
     [Theory, BitAutoData]
     public async Task SignupClientAsync_Succeeds(
         OrganizationSignup signup,

From 092b0b8bd2ad8a335e5f5af52bab4046017517cc Mon Sep 17 00:00:00 2001
From: Addison Beck <addison@bitwarden.com>
Date: Fri, 6 Dec 2024 05:46:17 -0500
Subject: [PATCH 032/384] Remove `LimitCollectionCreationDeletionSplit` feature
 flag (#4809)

* Remove references to feature flag

* Demote entity property to an EF shadow property

* Add a few excludes to license file tests
---
 .../Organizations/_ViewInformation.cshtml     |  16 +-
 .../Controllers/OrganizationsController.cs    |   8 -
 .../OrganizationResponseModel.cs              |   4 -
 .../ProfileOrganizationResponseModel.cs       |   4 -
 ...rofileProviderOrganizationResponseModel.cs |   2 -
 ...nCollectionManagementUpdateRequestModel.cs |  17 +-
 .../BulkCollectionAuthorizationHandler.cs     |  54 +-
 .../AdminConsole/Entities/Organization.cs     |  18 -
 .../Data/Organizations/OrganizationAbility.cs |   4 -
 .../OrganizationUserOrganizationDetails.cs    |   2 -
 .../SelfHostedOrganizationDetails.cs          |   2 -
 .../ProviderUserOrganizationDetails.cs        |   1 -
 .../Implementations/OrganizationService.cs    |   8 -
 .../OrganizationLicenseClaimsFactory.cs       |   6 +-
 src/Core/Constants.cs                         |   2 +-
 .../Models/Business/OrganizationLicense.cs    |   2 +-
 .../AdminConsole/Models/Organization.cs       |   6 +
 .../Repositories/OrganizationRepository.cs    |   4 +-
 ...izationUserOrganizationDetailsViewQuery.cs |   2 -
 ...roviderUserOrganizationDetailsViewQuery.cs |   2 -
 ...BulkCollectionAuthorizationHandlerTests.cs | 545 +-----------------
 .../OrganizationLicenseFileFixtures.cs        |   3 +-
 .../UpdateOrganizationLicenseCommandTests.cs  |  11 +-
 .../OrganizationUserRepositoryTests.cs        |   2 -
 24 files changed, 74 insertions(+), 651 deletions(-)

diff --git a/src/Admin/AdminConsole/Views/Organizations/_ViewInformation.cshtml b/src/Admin/AdminConsole/Views/Organizations/_ViewInformation.cshtml
index f3853e16a9..a0d421235d 100644
--- a/src/Admin/AdminConsole/Views/Organizations/_ViewInformation.cshtml
+++ b/src/Admin/AdminConsole/Views/Organizations/_ViewInformation.cshtml
@@ -55,19 +55,11 @@
     <dt class="col-sm-4 col-lg-3">Administrators manage all collections</dt>
     <dd id="pm-manage-collections" class="col-sm-8 col-lg-9">@(Model.Organization.AllowAdminAccessToAllCollectionItems ? "On" : "Off")</dd>
 
-    @if (!FeatureService.IsEnabled(Bit.Core.FeatureFlagKeys.LimitCollectionCreationDeletionSplit))
-    {
-      <dt class="col-sm-4 col-lg-3">Limit collection creation to administrators</dt>
-      <dd id="pm-collection-creation" class="col-sm-8 col-lg-9">@(Model.Organization.LimitCollectionCreationDeletion ? "On" : "Off")</dd>
-    }
-    else
-    {
-      <dt class="col-sm-4 col-lg-3">Limit collection creation to administrators</dt>
-      <dd id="pm-collection-creation" class="col-sm-8 col-lg-9">@(Model.Organization.LimitCollectionCreation ? "On" : "Off")</dd>
+    <dt class="col-sm-4 col-lg-3">Limit collection creation to administrators</dt>
+    <dd id="pm-collection-creation" class="col-sm-8 col-lg-9">@(Model.Organization.LimitCollectionCreation ? "On" : "Off")</dd>
 
-      <dt class="col-sm-4 col-lg-3">Limit collection deletion to administrators</dt>
-      <dd id="pm-collection-deletion" class="col-sm-8 col-lg-9">@(Model.Organization.LimitCollectionDeletion ? "On" : "Off")</dd>
-    }
+    <dt class="col-sm-4 col-lg-3">Limit collection deletion to administrators</dt>
+    <dd id="pm-collection-deletion" class="col-sm-8 col-lg-9">@(Model.Organization.LimitCollectionDeletion ? "On" : "Off")</dd>
 </dl>
 
 <h2>Secrets Manager</h2>
diff --git a/src/Api/AdminConsole/Controllers/OrganizationsController.cs b/src/Api/AdminConsole/Controllers/OrganizationsController.cs
index 6ffd60e425..4421af3a9a 100644
--- a/src/Api/AdminConsole/Controllers/OrganizationsController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationsController.cs
@@ -526,14 +526,6 @@ public class OrganizationsController : Controller
     [HttpPut("{id}/collection-management")]
     public async Task<OrganizationResponseModel> PutCollectionManagement(Guid id, [FromBody] OrganizationCollectionManagementUpdateRequestModel model)
     {
-        if (
-          _globalSettings.SelfHosted &&
-          !_featureService.IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit)
-        )
-        {
-            throw new BadRequestException("Only allowed when not self hosted.");
-        }
-
         var organization = await _organizationRepository.GetByIdAsync(id);
         if (organization == null)
         {
diff --git a/src/Api/AdminConsole/Models/Response/Organizations/OrganizationResponseModel.cs b/src/Api/AdminConsole/Models/Response/Organizations/OrganizationResponseModel.cs
index 908a3a9385..116b4b1238 100644
--- a/src/Api/AdminConsole/Models/Response/Organizations/OrganizationResponseModel.cs
+++ b/src/Api/AdminConsole/Models/Response/Organizations/OrganizationResponseModel.cs
@@ -57,8 +57,6 @@ public class OrganizationResponseModel : ResponseModel
         MaxAutoscaleSmServiceAccounts = organization.MaxAutoscaleSmServiceAccounts;
         LimitCollectionCreation = organization.LimitCollectionCreation;
         LimitCollectionDeletion = organization.LimitCollectionDeletion;
-        // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
-        LimitCollectionCreationDeletion = organization.LimitCollectionCreationDeletion;
         AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
         UseRiskInsights = organization.UseRiskInsights;
     }
@@ -104,8 +102,6 @@ public class OrganizationResponseModel : ResponseModel
     public int? MaxAutoscaleSmServiceAccounts { get; set; }
     public bool LimitCollectionCreation { get; set; }
     public bool LimitCollectionDeletion { get; set; }
-    // Deperectated: https://bitwarden.atlassian.net/browse/PM-10863
-    public bool LimitCollectionCreationDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
     public bool UseRiskInsights { get; set; }
 }
diff --git a/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs b/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs
index 96b86de164..75e4c44a6d 100644
--- a/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs
+++ b/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs
@@ -67,8 +67,6 @@ public class ProfileOrganizationResponseModel : ResponseModel
         AccessSecretsManager = organization.AccessSecretsManager;
         LimitCollectionCreation = organization.LimitCollectionCreation;
         LimitCollectionDeletion = organization.LimitCollectionDeletion;
-        // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
-        LimitCollectionCreationDeletion = organization.LimitCollectionCreationDeletion;
         AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
         UserIsManagedByOrganization = organizationIdsManagingUser.Contains(organization.OrganizationId);
         UseRiskInsights = organization.UseRiskInsights;
@@ -130,8 +128,6 @@ public class ProfileOrganizationResponseModel : ResponseModel
     public bool AccessSecretsManager { get; set; }
     public bool LimitCollectionCreation { get; set; }
     public bool LimitCollectionDeletion { get; set; }
-    // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
-    public bool LimitCollectionCreationDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
     /// <summary>
     /// Indicates if the organization manages the user.
diff --git a/src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs b/src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs
index 4ec86a29a4..7227d7a11a 100644
--- a/src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs
+++ b/src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs
@@ -46,8 +46,6 @@ public class ProfileProviderOrganizationResponseModel : ProfileOrganizationRespo
         ProductTierType = StaticStore.GetPlan(organization.PlanType).ProductTier;
         LimitCollectionCreation = organization.LimitCollectionCreation;
         LimitCollectionDeletion = organization.LimitCollectionDeletion;
-        // https://bitwarden.atlassian.net/browse/PM-10863
-        LimitCollectionCreationDeletion = organization.LimitCollectionCreationDeletion;
         AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
         UseRiskInsights = organization.UseRiskInsights;
     }
diff --git a/src/Api/Models/Request/Organizations/OrganizationCollectionManagementUpdateRequestModel.cs b/src/Api/Models/Request/Organizations/OrganizationCollectionManagementUpdateRequestModel.cs
index a5a6f1f74f..94f842ca1e 100644
--- a/src/Api/Models/Request/Organizations/OrganizationCollectionManagementUpdateRequestModel.cs
+++ b/src/Api/Models/Request/Organizations/OrganizationCollectionManagementUpdateRequestModel.cs
@@ -1,5 +1,4 @@
-using Bit.Core;
-using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Services;
 
 namespace Bit.Api.Models.Request.Organizations;
@@ -8,22 +7,12 @@ public class OrganizationCollectionManagementUpdateRequestModel
 {
     public bool LimitCollectionCreation { get; set; }
     public bool LimitCollectionDeletion { get; set; }
-    // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
-    public bool LimitCreateDeleteOwnerAdmin { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
 
     public virtual Organization ToOrganization(Organization existingOrganization, IFeatureService featureService)
     {
-        if (featureService.IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit))
-        {
-            existingOrganization.LimitCollectionCreation = LimitCollectionCreation;
-            existingOrganization.LimitCollectionDeletion = LimitCollectionDeletion;
-        }
-        else
-        {
-            existingOrganization.LimitCollectionCreationDeletion = LimitCreateDeleteOwnerAdmin || LimitCollectionCreation || LimitCollectionDeletion;
-        }
-
+        existingOrganization.LimitCollectionCreation = LimitCollectionCreation;
+        existingOrganization.LimitCollectionDeletion = LimitCollectionDeletion;
         existingOrganization.AllowAdminAccessToAllCollectionItems = AllowAdminAccessToAllCollectionItems;
         return existingOrganization;
     }
diff --git a/src/Api/Vault/AuthorizationHandlers/Collections/BulkCollectionAuthorizationHandler.cs b/src/Api/Vault/AuthorizationHandlers/Collections/BulkCollectionAuthorizationHandler.cs
index c26d5b5952..909064c522 100644
--- a/src/Api/Vault/AuthorizationHandlers/Collections/BulkCollectionAuthorizationHandler.cs
+++ b/src/Api/Vault/AuthorizationHandlers/Collections/BulkCollectionAuthorizationHandler.cs
@@ -1,6 +1,5 @@
 #nullable enable
 using System.Diagnostics;
-using Bit.Core;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -124,24 +123,15 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
             return true;
         }
 
-        if (_featureService.IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit))
+        var organizationAbility = await GetOrganizationAbilityAsync(org);
+
+        var userIsMemberOfOrg = org is not null;
+        var limitCollectionCreationEnabled = await GetOrganizationAbilityAsync(org) is { LimitCollectionCreation: true };
+        var userIsOrgOwnerOrAdmin = org is { Type: OrganizationUserType.Owner or OrganizationUserType.Admin };
+        // If the limit collection management setting is disabled, allow any user to create collections
+        if (userIsMemberOfOrg && (!limitCollectionCreationEnabled || userIsOrgOwnerOrAdmin))
         {
-            var userIsMemberOfOrg = org is not null;
-            var limitCollectionCreationEnabled = await GetOrganizationAbilityAsync(org) is { LimitCollectionCreation: true };
-            var userIsOrgOwnerOrAdmin = org is { Type: OrganizationUserType.Owner or OrganizationUserType.Admin };
-            // If the limit collection management setting is disabled, allow any user to create collections
-            if (userIsMemberOfOrg && (!limitCollectionCreationEnabled || userIsOrgOwnerOrAdmin))
-            {
-                return true;
-            }
-        }
-        else
-        {
-            // If the limit collection management setting is disabled, allow any user to create collections
-            if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
-            {
-                return true;
-            }
+            return true;
         }
 
         // Allow provider users to create collections if they are a provider for the target organization
@@ -267,29 +257,13 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
             return true;
         }
 
-        if (_featureService.IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit))
+        var userIsMemberOfOrg = org is not null;
+        var limitCollectionDeletionEnabled = await GetOrganizationAbilityAsync(org) is { LimitCollectionDeletion: true };
+        var userIsOrgOwnerOrAdmin = org is { Type: OrganizationUserType.Owner or OrganizationUserType.Admin };
+        // If the limit collection management setting is disabled, allow any user to delete collections
+        if (userIsMemberOfOrg && (!limitCollectionDeletionEnabled || userIsOrgOwnerOrAdmin) && await CanManageCollectionsAsync(resources, org))
         {
-            var userIsMemberOfOrg = org is not null;
-            var limitCollectionDeletionEnabled = await GetOrganizationAbilityAsync(org) is { LimitCollectionDeletion: true };
-            var userIsOrgOwnerOrAdmin = org is { Type: OrganizationUserType.Owner or OrganizationUserType.Admin };
-            // If the limit collection management setting is disabled, allow any user to delete collections
-            if (userIsMemberOfOrg && (!limitCollectionDeletionEnabled || userIsOrgOwnerOrAdmin) && await CanManageCollectionsAsync(resources, org))
-            {
-                return true;
-            }
-        }
-        else
-        {
-            // If LimitCollectionCreationDeletion is false, AllowAdminAccessToAllCollectionItems setting is irrelevant.
-            // Ensure acting user has manage permissions for all collections being deleted
-            // If LimitCollectionCreationDeletion is true, only Owners and Admins can delete collections they manage
-            var organizationAbility = await GetOrganizationAbilityAsync(org);
-            var canDeleteManagedCollections = organizationAbility is { LimitCollectionCreationDeletion: false } ||
-                                              org is { Type: OrganizationUserType.Owner or OrganizationUserType.Admin };
-            if (canDeleteManagedCollections && await CanManageCollectionsAsync(resources, org))
-            {
-                return true;
-            }
+            return true;
         }
 
         // Allow providers to delete collections if they are a provider for the target organization
diff --git a/src/Core/AdminConsole/Entities/Organization.cs b/src/Core/AdminConsole/Entities/Organization.cs
index 720a77d6a4..37e21d7f57 100644
--- a/src/Core/AdminConsole/Entities/Organization.cs
+++ b/src/Core/AdminConsole/Entities/Organization.cs
@@ -96,18 +96,6 @@ public class Organization : ITableObject<Guid>, IStorableSubscriber, IRevisable,
     /// </summary>
     public bool LimitCollectionCreation { get; set; }
     public bool LimitCollectionDeletion { get; set; }
-    // Deprecated by https://bitwarden.atlassian.net/browse/PM-10863. This
-    // was replaced with `LimitCollectionCreation` and
-    // `LimitCollectionDeletion`.
-    public bool LimitCollectionCreationDeletion
-    {
-        get => LimitCollectionCreation || LimitCollectionDeletion;
-        set
-        {
-            LimitCollectionCreation = value;
-            LimitCollectionDeletion = value;
-        }
-    }
 
     /// <summary>
     /// If set to true, admins, owners, and some custom users can read/write all collections and items in the Admin Console.
@@ -319,11 +307,5 @@ public class Organization : ITableObject<Guid>, IStorableSubscriber, IRevisable,
         UseSecretsManager = license.UseSecretsManager;
         SmSeats = license.SmSeats;
         SmServiceAccounts = license.SmServiceAccounts;
-
-        if (!featureService.IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit))
-        {
-            LimitCollectionCreationDeletion = license.LimitCollectionCreationDeletion;
-            AllowAdminAccessToAllCollectionItems = license.AllowAdminAccessToAllCollectionItems;
-        }
     }
 }
diff --git a/src/Core/AdminConsole/Models/Data/Organizations/OrganizationAbility.cs b/src/Core/AdminConsole/Models/Data/Organizations/OrganizationAbility.cs
index 0da0928dbe..6392e483ce 100644
--- a/src/Core/AdminConsole/Models/Data/Organizations/OrganizationAbility.cs
+++ b/src/Core/AdminConsole/Models/Data/Organizations/OrganizationAbility.cs
@@ -23,8 +23,6 @@ public class OrganizationAbility
         UsePolicies = organization.UsePolicies;
         LimitCollectionCreation = organization.LimitCollectionCreation;
         LimitCollectionDeletion = organization.LimitCollectionDeletion;
-        // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
-        LimitCollectionCreationDeletion = organization.LimitCollectionCreationDeletion;
         AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
         UseRiskInsights = organization.UseRiskInsights;
     }
@@ -43,8 +41,6 @@ public class OrganizationAbility
     public bool UsePolicies { get; set; }
     public bool LimitCollectionCreation { get; set; }
     public bool LimitCollectionDeletion { get; set; }
-    // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
-    public bool LimitCollectionCreationDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
     public bool UseRiskInsights { get; set; }
 }
diff --git a/src/Core/AdminConsole/Models/Data/Organizations/OrganizationUsers/OrganizationUserOrganizationDetails.cs b/src/Core/AdminConsole/Models/Data/Organizations/OrganizationUsers/OrganizationUserOrganizationDetails.cs
index 7b9ea971d3..e06b6bd66a 100644
--- a/src/Core/AdminConsole/Models/Data/Organizations/OrganizationUsers/OrganizationUserOrganizationDetails.cs
+++ b/src/Core/AdminConsole/Models/Data/Organizations/OrganizationUsers/OrganizationUserOrganizationDetails.cs
@@ -56,8 +56,6 @@ public class OrganizationUserOrganizationDetails
     public int? SmServiceAccounts { get; set; }
     public bool LimitCollectionCreation { get; set; }
     public bool LimitCollectionDeletion { get; set; }
-    // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
-    public bool LimitCollectionCreationDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
     public bool UseRiskInsights { get; set; }
 }
diff --git a/src/Core/AdminConsole/Models/Data/Organizations/SelfHostedOrganizationDetails.cs b/src/Core/AdminConsole/Models/Data/Organizations/SelfHostedOrganizationDetails.cs
index 1fa547d98b..bd727f707b 100644
--- a/src/Core/AdminConsole/Models/Data/Organizations/SelfHostedOrganizationDetails.cs
+++ b/src/Core/AdminConsole/Models/Data/Organizations/SelfHostedOrganizationDetails.cs
@@ -146,8 +146,6 @@ public class SelfHostedOrganizationDetails : Organization
             OwnersNotifiedOfAutoscaling = OwnersNotifiedOfAutoscaling,
             LimitCollectionCreation = LimitCollectionCreation,
             LimitCollectionDeletion = LimitCollectionDeletion,
-            // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
-            LimitCollectionCreationDeletion = LimitCollectionCreationDeletion,
             AllowAdminAccessToAllCollectionItems = AllowAdminAccessToAllCollectionItems,
             Status = Status
         };
diff --git a/src/Core/AdminConsole/Models/Data/Provider/ProviderUserOrganizationDetails.cs b/src/Core/AdminConsole/Models/Data/Provider/ProviderUserOrganizationDetails.cs
index c2880b543f..f37cc644d4 100644
--- a/src/Core/AdminConsole/Models/Data/Provider/ProviderUserOrganizationDetails.cs
+++ b/src/Core/AdminConsole/Models/Data/Provider/ProviderUserOrganizationDetails.cs
@@ -42,7 +42,6 @@ public class ProviderUserOrganizationDetails
     public PlanType PlanType { get; set; }
     public bool LimitCollectionCreation { get; set; }
     public bool LimitCollectionDeletion { get; set; }
-    public bool LimitCollectionCreationDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
     public bool UseRiskInsights { get; set; }
 }
diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index 1ca047aa47..eebe76baef 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -581,14 +581,6 @@ public class OrganizationService : IOrganizationService
             SmServiceAccounts = license.SmServiceAccounts,
         };
 
-        // These fields are being removed from consideration when processing
-        // licenses.
-        if (!_featureService.IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit))
-        {
-            organization.LimitCollectionCreationDeletion = license.LimitCollectionCreationDeletion;
-            organization.AllowAdminAccessToAllCollectionItems = license.AllowAdminAccessToAllCollectionItems;
-        }
-
         var result = await SignUpAsync(organization, owner.Id, ownerKey, collectionName, false);
 
         var dir = $"{_globalSettings.LicenseDirectory}/organization";
diff --git a/src/Core/Billing/Licenses/Services/Implementations/OrganizationLicenseClaimsFactory.cs b/src/Core/Billing/Licenses/Services/Implementations/OrganizationLicenseClaimsFactory.cs
index 300b87dcca..1aac7bb1d8 100644
--- a/src/Core/Billing/Licenses/Services/Implementations/OrganizationLicenseClaimsFactory.cs
+++ b/src/Core/Billing/Licenses/Services/Implementations/OrganizationLicenseClaimsFactory.cs
@@ -52,7 +52,11 @@ public class OrganizationLicenseClaimsFactory : ILicenseClaimsFactory<Organizati
             new(nameof(OrganizationLicenseConstants.UseSecretsManager), entity.UseSecretsManager.ToString()),
             new(nameof(OrganizationLicenseConstants.SmSeats), entity.SmSeats.ToString()),
             new(nameof(OrganizationLicenseConstants.SmServiceAccounts), entity.SmServiceAccounts.ToString()),
-            new(nameof(OrganizationLicenseConstants.LimitCollectionCreationDeletion), entity.LimitCollectionCreationDeletion.ToString()),
+            // LimitCollectionCreationDeletion was split and removed from the
+            // license. Left here with an assignment from the new values for
+            // backwards compatibility.
+            new(nameof(OrganizationLicenseConstants.LimitCollectionCreationDeletion),
+                (entity.LimitCollectionCreation || entity.LimitCollectionDeletion).ToString()),
             new(nameof(OrganizationLicenseConstants.AllowAdminAccessToAllCollectionItems), entity.AllowAdminAccessToAllCollectionItems.ToString()),
             new(nameof(OrganizationLicenseConstants.Expires), expires.ToString(CultureInfo.InvariantCulture)),
             new(nameof(OrganizationLicenseConstants.Refresh), refresh.ToString(CultureInfo.InvariantCulture)),
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 8c1456793d..75e154f041 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -144,7 +144,7 @@ public static class FeatureFlagKeys
     public const string AccessIntelligence = "pm-13227-access-intelligence";
     public const string VerifiedSsoDomainEndpoint = "pm-12337-refactor-sso-details-endpoint";
     public const string PM12275_MultiOrganizationEnterprises = "pm-12275-multi-organization-enterprises";
-    public const string LimitCollectionCreationDeletionSplit = "pm-10863-limit-collection-creation-deletion-split";
+    public const string Pm13322AddPolicyDefinitions = "pm-13322-add-policy-definitions";
     public const string GeneratorToolsModernization = "generator-tools-modernization";
     public const string NewDeviceVerification = "new-device-verification";
     public const string RiskInsightsCriticalApplication = "pm-14466-risk-insights-critical-application";
diff --git a/src/Core/Models/Business/OrganizationLicense.cs b/src/Core/Models/Business/OrganizationLicense.cs
index 37a086646c..d280a81023 100644
--- a/src/Core/Models/Business/OrganizationLicense.cs
+++ b/src/Core/Models/Business/OrganizationLicense.cs
@@ -57,7 +57,7 @@ public class OrganizationLicense : ILicense
         SmServiceAccounts = org.SmServiceAccounts;
 
         // Deprecated. Left for backwards compatibility with old license versions.
-        LimitCollectionCreationDeletion = org.LimitCollectionCreationDeletion;
+        LimitCollectionCreationDeletion = org.LimitCollectionCreation || org.LimitCollectionDeletion;
         AllowAdminAccessToAllCollectionItems = org.AllowAdminAccessToAllCollectionItems;
         //
 
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Models/Organization.cs b/src/Infrastructure.EntityFramework/AdminConsole/Models/Organization.cs
index d7f83d829d..39968142bb 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Models/Organization.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Models/Organization.cs
@@ -9,6 +9,11 @@ namespace Bit.Infrastructure.EntityFramework.AdminConsole.Models;
 
 public class Organization : Core.AdminConsole.Entities.Organization
 {
+    // Shadow property. To be removed by
+    // https://bitwarden.atlassian.net/browse/PM-10863.
+    // This was replaced with `LimitCollectionCreation` and
+    // `LimitCollectionDeletion`.
+    public bool LimitCollectionCreationDeletion { get; set; }
     public virtual ICollection<Cipher> Ciphers { get; set; }
     public virtual ICollection<OrganizationUser> OrganizationUsers { get; set; }
     public virtual ICollection<Group> Groups { get; set; }
@@ -38,6 +43,7 @@ public class OrganizationMapperProfile : Profile
             .ForMember(org => org.ApiKeys, opt => opt.Ignore())
             .ForMember(org => org.Connections, opt => opt.Ignore())
             .ForMember(org => org.Domains, opt => opt.Ignore())
+            .ForMember(org => org.LimitCollectionCreationDeletion, opt => opt.Ignore())
             .ReverseMap();
 
         CreateProjection<Organization, SelfHostedOrganizationDetails>()
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
index 7a667db8f5..fb3766c6c7 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
@@ -101,10 +101,8 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
                 UsePolicies = e.UsePolicies,
                 LimitCollectionCreation = e.LimitCollectionCreation,
                 LimitCollectionDeletion = e.LimitCollectionDeletion,
-                // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
-                LimitCollectionCreationDeletion = e.LimitCollectionCreationDeletion,
                 AllowAdminAccessToAllCollectionItems = e.AllowAdminAccessToAllCollectionItems,
-                UseRiskInsights = e.UseRiskInsights,
+                UseRiskInsights = e.UseRiskInsights
             }).ToListAsync();
         }
     }
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationUserOrganizationDetailsViewQuery.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationUserOrganizationDetailsViewQuery.cs
index 7e71557dcb..c93903ab0f 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationUserOrganizationDetailsViewQuery.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationUserOrganizationDetailsViewQuery.cs
@@ -68,8 +68,6 @@ public class OrganizationUserOrganizationDetailsViewQuery : IQuery<OrganizationU
                         SmServiceAccounts = o.SmServiceAccounts,
                         LimitCollectionCreation = o.LimitCollectionCreation,
                         LimitCollectionDeletion = o.LimitCollectionDeletion,
-                        // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
-                        LimitCollectionCreationDeletion = o.LimitCollectionCreationDeletion,
                         AllowAdminAccessToAllCollectionItems = o.AllowAdminAccessToAllCollectionItems,
                         UseRiskInsights = o.UseRiskInsights,
                     };
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/ProviderUserOrganizationDetailsViewQuery.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/ProviderUserOrganizationDetailsViewQuery.cs
index 2697f06fb5..7d9974d117 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/ProviderUserOrganizationDetailsViewQuery.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/ProviderUserOrganizationDetailsViewQuery.cs
@@ -46,8 +46,6 @@ public class ProviderUserOrganizationDetailsViewQuery : IQuery<ProviderUserOrgan
             PlanType = x.o.PlanType,
             LimitCollectionCreation = x.o.LimitCollectionCreation,
             LimitCollectionDeletion = x.o.LimitCollectionDeletion,
-            // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
-            LimitCollectionCreationDeletion = x.o.LimitCollectionCreationDeletion,
             AllowAdminAccessToAllCollectionItems = x.o.AllowAdminAccessToAllCollectionItems,
             UseRiskInsights = x.o.UseRiskInsights,
         });
diff --git a/test/Api.Test/Vault/AuthorizationHandlers/BulkCollectionAuthorizationHandlerTests.cs b/test/Api.Test/Vault/AuthorizationHandlers/BulkCollectionAuthorizationHandlerTests.cs
index 3336c0f4d0..846f5ac731 100644
--- a/test/Api.Test/Vault/AuthorizationHandlers/BulkCollectionAuthorizationHandlerTests.cs
+++ b/test/Api.Test/Vault/AuthorizationHandlers/BulkCollectionAuthorizationHandlerTests.cs
@@ -1,6 +1,5 @@
 using System.Security.Claims;
 using Bit.Api.Vault.AuthorizationHandlers.Collections;
-using Bit.Core;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -33,10 +32,7 @@ public class BulkCollectionAuthorizationHandlerTests
         organization.Type = userType;
         organization.Permissions = new Permissions();
 
-        // `LimitCollectonCreationDeletionSplit` feature flag state isn't
-        // relevant for this test. The flag is never checked for in this
-        // test. This is asserted below.
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureEnabled(sutProvider, organization, true, true);
+        ArrangeOrganizationAbility(sutProvider, organization, true, true);
 
         var context = new AuthorizationHandlerContext(
             new[] { BulkCollectionOperations.Create },
@@ -48,12 +44,11 @@ public class BulkCollectionAuthorizationHandlerTests
 
         await sutProvider.Sut.HandleAsync(context);
 
-        sutProvider.GetDependency<IFeatureService>().DidNotReceiveWithAnyArgs().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
         Assert.True(context.HasSucceeded);
     }
 
     [Theory, BitAutoData, CollectionCustomization]
-    public async Task CanCreateAsync_WhenUser_WithLimitCollectionCreationFalse_WithLimitCollectionCreationDeletionSplitFeatureDisabled_Success(
+    public async Task CanCreateAsync_WhenUser_WithLimitCollectionCreationFalse_Success(
         SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
         ICollection<Collection> collections,
         CurrentContextOrganization organization)
@@ -62,7 +57,7 @@ public class BulkCollectionAuthorizationHandlerTests
 
         organization.Type = OrganizationUserType.User;
 
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureDisabled(sutProvider, organization, false, false);
+        ArrangeOrganizationAbility(sutProvider, organization, false, false);
 
         var context = new AuthorizationHandlerContext(
             new[] { BulkCollectionOperations.Create },
@@ -71,49 +66,16 @@ public class BulkCollectionAuthorizationHandlerTests
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit)
-            .Returns(false);
 
         await sutProvider.Sut.HandleAsync(context);
 
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
-        Assert.True(context.HasSucceeded);
-    }
-
-    [Theory, BitAutoData, CollectionCustomization]
-    public async Task CanCreateAsync_WhenUser_WithLimitCollectionCreationFalse_WithLimitCollectionCreationDeletionSplitFeatureEnabled_Success(
-        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
-        ICollection<Collection> collections,
-        CurrentContextOrganization organization)
-    {
-        var actingUserId = Guid.NewGuid();
-
-        organization.Type = OrganizationUserType.User;
-
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureEnabled(sutProvider, organization, false, false);
-
-        var context = new AuthorizationHandlerContext(
-            new[] { BulkCollectionOperations.Create },
-            new ClaimsPrincipal(),
-            collections);
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit)
-            .Returns(true);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
         Assert.True(context.HasSucceeded);
     }
 
     [Theory, CollectionCustomization]
     [BitAutoData(OrganizationUserType.User)]
     [BitAutoData(OrganizationUserType.Custom)]
-    public async Task CanCreateAsync_WhenMissingPermissions_WithLimitCollectionCreationDeletionSplitFeatureDisabled_NoSuccess(
+    public async Task CanCreateAsync_WhenMissingPermissions_NoSuccess(
         OrganizationUserType userType,
         SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
         ICollection<Collection> collections,
@@ -130,7 +92,7 @@ public class BulkCollectionAuthorizationHandlerTests
             ManageUsers = false
         };
 
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureDisabled(sutProvider, organization, true, true);
+        ArrangeOrganizationAbility(sutProvider, organization, true, true);
 
         var context = new AuthorizationHandlerContext(
             new[] { BulkCollectionOperations.Create },
@@ -140,61 +102,21 @@ public class BulkCollectionAuthorizationHandlerTests
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
         sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit).Returns(false);
 
         await sutProvider.Sut.HandleAsync(context);
 
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
-        Assert.False(context.HasSucceeded);
-    }
-
-    [Theory, CollectionCustomization]
-    [BitAutoData(OrganizationUserType.User)]
-    [BitAutoData(OrganizationUserType.Custom)]
-    public async Task CanCreateAsync_WhenMissingPermissions_WithLimitCollectionCreationDeletionSplitFeatureEnabled_NoSuccess(
-        OrganizationUserType userType,
-        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
-        ICollection<Collection> collections,
-        CurrentContextOrganization organization)
-    {
-        var actingUserId = Guid.NewGuid();
-
-        organization.Type = userType;
-        organization.Permissions = new Permissions
-        {
-            EditAnyCollection = false,
-            DeleteAnyCollection = false,
-            ManageGroups = false,
-            ManageUsers = false
-        };
-
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureEnabled(sutProvider, organization, true, true);
-
-        var context = new AuthorizationHandlerContext(
-            new[] { BulkCollectionOperations.Create },
-            new ClaimsPrincipal(),
-            collections);
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit).Returns(true);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
         Assert.False(context.HasSucceeded);
     }
 
     [Theory, BitAutoData, CollectionCustomization]
-    public async Task CanCreateAsync_WhenMissingOrgAccess_WithLimitCollectionCreationDeletionSplitDisabled_NoSuccess(
+    public async Task CanCreateAsync_WhenMissingOrgAccess_NoSuccess(
         Guid userId,
         CurrentContextOrganization organization,
         List<Collection> collections,
         SutProvider<BulkCollectionAuthorizationHandler> sutProvider)
     {
         collections.ForEach(c => c.OrganizationId = organization.Id);
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureDisabled(sutProvider, organization, true, true);
+        ArrangeOrganizationAbility(sutProvider, organization, true, true);
 
         var context = new AuthorizationHandlerContext(
             new[] { BulkCollectionOperations.Create },
@@ -205,38 +127,9 @@ public class BulkCollectionAuthorizationHandlerTests
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
         sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit).Returns(false);
 
         await sutProvider.Sut.HandleAsync(context);
 
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
-        Assert.False(context.HasSucceeded);
-    }
-
-    [Theory, BitAutoData, CollectionCustomization]
-    public async Task CanCreateAsync_WhenMissingOrgAccess_WithLimitCollectionCreationDeletionSplitEnabled_NoSuccess(
-        Guid userId,
-        CurrentContextOrganization organization,
-        List<Collection> collections,
-        SutProvider<BulkCollectionAuthorizationHandler> sutProvider)
-    {
-        collections.ForEach(c => c.OrganizationId = organization.Id);
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureEnabled(sutProvider, organization, true, true);
-
-        var context = new AuthorizationHandlerContext(
-            new[] { BulkCollectionOperations.Create },
-            new ClaimsPrincipal(),
-            collections
-        );
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
-        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit).Returns(true);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
         Assert.False(context.HasSucceeded);
     }
 
@@ -1015,7 +908,7 @@ public class BulkCollectionAuthorizationHandlerTests
         // `LimitCollectonCreationDeletionSplit` feature flag state isn't
         // relevant for this test. The flag is never checked for in this
         // test. This is asserted below.
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureEnabled(sutProvider, organization, true, true);
+        ArrangeOrganizationAbility(sutProvider, organization, true, true);
 
         var context = new AuthorizationHandlerContext(
             new[] { BulkCollectionOperations.Delete },
@@ -1027,7 +920,6 @@ public class BulkCollectionAuthorizationHandlerTests
 
         await sutProvider.Sut.HandleAsync(context);
 
-        sutProvider.GetDependency<IFeatureService>().DidNotReceiveWithAnyArgs().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
         Assert.True(context.HasSucceeded);
     }
 
@@ -1046,7 +938,7 @@ public class BulkCollectionAuthorizationHandlerTests
         // `LimitCollectonCreationDeletionSplit` feature flag state isn't
         // relevant for this test. The flag is never checked for in this
         // test. This is asserted below.
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureEnabled(sutProvider, organization, true, true);
+        ArrangeOrganizationAbility(sutProvider, organization, true, true);
 
         var context = new AuthorizationHandlerContext(
             new[] { BulkCollectionOperations.Delete },
@@ -1058,12 +950,11 @@ public class BulkCollectionAuthorizationHandlerTests
 
         await sutProvider.Sut.HandleAsync(context);
 
-        sutProvider.GetDependency<IFeatureService>().DidNotReceiveWithAnyArgs().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
         Assert.True(context.HasSucceeded);
     }
 
     [Theory, BitAutoData, CollectionCustomization]
-    public async Task CanDeleteAsync_WhenUser_LimitCollectionDeletionFalse_WithCanManagePermission_WithLimitCollectionCreationDeletionSplitFeatureDisabled_Success(
+    public async Task CanDeleteAsync_WhenUser_LimitCollectionDeletionFalse_WithCanManagePermission_Success(
         SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
         ICollection<CollectionDetails> collections,
         CurrentContextOrganization organization)
@@ -1073,12 +964,11 @@ public class BulkCollectionAuthorizationHandlerTests
         organization.Type = OrganizationUserType.User;
         organization.Permissions = new Permissions();
 
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureDisabled(sutProvider, organization, false, false);
+        ArrangeOrganizationAbility(sutProvider, organization, false, false);
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
         sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collections);
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit).Returns(false);
 
         foreach (var c in collections)
         {
@@ -1092,41 +982,6 @@ public class BulkCollectionAuthorizationHandlerTests
 
         await sutProvider.Sut.HandleAsync(context);
 
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
-        Assert.True(context.HasSucceeded);
-    }
-
-    [Theory, BitAutoData, CollectionCustomization]
-    public async Task CanDeleteAsync_WhenUser_LimitCollectionDeletionFalse_WithCanManagePermission_WithLimitCollectionCreationDeletionSplitFeatureEnabled_Success(
-        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
-        ICollection<CollectionDetails> collections,
-        CurrentContextOrganization organization)
-    {
-        var actingUserId = Guid.NewGuid();
-
-        organization.Type = OrganizationUserType.User;
-        organization.Permissions = new Permissions();
-
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureEnabled(sutProvider, organization, false, false);
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collections);
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit).Returns(true);
-
-        foreach (var c in collections)
-        {
-            c.Manage = true;
-        }
-
-        var context = new AuthorizationHandlerContext(
-                new[] { BulkCollectionOperations.Delete },
-                new ClaimsPrincipal(),
-                collections);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
         Assert.True(context.HasSucceeded);
     }
 
@@ -1134,7 +989,7 @@ public class BulkCollectionAuthorizationHandlerTests
     [BitAutoData(OrganizationUserType.Admin)]
     [BitAutoData(OrganizationUserType.Owner)]
     [BitAutoData(OrganizationUserType.User)]
-    public async Task CanDeleteAsync_LimitCollectionDeletionFalse_AllowAdminAccessToAllCollectionItemsFalse_WithCanManagePermission_WithLimitCollectionCreationDeletionSplitFeatureDisabled_Success(
+    public async Task CanDeleteAsync_LimitCollectionDeletionFalse_AllowAdminAccessToAllCollectionItemsFalse_WithCanManagePermission_Success(
         OrganizationUserType userType,
         SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
         ICollection<CollectionDetails> collections,
@@ -1145,12 +1000,11 @@ public class BulkCollectionAuthorizationHandlerTests
         organization.Type = userType;
         organization.Permissions = new Permissions();
 
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureDisabled(sutProvider, organization, false, false, false);
+        ArrangeOrganizationAbility(sutProvider, organization, false, false, false);
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
         sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collections);
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit).Returns(false);
 
         foreach (var c in collections)
         {
@@ -1164,15 +1018,13 @@ public class BulkCollectionAuthorizationHandlerTests
 
         await sutProvider.Sut.HandleAsync(context);
 
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
         Assert.True(context.HasSucceeded);
     }
 
     [Theory, CollectionCustomization]
     [BitAutoData(OrganizationUserType.Admin)]
     [BitAutoData(OrganizationUserType.Owner)]
-    [BitAutoData(OrganizationUserType.User)]
-    public async Task CanDeleteAsync_LimitCollectionDeletionFalse_AllowAdminAccessToAllCollectionItemsFalse_WithCanManagePermission_WithLimitCollectionCreationDeletionSplitFeatureEnabled_Success(
+    public async Task CanDeleteAsync_WhenAdminOrOwner_LimitCollectionDeletionTrue_AllowAdminAccessToAllCollectionItemsFalse_WithCanManagePermission_Success(
         OrganizationUserType userType,
         SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
         ICollection<CollectionDetails> collections,
@@ -1183,12 +1035,11 @@ public class BulkCollectionAuthorizationHandlerTests
         organization.Type = userType;
         organization.Permissions = new Permissions();
 
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureEnabled(sutProvider, organization, false, false, false);
+        ArrangeOrganizationAbility(sutProvider, organization, true, true, false);
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
         sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collections);
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit).Returns(true);
 
         foreach (var c in collections)
         {
@@ -1202,14 +1053,13 @@ public class BulkCollectionAuthorizationHandlerTests
 
         await sutProvider.Sut.HandleAsync(context);
 
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
         Assert.True(context.HasSucceeded);
     }
 
     [Theory, CollectionCustomization]
     [BitAutoData(OrganizationUserType.Admin)]
     [BitAutoData(OrganizationUserType.Owner)]
-    public async Task CanDeleteAsync_WhenAdminOrOwner_LimitCollectionDeletionTrue_AllowAdminAccessToAllCollectionItemsFalse_WithCanManagePermission_WithLimitCollectionCreationDeletionSplitFeatureDisabled_Success(
+    public async Task CanDeleteAsync_WhenAdminOrOwner_LimitCollectionDeletionTrue_AllowAdminAccessToAllCollectionItemsFalse_WithoutCanManagePermission_Failure(
         OrganizationUserType userType,
         SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
         ICollection<CollectionDetails> collections,
@@ -1220,87 +1070,12 @@ public class BulkCollectionAuthorizationHandlerTests
         organization.Type = userType;
         organization.Permissions = new Permissions();
 
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureDisabled(sutProvider, organization, true, true, false);
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collections);
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit).Returns(false);
-
-        foreach (var c in collections)
-        {
-            c.Manage = true;
-        }
-
-        var context = new AuthorizationHandlerContext(
-            new[] { BulkCollectionOperations.Delete },
-            new ClaimsPrincipal(),
-            collections);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
-        Assert.True(context.HasSucceeded);
-    }
-
-    [Theory, CollectionCustomization]
-    [BitAutoData(OrganizationUserType.Admin)]
-    [BitAutoData(OrganizationUserType.Owner)]
-    public async Task CanDeleteAsync_WhenAdminOrOwner_LimitCollectionDeletionTrue_AllowAdminAccessToAllCollectionItemsFalse_WithCanManagePermission_WithLimitCollectionCreationDeletionSplitFeatureEnabled_Success(
-        OrganizationUserType userType,
-        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
-        ICollection<CollectionDetails> collections,
-        CurrentContextOrganization organization)
-    {
-        var actingUserId = Guid.NewGuid();
-
-        organization.Type = userType;
-        organization.Permissions = new Permissions();
-
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureEnabled(sutProvider, organization, true, true, false);
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collections);
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit).Returns(true);
-
-        foreach (var c in collections)
-        {
-            c.Manage = true;
-        }
-
-        var context = new AuthorizationHandlerContext(
-            new[] { BulkCollectionOperations.Delete },
-            new ClaimsPrincipal(),
-            collections);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
-        Assert.True(context.HasSucceeded);
-    }
-
-    [Theory, CollectionCustomization]
-    [BitAutoData(OrganizationUserType.Admin)]
-    [BitAutoData(OrganizationUserType.Owner)]
-    public async Task CanDeleteAsync_WhenAdminOrOwner_LimitCollectionDeletionTrue_AllowAdminAccessToAllCollectionItemsFalse_WithoutCanManagePermission_WithLimitCollectionCreationDeletionSplitFeatureDisabled_Failure(
-        OrganizationUserType userType,
-        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
-        ICollection<CollectionDetails> collections,
-        CurrentContextOrganization organization)
-    {
-        var actingUserId = Guid.NewGuid();
-
-        organization.Type = userType;
-        organization.Permissions = new Permissions();
-
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureDisabled(sutProvider, organization, true, true, false);
+        ArrangeOrganizationAbility(sutProvider, organization, true, true, false);
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
         sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collections);
         sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit).Returns(false);
 
         foreach (var c in collections)
         {
@@ -1314,50 +1089,11 @@ public class BulkCollectionAuthorizationHandlerTests
 
         await sutProvider.Sut.HandleAsync(context);
 
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
-        Assert.False(context.HasSucceeded);
-    }
-
-    [Theory, CollectionCustomization]
-    [BitAutoData(OrganizationUserType.Admin)]
-    [BitAutoData(OrganizationUserType.Owner)]
-    public async Task CanDeleteAsync_WhenAdminOrOwner_LimitCollectionDeletionTrue_AllowAdminAccessToAllCollectionItemsFalse_WithoutCanManagePermission_WithLimitCollectionCreationDeletionSplitFeatureEnabled_Failure(
-        OrganizationUserType userType,
-        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
-        ICollection<CollectionDetails> collections,
-        CurrentContextOrganization organization)
-    {
-        var actingUserId = Guid.NewGuid();
-
-        organization.Type = userType;
-        organization.Permissions = new Permissions();
-
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureEnabled(sutProvider, organization, true, true, false);
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collections);
-        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit).Returns(true);
-
-        foreach (var c in collections)
-        {
-            c.Manage = false;
-        }
-
-        var context = new AuthorizationHandlerContext(
-            new[] { BulkCollectionOperations.Delete },
-            new ClaimsPrincipal(),
-            collections);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
         Assert.False(context.HasSucceeded);
     }
 
     [Theory, BitAutoData, CollectionCustomization]
-    public async Task CanDeleteAsync_WhenUser_LimitCollectionDeletionTrue_AllowAdminAccessToAllCollectionItemsTrue_WithLimitCollectionCreationDeletionSplitFeatureDisabled_Failure(
+    public async Task CanDeleteAsync_WhenUser_LimitCollectionDeletionTrue_AllowAdminAccessToAllCollectionItemsTrue_Failure(
         SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
         ICollection<CollectionDetails> collections,
         CurrentContextOrganization organization)
@@ -1367,13 +1103,12 @@ public class BulkCollectionAuthorizationHandlerTests
         organization.Type = OrganizationUserType.User;
         organization.Permissions = new Permissions();
 
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureDisabled(sutProvider, organization, true, true);
+        ArrangeOrganizationAbility(sutProvider, organization, true, true);
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
         sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collections);
         sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit).Returns(false);
 
         foreach (var c in collections)
         {
@@ -1387,12 +1122,11 @@ public class BulkCollectionAuthorizationHandlerTests
 
         await sutProvider.Sut.HandleAsync(context);
 
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
         Assert.False(context.HasSucceeded);
     }
 
     [Theory, BitAutoData, CollectionCustomization]
-    public async Task CanDeleteAsync_WhenUser_LimitCollectionDeletionTrue_AllowAdminAccessToAllCollectionItemsTrue_WithLimitCollectionCreationDeletionSplitFeatureEnabled_Failure(
+    public async Task CanDeleteAsync_WhenUser_LimitCollectionDeletionTrue_AllowAdminAccessToAllCollectionItemsFalse_Failure(
         SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
         ICollection<CollectionDetails> collections,
         CurrentContextOrganization organization)
@@ -1402,13 +1136,12 @@ public class BulkCollectionAuthorizationHandlerTests
         organization.Type = OrganizationUserType.User;
         organization.Permissions = new Permissions();
 
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureEnabled(sutProvider, organization, true, true);
+        ArrangeOrganizationAbility(sutProvider, organization, true, true, false);
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
         sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collections);
         sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit).Returns(true);
 
         foreach (var c in collections)
         {
@@ -1422,88 +1155,13 @@ public class BulkCollectionAuthorizationHandlerTests
 
         await sutProvider.Sut.HandleAsync(context);
 
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
-        Assert.False(context.HasSucceeded);
-    }
-
-    [Theory, BitAutoData, CollectionCustomization]
-    public async Task CanDeleteAsync_WhenUser_LimitCollectionDeletionTrue_AllowAdminAccessToAllCollectionItemsFalse_WithLimitCollectionCreationDeletionSplitFeatureDisabled_Failure(
-        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
-        ICollection<CollectionDetails> collections,
-        CurrentContextOrganization organization)
-    {
-        var actingUserId = Guid.NewGuid();
-
-        organization.Type = OrganizationUserType.User;
-        organization.Permissions = new Permissions();
-
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureDisabled(sutProvider, organization, true, true, false);
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collections);
-        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit)
-            .Returns(false);
-
-        foreach (var c in collections)
-        {
-            c.Manage = true;
-        }
-
-        var context = new AuthorizationHandlerContext(
-            new[] { BulkCollectionOperations.Delete },
-            new ClaimsPrincipal(),
-            collections);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
-        Assert.False(context.HasSucceeded);
-    }
-
-    [Theory, BitAutoData, CollectionCustomization]
-    public async Task CanDeleteAsync_WhenUser_LimitCollectionDeletionTrue_AllowAdminAccessToAllCollectionItemsFalse_WithLimitCollectionCreationDeletionSplitFeatureEnabled_Failure(
-        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
-        ICollection<CollectionDetails> collections,
-        CurrentContextOrganization organization)
-    {
-        var actingUserId = Guid.NewGuid();
-
-        organization.Type = OrganizationUserType.User;
-        organization.Permissions = new Permissions();
-
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureEnabled(sutProvider, organization, true, true, false);
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collections);
-        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit)
-            .Returns(true);
-
-        foreach (var c in collections)
-        {
-            c.Manage = true;
-        }
-
-        var context = new AuthorizationHandlerContext(
-            new[] { BulkCollectionOperations.Delete },
-            new ClaimsPrincipal(),
-            collections);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
         Assert.False(context.HasSucceeded);
     }
 
     [Theory, CollectionCustomization]
     [BitAutoData(OrganizationUserType.User)]
     [BitAutoData(OrganizationUserType.Custom)]
-    public async Task CanDeleteAsync_WhenMissingPermissions_WithLimitCollectionCreationDeletionSplitFeatureDisabled_NoSuccess(
+    public async Task CanDeleteAsync_WhenMissingPermissions_NoSuccess(
         OrganizationUserType userType,
         SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
         ICollection<Collection> collections,
@@ -1520,7 +1178,7 @@ public class BulkCollectionAuthorizationHandlerTests
             ManageUsers = false
         };
 
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureDisabled(sutProvider, organization, true, true);
+        ArrangeOrganizationAbility(sutProvider, organization, true, true);
 
         var context = new AuthorizationHandlerContext(
             new[] { BulkCollectionOperations.Delete },
@@ -1530,54 +1188,14 @@ public class BulkCollectionAuthorizationHandlerTests
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
         sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit).Returns(false);
 
         await sutProvider.Sut.HandleAsync(context);
 
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
-        Assert.False(context.HasSucceeded);
-    }
-
-    [Theory, CollectionCustomization]
-    [BitAutoData(OrganizationUserType.User)]
-    [BitAutoData(OrganizationUserType.Custom)]
-    public async Task CanDeleteAsync_WhenMissingPermissions_WithLimitCollectionCreationDeletionSplitFeatureEnabled_NoSuccess(
-        OrganizationUserType userType,
-        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
-        ICollection<Collection> collections,
-        CurrentContextOrganization organization)
-    {
-        var actingUserId = Guid.NewGuid();
-
-        organization.Type = userType;
-        organization.Permissions = new Permissions
-        {
-            EditAnyCollection = false,
-            DeleteAnyCollection = false,
-            ManageGroups = false,
-            ManageUsers = false
-        };
-
-        ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureEnabled(sutProvider, organization, true, true);
-
-        var context = new AuthorizationHandlerContext(
-            new[] { BulkCollectionOperations.Delete },
-            new ClaimsPrincipal(),
-            collections);
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit).Returns(true);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
         Assert.False(context.HasSucceeded);
     }
 
     [Theory, BitAutoData, CollectionCustomization]
-    public async Task CanDeleteAsync_WhenMissingOrgAccess_WithLimitCollectionCreationDeletionSplitFeatureDisabled_NoSuccess(
+    public async Task CanDeleteAsync_WhenMissingOrgAccess_NoSuccess(
         Guid userId,
         ICollection<Collection> collections,
         SutProvider<BulkCollectionAuthorizationHandler> sutProvider)
@@ -1591,34 +1209,9 @@ public class BulkCollectionAuthorizationHandlerTests
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
         sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit).Returns(false);
 
         await sutProvider.Sut.HandleAsync(context);
 
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
-        Assert.False(context.HasSucceeded);
-    }
-
-    [Theory, BitAutoData, CollectionCustomization]
-    public async Task CanDeleteAsync_WhenMissingOrgAccess_WithLimitCollectionCreationDeletionSplitFeatureEnabled_NoSuccess(
-        Guid userId,
-        ICollection<Collection> collections,
-        SutProvider<BulkCollectionAuthorizationHandler> sutProvider)
-    {
-        var context = new AuthorizationHandlerContext(
-            new[] { BulkCollectionOperations.Delete },
-            new ClaimsPrincipal(),
-            collections
-        );
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
-        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit).Returns(true);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        sutProvider.GetDependency<IFeatureService>().Received(1).IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
         Assert.False(context.HasSucceeded);
     }
 
@@ -1639,7 +1232,6 @@ public class BulkCollectionAuthorizationHandlerTests
         await sutProvider.Sut.HandleAsync(context);
         Assert.True(context.HasFailed);
         sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs();
-        sutProvider.GetDependency<IFeatureService>().DidNotReceiveWithAnyArgs().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
     }
 
     [Theory, BitAutoData, CollectionCustomization]
@@ -1663,66 +1255,10 @@ public class BulkCollectionAuthorizationHandlerTests
         var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.HandleAsync(context));
         Assert.Equal("Requested collections must belong to the same organization.", exception.Message);
         sutProvider.GetDependency<ICurrentContext>().DidNotReceiveWithAnyArgs().GetOrganization(default);
-        sutProvider.GetDependency<IFeatureService>().DidNotReceiveWithAnyArgs().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit);
     }
 
     [Theory, BitAutoData, CollectionCustomization]
-    public async Task HandleRequirementAsync_Provider_WithLimitCollectionCreationDeletionSplitFeatureDisabled_Success(
-        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
-        ICollection<Collection> collections)
-    {
-        var actingUserId = Guid.NewGuid();
-        var orgId = collections.First().OrganizationId;
-
-        var organizationAbilities = new Dictionary<Guid, OrganizationAbility>
-        {
-            { collections.First().OrganizationId,
-                new OrganizationAbility
-                {
-                    LimitCollectionCreationDeletion = true,
-                    AllowAdminAccessToAllCollectionItems = true
-                }
-            }
-        };
-
-        var operationsToTest = new[]
-        {
-            BulkCollectionOperations.Create,
-            BulkCollectionOperations.Read,
-            BulkCollectionOperations.ReadAccess,
-            BulkCollectionOperations.Update,
-            BulkCollectionOperations.ModifyUserAccess,
-            BulkCollectionOperations.ModifyGroupAccess,
-            BulkCollectionOperations.Delete,
-        };
-
-        foreach (var op in operationsToTest)
-        {
-            sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-            sutProvider.GetDependency<ICurrentContext>().GetOrganization(orgId).Returns((CurrentContextOrganization)null);
-            sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync()
-                .Returns(organizationAbilities);
-            sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(true);
-            sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit).Returns(false);
-
-            var context = new AuthorizationHandlerContext(
-                new[] { op },
-                new ClaimsPrincipal(),
-                collections
-            );
-
-            await sutProvider.Sut.HandleAsync(context);
-
-            Assert.True(context.HasSucceeded);
-            await sutProvider.GetDependency<ICurrentContext>().Received().ProviderUserForOrgAsync(orgId);
-
-            // Recreate the SUT to reset the mocks/dependencies between tests
-            sutProvider.Recreate();
-        }
-    }
-
-    [Theory, BitAutoData, CollectionCustomization]
-    public async Task HandleRequirementAsync_Provider_WithLimitCollectionCreationDeletionSplitFeatureEnabled_Success(
+    public async Task HandleRequirementAsync_Provider_Success(
         SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
         ICollection<Collection> collections)
     {
@@ -1759,7 +1295,6 @@ public class BulkCollectionAuthorizationHandlerTests
             sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync()
                 .Returns(organizationAbilities);
             sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(true);
-            sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit).Returns(true);
 
             var context = new AuthorizationHandlerContext(
                 new[] { op },
@@ -1810,30 +1345,12 @@ public class BulkCollectionAuthorizationHandlerTests
         await sutProvider.GetDependency<ICollectionRepository>().Received(1).GetManyByUserIdAsync(Arg.Any<Guid>());
     }
 
-    private static void ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureDisabled(
-        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
-        CurrentContextOrganization organization,
-        bool limitCollectionCreation,
-        bool limitCollectionDeletion,
-        bool allowAdminAccessToAllCollectionItems = true)
-    {
-        var organizationAbility = new OrganizationAbility();
-        organizationAbility.Id = organization.Id;
-
-        organizationAbility.LimitCollectionCreationDeletion = limitCollectionCreation || limitCollectionDeletion;
-
-        organizationAbility.AllowAdminAccessToAllCollectionItems = allowAdminAccessToAllCollectionItems;
-
-        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organizationAbility.Id)
-            .Returns(organizationAbility);
-    }
-
-    private static void ArrangeOrganizationAbility_WithLimitCollectionCreationDeletionSplitFeatureEnabled(
-        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
-        CurrentContextOrganization organization,
-        bool limitCollectionCreation,
-        bool limitCollectionDeletion,
-        bool allowAdminAccessToAllCollectionItems = true)
+    private static void ArrangeOrganizationAbility(
+         SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
+         CurrentContextOrganization organization,
+         bool limitCollectionCreation,
+         bool limitCollectionDeletion,
+         bool allowAdminAccessToAllCollectionItems = true)
     {
         var organizationAbility = new OrganizationAbility();
         organizationAbility.Id = organization.Id;
diff --git a/test/Core.Test/Models/Business/OrganizationLicenseFileFixtures.cs b/test/Core.Test/Models/Business/OrganizationLicenseFileFixtures.cs
index 500c4475a9..de5fb25fca 100644
--- a/test/Core.Test/Models/Business/OrganizationLicenseFileFixtures.cs
+++ b/test/Core.Test/Models/Business/OrganizationLicenseFileFixtures.cs
@@ -111,7 +111,8 @@ public static class OrganizationLicenseFileFixtures
             SmServiceAccounts = 8,
             MaxAutoscaleSmSeats = 101,
             MaxAutoscaleSmServiceAccounts = 102,
-            LimitCollectionCreationDeletion = true,
+            LimitCollectionCreation = true,
+            LimitCollectionDeletion = true,
             AllowAdminAccessToAllCollectionItems = true,
         };
 }
diff --git a/test/Core.Test/OrganizationFeatures/OrganizationLicenses/UpdateOrganizationLicenseCommandTests.cs b/test/Core.Test/OrganizationFeatures/OrganizationLicenses/UpdateOrganizationLicenseCommandTests.cs
index b8e677177c..420d330aaa 100644
--- a/test/Core.Test/OrganizationFeatures/OrganizationLicenses/UpdateOrganizationLicenseCommandTests.cs
+++ b/test/Core.Test/OrganizationFeatures/OrganizationLicenses/UpdateOrganizationLicenseCommandTests.cs
@@ -83,11 +83,12 @@ public class UpdateOrganizationLicenseCommandTests
                 .Received(1)
                 .ReplaceAndUpdateCacheAsync(Arg.Is<Organization>(
                     org => AssertPropertyEqual(license, org,
-                               "Id", "MaxStorageGb", "Issued", "Refresh", "Version", "Trial", "LicenseType",
-                               "Hash", "Signature", "SignatureBytes", "InstallationId", "Expires",
-                               "ExpirationWithoutGracePeriod", "Token") &&
-                           // Same property but different name, use explicit mapping
-                           org.ExpirationDate == license.Expires));
+                        "Id", "MaxStorageGb", "Issued", "Refresh", "Version", "Trial", "LicenseType",
+                        "Hash", "Signature", "SignatureBytes", "InstallationId", "Expires",
+                        "ExpirationWithoutGracePeriod", "Token", "LimitCollectionCreationDeletion",
+                        "LimitCollectionCreation", "LimitCollectionDeletion", "AllowAdminAccessToAllCollectionItems") &&
+                         // Same property but different name, use explicit mapping
+                         org.ExpirationDate == license.Expires));
         }
         finally
         {
diff --git a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs
index 4732d8a474..aee4beb8ce 100644
--- a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs
@@ -255,8 +255,6 @@ public class OrganizationUserRepositoryTests
         Assert.Equal(organization.SmServiceAccounts, result.SmServiceAccounts);
         Assert.Equal(organization.LimitCollectionCreation, result.LimitCollectionCreation);
         Assert.Equal(organization.LimitCollectionDeletion, result.LimitCollectionDeletion);
-        // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
-        Assert.Equal(organization.LimitCollectionCreationDeletion, result.LimitCollectionCreationDeletion);
         Assert.Equal(organization.AllowAdminAccessToAllCollectionItems, result.AllowAdminAccessToAllCollectionItems);
         Assert.Equal(organization.UseRiskInsights, result.UseRiskInsights);
     }

From 9ebddd223acc6e0408e30caf6d24213873369b69 Mon Sep 17 00:00:00 2001
From: Opeyemi <Alaoopeyemi101@gmail.com>
Date: Fri, 6 Dec 2024 16:53:52 +0000
Subject: [PATCH 033/384] [BRE-470] - Update Renovate Conf for BRE team (#5123)

---
 .github/renovate.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/renovate.json b/.github/renovate.json
index ac08134041..5779b28edb 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -26,7 +26,7 @@
     },
     {
       "matchManagers": ["github-actions", "dockerfile", "docker-compose"],
-      "commitMessagePrefix": "[deps] DevOps:"
+      "commitMessagePrefix": "[deps] BRE:"
     },
     {
       "matchPackageNames": ["DnsClient"],
@@ -116,8 +116,8 @@
     {
       "matchPackageNames": ["CommandDotNet", "YamlDotNet"],
       "description": "DevOps owned dependencies",
-      "commitMessagePrefix": "[deps] DevOps:",
-      "reviewers": ["team:dept-devops"]
+      "commitMessagePrefix": "[deps] BRE:",
+      "reviewers": ["team:dept-bre"]
     },
     {
       "matchPackageNames": [

From fb5db40f4c8fa6b2324c85280935525ae827f03e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=9F=E6=AD=A6=2E=E5=B0=BC=E5=BE=B7=E9=9C=8D=E6=A0=BC?=
 =?UTF-8?q?=2E=E9=BE=8D?= <7708801314520.tony@gmail.com>
Date: Sat, 7 Dec 2024 02:34:50 +0800
Subject: [PATCH 034/384] Update docker reference link (#5096)

Update docker reference link

Co-authored-by: Daniel James Smith <2670567+djsmith85@users.noreply.github.com>
---
 util/Setup/Templates/DockerCompose.hbs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/util/Setup/Templates/DockerCompose.hbs b/util/Setup/Templates/DockerCompose.hbs
index d9ad6c4613..ffe9121089 100644
--- a/util/Setup/Templates/DockerCompose.hbs
+++ b/util/Setup/Templates/DockerCompose.hbs
@@ -1,8 +1,8 @@
 #
 # Useful references:
-# https://docs.docker.com/compose/compose-file/
-# https://docs.docker.com/compose/reference/overview/#use--f-to-specify-name-and-path-of-one-or-more-compose-files
-# https://docs.docker.com/compose/reference/envvars/
+# https://docs.docker.com/reference/compose-file/
+# https://docs.docker.com/reference/cli/docker/compose/#use--f-to-specify-the-name-and-path-of-one-or-more-compose-files
+# https://docs.docker.com/compose/how-tos/environment-variables/envvars/
 #
 #########################################################################
 # WARNING: This file is generated. Do not make changes to this file.    #

From c591997d0136a6126308444068cfa89f604c531f Mon Sep 17 00:00:00 2001
From: Brandon Treston <btreston@bitwarden.com>
Date: Fri, 6 Dec 2024 14:40:47 -0500
Subject: [PATCH 035/384] [PM-13013] add delete many async method to i user
 repository and i user service for bulk user deletion (#5035)

* Add DeleteManyAsync method and stored procedure

* Add DeleteManyAsync and tests

* removed stored procedure, refactor User_DeleteById to accept multiple Ids

* add sproc, refactor tests

* revert existing sproc

* add bulk delete to IUserService

* fix sproc

* fix and add tests

* add migration script, fix test

* Add feature flag

* add feature flag to tests for deleteManyAsync

* enable nullable, delete only user that pass validation

* revert changes to DeleteAsync

* Cleanup whitespace

* remove redundant feature flag

* fix tests

* move DeleteManyAsync from UserService into DeleteManagedOrganizationUserAccountCommand

* refactor validation, remove unneeded tasks

* refactor tests, remove unused service
---
 ...teManagedOrganizationUserAccountCommand.cs |  86 +++++++++-
 src/Core/Repositories/IUserRepository.cs      |   1 +
 .../Repositories/UserRepository.cs            |  12 ++
 .../Repositories/UserRepository.cs            |  47 ++++++
 .../Stored Procedures/User_DeleteByIds.sql    | 158 ++++++++++++++++++
 ...agedOrganizationUserAccountCommandTests.cs |  12 +-
 .../Auth/Repositories/UserRepositoryTests.cs  |  99 +++++++++++
 .../2024-11-22_00_UserDeleteByIds.sql         | 158 ++++++++++++++++++
 8 files changed, 565 insertions(+), 8 deletions(-)
 create mode 100644 src/Sql/dbo/Stored Procedures/User_DeleteByIds.sql
 create mode 100644 test/Infrastructure.IntegrationTest/Auth/Repositories/UserRepositoryTests.cs
 create mode 100644 util/Migrator/DbScripts/2024-11-22_00_UserDeleteByIds.sql

diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommand.cs
index 0bcd16cee1..cb7e2a6250 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommand.cs
@@ -1,10 +1,14 @@
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
+using Bit.Core.Tools.Enums;
+using Bit.Core.Tools.Models.Business;
+using Bit.Core.Tools.Services;
 
 #nullable enable
 
@@ -19,7 +23,10 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz
     private readonly IUserRepository _userRepository;
     private readonly ICurrentContext _currentContext;
     private readonly IHasConfirmedOwnersExceptQuery _hasConfirmedOwnersExceptQuery;
-
+    private readonly IReferenceEventService _referenceEventService;
+    private readonly IPushNotificationService _pushService;
+    private readonly IOrganizationRepository _organizationRepository;
+    private readonly IProviderUserRepository _providerUserRepository;
     public DeleteManagedOrganizationUserAccountCommand(
         IUserService userService,
         IEventService eventService,
@@ -27,7 +34,11 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz
         IOrganizationUserRepository organizationUserRepository,
         IUserRepository userRepository,
         ICurrentContext currentContext,
-        IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery)
+        IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery,
+        IReferenceEventService referenceEventService,
+        IPushNotificationService pushService,
+        IOrganizationRepository organizationRepository,
+        IProviderUserRepository providerUserRepository)
     {
         _userService = userService;
         _eventService = eventService;
@@ -36,6 +47,10 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz
         _userRepository = userRepository;
         _currentContext = currentContext;
         _hasConfirmedOwnersExceptQuery = hasConfirmedOwnersExceptQuery;
+        _referenceEventService = referenceEventService;
+        _pushService = pushService;
+        _organizationRepository = organizationRepository;
+        _providerUserRepository = providerUserRepository;
     }
 
     public async Task DeleteUserAsync(Guid organizationId, Guid organizationUserId, Guid? deletingUserId)
@@ -89,7 +104,8 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz
                     throw new NotFoundException("Member not found.");
                 }
 
-                await _userService.DeleteAsync(user);
+                await ValidateUserMembershipAndPremiumAsync(user);
+
                 results.Add((orgUserId, string.Empty));
             }
             catch (Exception ex)
@@ -98,6 +114,15 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz
             }
         }
 
+        var orgUserResultsToDelete = results.Where(result => string.IsNullOrEmpty(result.ErrorMessage));
+        var orgUsersToDelete = orgUsers.Where(orgUser => orgUserResultsToDelete.Any(result => orgUser.Id == result.OrganizationUserId));
+        var usersToDelete = users.Where(user => orgUsersToDelete.Any(orgUser => orgUser.UserId == user.Id));
+
+        if (usersToDelete.Any())
+        {
+            await DeleteManyAsync(usersToDelete);
+        }
+
         await LogDeletedOrganizationUsersAsync(orgUsers, results);
 
         return results;
@@ -158,4 +183,59 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz
             await _eventService.LogOrganizationUserEventsAsync(events);
         }
     }
+    private async Task DeleteManyAsync(IEnumerable<User> users)
+    {
+
+        await _userRepository.DeleteManyAsync(users);
+        foreach (var user in users)
+        {
+            await _referenceEventService.RaiseEventAsync(
+                new ReferenceEvent(ReferenceEventType.DeleteAccount, user, _currentContext));
+            await _pushService.PushLogOutAsync(user.Id);
+        }
+
+    }
+
+    private async Task ValidateUserMembershipAndPremiumAsync(User user)
+    {
+        // Check if user is the only owner of any organizations.
+        var onlyOwnerCount = await _organizationUserRepository.GetCountByOnlyOwnerAsync(user.Id);
+        if (onlyOwnerCount > 0)
+        {
+            throw new BadRequestException("Cannot delete this user because it is the sole owner of at least one organization. Please delete these organizations or upgrade another user.");
+        }
+
+        var orgs = await _organizationUserRepository.GetManyDetailsByUserAsync(user.Id, OrganizationUserStatusType.Confirmed);
+        if (orgs.Count == 1)
+        {
+            var org = await _organizationRepository.GetByIdAsync(orgs.First().OrganizationId);
+            if (org != null && (!org.Enabled || string.IsNullOrWhiteSpace(org.GatewaySubscriptionId)))
+            {
+                var orgCount = await _organizationUserRepository.GetCountByOrganizationIdAsync(org.Id);
+                if (orgCount <= 1)
+                {
+                    await _organizationRepository.DeleteAsync(org);
+                }
+                else
+                {
+                    throw new BadRequestException("Cannot delete this user because it is the sole owner of at least one organization. Please delete these organizations or upgrade another user.");
+                }
+            }
+        }
+
+        var onlyOwnerProviderCount = await _providerUserRepository.GetCountByOnlyOwnerAsync(user.Id);
+        if (onlyOwnerProviderCount > 0)
+        {
+            throw new BadRequestException("Cannot delete this user because it is the sole owner of at least one provider. Please delete these providers or upgrade another user.");
+        }
+
+        if (!string.IsNullOrWhiteSpace(user.GatewaySubscriptionId))
+        {
+            try
+            {
+                await _userService.CancelPremiumAsync(user);
+            }
+            catch (GatewayException) { }
+        }
+    }
 }
diff --git a/src/Core/Repositories/IUserRepository.cs b/src/Core/Repositories/IUserRepository.cs
index 22e2ec1a07..040e6e1f49 100644
--- a/src/Core/Repositories/IUserRepository.cs
+++ b/src/Core/Repositories/IUserRepository.cs
@@ -32,4 +32,5 @@ public interface IUserRepository : IRepository<User, Guid>
     /// <param name="updateDataActions">Registered database calls to update re-encrypted data.</param>
     Task UpdateUserKeyAndEncryptedDataAsync(User user,
         IEnumerable<UpdateEncryptedDataForKeyRotation> updateDataActions);
+    Task DeleteManyAsync(IEnumerable<User> users);
 }
diff --git a/src/Infrastructure.Dapper/Repositories/UserRepository.cs b/src/Infrastructure.Dapper/Repositories/UserRepository.cs
index 9e613fdf08..227a7c03e5 100644
--- a/src/Infrastructure.Dapper/Repositories/UserRepository.cs
+++ b/src/Infrastructure.Dapper/Repositories/UserRepository.cs
@@ -172,6 +172,18 @@ public class UserRepository : Repository<User, Guid>, IUserRepository
                 commandTimeout: 180);
         }
     }
+    public async Task DeleteManyAsync(IEnumerable<User> users)
+    {
+        var ids = users.Select(user => user.Id);
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            await connection.ExecuteAsync(
+                $"[{Schema}].[{Table}_DeleteByIds]",
+                new { Ids = JsonSerializer.Serialize(ids) },
+                commandType: CommandType.StoredProcedure,
+                commandTimeout: 180);
+        }
+    }
 
     public async Task UpdateStorageAsync(Guid id)
     {
diff --git a/src/Infrastructure.EntityFramework/Repositories/UserRepository.cs b/src/Infrastructure.EntityFramework/Repositories/UserRepository.cs
index d234d25455..cbfefb6483 100644
--- a/src/Infrastructure.EntityFramework/Repositories/UserRepository.cs
+++ b/src/Infrastructure.EntityFramework/Repositories/UserRepository.cs
@@ -261,6 +261,53 @@ public class UserRepository : Repository<Core.Entities.User, User, Guid>, IUserR
             var mappedUser = Mapper.Map<User>(user);
             dbContext.Users.Remove(mappedUser);
 
+            await transaction.CommitAsync();
+            await dbContext.SaveChangesAsync();
+        }
+    }
+
+    public async Task DeleteManyAsync(IEnumerable<Core.Entities.User> users)
+    {
+        using (var scope = ServiceScopeFactory.CreateScope())
+        {
+            var dbContext = GetDatabaseContext(scope);
+
+            var transaction = await dbContext.Database.BeginTransactionAsync();
+
+            var targetIds = users.Select(u => u.Id).ToList();
+
+            await dbContext.WebAuthnCredentials.Where(wa => targetIds.Contains(wa.UserId)).ExecuteDeleteAsync();
+            await dbContext.Ciphers.Where(c => targetIds.Contains(c.UserId ?? default)).ExecuteDeleteAsync();
+            await dbContext.Folders.Where(f => targetIds.Contains(f.UserId)).ExecuteDeleteAsync();
+            await dbContext.AuthRequests.Where(a => targetIds.Contains(a.UserId)).ExecuteDeleteAsync();
+            await dbContext.Devices.Where(d => targetIds.Contains(d.UserId)).ExecuteDeleteAsync();
+            var collectionUsers = from cu in dbContext.CollectionUsers
+                                  join ou in dbContext.OrganizationUsers on cu.OrganizationUserId equals ou.Id
+                                  where targetIds.Contains(ou.UserId ?? default)
+                                  select cu;
+            dbContext.CollectionUsers.RemoveRange(collectionUsers);
+            var groupUsers = from gu in dbContext.GroupUsers
+                             join ou in dbContext.OrganizationUsers on gu.OrganizationUserId equals ou.Id
+                             where targetIds.Contains(ou.UserId ?? default)
+                             select gu;
+            dbContext.GroupUsers.RemoveRange(groupUsers);
+            await dbContext.UserProjectAccessPolicy.Where(ap => targetIds.Contains(ap.OrganizationUser.UserId ?? default)).ExecuteDeleteAsync();
+            await dbContext.UserServiceAccountAccessPolicy.Where(ap => targetIds.Contains(ap.OrganizationUser.UserId ?? default)).ExecuteDeleteAsync();
+            await dbContext.OrganizationUsers.Where(ou => targetIds.Contains(ou.UserId ?? default)).ExecuteDeleteAsync();
+            await dbContext.ProviderUsers.Where(pu => targetIds.Contains(pu.UserId ?? default)).ExecuteDeleteAsync();
+            await dbContext.SsoUsers.Where(su => targetIds.Contains(su.UserId)).ExecuteDeleteAsync();
+            await dbContext.EmergencyAccesses.Where(ea => targetIds.Contains(ea.GrantorId) || targetIds.Contains(ea.GranteeId ?? default)).ExecuteDeleteAsync();
+            await dbContext.Sends.Where(s => targetIds.Contains(s.UserId ?? default)).ExecuteDeleteAsync();
+            await dbContext.NotificationStatuses.Where(ns => targetIds.Contains(ns.UserId)).ExecuteDeleteAsync();
+            await dbContext.Notifications.Where(n => targetIds.Contains(n.UserId ?? default)).ExecuteDeleteAsync();
+
+            foreach (var u in users)
+            {
+                var mappedUser = Mapper.Map<User>(u);
+                dbContext.Users.Remove(mappedUser);
+            }
+
+
             await transaction.CommitAsync();
             await dbContext.SaveChangesAsync();
         }
diff --git a/src/Sql/dbo/Stored Procedures/User_DeleteByIds.sql b/src/Sql/dbo/Stored Procedures/User_DeleteByIds.sql
new file mode 100644
index 0000000000..97ab955f83
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/User_DeleteByIds.sql	
@@ -0,0 +1,158 @@
+CREATE PROCEDURE [dbo].[User_DeleteByIds]
+    @Ids NVARCHAR(MAX)
+WITH RECOMPILE
+AS
+BEGIN
+    SET NOCOUNT ON
+    -- Declare a table variable to hold the parsed JSON data
+    DECLARE @ParsedIds TABLE (Id UNIQUEIDENTIFIER);
+
+    -- Parse the JSON input into the table variable
+    INSERT INTO @ParsedIds (Id)
+    SELECT value
+    FROM OPENJSON(@Ids);
+
+    -- Check if the input table is empty
+    IF (SELECT COUNT(1) FROM @ParsedIds) < 1
+    BEGIN
+        RETURN(-1);
+    END
+
+    DECLARE @BatchSize INT = 100
+
+    -- Delete ciphers
+    WHILE @BatchSize > 0
+    BEGIN
+        BEGIN TRANSACTION User_DeleteById_Ciphers
+
+        DELETE TOP(@BatchSize)
+        FROM
+            [dbo].[Cipher]
+        WHERE
+            [UserId] IN (SELECT * FROM @ParsedIds)
+
+        SET @BatchSize = @@ROWCOUNT
+
+        COMMIT TRANSACTION User_DeleteById_Ciphers
+    END
+
+    BEGIN TRANSACTION User_DeleteById
+
+    -- Delete WebAuthnCredentials
+    DELETE
+    FROM
+        [dbo].[WebAuthnCredential]
+    WHERE
+        [UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete folders
+    DELETE
+    FROM
+        [dbo].[Folder]
+    WHERE
+        [UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete AuthRequest, must be before Device
+    DELETE
+    FROM
+        [dbo].[AuthRequest]
+    WHERE 
+        [UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete devices
+    DELETE
+    FROM
+        [dbo].[Device]
+    WHERE
+        [UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete collection users
+    DELETE
+        CU
+    FROM
+        [dbo].[CollectionUser] CU
+        INNER JOIN
+        [dbo].[OrganizationUser] OU ON OU.[Id] = CU.[OrganizationUserId]
+    WHERE
+        OU.[UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete group users
+    DELETE
+        GU
+    FROM
+        [dbo].[GroupUser] GU
+        INNER JOIN
+        [dbo].[OrganizationUser] OU ON OU.[Id] = GU.[OrganizationUserId]
+    WHERE
+        OU.[UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete AccessPolicy
+    DELETE
+        AP
+    FROM
+        [dbo].[AccessPolicy] AP
+        INNER JOIN
+        [dbo].[OrganizationUser] OU ON OU.[Id] = AP.[OrganizationUserId]
+    WHERE
+        [UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete organization users
+    DELETE
+    FROM
+        [dbo].[OrganizationUser]
+    WHERE
+        [UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete provider users
+    DELETE
+    FROM
+        [dbo].[ProviderUser]
+    WHERE
+        [UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete SSO Users
+    DELETE
+    FROM
+        [dbo].[SsoUser]
+    WHERE
+        [UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete Emergency Accesses
+    DELETE
+    FROM
+        [dbo].[EmergencyAccess]
+    WHERE
+        [GrantorId] IN (SELECT * FROM @ParsedIds)
+        OR
+        [GranteeId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete Sends
+    DELETE
+    FROM
+        [dbo].[Send]
+    WHERE 
+        [UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete Notification Status
+    DELETE
+    FROM
+        [dbo].[NotificationStatus]
+    WHERE
+        [UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete Notification
+    DELETE
+    FROM
+        [dbo].[Notification]
+    WHERE
+        [UserId] IN (SELECT * FROM @ParsedIds)
+    
+    -- Finally, delete the user
+    DELETE
+    FROM
+        [dbo].[User]
+    WHERE
+        [Id] IN (SELECT * FROM @ParsedIds)
+
+    COMMIT TRANSACTION User_DeleteById
+END
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommandTests.cs
index 81e83d7450..b21ae5459f 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommandTests.cs
@@ -258,14 +258,15 @@ public class DeleteManagedOrganizationUserAccountCommandTests
             .Returns(new Dictionary<Guid, bool> { { orgUser1.Id, true }, { orgUser2.Id, true } });
 
         // Act
-        var results = await sutProvider.Sut.DeleteManyUsersAsync(organizationId, new[] { orgUser1.Id, orgUser2.Id }, null);
+        var userIds = new[] { orgUser1.Id, orgUser2.Id };
+        var results = await sutProvider.Sut.DeleteManyUsersAsync(organizationId, userIds, null);
 
         // Assert
         Assert.Equal(2, results.Count());
         Assert.All(results, r => Assert.Empty(r.Item2));
 
-        await sutProvider.GetDependency<IUserService>().Received(1).DeleteAsync(user1);
-        await sutProvider.GetDependency<IUserService>().Received(1).DeleteAsync(user2);
+        await sutProvider.GetDependency<IOrganizationUserRepository>().Received(1).GetManyAsync(userIds);
+        await sutProvider.GetDependency<IUserRepository>().Received(1).DeleteManyAsync(Arg.Is<IEnumerable<User>>(users => users.Any(u => u.Id == user1.Id) && users.Any(u => u.Id == user2.Id)));
         await sutProvider.GetDependency<IEventService>().Received(1).LogOrganizationUserEventsAsync(
             Arg.Is<IEnumerable<(OrganizationUser, EventType, DateTime?)>>(events =>
                 events.Count(e => e.Item1.Id == orgUser1.Id && e.Item2 == EventType.OrganizationUser_Deleted) == 1
@@ -286,7 +287,9 @@ public class DeleteManagedOrganizationUserAccountCommandTests
         Assert.Single(result);
         Assert.Equal(orgUserId, result.First().Item1);
         Assert.Contains("Member not found.", result.First().Item2);
-        await sutProvider.GetDependency<IUserService>().Received(0).DeleteAsync(Arg.Any<User>());
+        await sutProvider.GetDependency<IUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .DeleteManyAsync(default);
         await sutProvider.GetDependency<IEventService>().Received(0)
             .LogOrganizationUserEventsAsync(Arg.Any<IEnumerable<(OrganizationUser, EventType, DateTime?)>>());
     }
@@ -484,7 +487,6 @@ public class DeleteManagedOrganizationUserAccountCommandTests
         Assert.Equal("You cannot delete a member with Invited status.", results.First(r => r.Item1 == orgUser2.Id).Item2);
         Assert.Equal("Member is not managed by the organization.", results.First(r => r.Item1 == orgUser3.Id).Item2);
 
-        await sutProvider.GetDependency<IUserService>().Received(1).DeleteAsync(user1);
         await sutProvider.GetDependency<IEventService>().Received(1).LogOrganizationUserEventsAsync(
             Arg.Is<IEnumerable<(OrganizationUser, EventType, DateTime?)>>(events =>
             events.Count(e => e.Item1.Id == orgUser1.Id && e.Item2 == EventType.OrganizationUser_Deleted) == 1));
diff --git a/test/Infrastructure.IntegrationTest/Auth/Repositories/UserRepositoryTests.cs b/test/Infrastructure.IntegrationTest/Auth/Repositories/UserRepositoryTests.cs
new file mode 100644
index 0000000000..d4606ae632
--- /dev/null
+++ b/test/Infrastructure.IntegrationTest/Auth/Repositories/UserRepositoryTests.cs
@@ -0,0 +1,99 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Xunit;
+
+namespace Bit.Infrastructure.IntegrationTest.Repositories;
+
+public class UserRepositoryTests
+{
+    [DatabaseTheory, DatabaseData]
+    public async Task DeleteAsync_Works(IUserRepository userRepository)
+    {
+        var user = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User",
+            Email = $"test+{Guid.NewGuid()}@example.com",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+        });
+
+        await userRepository.DeleteAsync(user);
+
+        var deletedUser = await userRepository.GetByIdAsync(user.Id);
+        Assert.Null(deletedUser);
+    }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task DeleteManyAsync_Works(IUserRepository userRepository, IOrganizationUserRepository organizationUserRepository, IOrganizationRepository organizationRepository)
+    {
+        var user1 = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User 1",
+            Email = $"test+{Guid.NewGuid()}@email.com",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+        });
+
+        var user2 = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User 2",
+            Email = $"test+{Guid.NewGuid()}@email.com",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+        });
+
+        var user3 = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User 3",
+            Email = $"test+{Guid.NewGuid()}@email.com",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+        });
+
+        var organization = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = "Test Org",
+            BillingEmail = user3.Email, // TODO: EF does not enfore this being NOT NULL
+            Plan = "Test", // TODO: EF does not enforce this being NOT NULl
+        });
+
+        await organizationUserRepository.CreateAsync(new OrganizationUser
+        {
+            OrganizationId = organization.Id,
+            UserId = user1.Id,
+            Status = OrganizationUserStatusType.Confirmed,
+        });
+
+        await organizationUserRepository.CreateAsync(new OrganizationUser
+        {
+            OrganizationId = organization.Id,
+            UserId = user3.Id,
+            Status = OrganizationUserStatusType.Confirmed,
+        });
+
+        await userRepository.DeleteManyAsync(new List<User>
+        {
+            user1,
+            user2
+        });
+
+        var deletedUser1 = await userRepository.GetByIdAsync(user1.Id);
+        var deletedUser2 = await userRepository.GetByIdAsync(user2.Id);
+        var notDeletedUser3 = await userRepository.GetByIdAsync(user3.Id);
+
+        var orgUser1Deleted = await organizationUserRepository.GetByIdAsync(user1.Id);
+
+        var notDeletedOrgUsers = await organizationUserRepository.GetManyByUserAsync(user3.Id);
+
+        Assert.Null(deletedUser1);
+        Assert.Null(deletedUser2);
+        Assert.NotNull(notDeletedUser3);
+
+        Assert.Null(orgUser1Deleted);
+        Assert.NotNull(notDeletedOrgUsers);
+        Assert.True(notDeletedOrgUsers.Count > 0);
+    }
+
+}
diff --git a/util/Migrator/DbScripts/2024-11-22_00_UserDeleteByIds.sql b/util/Migrator/DbScripts/2024-11-22_00_UserDeleteByIds.sql
new file mode 100644
index 0000000000..244151143e
--- /dev/null
+++ b/util/Migrator/DbScripts/2024-11-22_00_UserDeleteByIds.sql
@@ -0,0 +1,158 @@
+CREATE OR ALTER PROCEDURE [dbo].[User_DeleteByIds]
+    @Ids NVARCHAR(MAX)
+WITH RECOMPILE
+AS
+BEGIN
+    SET NOCOUNT ON
+    -- Declare a table variable to hold the parsed JSON data
+    DECLARE @ParsedIds TABLE (Id UNIQUEIDENTIFIER);
+
+    -- Parse the JSON input into the table variable
+    INSERT INTO @ParsedIds (Id)
+    SELECT value
+    FROM OPENJSON(@Ids);
+
+    -- Check if the input table is empty
+    IF (SELECT COUNT(1) FROM @ParsedIds) < 1
+    BEGIN
+        RETURN(-1);
+    END
+
+    DECLARE @BatchSize INT = 100
+
+    -- Delete ciphers
+    WHILE @BatchSize > 0
+    BEGIN
+        BEGIN TRANSACTION User_DeleteById_Ciphers
+
+        DELETE TOP(@BatchSize)
+        FROM
+            [dbo].[Cipher]
+        WHERE
+            [UserId] IN (SELECT * FROM @ParsedIds)
+
+        SET @BatchSize = @@ROWCOUNT
+
+        COMMIT TRANSACTION User_DeleteById_Ciphers
+    END
+
+    BEGIN TRANSACTION User_DeleteById
+
+    -- Delete WebAuthnCredentials
+    DELETE
+    FROM
+        [dbo].[WebAuthnCredential]
+    WHERE
+        [UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete folders
+    DELETE
+    FROM
+        [dbo].[Folder]
+    WHERE
+        [UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete AuthRequest, must be before Device
+    DELETE
+    FROM
+        [dbo].[AuthRequest]
+    WHERE 
+        [UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete devices
+    DELETE
+    FROM
+        [dbo].[Device]
+    WHERE
+        [UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete collection users
+    DELETE
+        CU
+    FROM
+        [dbo].[CollectionUser] CU
+        INNER JOIN
+        [dbo].[OrganizationUser] OU ON OU.[Id] = CU.[OrganizationUserId]
+    WHERE
+        OU.[UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete group users
+    DELETE
+        GU
+    FROM
+        [dbo].[GroupUser] GU
+        INNER JOIN
+        [dbo].[OrganizationUser] OU ON OU.[Id] = GU.[OrganizationUserId]
+    WHERE
+        OU.[UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete AccessPolicy
+    DELETE
+        AP
+    FROM
+        [dbo].[AccessPolicy] AP
+        INNER JOIN
+        [dbo].[OrganizationUser] OU ON OU.[Id] = AP.[OrganizationUserId]
+    WHERE
+        [UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete organization users
+    DELETE
+    FROM
+        [dbo].[OrganizationUser]
+    WHERE
+        [UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete provider users
+    DELETE
+    FROM
+        [dbo].[ProviderUser]
+    WHERE
+        [UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete SSO Users
+    DELETE
+    FROM
+        [dbo].[SsoUser]
+    WHERE
+        [UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete Emergency Accesses
+    DELETE
+    FROM
+        [dbo].[EmergencyAccess]
+    WHERE
+        [GrantorId] IN (SELECT * FROM @ParsedIds)
+        OR
+        [GranteeId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete Sends
+    DELETE
+    FROM
+        [dbo].[Send]
+    WHERE 
+        [UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete Notification Status
+    DELETE
+    FROM
+        [dbo].[NotificationStatus]
+    WHERE
+        [UserId] IN (SELECT * FROM @ParsedIds)
+
+    -- Delete Notification
+    DELETE
+    FROM
+        [dbo].[Notification]
+    WHERE
+        [UserId] IN (SELECT * FROM @ParsedIds)
+    
+    -- Finally, delete the user
+    DELETE
+    FROM
+        [dbo].[User]
+    WHERE
+        [Id] IN (SELECT * FROM @ParsedIds)
+
+    COMMIT TRANSACTION User_DeleteById
+END

From 2212f552aa1ecc9d643592889ee408c0718270c4 Mon Sep 17 00:00:00 2001
From: Conner Turnbull <133619638+cturnbull-bitwarden@users.noreply.github.com>
Date: Mon, 9 Dec 2024 14:56:12 -0500
Subject: [PATCH 036/384] Updated quartz jobs to create a container scope to
 allow for scoped services (#5131)

---
 src/Core/Jobs/JobFactory.cs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/Core/Jobs/JobFactory.cs b/src/Core/Jobs/JobFactory.cs
index ee95c6b2d6..6529443d97 100644
--- a/src/Core/Jobs/JobFactory.cs
+++ b/src/Core/Jobs/JobFactory.cs
@@ -1,4 +1,5 @@
-using Quartz;
+using Microsoft.Extensions.DependencyInjection;
+using Quartz;
 using Quartz.Spi;
 
 namespace Bit.Core.Jobs;
@@ -14,7 +15,8 @@ public class JobFactory : IJobFactory
 
     public IJob NewJob(TriggerFiredBundle bundle, IScheduler scheduler)
     {
-        return _container.GetService(bundle.JobDetail.JobType) as IJob;
+        var scope = _container.CreateScope();
+        return scope.ServiceProvider.GetService(bundle.JobDetail.JobType) as IJob;
     }
 
     public void ReturnJob(IJob job)

From 127f1fd34d65c1ab5a60f0cd8c7d09e8d8021d15 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Tue, 10 Dec 2024 11:14:34 +0000
Subject: [PATCH 037/384] =?UTF-8?q?[PM-10338]=C2=A0Update=20the=20Organiza?=
 =?UTF-8?q?tion=20'Leave'=20endpoint=20to=20log=20EventType.OrganizationUs?=
 =?UTF-8?q?er=5FLeft=20(#4908)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Implement UserLeaveAsync in IRemoveOrganizationUserCommand and refactor OrganizationsController to use it

* Edit summary message for IRemoveOrganizationUserCommand.UserLeaveAsync

* Refactor RemoveOrganizationUserCommand.RemoveUsersAsync to log in bulk

---------

Co-authored-by: Matt Bishop <mbishop@bitwarden.com>
---
 .../Controllers/OrganizationsController.cs    |   2 +-
 .../IRemoveOrganizationUserCommand.cs         |   7 +
 .../RemoveOrganizationUserCommand.cs          |  12 +-
 .../OrganizationsControllerTests.cs           |   4 +-
 .../RemoveOrganizationUserCommandTests.cs     | 136 +++++++++++++++++-
 5 files changed, 153 insertions(+), 8 deletions(-)

diff --git a/src/Api/AdminConsole/Controllers/OrganizationsController.cs b/src/Api/AdminConsole/Controllers/OrganizationsController.cs
index 4421af3a9a..226fe83c73 100644
--- a/src/Api/AdminConsole/Controllers/OrganizationsController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationsController.cs
@@ -259,7 +259,7 @@ public class OrganizationsController : Controller
             throw new BadRequestException("Managed user account cannot leave managing organization. Contact your organization administrator for additional details.");
         }
 
-        await _removeOrganizationUserCommand.RemoveUserAsync(id, user.Id);
+        await _removeOrganizationUserCommand.UserLeaveAsync(id, user.Id);
     }
 
     [HttpDelete("{id}")]
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IRemoveOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IRemoveOrganizationUserCommand.cs
index 7c1cdf05f8..605a5f5aee 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IRemoveOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IRemoveOrganizationUserCommand.cs
@@ -50,4 +50,11 @@ public interface IRemoveOrganizationUserCommand
     /// </returns>
     Task<IEnumerable<(Guid OrganizationUserId, string ErrorMessage)>> RemoveUsersAsync(
         Guid organizationId, IEnumerable<Guid> organizationUserIds, EventSystemUser eventSystemUser);
+
+    /// <summary>
+    /// Removes a user from an organization when they have left voluntarily. This should only be called by the same user who is being removed.
+    /// </summary>
+    /// <param name="organizationId">Organization to leave.</param>
+    /// <param name="userId">User to leave.</param>
+    Task UserLeaveAsync(Guid organizationId, Guid userId);
 }
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs
index fa027f8e47..e45f109df1 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs
@@ -114,6 +114,16 @@ public class RemoveOrganizationUserCommand : IRemoveOrganizationUserCommand
         return result.Select(r => (r.OrganizationUser.Id, r.ErrorMessage));
     }
 
+    public async Task UserLeaveAsync(Guid organizationId, Guid userId)
+    {
+        var organizationUser = await _organizationUserRepository.GetByOrganizationAsync(organizationId, userId);
+        ValidateRemoveUser(organizationId, organizationUser);
+
+        await RepositoryRemoveUserAsync(organizationUser, deletingUserId: null, eventSystemUser: null);
+
+        await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Left);
+    }
+
     private void ValidateRemoveUser(Guid organizationId, OrganizationUser orgUser)
     {
         if (orgUser == null || orgUser.OrganizationId != organizationId)
@@ -234,7 +244,7 @@ public class RemoveOrganizationUserCommand : IRemoveOrganizationUserCommand
             await _organizationUserRepository.DeleteManyAsync(organizationUsersToRemove.Select(ou => ou.Id));
             foreach (var orgUser in organizationUsersToRemove.Where(ou => ou.UserId.HasValue))
             {
-                await DeleteAndPushUserRegistrationAsync(organizationId, orgUser.UserId.Value);
+                await DeleteAndPushUserRegistrationAsync(organizationId, orgUser.UserId!.Value);
             }
         }
 
diff --git a/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs b/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
index e58cd05b9d..f35dbaa5cf 100644
--- a/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
+++ b/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
@@ -130,7 +130,7 @@ public class OrganizationsControllerTests : IDisposable
         Assert.Contains("Your organization's Single Sign-On settings prevent you from leaving.",
             exception.Message);
 
-        await _removeOrganizationUserCommand.DidNotReceiveWithAnyArgs().RemoveUserAsync(default, default);
+        await _removeOrganizationUserCommand.DidNotReceiveWithAnyArgs().UserLeaveAsync(default, default);
     }
 
     [Theory, AutoData]
@@ -193,7 +193,7 @@ public class OrganizationsControllerTests : IDisposable
 
         await _sut.Leave(orgId);
 
-        await _removeOrganizationUserCommand.Received(1).RemoveUserAsync(orgId, user.Id);
+        await _removeOrganizationUserCommand.Received(1).UserLeaveAsync(orgId, user.Id);
     }
 
     [Theory, AutoData]
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommandTests.cs
index 61371b756e..6ab8236b8e 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommandTests.cs
@@ -202,6 +202,14 @@ public class RemoveOrganizationUserCommandTests
             .HasConfirmedOwnersExceptAsync(
                 organizationUser.OrganizationId,
                 Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.Id)), true);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .DeleteAsync(default);
+
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogOrganizationUserEventAsync((OrganizationUser)default, default);
     }
 
     [Theory, BitAutoData]
@@ -346,9 +354,7 @@ public class RemoveOrganizationUserCommandTests
         [OrganizationUser(type: OrganizationUserType.User)] OrganizationUser organizationUser,
         SutProvider<RemoveOrganizationUserCommand> sutProvider)
     {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-
-        organizationUserRepository
+        sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetByOrganizationAsync(organizationUser.OrganizationId, organizationUser.UserId!.Value)
             .Returns(organizationUser);
 
@@ -361,7 +367,13 @@ public class RemoveOrganizationUserCommandTests
 
         await sutProvider.Sut.RemoveUserAsync(organizationUser.OrganizationId, organizationUser.UserId.Value);
 
-        await sutProvider.GetDependency<IEventService>().Received(1).LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Removed);
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .DeleteAsync(organizationUser);
+
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Removed);
     }
 
     [Theory, BitAutoData]
@@ -370,6 +382,14 @@ public class RemoveOrganizationUserCommandTests
     {
         // Act & Assert
         await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.RemoveUserAsync(organizationId, userId));
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .DeleteAsync(default);
+
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogOrganizationUserEventAsync((OrganizationUser)default, default);
     }
 
     [Theory, BitAutoData]
@@ -413,6 +433,14 @@ public class RemoveOrganizationUserCommandTests
                 organizationUser.OrganizationId,
                 Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.Id)),
                 Arg.Any<bool>());
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .DeleteAsync(default);
+
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogOrganizationUserEventAsync((OrganizationUser)default, default);
     }
 
     [Theory, BitAutoData]
@@ -424,6 +452,7 @@ public class RemoveOrganizationUserCommandTests
         var sutProvider = SutProviderFactory();
         var eventDate = sutProvider.GetDependency<FakeTimeProvider>().GetUtcNow().UtcDateTime;
         orgUser1.OrganizationId = orgUser2.OrganizationId = deletingUser.OrganizationId;
+
         var organizationUsers = new[] { orgUser1, orgUser2 };
         var organizationUserIds = organizationUsers.Select(u => u.Id);
 
@@ -774,6 +803,105 @@ public class RemoveOrganizationUserCommandTests
         Assert.Contains(RemoveOrganizationUserCommand.RemoveLastConfirmedOwnerErrorMessage, exception.Message);
     }
 
+    [Theory, BitAutoData]
+    public async Task UserLeave_Success(
+        [OrganizationUser(type: OrganizationUserType.User)] OrganizationUser organizationUser,
+        SutProvider<RemoveOrganizationUserCommand> sutProvider)
+    {
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByOrganizationAsync(organizationUser.OrganizationId, organizationUser.UserId!.Value)
+            .Returns(organizationUser);
+
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(
+                organizationUser.OrganizationId,
+                Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.Id)),
+                Arg.Any<bool>())
+            .Returns(true);
+
+        await sutProvider.Sut.UserLeaveAsync(organizationUser.OrganizationId, organizationUser.UserId.Value);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .DeleteAsync(organizationUser);
+
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Left);
+    }
+
+    [Theory, BitAutoData]
+    public async Task UserLeave_NotFound_ThrowsException(SutProvider<RemoveOrganizationUserCommand> sutProvider,
+        Guid organizationId, Guid userId)
+    {
+        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.UserLeaveAsync(organizationId, userId));
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .DeleteAsync(default);
+
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogOrganizationUserEventAsync((OrganizationUser)default, default);
+    }
+
+    [Theory, BitAutoData]
+    public async Task UserLeave_InvalidUser_ThrowsException(OrganizationUser organizationUser,
+        SutProvider<RemoveOrganizationUserCommand> sutProvider)
+    {
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByOrganizationAsync(organizationUser.OrganizationId, organizationUser.UserId!.Value)
+            .Returns(organizationUser);
+
+        var exception = await Assert.ThrowsAsync<NotFoundException>(
+            () => sutProvider.Sut.UserLeaveAsync(Guid.NewGuid(), organizationUser.UserId.Value));
+
+        Assert.Contains(RemoveOrganizationUserCommand.UserNotFoundErrorMessage, exception.Message);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .DeleteAsync(default);
+
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogOrganizationUserEventAsync((OrganizationUser)default, default);
+    }
+
+    [Theory, BitAutoData]
+    public async Task UserLeave_RemovingLastOwner_ThrowsException(
+        [OrganizationUser(type: OrganizationUserType.Owner)] OrganizationUser organizationUser,
+        SutProvider<RemoveOrganizationUserCommand> sutProvider)
+    {
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByOrganizationAsync(organizationUser.OrganizationId, organizationUser.UserId!.Value)
+            .Returns(organizationUser);
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(
+                organizationUser.OrganizationId,
+                Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.Id)),
+                Arg.Any<bool>())
+            .Returns(false);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.UserLeaveAsync(organizationUser.OrganizationId, organizationUser.UserId.Value));
+
+        Assert.Contains(RemoveOrganizationUserCommand.RemoveLastConfirmedOwnerErrorMessage, exception.Message);
+        _ = sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .Received(1)
+            .HasConfirmedOwnersExceptAsync(
+                organizationUser.OrganizationId,
+                Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.Id)),
+                Arg.Any<bool>());
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .DeleteAsync(default);
+
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogOrganizationUserEventAsync((OrganizationUser)default, default);
+    }
+
     /// <summary>
     /// Returns a new SutProvider with a FakeTimeProvider registered in the Sut.
     /// </summary>

From 9e860104f209277e7c38a3e38e7c6e6eea6bb507 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Ch=C4=99ci=C5=84ski?=
 <mchecinski@bitwarden.com>
Date: Tue, 10 Dec 2024 15:30:34 +0100
Subject: [PATCH 038/384] BRE-311 Fix the MsSqlMigratorUtility failing silently
 (#5134)

---
 util/MsSqlMigratorUtility/Program.cs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/util/MsSqlMigratorUtility/Program.cs b/util/MsSqlMigratorUtility/Program.cs
index 056cb696f8..0a65617eb7 100644
--- a/util/MsSqlMigratorUtility/Program.cs
+++ b/util/MsSqlMigratorUtility/Program.cs
@@ -9,7 +9,7 @@ internal class Program
     }
 
     [DefaultCommand]
-    public void Execute(
+    public int Execute(
         [Operand(Description = "Database connection string")]
         string databaseConnectionString,
         [Option('r', "repeatable", Description = "Mark scripts as repeatable")]
@@ -20,7 +20,11 @@ internal class Program
         bool dryRun = false,
         [Option("no-transaction", Description = "Run without adding transaction per script or all scripts")]
         bool noTransactionMigration = false
-        ) => MigrateDatabase(databaseConnectionString, repeatable, folderName, dryRun, noTransactionMigration);
+        )
+        {
+            return MigrateDatabase(databaseConnectionString, repeatable, folderName, dryRun, noTransactionMigration) ? 0 : -1;
+        }
+
 
     private static bool MigrateDatabase(string databaseConnectionString,
         bool repeatable = false, string folderName = "", bool dryRun = false, bool noTransactionMigration = false)

From 9c8f932149f647d0a6153f82417b6effb0e36fca Mon Sep 17 00:00:00 2001
From: Brandon Treston <btreston@bitwarden.com>
Date: Tue, 10 Dec 2024 09:55:03 -0500
Subject: [PATCH 039/384] [PM-12273] Integration page (#5119)

* add feature flag

* add rest endpoint to get plan type for organization
---
 .../Controllers/OrganizationsController.cs          | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/Api/AdminConsole/Controllers/OrganizationsController.cs b/src/Api/AdminConsole/Controllers/OrganizationsController.cs
index 226fe83c73..4e01bb3451 100644
--- a/src/Api/AdminConsole/Controllers/OrganizationsController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationsController.cs
@@ -540,4 +540,17 @@ public class OrganizationsController : Controller
         await _organizationService.UpdateAsync(model.ToOrganization(organization, _featureService), eventType: EventType.Organization_CollectionManagement_Updated);
         return new OrganizationResponseModel(organization);
     }
+
+    [HttpGet("{id}/plan-type")]
+    public async Task<PlanType> GetPlanType(string id)
+    {
+        var orgIdGuid = new Guid(id);
+        var organization = await _organizationRepository.GetByIdAsync(orgIdGuid);
+        if (organization == null)
+        {
+            throw new NotFoundException();
+        }
+
+        return organization.PlanType;
+    }
 }

From 4730d2dab7c9f43f162bf90e689c9c24c7595e91 Mon Sep 17 00:00:00 2001
From: Brandon Treston <btreston@bitwarden.com>
Date: Tue, 10 Dec 2024 09:55:36 -0500
Subject: [PATCH 040/384] add feature flag (#5114)

---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 75e154f041..c4027e1689 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -158,6 +158,7 @@ public static class FeatureFlagKeys
     public const string MacOsNativeCredentialSync = "macos-native-credential-sync";
     public const string PM9111ExtensionPersistAddEditForm = "pm-9111-extension-persist-add-edit-form";
     public const string InlineMenuTotp = "inline-menu-totp";
+    public const string PM12443RemovePagingLogic = "pm-12443-remove-paging-logic";
     public const string SelfHostLicenseRefactor = "pm-11516-self-host-license-refactor";
 
     public static List<string> GetAllKeys()

From fe70db3e878afea124fb84b0cd8b9b0cc9867a77 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Tue, 10 Dec 2024 16:42:14 +0100
Subject: [PATCH 041/384] [PM-12765] Display error when attempting to autoscale
 canceled subscription (#5132)

---
 .../Services/Implementations/OrganizationService.cs        | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index eebe76baef..49f339cc9a 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -14,6 +14,7 @@ using Bit.Core.Auth.Models.Business;
 using Bit.Core.Auth.Models.Business.Tokenables;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
+using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Extensions;
 using Bit.Core.Billing.Services;
@@ -1324,6 +1325,12 @@ public class OrganizationService : IOrganizationService
             return (false, $"Seat limit has been reached.");
         }
 
+        var subscription = await _paymentService.GetSubscriptionAsync(organization);
+        if (subscription?.Subscription?.Status == StripeConstants.SubscriptionStatus.Canceled)
+        {
+            return (false, "Cannot autoscale with a canceled subscription.");
+        }
+
         return (true, failureReason);
     }
 

From 2d257dc27434dd201d211a14a82f3fed112a3438 Mon Sep 17 00:00:00 2001
From: Addison Beck <github@addisonbeck.com>
Date: Tue, 10 Dec 2024 12:29:54 -0500
Subject: [PATCH 042/384] chore: run `dotnet format` (#5137)

---
 util/MsSqlMigratorUtility/Program.cs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/util/MsSqlMigratorUtility/Program.cs b/util/MsSqlMigratorUtility/Program.cs
index 0a65617eb7..c9f984b6de 100644
--- a/util/MsSqlMigratorUtility/Program.cs
+++ b/util/MsSqlMigratorUtility/Program.cs
@@ -21,9 +21,9 @@ internal class Program
         [Option("no-transaction", Description = "Run without adding transaction per script or all scripts")]
         bool noTransactionMigration = false
         )
-        {
-            return MigrateDatabase(databaseConnectionString, repeatable, folderName, dryRun, noTransactionMigration) ? 0 : -1;
-        }
+    {
+        return MigrateDatabase(databaseConnectionString, repeatable, folderName, dryRun, noTransactionMigration) ? 0 : -1;
+    }
 
 
     private static bool MigrateDatabase(string databaseConnectionString,

From 39ce7637c99ba2719395216e14044719001b111b Mon Sep 17 00:00:00 2001
From: Vincent Salucci <26154748+vincentsalucci@users.noreply.github.com>
Date: Tue, 10 Dec 2024 12:50:06 -0600
Subject: [PATCH 043/384] fix: remove policy definitions feature flag, refs
 PM-14245 (#5139)

---
 src/Core/Constants.cs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index c4027e1689..9f326bdb19 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -144,7 +144,6 @@ public static class FeatureFlagKeys
     public const string AccessIntelligence = "pm-13227-access-intelligence";
     public const string VerifiedSsoDomainEndpoint = "pm-12337-refactor-sso-details-endpoint";
     public const string PM12275_MultiOrganizationEnterprises = "pm-12275-multi-organization-enterprises";
-    public const string Pm13322AddPolicyDefinitions = "pm-13322-add-policy-definitions";
     public const string GeneratorToolsModernization = "generator-tools-modernization";
     public const string NewDeviceVerification = "new-device-verification";
     public const string RiskInsightsCriticalApplication = "pm-14466-risk-insights-critical-application";

From 94761a8c7b6c6d8ec94aaf196762b62078a01d17 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 10 Dec 2024 15:21:26 -0500
Subject: [PATCH 044/384] [deps] Billing: Update FluentAssertions to v7 (#5127)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 test/Billing.Test/Billing.Test.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/Billing.Test/Billing.Test.csproj b/test/Billing.Test/Billing.Test.csproj
index c6a7ef48e0..4d71425681 100644
--- a/test/Billing.Test/Billing.Test.csproj
+++ b/test/Billing.Test/Billing.Test.csproj
@@ -6,7 +6,7 @@
 
   <ItemGroup>
     <PackageReference Include="Divergic.Logging.Xunit" Version="4.3.0" />
-    <PackageReference Include="FluentAssertions" Version="6.12.2" />
+    <PackageReference Include="FluentAssertions" Version="7.0.0" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNetTestSdkVersion)" />
     <PackageReference Include="RichardSzalay.MockHttp" Version="7.0.0" />
     <PackageReference Include="xunit" Version="$(XUnitVersion)" />

From 674e5228433d0fa493c1e2f8abce80a83f0ce4a1 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Wed, 11 Dec 2024 10:32:28 +0100
Subject: [PATCH 045/384] =?UTF-8?q?[PM-6201]=20Self-Host=20Admin=20Portal?=
 =?UTF-8?q?=20is=20reporting=20"10239=20GB=20of=20Additional=E2=80=A6=20(#?=
 =?UTF-8?q?5130)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../AdminConsole/Views/Organizations/Index.cshtml    | 12 ++----------
 src/Core/AdminConsole/Entities/Organization.cs       |  5 +++++
 2 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/src/Admin/AdminConsole/Views/Organizations/Index.cshtml b/src/Admin/AdminConsole/Views/Organizations/Index.cshtml
index 756cd76f62..3dc6801490 100644
--- a/src/Admin/AdminConsole/Views/Organizations/Index.cshtml
+++ b/src/Admin/AdminConsole/Views/Organizations/Index.cshtml
@@ -81,16 +81,8 @@
                                     <i class="fa fa-smile-o fa-lg fa-fw text-body-secondary" title="Freeloader"></i>
                                 }
                             }
-                            @if(org.MaxStorageGb.HasValue && org.MaxStorageGb > 1)
-                            {
-                                <i class="fa fa-plus-square fa-lg fa-fw"
-                                   title="Additional Storage, @(org.MaxStorageGb - 1) GB"></i>
-                            }
-                            else
-                            {
-                                <i class="fa fa-plus-square-o fa-lg fa-fw text-body-secondary"
-                                   title="No Additional Storage"></i>
-                            }
+                            <i class="fa fa-hdd-o fa-lg fa-fw"
+                               title="Used Storage, @org.StorageGb GB"></i>
                             @if(org.Enabled)
                             {
                                 <i class="fa fa-check-circle fa-lg fa-fw"
diff --git a/src/Core/AdminConsole/Entities/Organization.cs b/src/Core/AdminConsole/Entities/Organization.cs
index 37e21d7f57..0676bcc8a8 100644
--- a/src/Core/AdminConsole/Entities/Organization.cs
+++ b/src/Core/AdminConsole/Entities/Organization.cs
@@ -181,6 +181,11 @@ public class Organization : ITableObject<Guid>, IStorableSubscriber, IRevisable,
 
     public bool IsExpired() => ExpirationDate.HasValue && ExpirationDate.Value <= DateTime.UtcNow;
 
+    /// <summary>
+    /// Used storage in gigabytes.
+    /// </summary>
+    public double StorageGb => Storage.HasValue ? Math.Round(Storage.Value / 1073741824D, 2) : 0;
+
     public long StorageBytesRemaining()
     {
         if (!MaxStorageGb.HasValue)

From 9b478107b67bb863632af87f4bffc4a0772e7e16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Wed, 11 Dec 2024 11:09:12 +0000
Subject: [PATCH 046/384] [PM-15128] Add Promote Provider Service User
 functionality to Bitwarden Portal (#5118)

* Add Promote Provider Service User feature to Admin Portal

* Rename feature flag key for Promote Provider Service User tool
---
 src/Admin/Controllers/ToolsController.cs      | 45 +++++++++++++++++++
 src/Admin/Enums/Permissions.cs                |  1 +
 .../Models/PromoteProviderServiceUserModel.cs | 13 ++++++
 src/Admin/Utilities/RolePermissionMapping.cs  |  2 +
 src/Admin/Views/Shared/_Layout.cshtml         | 12 ++++-
 .../Tools/PromoteProviderServiceUser.cshtml   | 25 +++++++++++
 src/Core/Constants.cs                         |  1 +
 7 files changed, 98 insertions(+), 1 deletion(-)
 create mode 100644 src/Admin/Models/PromoteProviderServiceUserModel.cs
 create mode 100644 src/Admin/Views/Tools/PromoteProviderServiceUser.cshtml

diff --git a/src/Admin/Controllers/ToolsController.cs b/src/Admin/Controllers/ToolsController.cs
index 3e092b90af..ea91d01cb8 100644
--- a/src/Admin/Controllers/ToolsController.cs
+++ b/src/Admin/Controllers/ToolsController.cs
@@ -3,7 +3,9 @@ using System.Text.Json;
 using Bit.Admin.Enums;
 using Bit.Admin.Models;
 using Bit.Admin.Utilities;
+using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Entities;
 using Bit.Core.Models.BitStripe;
 using Bit.Core.OrganizationFeatures.OrganizationLicenses.Interfaces;
@@ -28,6 +30,7 @@ public class ToolsController : Controller
     private readonly ITransactionRepository _transactionRepository;
     private readonly IInstallationRepository _installationRepository;
     private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IProviderUserRepository _providerUserRepository;
     private readonly IPaymentService _paymentService;
     private readonly ITaxRateRepository _taxRateRepository;
     private readonly IStripeAdapter _stripeAdapter;
@@ -41,6 +44,7 @@ public class ToolsController : Controller
         ITransactionRepository transactionRepository,
         IInstallationRepository installationRepository,
         IOrganizationUserRepository organizationUserRepository,
+        IProviderUserRepository providerUserRepository,
         ITaxRateRepository taxRateRepository,
         IPaymentService paymentService,
         IStripeAdapter stripeAdapter,
@@ -53,6 +57,7 @@ public class ToolsController : Controller
         _transactionRepository = transactionRepository;
         _installationRepository = installationRepository;
         _organizationUserRepository = organizationUserRepository;
+        _providerUserRepository = providerUserRepository;
         _taxRateRepository = taxRateRepository;
         _paymentService = paymentService;
         _stripeAdapter = stripeAdapter;
@@ -220,6 +225,46 @@ public class ToolsController : Controller
         return RedirectToAction("Edit", "Organizations", new { id = model.OrganizationId.Value });
     }
 
+    [RequireFeature(FeatureFlagKeys.PromoteProviderServiceUserTool)]
+    [RequirePermission(Permission.Tools_PromoteProviderServiceUser)]
+    public IActionResult PromoteProviderServiceUser()
+    {
+        return View();
+    }
+
+    [HttpPost]
+    [ValidateAntiForgeryToken]
+    [RequireFeature(FeatureFlagKeys.PromoteProviderServiceUserTool)]
+    [RequirePermission(Permission.Tools_PromoteProviderServiceUser)]
+    public async Task<IActionResult> PromoteProviderServiceUser(PromoteProviderServiceUserModel model)
+    {
+        if (!ModelState.IsValid)
+        {
+            return View(model);
+        }
+
+        var providerUsers = await _providerUserRepository.GetManyByProviderAsync(
+            model.ProviderId.Value, null);
+        var serviceUser = providerUsers.FirstOrDefault(u => u.UserId == model.UserId.Value);
+        if (serviceUser == null)
+        {
+            ModelState.AddModelError(nameof(model.UserId), "Service User Id not found in this provider.");
+        }
+        else if (serviceUser.Type != Core.AdminConsole.Enums.Provider.ProviderUserType.ServiceUser)
+        {
+            ModelState.AddModelError(nameof(model.UserId), "User is not a service user of this provider.");
+        }
+
+        if (!ModelState.IsValid)
+        {
+            return View(model);
+        }
+
+        serviceUser.Type = Core.AdminConsole.Enums.Provider.ProviderUserType.ProviderAdmin;
+        await _providerUserRepository.ReplaceAsync(serviceUser);
+        return RedirectToAction("Edit", "Providers", new { id = model.ProviderId.Value });
+    }
+
     [RequirePermission(Permission.Tools_GenerateLicenseFile)]
     public IActionResult GenerateLicense()
     {
diff --git a/src/Admin/Enums/Permissions.cs b/src/Admin/Enums/Permissions.cs
index 274db11cb4..c878267f89 100644
--- a/src/Admin/Enums/Permissions.cs
+++ b/src/Admin/Enums/Permissions.cs
@@ -44,6 +44,7 @@ public enum Permission
 
     Tools_ChargeBrainTreeCustomer,
     Tools_PromoteAdmin,
+    Tools_PromoteProviderServiceUser,
     Tools_GenerateLicenseFile,
     Tools_ManageTaxRates,
     Tools_ManageStripeSubscriptions,
diff --git a/src/Admin/Models/PromoteProviderServiceUserModel.cs b/src/Admin/Models/PromoteProviderServiceUserModel.cs
new file mode 100644
index 0000000000..5d6ca03ce6
--- /dev/null
+++ b/src/Admin/Models/PromoteProviderServiceUserModel.cs
@@ -0,0 +1,13 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Admin.Models;
+
+public class PromoteProviderServiceUserModel
+{
+    [Required]
+    [Display(Name = "Provider Service User Id")]
+    public Guid? UserId { get; set; }
+    [Required]
+    [Display(Name = "Provider Id")]
+    public Guid? ProviderId { get; set; }
+}
diff --git a/src/Admin/Utilities/RolePermissionMapping.cs b/src/Admin/Utilities/RolePermissionMapping.cs
index e260c264f4..81da3fcf38 100644
--- a/src/Admin/Utilities/RolePermissionMapping.cs
+++ b/src/Admin/Utilities/RolePermissionMapping.cs
@@ -45,6 +45,7 @@ public static class RolePermissionMapping
                 Permission.Provider_ResendEmailInvite,
                 Permission.Tools_ChargeBrainTreeCustomer,
                 Permission.Tools_PromoteAdmin,
+                Permission.Tools_PromoteProviderServiceUser,
                 Permission.Tools_GenerateLicenseFile,
                 Permission.Tools_ManageTaxRates,
                 Permission.Tools_ManageStripeSubscriptions
@@ -91,6 +92,7 @@ public static class RolePermissionMapping
                 Permission.Provider_ResendEmailInvite,
                 Permission.Tools_ChargeBrainTreeCustomer,
                 Permission.Tools_PromoteAdmin,
+                Permission.Tools_PromoteProviderServiceUser,
                 Permission.Tools_GenerateLicenseFile,
                 Permission.Tools_ManageTaxRates,
                 Permission.Tools_ManageStripeSubscriptions,
diff --git a/src/Admin/Views/Shared/_Layout.cshtml b/src/Admin/Views/Shared/_Layout.cshtml
index 62cc5706df..b1f0a24420 100644
--- a/src/Admin/Views/Shared/_Layout.cshtml
+++ b/src/Admin/Views/Shared/_Layout.cshtml
@@ -1,8 +1,10 @@
 @using Bit.Admin.Enums;
+@using Bit.Core
 
 @inject SignInManager<IdentityUser> SignInManager
 @inject Bit.Core.Settings.GlobalSettings GlobalSettings
 @inject Bit.Admin.Services.IAccessControlService AccessControlService
+@inject Bit.Core.Services.IFeatureService FeatureService
 
 @{
     var canViewUsers = AccessControlService.UserHasPermission(Permission.User_List_View);
@@ -11,13 +13,15 @@
     var canChargeBraintree = AccessControlService.UserHasPermission(Permission.Tools_ChargeBrainTreeCustomer);
     var canCreateTransaction = AccessControlService.UserHasPermission(Permission.Tools_CreateEditTransaction);
     var canPromoteAdmin = AccessControlService.UserHasPermission(Permission.Tools_PromoteAdmin);
+    var canPromoteProviderServiceUser = FeatureService.IsEnabled(FeatureFlagKeys.PromoteProviderServiceUserTool) &&
+                                        AccessControlService.UserHasPermission(Permission.Tools_PromoteProviderServiceUser);
     var canGenerateLicense = AccessControlService.UserHasPermission(Permission.Tools_GenerateLicenseFile);
     var canManageTaxRates = AccessControlService.UserHasPermission(Permission.Tools_ManageTaxRates);
     var canManageStripeSubscriptions = AccessControlService.UserHasPermission(Permission.Tools_ManageStripeSubscriptions);
     var canProcessStripeEvents = AccessControlService.UserHasPermission(Permission.Tools_ProcessStripeEvents);
     var canMigrateProviders = AccessControlService.UserHasPermission(Permission.Tools_MigrateProviders);
 
-    var canViewTools = canChargeBraintree || canCreateTransaction || canPromoteAdmin ||
+    var canViewTools = canChargeBraintree || canCreateTransaction || canPromoteAdmin || canPromoteProviderServiceUser ||
                         canGenerateLicense || canManageTaxRates || canManageStripeSubscriptions;
 }
 
@@ -91,6 +95,12 @@
                                                 Promote Admin
                                             </a>
                                         }
+                                        @if (canPromoteProviderServiceUser)
+                                        {
+                                            <a class="dropdown-item" asp-controller="Tools" asp-action="PromoteProviderServiceUser">
+                                                Promote Provider Service User
+                                            </a>
+                                        }
                                         @if (canGenerateLicense)
                                         {
                                             <a class="dropdown-item" asp-controller="Tools" asp-action="GenerateLicense">
diff --git a/src/Admin/Views/Tools/PromoteProviderServiceUser.cshtml b/src/Admin/Views/Tools/PromoteProviderServiceUser.cshtml
new file mode 100644
index 0000000000..7ff45fce53
--- /dev/null
+++ b/src/Admin/Views/Tools/PromoteProviderServiceUser.cshtml
@@ -0,0 +1,25 @@
+@model PromoteProviderServiceUserModel
+@{
+    ViewData["Title"] = "Promote Provider Service User";
+}
+
+<h1>Promote Provider Service User</h1>
+
+<form method="post">
+    <div asp-validation-summary="All" class="alert alert-danger"></div>
+    <div class="row">
+        <div class="col-md">
+            <div class="mb-3">
+                <label asp-for="UserId" class="form-label"></label>
+                <input type="text" class="form-control" asp-for="UserId">
+            </div>
+        </div>
+        <div class="col-md">
+            <div class="mb-3">
+                <label asp-for="ProviderId" class="form-label"></label>
+                <input type="text" class="form-control" asp-for="ProviderId">
+            </div>
+        </div>
+    </div>
+    <button type="submit" class="btn btn-primary">Promote Service User</button>
+</form>
\ No newline at end of file
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 9f326bdb19..cf7feecc85 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -159,6 +159,7 @@ public static class FeatureFlagKeys
     public const string InlineMenuTotp = "inline-menu-totp";
     public const string PM12443RemovePagingLogic = "pm-12443-remove-paging-logic";
     public const string SelfHostLicenseRefactor = "pm-11516-self-host-license-refactor";
+    public const string PromoteProviderServiceUserTool = "pm-15128-promote-provider-service-user-tool";
 
     public static List<string> GetAllKeys()
     {

From 09db6c79cbce367ac72debbcf55fdfe86a9800dc Mon Sep 17 00:00:00 2001
From: Addison Beck <addison@bitwarden.com>
Date: Wed, 11 Dec 2024 06:31:22 -0500
Subject: [PATCH 047/384] chore(codeowners): assign a bunch of workflows to
 platform (#5136)

---
 .github/CODEOWNERS | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 1d142016f2..9784e1f9ab 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -15,11 +15,7 @@
 
 ## These are shared workflows ##
 .github/workflows/_move_finalization_db_scripts.yml
-.github/workflows/build.yml
-.github/workflows/cleanup-after-pr.yml
-.github/workflows/cleanup-rc-branch.yml
 .github/workflows/release.yml
-.github/workflows/repository-management.yml
 
 # Database Operations for database changes
 src/Sql/** @bitwarden/dept-dbops
@@ -68,6 +64,14 @@ src/EventsProcessor @bitwarden/team-admin-console-dev
 src/Admin/Controllers/ToolsController.cs @bitwarden/team-billing-dev
 src/Admin/Views/Tools @bitwarden/team-billing-dev
 
+# Platform team
+.github/workflows/build.yml @bitwarden/team-platform-dev
+.github/workflows/cleanup-after-pr.yml @bitwarden/team-platform-dev
+.github/workflows/cleanup-rc-branch.yml @bitwarden/team-platform-dev
+.github/workflows/repository-management.yml @bitwarden/team-platform-dev
+.github/workflows/test-database.yml @bitwarden/team-platform-dev
+.github/workflows/test.yml @bitwarden/team-platform-dev
+
 # Multiple owners - DO NOT REMOVE (BRE)
 **/packages.lock.json
 Directory.Build.props

From 64573d01a38823424976633b3ff822cd8db03f9e Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Wed, 11 Dec 2024 14:56:46 +0100
Subject: [PATCH 048/384] [PM-6201] Fix creation of organizations no longer
 working after merging #5130 (#5142)

---
 src/Admin/AdminConsole/Models/OrganizationsModel.cs     | 2 ++
 src/Admin/AdminConsole/Views/Organizations/Index.cshtml | 3 +--
 src/Core/AdminConsole/Entities/Organization.cs          | 5 -----
 3 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/src/Admin/AdminConsole/Models/OrganizationsModel.cs b/src/Admin/AdminConsole/Models/OrganizationsModel.cs
index 147c5275f8..a98985ef01 100644
--- a/src/Admin/AdminConsole/Models/OrganizationsModel.cs
+++ b/src/Admin/AdminConsole/Models/OrganizationsModel.cs
@@ -10,4 +10,6 @@ public class OrganizationsModel : PagedModel<Organization>
     public bool? Paid { get; set; }
     public string Action { get; set; }
     public bool SelfHosted { get; set; }
+
+    public double StorageGB(Organization org) => org.Storage.HasValue ? Math.Round(org.Storage.Value / 1073741824D, 2) : 0;
 }
diff --git a/src/Admin/AdminConsole/Views/Organizations/Index.cshtml b/src/Admin/AdminConsole/Views/Organizations/Index.cshtml
index 3dc6801490..d42d0e8aa2 100644
--- a/src/Admin/AdminConsole/Views/Organizations/Index.cshtml
+++ b/src/Admin/AdminConsole/Views/Organizations/Index.cshtml
@@ -81,8 +81,7 @@
                                     <i class="fa fa-smile-o fa-lg fa-fw text-body-secondary" title="Freeloader"></i>
                                 }
                             }
-                            <i class="fa fa-hdd-o fa-lg fa-fw"
-                               title="Used Storage, @org.StorageGb GB"></i>
+                            <i class="fa fa-hdd-o fa-lg fa-fw" title="Used Storage, @Model.StorageGB(org) GB"></i>
                             @if(org.Enabled)
                             {
                                 <i class="fa fa-check-circle fa-lg fa-fw"
diff --git a/src/Core/AdminConsole/Entities/Organization.cs b/src/Core/AdminConsole/Entities/Organization.cs
index 0676bcc8a8..37e21d7f57 100644
--- a/src/Core/AdminConsole/Entities/Organization.cs
+++ b/src/Core/AdminConsole/Entities/Organization.cs
@@ -181,11 +181,6 @@ public class Organization : ITableObject<Guid>, IStorableSubscriber, IRevisable,
 
     public bool IsExpired() => ExpirationDate.HasValue && ExpirationDate.Value <= DateTime.UtcNow;
 
-    /// <summary>
-    /// Used storage in gigabytes.
-    /// </summary>
-    public double StorageGb => Storage.HasValue ? Math.Round(Storage.Value / 1073741824D, 2) : 0;
-
     public long StorageBytesRemaining()
     {
         if (!MaxStorageGb.HasValue)

From c99b4106f544920ec7496c1cc1e4dbeff6aa597e Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Wed, 11 Dec 2024 15:19:38 +0100
Subject: [PATCH 049/384] Revert [PM-6201] (#5143)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Revert "[PM-6201] Fix creation of organizations no longer working after merging #5130 (#5142)"

This reverts commit 64573d01a38823424976633b3ff822cd8db03f9e.

* Revert "[PM-6201] Self-Host Admin Portal is reporting "10239 GB of Additional… (#5130)"

This reverts commit 674e5228433d0fa493c1e2f8abce80a83f0ce4a1.
---
 src/Admin/AdminConsole/Models/OrganizationsModel.cs   |  2 --
 .../AdminConsole/Views/Organizations/Index.cshtml     | 11 ++++++++++-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/Admin/AdminConsole/Models/OrganizationsModel.cs b/src/Admin/AdminConsole/Models/OrganizationsModel.cs
index a98985ef01..147c5275f8 100644
--- a/src/Admin/AdminConsole/Models/OrganizationsModel.cs
+++ b/src/Admin/AdminConsole/Models/OrganizationsModel.cs
@@ -10,6 +10,4 @@ public class OrganizationsModel : PagedModel<Organization>
     public bool? Paid { get; set; }
     public string Action { get; set; }
     public bool SelfHosted { get; set; }
-
-    public double StorageGB(Organization org) => org.Storage.HasValue ? Math.Round(org.Storage.Value / 1073741824D, 2) : 0;
 }
diff --git a/src/Admin/AdminConsole/Views/Organizations/Index.cshtml b/src/Admin/AdminConsole/Views/Organizations/Index.cshtml
index d42d0e8aa2..756cd76f62 100644
--- a/src/Admin/AdminConsole/Views/Organizations/Index.cshtml
+++ b/src/Admin/AdminConsole/Views/Organizations/Index.cshtml
@@ -81,7 +81,16 @@
                                     <i class="fa fa-smile-o fa-lg fa-fw text-body-secondary" title="Freeloader"></i>
                                 }
                             }
-                            <i class="fa fa-hdd-o fa-lg fa-fw" title="Used Storage, @Model.StorageGB(org) GB"></i>
+                            @if(org.MaxStorageGb.HasValue && org.MaxStorageGb > 1)
+                            {
+                                <i class="fa fa-plus-square fa-lg fa-fw"
+                                   title="Additional Storage, @(org.MaxStorageGb - 1) GB"></i>
+                            }
+                            else
+                            {
+                                <i class="fa fa-plus-square-o fa-lg fa-fw text-body-secondary"
+                                   title="No Additional Storage"></i>
+                            }
                             @if(org.Enabled)
                             {
                                 <i class="fa fa-check-circle fa-lg fa-fw"

From 170836aba1f87ee4a5c5a0b33d76dfa487ee94d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Wed, 11 Dec 2024 14:48:00 +0000
Subject: [PATCH 050/384] Update unclaimed domains email copy (#5116)

---
 .../OrganizationDomainService.cs              | 17 +++++++++---
 .../OrganizationDomainUnclaimed.html.hbs      | 27 +++++++++++++++++++
 .../OrganizationDomainUnclaimed.text.hbs      | 10 +++++++
 src/Core/Services/IMailService.cs             |  1 +
 .../Implementations/HandlebarsMailService.cs  | 13 +++++++++
 .../NoopImplementations/NoopMailService.cs    |  5 ++++
 6 files changed, 70 insertions(+), 3 deletions(-)
 create mode 100644 src/Core/MailTemplates/Handlebars/OrganizationDomainUnclaimed.html.hbs
 create mode 100644 src/Core/MailTemplates/Handlebars/OrganizationDomainUnclaimed.text.hbs

diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationDomainService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationDomainService.cs
index 4ce33f3b5b..9b99cf71f0 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationDomainService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationDomainService.cs
@@ -17,6 +17,7 @@ public class OrganizationDomainService : IOrganizationDomainService
     private readonly TimeProvider _timeProvider;
     private readonly ILogger<OrganizationDomainService> _logger;
     private readonly IGlobalSettings _globalSettings;
+    private readonly IFeatureService _featureService;
 
     public OrganizationDomainService(
         IOrganizationDomainRepository domainRepository,
@@ -26,7 +27,8 @@ public class OrganizationDomainService : IOrganizationDomainService
         IVerifyOrganizationDomainCommand verifyOrganizationDomainCommand,
         TimeProvider timeProvider,
         ILogger<OrganizationDomainService> logger,
-        IGlobalSettings globalSettings)
+        IGlobalSettings globalSettings,
+        IFeatureService featureService)
     {
         _domainRepository = domainRepository;
         _organizationUserRepository = organizationUserRepository;
@@ -36,6 +38,7 @@ public class OrganizationDomainService : IOrganizationDomainService
         _timeProvider = timeProvider;
         _logger = logger;
         _globalSettings = globalSettings;
+        _featureService = featureService;
     }
 
     public async Task ValidateOrganizationsDomainAsync()
@@ -90,8 +93,16 @@ public class OrganizationDomainService : IOrganizationDomainService
                 //Send email to administrators
                 if (adminEmails.Count > 0)
                 {
-                    await _mailService.SendUnverifiedOrganizationDomainEmailAsync(adminEmails,
-                        domain.OrganizationId.ToString(), domain.DomainName);
+                    if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning))
+                    {
+                        await _mailService.SendUnclaimedOrganizationDomainEmailAsync(adminEmails,
+                            domain.OrganizationId.ToString(), domain.DomainName);
+                    }
+                    else
+                    {
+                        await _mailService.SendUnverifiedOrganizationDomainEmailAsync(adminEmails,
+                            domain.OrganizationId.ToString(), domain.DomainName);
+                    }
                 }
 
                 _logger.LogInformation(Constants.BypassFiltersEventId, "Expired domain: {domainName}", domain.DomainName);
diff --git a/src/Core/MailTemplates/Handlebars/OrganizationDomainUnclaimed.html.hbs b/src/Core/MailTemplates/Handlebars/OrganizationDomainUnclaimed.html.hbs
new file mode 100644
index 0000000000..cc42898c29
--- /dev/null
+++ b/src/Core/MailTemplates/Handlebars/OrganizationDomainUnclaimed.html.hbs
@@ -0,0 +1,27 @@
+{{#>FullHtmlLayout}}
+<table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; box-sizing: border-box; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+    <tr style="margin: 0; box-sizing: border-box; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+        <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: left;" valign="top">
+            The domain {{DomainName}} in your Bitwarden organization could not be claimed.
+        </td>
+    </tr>
+    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+        <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;" valign="top">
+            Check the corresponding record in your domain host. Then reclaim this domain in Bitwarden to use it for your organization.
+        </td>
+    </tr>
+    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+        <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;" valign="top">
+            The domain will be removed from your organization in 7 days if it is not claimed.
+        </td>
+    </tr>
+    <tr style="margin: 0; box-sizing: border-box; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+        <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+            <a href="{{{Url}}}" clicktracking=off target="_blank" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #175DDC; border-color: #175DDC; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                Manage Domains
+            </a>
+            <br style="margin: 0; box-sizing: border-box; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;" />
+        </td>
+    </tr>
+</table>
+{{/FullHtmlLayout}}
diff --git a/src/Core/MailTemplates/Handlebars/OrganizationDomainUnclaimed.text.hbs b/src/Core/MailTemplates/Handlebars/OrganizationDomainUnclaimed.text.hbs
new file mode 100644
index 0000000000..4f205c5054
--- /dev/null
+++ b/src/Core/MailTemplates/Handlebars/OrganizationDomainUnclaimed.text.hbs
@@ -0,0 +1,10 @@
+{{#>BasicTextLayout}}
+The domain {{DomainName}} in your Bitwarden organization could not be claimed.
+
+Check the corresponding record in your domain host. Then reclaim this domain in Bitwarden to use it for your organization.
+
+The domain will be removed from your organization in 7 days if it is not claimed.
+
+{{Url}}
+
+{{/BasicTextLayout}}
diff --git a/src/Core/Services/IMailService.cs b/src/Core/Services/IMailService.cs
index c6c9dc7948..0f69d8daaf 100644
--- a/src/Core/Services/IMailService.cs
+++ b/src/Core/Services/IMailService.cs
@@ -85,6 +85,7 @@ public interface IMailService
     Task SendFailedLoginAttemptsEmailAsync(string email, DateTime utcNow, string ip);
     Task SendFailedTwoFactorAttemptsEmailAsync(string email, DateTime utcNow, string ip);
     Task SendUnverifiedOrganizationDomainEmailAsync(IEnumerable<string> adminEmails, string organizationId, string domainName);
+    Task SendUnclaimedOrganizationDomainEmailAsync(IEnumerable<string> adminEmails, string organizationId, string domainName);
     Task SendSecretsManagerMaxSeatLimitReachedEmailAsync(Organization organization, int maxSeatCount, IEnumerable<string> ownerEmails);
     Task SendSecretsManagerMaxServiceAccountLimitReachedEmailAsync(Organization organization, int maxSeatCount, IEnumerable<string> ownerEmails);
     Task SendTrustedDeviceAdminApprovalEmailAsync(string email, DateTime utcNow, string ip, string deviceTypeAndIdentifier);
diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs
index c220df18a1..22341111f3 100644
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@@ -1068,6 +1068,19 @@ public class HandlebarsMailService : IMailService
         await _mailDeliveryService.SendEmailAsync(message);
     }
 
+    public async Task SendUnclaimedOrganizationDomainEmailAsync(IEnumerable<string> adminEmails, string organizationId, string domainName)
+    {
+        var message = CreateDefaultMessage("Domain not claimed", adminEmails);
+        var model = new OrganizationDomainUnverifiedViewModel
+        {
+            Url = $"{_globalSettings.BaseServiceUri.VaultWithHash}/organizations/{organizationId}/settings/domain-verification",
+            DomainName = domainName
+        };
+        await AddMessageContentAsync(message, "OrganizationDomainUnclaimed", model);
+        message.Category = "UnclaimedOrganizationDomain";
+        await _mailDeliveryService.SendEmailAsync(message);
+    }
+
     public async Task SendSecretsManagerMaxSeatLimitReachedEmailAsync(Organization organization, int maxSeatCount,
         IEnumerable<string> ownerEmails)
     {
diff --git a/src/Core/Services/NoopImplementations/NoopMailService.cs b/src/Core/Services/NoopImplementations/NoopMailService.cs
index e8ea8d9863..4ce188c86b 100644
--- a/src/Core/Services/NoopImplementations/NoopMailService.cs
+++ b/src/Core/Services/NoopImplementations/NoopMailService.cs
@@ -273,6 +273,11 @@ public class NoopMailService : IMailService
         return Task.FromResult(0);
     }
 
+    public Task SendUnclaimedOrganizationDomainEmailAsync(IEnumerable<string> adminEmails, string organizationId, string domainName)
+    {
+        return Task.FromResult(0);
+    }
+
     public Task SendSecretsManagerMaxSeatLimitReachedEmailAsync(Organization organization, int maxSeatCount,
         IEnumerable<string> ownerEmails)
     {

From 9b732c739aa20654a0ecdb52a76927c75842cb67 Mon Sep 17 00:00:00 2001
From: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Date: Wed, 11 Dec 2024 10:10:20 -0500
Subject: [PATCH 051/384] [PM-15907] Disable cipher key encryption on
 self-hosted instances (#5140)

* Disable cipher key encryption on self-hosted instances

* Removed override instead of setting to false
---
 src/Core/Constants.cs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index cf7feecc85..df0abfb4b9 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -175,7 +175,6 @@ public static class FeatureFlagKeys
         return new Dictionary<string, string>()
         {
             { DuoRedirect, "true" },
-            { CipherKeyEncryption, "true" },
         };
     }
 }

From 4c502f8cc81bf543caafb3c5e1cb7e4849d09e78 Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Wed, 11 Dec 2024 18:07:57 +0000
Subject: [PATCH 052/384] Bumped version to 2024.12.1

---
 Directory.Build.props | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 8639ac4a0d..05598bbbe1 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2024.12.0</Version>
+    <Version>2024.12.1</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>
@@ -64,4 +64,4 @@
     </ItemGroup>
   </Target>
 
-</Project>
+</Project>
\ No newline at end of file

From 2d891b396ac6248787969be75485b2262b46e8d2 Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Wed, 11 Dec 2024 13:55:00 -0500
Subject: [PATCH 053/384] [PM-11127] Write `OrganizationInstallation` record
 when license is retrieved (#5090)

* Add SQL files

* Add SQL Server migration

* Add Core entity

* Add Dapper repository

* Add EF repository

* Add EF migrations

* Save OrganizationInstallation during GetLicense invocation

* Run dotnet format
---
 .../Controllers/OrganizationsController.cs    |   27 +-
 .../Entities/OrganizationInstallation.cs      |   24 +
 .../IOrganizationInstallationRepository.cs    |   10 +
 .../OrganizationInstallationRepository.cs     |   39 +
 .../DapperServiceCollectionExtensions.cs      |    1 +
 ...tionInstallationEntityTypeConfiguration.cs |   29 +
 .../Models/OrganizationInstallation.cs        |   19 +
 .../OrganizationInstallationRepository.cs     |   45 +
 .../Repositories/DatabaseContext.cs           |    1 +
 .../OrganizationInstallation_Create.sql       |   27 +
 .../OrganizationInstallation_DeleteById.sql   |   12 +
 .../OrganizationInstallation_ReadById.sql     |   13 +
 ...ationInstallation_ReadByInstallationId.sql |   13 +
 ...ationInstallation_ReadByOrganizationId.sql |   13 +
 .../OrganizationInstallation_Update.sql       |   17 +
 .../dbo/Tables/OrganizationInstallation.sql   |   18 +
 .../Views/OrganizationInstallationView.sql    |    6 +
 .../OrganizationsControllerTests.cs           |    6 +-
 ...6_00_AddTable_OrganizationInstallation.sql |  158 +
 ...Table_OrganizationInstallation.Designer.cs | 2988 ++++++++++++++++
 ...85456_AddTable_OrganizationInstallation.cs |   58 +
 .../DatabaseContextModelSnapshot.cs           |   48 +
 ...Table_OrganizationInstallation.Designer.cs | 2994 +++++++++++++++++
 ...85450_AddTable_OrganizationInstallation.cs |   57 +
 .../DatabaseContextModelSnapshot.cs           |   48 +
 ...Table_OrganizationInstallation.Designer.cs | 2977 ++++++++++++++++
 ...85500_AddTable_OrganizationInstallation.cs |   57 +
 .../DatabaseContextModelSnapshot.cs           |   48 +
 28 files changed, 9751 insertions(+), 2 deletions(-)
 create mode 100644 src/Core/Billing/Entities/OrganizationInstallation.cs
 create mode 100644 src/Core/Billing/Repositories/IOrganizationInstallationRepository.cs
 create mode 100644 src/Infrastructure.Dapper/Billing/Repositories/OrganizationInstallationRepository.cs
 create mode 100644 src/Infrastructure.EntityFramework/Billing/Configurations/OrganizationInstallationEntityTypeConfiguration.cs
 create mode 100644 src/Infrastructure.EntityFramework/Billing/Models/OrganizationInstallation.cs
 create mode 100644 src/Infrastructure.EntityFramework/Billing/Repositories/OrganizationInstallationRepository.cs
 create mode 100644 src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_Create.sql
 create mode 100644 src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_DeleteById.sql
 create mode 100644 src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_ReadById.sql
 create mode 100644 src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_ReadByInstallationId.sql
 create mode 100644 src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_ReadByOrganizationId.sql
 create mode 100644 src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_Update.sql
 create mode 100644 src/Sql/Billing/dbo/Tables/OrganizationInstallation.sql
 create mode 100644 src/Sql/Billing/dbo/Views/OrganizationInstallationView.sql
 create mode 100644 util/Migrator/DbScripts/2024-11-26_00_AddTable_OrganizationInstallation.sql
 create mode 100644 util/MySqlMigrations/Migrations/20241126185456_AddTable_OrganizationInstallation.Designer.cs
 create mode 100644 util/MySqlMigrations/Migrations/20241126185456_AddTable_OrganizationInstallation.cs
 create mode 100644 util/PostgresMigrations/Migrations/20241126185450_AddTable_OrganizationInstallation.Designer.cs
 create mode 100644 util/PostgresMigrations/Migrations/20241126185450_AddTable_OrganizationInstallation.cs
 create mode 100644 util/SqliteMigrations/Migrations/20241126185500_AddTable_OrganizationInstallation.Designer.cs
 create mode 100644 util/SqliteMigrations/Migrations/20241126185500_AddTable_OrganizationInstallation.cs

diff --git a/src/Api/Billing/Controllers/OrganizationsController.cs b/src/Api/Billing/Controllers/OrganizationsController.cs
index 75ae2fb89c..ccb30c6a77 100644
--- a/src/Api/Billing/Controllers/OrganizationsController.cs
+++ b/src/Api/Billing/Controllers/OrganizationsController.cs
@@ -6,7 +6,9 @@ using Bit.Api.Models.Request.Organizations;
 using Bit.Api.Models.Response;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Billing.Constants;
+using Bit.Core.Billing.Entities;
 using Bit.Core.Billing.Models;
+using Bit.Core.Billing.Repositories;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Enums;
@@ -42,7 +44,8 @@ public class OrganizationsController(
     IUpgradeOrganizationPlanCommand upgradeOrganizationPlanCommand,
     IAddSecretsManagerSubscriptionCommand addSecretsManagerSubscriptionCommand,
     IReferenceEventService referenceEventService,
-    ISubscriberService subscriberService)
+    ISubscriberService subscriberService,
+    IOrganizationInstallationRepository organizationInstallationRepository)
     : Controller
 {
     [HttpGet("{id:guid}/subscription")]
@@ -97,6 +100,8 @@ public class OrganizationsController(
             throw new NotFoundException();
         }
 
+        await SaveOrganizationInstallationAsync(id, installationId);
+
         return license;
     }
 
@@ -366,4 +371,24 @@ public class OrganizationsController(
 
         return await organizationRepository.GetByIdAsync(id);
     }
+
+    private async Task SaveOrganizationInstallationAsync(Guid organizationId, Guid installationId)
+    {
+        var organizationInstallation =
+            await organizationInstallationRepository.GetByInstallationIdAsync(installationId);
+
+        if (organizationInstallation == null)
+        {
+            await organizationInstallationRepository.CreateAsync(new OrganizationInstallation
+            {
+                OrganizationId = organizationId,
+                InstallationId = installationId
+            });
+        }
+        else if (organizationInstallation.OrganizationId == organizationId)
+        {
+            organizationInstallation.RevisionDate = DateTime.UtcNow;
+            await organizationInstallationRepository.ReplaceAsync(organizationInstallation);
+        }
+    }
 }
diff --git a/src/Core/Billing/Entities/OrganizationInstallation.cs b/src/Core/Billing/Entities/OrganizationInstallation.cs
new file mode 100644
index 0000000000..4332afd44a
--- /dev/null
+++ b/src/Core/Billing/Entities/OrganizationInstallation.cs
@@ -0,0 +1,24 @@
+using Bit.Core.Entities;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.Billing.Entities;
+
+#nullable enable
+
+public class OrganizationInstallation : ITableObject<Guid>
+{
+    public Guid Id { get; set; }
+
+    public Guid OrganizationId { get; set; }
+    public Guid InstallationId { get; set; }
+    public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
+    public DateTime? RevisionDate { get; set; }
+
+    public void SetNewId()
+    {
+        if (Id == default)
+        {
+            Id = CoreHelpers.GenerateComb();
+        }
+    }
+}
diff --git a/src/Core/Billing/Repositories/IOrganizationInstallationRepository.cs b/src/Core/Billing/Repositories/IOrganizationInstallationRepository.cs
new file mode 100644
index 0000000000..05710d3966
--- /dev/null
+++ b/src/Core/Billing/Repositories/IOrganizationInstallationRepository.cs
@@ -0,0 +1,10 @@
+using Bit.Core.Billing.Entities;
+using Bit.Core.Repositories;
+
+namespace Bit.Core.Billing.Repositories;
+
+public interface IOrganizationInstallationRepository : IRepository<OrganizationInstallation, Guid>
+{
+    Task<OrganizationInstallation> GetByInstallationIdAsync(Guid installationId);
+    Task<ICollection<OrganizationInstallation>> GetByOrganizationIdAsync(Guid organizationId);
+}
diff --git a/src/Infrastructure.Dapper/Billing/Repositories/OrganizationInstallationRepository.cs b/src/Infrastructure.Dapper/Billing/Repositories/OrganizationInstallationRepository.cs
new file mode 100644
index 0000000000..f73eefb793
--- /dev/null
+++ b/src/Infrastructure.Dapper/Billing/Repositories/OrganizationInstallationRepository.cs
@@ -0,0 +1,39 @@
+using System.Data;
+using Bit.Core.Billing.Entities;
+using Bit.Core.Billing.Repositories;
+using Bit.Core.Settings;
+using Bit.Infrastructure.Dapper.Repositories;
+using Dapper;
+using Microsoft.Data.SqlClient;
+
+namespace Bit.Infrastructure.Dapper.Billing.Repositories;
+
+public class OrganizationInstallationRepository(
+    GlobalSettings globalSettings) : Repository<OrganizationInstallation, Guid>(
+        globalSettings.SqlServer.ConnectionString,
+        globalSettings.SqlServer.ReadOnlyConnectionString), IOrganizationInstallationRepository
+{
+    public async Task<OrganizationInstallation> GetByInstallationIdAsync(Guid installationId)
+    {
+        var sqlConnection = new SqlConnection(ConnectionString);
+
+        var results = await sqlConnection.QueryAsync<OrganizationInstallation>(
+            "[dbo].[OrganizationInstallation_ReadByInstallationId]",
+            new { InstallationId = installationId },
+            commandType: CommandType.StoredProcedure);
+
+        return results.FirstOrDefault();
+    }
+
+    public async Task<ICollection<OrganizationInstallation>> GetByOrganizationIdAsync(Guid organizationId)
+    {
+        var sqlConnection = new SqlConnection(ConnectionString);
+
+        var results = await sqlConnection.QueryAsync<OrganizationInstallation>(
+            "[dbo].[OrganizationInstallation_ReadByOrganizationId]",
+            new { OrganizationId = organizationId },
+            commandType: CommandType.StoredProcedure);
+
+        return results.ToArray();
+    }
+}
diff --git a/src/Infrastructure.Dapper/DapperServiceCollectionExtensions.cs b/src/Infrastructure.Dapper/DapperServiceCollectionExtensions.cs
index c873f84aa0..834f681d28 100644
--- a/src/Infrastructure.Dapper/DapperServiceCollectionExtensions.cs
+++ b/src/Infrastructure.Dapper/DapperServiceCollectionExtensions.cs
@@ -63,6 +63,7 @@ public static class DapperServiceCollectionExtensions
         services.AddSingleton<IPasswordHealthReportApplicationRepository, PasswordHealthReportApplicationRepository>();
         services.AddSingleton<ISecurityTaskRepository, SecurityTaskRepository>();
         services.AddSingleton<IUserAsymmetricKeysRepository, UserAsymmetricKeysRepository>();
+        services.AddSingleton<IOrganizationInstallationRepository, OrganizationInstallationRepository>();
 
         if (selfHosted)
         {
diff --git a/src/Infrastructure.EntityFramework/Billing/Configurations/OrganizationInstallationEntityTypeConfiguration.cs b/src/Infrastructure.EntityFramework/Billing/Configurations/OrganizationInstallationEntityTypeConfiguration.cs
new file mode 100644
index 0000000000..e4ba27b75d
--- /dev/null
+++ b/src/Infrastructure.EntityFramework/Billing/Configurations/OrganizationInstallationEntityTypeConfiguration.cs
@@ -0,0 +1,29 @@
+using Bit.Infrastructure.EntityFramework.Billing.Models;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Metadata.Builders;
+
+namespace Bit.Infrastructure.EntityFramework.Billing.Configurations;
+
+public class OrganizationInstallationEntityTypeConfiguration : IEntityTypeConfiguration<OrganizationInstallation>
+{
+    public void Configure(EntityTypeBuilder<OrganizationInstallation> builder)
+    {
+        builder
+            .Property(oi => oi.Id)
+            .ValueGeneratedNever();
+
+        builder
+            .HasKey(oi => oi.Id)
+            .IsClustered();
+
+        builder
+            .HasIndex(oi => oi.OrganizationId)
+            .IsClustered(false);
+
+        builder
+            .HasIndex(oi => oi.InstallationId)
+            .IsClustered(false);
+
+        builder.ToTable(nameof(OrganizationInstallation));
+    }
+}
diff --git a/src/Infrastructure.EntityFramework/Billing/Models/OrganizationInstallation.cs b/src/Infrastructure.EntityFramework/Billing/Models/OrganizationInstallation.cs
new file mode 100644
index 0000000000..2f00768206
--- /dev/null
+++ b/src/Infrastructure.EntityFramework/Billing/Models/OrganizationInstallation.cs
@@ -0,0 +1,19 @@
+using AutoMapper;
+using Bit.Infrastructure.EntityFramework.AdminConsole.Models;
+using Bit.Infrastructure.EntityFramework.Models;
+
+namespace Bit.Infrastructure.EntityFramework.Billing.Models;
+
+public class OrganizationInstallation : Core.Billing.Entities.OrganizationInstallation
+{
+    public virtual Installation Installation { get; set; }
+    public virtual Organization Organization { get; set; }
+}
+
+public class OrganizationInstallationMapperProfile : Profile
+{
+    public OrganizationInstallationMapperProfile()
+    {
+        CreateMap<Core.Billing.Entities.OrganizationInstallation, OrganizationInstallation>().ReverseMap();
+    }
+}
diff --git a/src/Infrastructure.EntityFramework/Billing/Repositories/OrganizationInstallationRepository.cs b/src/Infrastructure.EntityFramework/Billing/Repositories/OrganizationInstallationRepository.cs
new file mode 100644
index 0000000000..566c52332e
--- /dev/null
+++ b/src/Infrastructure.EntityFramework/Billing/Repositories/OrganizationInstallationRepository.cs
@@ -0,0 +1,45 @@
+using AutoMapper;
+using Bit.Core.Billing.Entities;
+using Bit.Core.Billing.Repositories;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
+using EFOrganizationInstallation = Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation;
+
+namespace Bit.Infrastructure.EntityFramework.Billing.Repositories;
+
+public class OrganizationInstallationRepository(
+    IMapper mapper,
+    IServiceScopeFactory serviceScopeFactory) : Repository<OrganizationInstallation, EFOrganizationInstallation, Guid>(
+        serviceScopeFactory,
+        mapper,
+        context => context.OrganizationInstallations), IOrganizationInstallationRepository
+{
+    public async Task<OrganizationInstallation> GetByInstallationIdAsync(Guid installationId)
+    {
+        using var serviceScope = ServiceScopeFactory.CreateScope();
+
+        var databaseContext = GetDatabaseContext(serviceScope);
+
+        var query =
+            from organizationInstallation in databaseContext.OrganizationInstallations
+            where organizationInstallation.Id == installationId
+            select organizationInstallation;
+
+        return await query.FirstOrDefaultAsync();
+    }
+
+    public async Task<ICollection<OrganizationInstallation>> GetByOrganizationIdAsync(Guid organizationId)
+    {
+        using var serviceScope = ServiceScopeFactory.CreateScope();
+
+        var databaseContext = GetDatabaseContext(serviceScope);
+
+        var query =
+            from organizationInstallation in databaseContext.OrganizationInstallations
+            where organizationInstallation.OrganizationId == organizationId
+            select organizationInstallation;
+
+        return await query.ToArrayAsync();
+    }
+}
diff --git a/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs b/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
index 1f1ea16bfc..24ef2ab269 100644
--- a/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
+++ b/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
@@ -78,6 +78,7 @@ public class DatabaseContext : DbContext
     public DbSet<ClientOrganizationMigrationRecord> ClientOrganizationMigrationRecords { get; set; }
     public DbSet<PasswordHealthReportApplication> PasswordHealthReportApplications { get; set; }
     public DbSet<SecurityTask> SecurityTasks { get; set; }
+    public DbSet<OrganizationInstallation> OrganizationInstallations { get; set; }
 
     protected override void OnModelCreating(ModelBuilder builder)
     {
diff --git a/src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_Create.sql b/src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_Create.sql
new file mode 100644
index 0000000000..2bca369fc9
--- /dev/null
+++ b/src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_Create.sql	
@@ -0,0 +1,27 @@
+CREATE PROCEDURE [dbo].[OrganizationInstallation_Create]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @OrganizationId UNIQUEIDENTIFIER,
+    @InstallationId UNIQUEIDENTIFIER,
+    @CreationDate DATETIME2 (7),
+    @RevisionDate DATETIME2 (7) = NULL
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    INSERT INTO [dbo].[OrganizationInstallation]
+    (
+        [Id],
+        [OrganizationId],
+        [InstallationId],
+        [CreationDate],
+        [RevisionDate]
+    )
+    VALUES
+    (
+     @Id,
+     @OrganizationId,
+     @InstallationId,
+     @CreationDate,
+     @RevisionDate
+    )
+END
diff --git a/src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_DeleteById.sql b/src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_DeleteById.sql
new file mode 100644
index 0000000000..edc97a1a05
--- /dev/null
+++ b/src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_DeleteById.sql	
@@ -0,0 +1,12 @@
+CREATE PROCEDURE [dbo].[OrganizationInstallation_DeleteById]
+    @Id UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    DELETE
+    FROM
+        [dbo].[OrganizationInstallation]
+    WHERE
+        [Id] = @Id
+END
diff --git a/src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_ReadById.sql b/src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_ReadById.sql
new file mode 100644
index 0000000000..bda3039cf9
--- /dev/null
+++ b/src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_ReadById.sql	
@@ -0,0 +1,13 @@
+CREATE PROCEDURE [dbo].[OrganizationInstallation_ReadById]
+    @Id UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        *
+    FROM
+        [dbo].[OrganizationInstallationView]
+    WHERE
+        [Id] = @Id
+END
diff --git a/src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_ReadByInstallationId.sql b/src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_ReadByInstallationId.sql
new file mode 100644
index 0000000000..a2a3b2ef16
--- /dev/null
+++ b/src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_ReadByInstallationId.sql	
@@ -0,0 +1,13 @@
+CREATE PROCEDURE [dbo].[OrganizationInstallation_ReadByInstallationId]
+    @InstallationId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        *
+    FROM
+        [dbo].[OrganizationInstallationView]
+    WHERE
+        [InstallationId] = @InstallationId
+END
diff --git a/src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_ReadByOrganizationId.sql b/src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_ReadByOrganizationId.sql
new file mode 100644
index 0000000000..3dffe1968e
--- /dev/null
+++ b/src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_ReadByOrganizationId.sql	
@@ -0,0 +1,13 @@
+CREATE PROCEDURE [dbo].[OrganizationInstallation_ReadByOrganizationId]
+    @OrganizationId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        *
+    FROM
+        [dbo].[OrganizationInstallationView]
+    WHERE
+        [OrganizationId] = @OrganizationId
+END
diff --git a/src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_Update.sql b/src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_Update.sql
new file mode 100644
index 0000000000..22aefc540d
--- /dev/null
+++ b/src/Sql/Billing/dbo/Stored Procedures/OrganizationInstallation_Update.sql	
@@ -0,0 +1,17 @@
+CREATE PROCEDURE [dbo].[OrganizationInstallation_Update]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @OrganizationId UNIQUEIDENTIFIER,
+    @InstallationId UNIQUEIDENTIFIER,
+    @CreationDate DATETIME2 (7),
+    @RevisionDate DATETIME2 (7)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    UPDATE
+        [dbo].[OrganizationInstallation]
+    SET
+        [RevisionDate] = @RevisionDate
+    WHERE
+        [Id] = @Id
+END
diff --git a/src/Sql/Billing/dbo/Tables/OrganizationInstallation.sql b/src/Sql/Billing/dbo/Tables/OrganizationInstallation.sql
new file mode 100644
index 0000000000..e17d689a9a
--- /dev/null
+++ b/src/Sql/Billing/dbo/Tables/OrganizationInstallation.sql
@@ -0,0 +1,18 @@
+CREATE TABLE [dbo].[OrganizationInstallation] (
+    [Id]             UNIQUEIDENTIFIER NOT NULL,
+    [OrganizationId] UNIQUEIDENTIFIER NOT NULL,
+    [InstallationId] UNIQUEIDENTIFIER NOT NULL,
+    [CreationDate]   DATETIME2 (7) NOT NULL,
+    [RevisionDate]   DATETIME2 (7) NULL,
+    CONSTRAINT [PK_OrganizationInstallation] PRIMARY KEY CLUSTERED ([Id] ASC),
+    CONSTRAINT [FK_OrganizationInstallation_Organization] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization] ([Id]) ON DELETE CASCADE,
+    CONSTRAINT [FK_OrganizationInstallation_Installation] FOREIGN KEY ([InstallationId]) REFERENCES [dbo].[Installation] ([Id]) ON DELETE CASCADE
+);
+GO
+
+CREATE NONCLUSTERED INDEX [IX_OrganizationInstallation_OrganizationId]
+    ON [dbo].[OrganizationInstallation]([OrganizationId] ASC);
+GO
+
+CREATE NONCLUSTERED INDEX [IX_OrganizationInstallation_InstallationId]
+    ON [dbo].[OrganizationInstallation]([InstallationId] ASC);
diff --git a/src/Sql/Billing/dbo/Views/OrganizationInstallationView.sql b/src/Sql/Billing/dbo/Views/OrganizationInstallationView.sql
new file mode 100644
index 0000000000..c68142b700
--- /dev/null
+++ b/src/Sql/Billing/dbo/Views/OrganizationInstallationView.sql
@@ -0,0 +1,6 @@
+CREATE VIEW [dbo].[OrganizationInstallationView]
+AS
+SELECT
+    *
+FROM
+    [dbo].[OrganizationInstallation];
diff --git a/test/Api.Test/Billing/Controllers/OrganizationsControllerTests.cs b/test/Api.Test/Billing/Controllers/OrganizationsControllerTests.cs
index ec6047fbfe..483d962830 100644
--- a/test/Api.Test/Billing/Controllers/OrganizationsControllerTests.cs
+++ b/test/Api.Test/Billing/Controllers/OrganizationsControllerTests.cs
@@ -10,6 +10,7 @@ using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Auth.Services;
+using Bit.Core.Billing.Repositories;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Entities;
@@ -47,6 +48,7 @@ public class OrganizationsControllerTests : IDisposable
     private readonly IReferenceEventService _referenceEventService;
     private readonly ISubscriberService _subscriberService;
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
+    private readonly IOrganizationInstallationRepository _organizationInstallationRepository;
 
     private readonly OrganizationsController _sut;
 
@@ -70,6 +72,7 @@ public class OrganizationsControllerTests : IDisposable
         _referenceEventService = Substitute.For<IReferenceEventService>();
         _subscriberService = Substitute.For<ISubscriberService>();
         _removeOrganizationUserCommand = Substitute.For<IRemoveOrganizationUserCommand>();
+        _organizationInstallationRepository = Substitute.For<IOrganizationInstallationRepository>();
 
         _sut = new OrganizationsController(
             _organizationRepository,
@@ -85,7 +88,8 @@ public class OrganizationsControllerTests : IDisposable
             _upgradeOrganizationPlanCommand,
             _addSecretsManagerSubscriptionCommand,
             _referenceEventService,
-            _subscriberService);
+            _subscriberService,
+            _organizationInstallationRepository);
     }
 
     public void Dispose()
diff --git a/util/Migrator/DbScripts/2024-11-26_00_AddTable_OrganizationInstallation.sql b/util/Migrator/DbScripts/2024-11-26_00_AddTable_OrganizationInstallation.sql
new file mode 100644
index 0000000000..20199ade6a
--- /dev/null
+++ b/util/Migrator/DbScripts/2024-11-26_00_AddTable_OrganizationInstallation.sql
@@ -0,0 +1,158 @@
+-- OrganizationInstallation
+
+-- Table
+IF OBJECT_ID('[dbo].[OrganizationInstallation]') IS NULL
+BEGIN
+    CREATE TABLE [dbo].[OrganizationInstallation] (
+        [Id]             UNIQUEIDENTIFIER NOT NULL,
+        [OrganizationId] UNIQUEIDENTIFIER NOT NULL,
+        [InstallationId] UNIQUEIDENTIFIER NOT NULL,
+        [CreationDate]   DATETIME2 (7) NOT NULL,
+        [RevisionDate]   DATETIME2 (7) NULL,
+        CONSTRAINT [PK_OrganizationInstallation] PRIMARY KEY CLUSTERED ([Id] ASC),
+        CONSTRAINT [FK_OrganizationInstallation_Organization] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization] ([Id]) ON DELETE CASCADE,
+        CONSTRAINT [FK_OrganizationInstallation_Installation] FOREIGN KEY ([InstallationId]) REFERENCES [dbo].[Installation] ([Id]) ON DELETE CASCADE
+    );
+END
+GO
+
+-- Indexes
+IF NOT EXISTS(SELECT name FROM sys.indexes WHERE name = 'IX_OrganizationInstallation_OrganizationId')
+BEGIN
+    CREATE NONCLUSTERED INDEX [IX_OrganizationInstallation_OrganizationId]
+        ON [dbo].[OrganizationInstallation]([OrganizationId] ASC);
+END
+
+IF NOT EXISTS(SELECT name FROM sys.indexes WHERE name = 'IX_OrganizationInstallation_InstallationId')
+BEGIN
+    CREATE NONCLUSTERED INDEX [IX_OrganizationInstallation_InstallationId]
+        ON [dbo].[OrganizationInstallation]([InstallationId] ASC);
+END
+
+-- View
+IF EXISTS(SELECT * FROM sys.views WHERE [Name] = 'OrganizationInstallationView')
+BEGIN
+    DROP VIEW [dbo].[OrganizationInstallationView];
+END
+GO
+
+CREATE VIEW [dbo].[OrganizationInstallationView]
+AS
+SELECT
+    *
+FROM
+    [dbo].[OrganizationInstallation]
+GO
+
+-- Stored Procedures: Create
+CREATE OR ALTER PROCEDURE [dbo].[OrganizationInstallation_Create]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @OrganizationId UNIQUEIDENTIFIER,
+    @InstallationId UNIQUEIDENTIFIER,
+    @CreationDate DATETIME2 (7),
+    @RevisionDate DATETIME2 (7) = NULL
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    INSERT INTO [dbo].[OrganizationInstallation]
+    (
+        [Id],
+        [OrganizationId],
+        [InstallationId],
+        [CreationDate],
+        [RevisionDate]
+    )
+    VALUES
+    (
+     @Id,
+     @OrganizationId,
+     @InstallationId,
+     @CreationDate,
+     @RevisionDate
+    )
+END
+GO
+
+-- Stored Procedures: DeleteById
+CREATE OR ALTER PROCEDURE [dbo].[OrganizationInstallation_DeleteById]
+    @Id UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    DELETE
+    FROM
+        [dbo].[OrganizationInstallation]
+    WHERE
+        [Id] = @Id
+END
+GO
+
+-- Stored Procedures: ReadById
+CREATE PROCEDURE [dbo].[OrganizationInstallation_ReadById]
+    @Id UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        *
+    FROM
+        [dbo].[OrganizationInstallationView]
+    WHERE
+        [Id] = @Id
+END
+GO
+
+-- Stored Procedures: ReadByInstallationId
+CREATE PROCEDURE [dbo].[OrganizationInstallation_ReadByInstallationId]
+    @InstallationId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        *
+    FROM
+        [dbo].[OrganizationInstallationView]
+    WHERE
+        [InstallationId] = @InstallationId
+END
+GO
+
+-- Stored Procedures: ReadByOrganizationId
+CREATE PROCEDURE [dbo].[OrganizationInstallation_ReadByOrganizationId]
+    @OrganizationId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        *
+    FROM
+        [dbo].[OrganizationInstallationView]
+    WHERE
+        [OrganizationId] = @OrganizationId
+END
+GO
+
+-- Stored Procedures: Update
+CREATE PROCEDURE [dbo].[OrganizationInstallation_Update]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @OrganizationId UNIQUEIDENTIFIER,
+    @InstallationId UNIQUEIDENTIFIER,
+    @CreationDate DATETIME2 (7),
+    @RevisionDate DATETIME2 (7)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    UPDATE
+        [dbo].[OrganizationInstallation]
+    SET
+        [RevisionDate] = @RevisionDate
+    WHERE
+        [Id] = @Id
+END
+GO
diff --git a/util/MySqlMigrations/Migrations/20241126185456_AddTable_OrganizationInstallation.Designer.cs b/util/MySqlMigrations/Migrations/20241126185456_AddTable_OrganizationInstallation.Designer.cs
new file mode 100644
index 0000000000..26cc7988b4
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20241126185456_AddTable_OrganizationInstallation.Designer.cs
@@ -0,0 +1,2988 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Metadata;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20241126185456_AddTable_OrganizationInstallation")]
+    partial class AddTable_OrganizationInstallation
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 64);
+
+            MySqlModelBuilderExtensions.AutoIncrementColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("LimitCollectionCreationDeletion")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("varchar(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("int");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("varchar(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("varchar(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("longblob");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("varchar(150)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("varchar(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("varchar(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("int");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("varchar(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Body")
+                        .HasColumnType("longtext");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("varchar(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("varchar(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/20241126185456_AddTable_OrganizationInstallation.cs b/util/MySqlMigrations/Migrations/20241126185456_AddTable_OrganizationInstallation.cs
new file mode 100644
index 0000000000..ddffc19aff
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20241126185456_AddTable_OrganizationInstallation.cs
@@ -0,0 +1,58 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddTable_OrganizationInstallation : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.CreateTable(
+            name: "OrganizationInstallation",
+            columns: table => new
+            {
+                Id = table.Column<Guid>(type: "char(36)", nullable: false, collation: "ascii_general_ci"),
+                OrganizationId = table.Column<Guid>(type: "char(36)", nullable: false, collation: "ascii_general_ci"),
+                InstallationId = table.Column<Guid>(type: "char(36)", nullable: false, collation: "ascii_general_ci"),
+                CreationDate = table.Column<DateTime>(type: "datetime(6)", nullable: false),
+                RevisionDate = table.Column<DateTime>(type: "datetime(6)", nullable: true)
+            },
+            constraints: table =>
+            {
+                table.PrimaryKey("PK_OrganizationInstallation", x => x.Id);
+                table.ForeignKey(
+                    name: "FK_OrganizationInstallation_Installation_InstallationId",
+                    column: x => x.InstallationId,
+                    principalTable: "Installation",
+                    principalColumn: "Id",
+                    onDelete: ReferentialAction.Cascade);
+                table.ForeignKey(
+                    name: "FK_OrganizationInstallation_Organization_OrganizationId",
+                    column: x => x.OrganizationId,
+                    principalTable: "Organization",
+                    principalColumn: "Id",
+                    onDelete: ReferentialAction.Cascade);
+            })
+            .Annotation("MySql:CharSet", "utf8mb4");
+
+        migrationBuilder.CreateIndex(
+            name: "IX_OrganizationInstallation_InstallationId",
+            table: "OrganizationInstallation",
+            column: "InstallationId");
+
+        migrationBuilder.CreateIndex(
+            name: "IX_OrganizationInstallation_OrganizationId",
+            table: "OrganizationInstallation",
+            column: "OrganizationId");
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropTable(
+            name: "OrganizationInstallation");
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
index 5927762791..000274387c 100644
--- a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -737,6 +737,35 @@ namespace Bit.MySqlMigrations.Migrations
                     b.ToTable("ClientOrganizationMigrationRecord", (string)null);
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
                 {
                     b.Property<Guid>("Id")
@@ -2336,6 +2365,25 @@ namespace Bit.MySqlMigrations.Migrations
                     b.Navigation("User");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
                 {
                     b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
diff --git a/util/PostgresMigrations/Migrations/20241126185450_AddTable_OrganizationInstallation.Designer.cs b/util/PostgresMigrations/Migrations/20241126185450_AddTable_OrganizationInstallation.Designer.cs
new file mode 100644
index 0000000000..d511ef53ef
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20241126185450_AddTable_OrganizationInstallation.Designer.cs
@@ -0,0 +1,2994 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20241126185450_AddTable_OrganizationInstallation")]
+    partial class AddTable_OrganizationInstallation
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("Npgsql:CollationDefinition:postgresIndetermanisticCollation", "en-u-ks-primary,en-u-ks-primary,icu,False")
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("LimitCollectionCreationDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled");
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("Id", "Enabled"), new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("character varying(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("OrganizationId", "ExternalId"), new[] { "UserId" });
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("character varying(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("numeric");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("character varying(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("character varying(150)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("character varying(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("numeric");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("numeric");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("boolean");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("numeric");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("character varying(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Body")
+                        .HasColumnType("text");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("character varying(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/20241126185450_AddTable_OrganizationInstallation.cs b/util/PostgresMigrations/Migrations/20241126185450_AddTable_OrganizationInstallation.cs
new file mode 100644
index 0000000000..e653db6c25
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20241126185450_AddTable_OrganizationInstallation.cs
@@ -0,0 +1,57 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddTable_OrganizationInstallation : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.CreateTable(
+            name: "OrganizationInstallation",
+            columns: table => new
+            {
+                Id = table.Column<Guid>(type: "uuid", nullable: false),
+                OrganizationId = table.Column<Guid>(type: "uuid", nullable: false),
+                InstallationId = table.Column<Guid>(type: "uuid", nullable: false),
+                CreationDate = table.Column<DateTime>(type: "timestamp with time zone", nullable: false),
+                RevisionDate = table.Column<DateTime>(type: "timestamp with time zone", nullable: true)
+            },
+            constraints: table =>
+            {
+                table.PrimaryKey("PK_OrganizationInstallation", x => x.Id);
+                table.ForeignKey(
+                    name: "FK_OrganizationInstallation_Installation_InstallationId",
+                    column: x => x.InstallationId,
+                    principalTable: "Installation",
+                    principalColumn: "Id",
+                    onDelete: ReferentialAction.Cascade);
+                table.ForeignKey(
+                    name: "FK_OrganizationInstallation_Organization_OrganizationId",
+                    column: x => x.OrganizationId,
+                    principalTable: "Organization",
+                    principalColumn: "Id",
+                    onDelete: ReferentialAction.Cascade);
+            });
+
+        migrationBuilder.CreateIndex(
+            name: "IX_OrganizationInstallation_InstallationId",
+            table: "OrganizationInstallation",
+            column: "InstallationId");
+
+        migrationBuilder.CreateIndex(
+            name: "IX_OrganizationInstallation_OrganizationId",
+            table: "OrganizationInstallation",
+            column: "OrganizationId");
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropTable(
+            name: "OrganizationInstallation");
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
index 4259d1aed8..c8cce33e11 100644
--- a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -742,6 +742,35 @@ namespace Bit.PostgresMigrations.Migrations
                     b.ToTable("ClientOrganizationMigrationRecord", (string)null);
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
                 {
                     b.Property<Guid>("Id")
@@ -2342,6 +2371,25 @@ namespace Bit.PostgresMigrations.Migrations
                     b.Navigation("User");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
                 {
                     b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
diff --git a/util/SqliteMigrations/Migrations/20241126185500_AddTable_OrganizationInstallation.Designer.cs b/util/SqliteMigrations/Migrations/20241126185500_AddTable_OrganizationInstallation.Designer.cs
new file mode 100644
index 0000000000..85f073ae90
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20241126185500_AddTable_OrganizationInstallation.Designer.cs
@@ -0,0 +1,2977 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20241126185500_AddTable_OrganizationInstallation")]
+    partial class AddTable_OrganizationInstallation
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder.HasAnnotation("ProductVersion", "8.0.8");
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("LimitCollectionCreationDeletion")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("BLOB");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Body")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/20241126185500_AddTable_OrganizationInstallation.cs b/util/SqliteMigrations/Migrations/20241126185500_AddTable_OrganizationInstallation.cs
new file mode 100644
index 0000000000..fde1b974d5
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20241126185500_AddTable_OrganizationInstallation.cs
@@ -0,0 +1,57 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddTable_OrganizationInstallation : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.CreateTable(
+            name: "OrganizationInstallation",
+            columns: table => new
+            {
+                Id = table.Column<Guid>(type: "TEXT", nullable: false),
+                OrganizationId = table.Column<Guid>(type: "TEXT", nullable: false),
+                InstallationId = table.Column<Guid>(type: "TEXT", nullable: false),
+                CreationDate = table.Column<DateTime>(type: "TEXT", nullable: false),
+                RevisionDate = table.Column<DateTime>(type: "TEXT", nullable: true)
+            },
+            constraints: table =>
+            {
+                table.PrimaryKey("PK_OrganizationInstallation", x => x.Id);
+                table.ForeignKey(
+                    name: "FK_OrganizationInstallation_Installation_InstallationId",
+                    column: x => x.InstallationId,
+                    principalTable: "Installation",
+                    principalColumn: "Id",
+                    onDelete: ReferentialAction.Cascade);
+                table.ForeignKey(
+                    name: "FK_OrganizationInstallation_Organization_OrganizationId",
+                    column: x => x.OrganizationId,
+                    principalTable: "Organization",
+                    principalColumn: "Id",
+                    onDelete: ReferentialAction.Cascade);
+            });
+
+        migrationBuilder.CreateIndex(
+            name: "IX_OrganizationInstallation_InstallationId",
+            table: "OrganizationInstallation",
+            column: "InstallationId");
+
+        migrationBuilder.CreateIndex(
+            name: "IX_OrganizationInstallation_OrganizationId",
+            table: "OrganizationInstallation",
+            column: "OrganizationId");
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropTable(
+            name: "OrganizationInstallation");
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
index f906543254..12a1c9792b 100644
--- a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -726,6 +726,35 @@ namespace Bit.SqliteMigrations.Migrations
                     b.ToTable("ClientOrganizationMigrationRecord", (string)null);
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
                 {
                     b.Property<Guid>("Id")
@@ -2325,6 +2354,25 @@ namespace Bit.SqliteMigrations.Migrations
                     b.Navigation("User");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
                 {
                     b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")

From c852575a9eaf67789eb0bbb0c80b10ff7de018b8 Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Thu, 12 Dec 2024 07:08:17 -0500
Subject: [PATCH 054/384] [PM-14984] Use provider subscription for MSP managed
 enterprise license (#5102)

* Use provider subscription when creating license for MSP managed enterprise organization

* Run dotnet format
---
 .../Cloud/CloudGetOrganizationLicenseQuery.cs | 20 +++++++++--
 .../CloudGetOrganizationLicenseQueryTests.cs  | 33 +++++++++++++++++++
 2 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/src/Core/OrganizationFeatures/OrganizationLicenses/Cloud/CloudGetOrganizationLicenseQuery.cs b/src/Core/OrganizationFeatures/OrganizationLicenses/Cloud/CloudGetOrganizationLicenseQuery.cs
index a4b08736c2..d7782fcd98 100644
--- a/src/Core/OrganizationFeatures/OrganizationLicenses/Cloud/CloudGetOrganizationLicenseQuery.cs
+++ b/src/Core/OrganizationFeatures/OrganizationLicenses/Cloud/CloudGetOrganizationLicenseQuery.cs
@@ -1,4 +1,6 @@
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.OrganizationFeatures.OrganizationLicenses.Interfaces;
@@ -12,15 +14,18 @@ public class CloudGetOrganizationLicenseQuery : ICloudGetOrganizationLicenseQuer
     private readonly IInstallationRepository _installationRepository;
     private readonly IPaymentService _paymentService;
     private readonly ILicensingService _licensingService;
+    private readonly IProviderRepository _providerRepository;
 
     public CloudGetOrganizationLicenseQuery(
         IInstallationRepository installationRepository,
         IPaymentService paymentService,
-        ILicensingService licensingService)
+        ILicensingService licensingService,
+        IProviderRepository providerRepository)
     {
         _installationRepository = installationRepository;
         _paymentService = paymentService;
         _licensingService = licensingService;
+        _providerRepository = providerRepository;
     }
 
     public async Task<OrganizationLicense> GetLicenseAsync(Organization organization, Guid installationId,
@@ -32,11 +37,22 @@ public class CloudGetOrganizationLicenseQuery : ICloudGetOrganizationLicenseQuer
             throw new BadRequestException("Invalid installation id");
         }
 
-        var subscriptionInfo = await _paymentService.GetSubscriptionAsync(organization);
+        var subscriptionInfo = await GetSubscriptionAsync(organization);
 
         return new OrganizationLicense(organization, subscriptionInfo, installationId, _licensingService, version)
         {
             Token = await _licensingService.CreateOrganizationTokenAsync(organization, installationId, subscriptionInfo)
         };
     }
+
+    private async Task<SubscriptionInfo> GetSubscriptionAsync(Organization organization)
+    {
+        if (organization is not { Status: OrganizationStatusType.Managed })
+        {
+            return await _paymentService.GetSubscriptionAsync(organization);
+        }
+
+        var provider = await _providerRepository.GetByOrganizationIdAsync(organization.Id);
+        return await _paymentService.GetSubscriptionAsync(provider);
+    }
 }
diff --git a/test/Core.Test/OrganizationFeatures/OrganizationLicenses/CloudGetOrganizationLicenseQueryTests.cs b/test/Core.Test/OrganizationFeatures/OrganizationLicenses/CloudGetOrganizationLicenseQueryTests.cs
index 00a4b12b2e..52bee7068f 100644
--- a/test/Core.Test/OrganizationFeatures/OrganizationLicenses/CloudGetOrganizationLicenseQueryTests.cs
+++ b/test/Core.Test/OrganizationFeatures/OrganizationLicenses/CloudGetOrganizationLicenseQueryTests.cs
@@ -1,4 +1,6 @@
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Entities.Provider;
+using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -11,6 +13,7 @@ using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
 using NSubstitute.ReturnsExtensions;
+using Stripe;
 using Xunit;
 
 namespace Bit.Core.Test.OrganizationFeatures.OrganizationLicenses;
@@ -62,4 +65,34 @@ public class CloudGetOrganizationLicenseQueryTests
         Assert.Equal(installationId, result.InstallationId);
         Assert.Equal(licenseSignature, result.SignatureBytes);
     }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetLicenseAsync_MSPManagedOrganization_UsesProviderSubscription(SutProvider<CloudGetOrganizationLicenseQuery> sutProvider,
+        Organization organization, Guid installationId, Installation installation, SubscriptionInfo subInfo,
+        byte[] licenseSignature, Provider provider)
+    {
+        organization.Status = OrganizationStatusType.Managed;
+        organization.ExpirationDate = null;
+
+        subInfo.Subscription = new SubscriptionInfo.BillingSubscription(new Subscription
+        {
+            CurrentPeriodStart = DateTime.UtcNow,
+            CurrentPeriodEnd = DateTime.UtcNow.AddMonths(1)
+        });
+
+        installation.Enabled = true;
+        sutProvider.GetDependency<IInstallationRepository>().GetByIdAsync(installationId).Returns(installation);
+        sutProvider.GetDependency<IProviderRepository>().GetByOrganizationIdAsync(organization.Id).Returns(provider);
+        sutProvider.GetDependency<IPaymentService>().GetSubscriptionAsync(provider).Returns(subInfo);
+        sutProvider.GetDependency<ILicensingService>().SignLicense(Arg.Any<ILicense>()).Returns(licenseSignature);
+
+        var result = await sutProvider.Sut.GetLicenseAsync(organization, installationId);
+
+        Assert.Equal(LicenseType.Organization, result.LicenseType);
+        Assert.Equal(organization.Id, result.Id);
+        Assert.Equal(installationId, result.InstallationId);
+        Assert.Equal(licenseSignature, result.SignatureBytes);
+        Assert.Equal(DateTime.UtcNow.AddYears(1).Date, result.Expires!.Value.Date);
+    }
 }

From a76a9cb8001f8cd54d2d89cb9f45ad26bb71d76a Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Thu, 12 Dec 2024 10:18:11 -0500
Subject: [PATCH 055/384] [PM-14826] Add UsePolicies check to GET endpoints
 (#5046)

GetByToken and GetMasterPasswordPolicy endpoints provide policy information, so if the organization is not using policies, then we avoid the rest of the logic.
---
 .../Controllers/PoliciesController.cs         |  34 ++-
 .../Controllers/PoliciesControllerTests.cs    | 278 +++++++++++++++++-
 2 files changed, 291 insertions(+), 21 deletions(-)

diff --git a/src/Api/AdminConsole/Controllers/PoliciesController.cs b/src/Api/AdminConsole/Controllers/PoliciesController.cs
index 1167d7a86c..7de6f6e730 100644
--- a/src/Api/AdminConsole/Controllers/PoliciesController.cs
+++ b/src/Api/AdminConsole/Controllers/PoliciesController.cs
@@ -27,19 +27,20 @@ namespace Bit.Api.AdminConsole.Controllers;
 [Authorize("Application")]
 public class PoliciesController : Controller
 {
-    private readonly IPolicyRepository _policyRepository;
-    private readonly IOrganizationUserRepository _organizationUserRepository;
-    private readonly IUserService _userService;
     private readonly ICurrentContext _currentContext;
-    private readonly GlobalSettings _globalSettings;
-    private readonly IDataProtector _organizationServiceDataProtector;
-    private readonly IDataProtectorTokenFactory<OrgUserInviteTokenable> _orgUserInviteTokenDataFactory;
     private readonly IFeatureService _featureService;
+    private readonly GlobalSettings _globalSettings;
     private readonly IOrganizationHasVerifiedDomainsQuery _organizationHasVerifiedDomainsQuery;
+    private readonly IOrganizationRepository _organizationRepository;
+    private readonly IDataProtector _organizationServiceDataProtector;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IDataProtectorTokenFactory<OrgUserInviteTokenable> _orgUserInviteTokenDataFactory;
+    private readonly IPolicyRepository _policyRepository;
+    private readonly IUserService _userService;
+
     private readonly ISavePolicyCommand _savePolicyCommand;
 
-    public PoliciesController(
-        IPolicyRepository policyRepository,
+    public PoliciesController(IPolicyRepository policyRepository,
         IOrganizationUserRepository organizationUserRepository,
         IUserService userService,
         ICurrentContext currentContext,
@@ -48,6 +49,7 @@ public class PoliciesController : Controller
         IDataProtectorTokenFactory<OrgUserInviteTokenable> orgUserInviteTokenDataFactory,
         IFeatureService featureService,
         IOrganizationHasVerifiedDomainsQuery organizationHasVerifiedDomainsQuery,
+        IOrganizationRepository organizationRepository,
         ISavePolicyCommand savePolicyCommand)
     {
         _policyRepository = policyRepository;
@@ -57,7 +59,7 @@ public class PoliciesController : Controller
         _globalSettings = globalSettings;
         _organizationServiceDataProtector = dataProtectionProvider.CreateProtector(
             "OrganizationServiceDataProtector");
-
+        _organizationRepository = organizationRepository;
         _orgUserInviteTokenDataFactory = orgUserInviteTokenDataFactory;
         _featureService = featureService;
         _organizationHasVerifiedDomainsQuery = organizationHasVerifiedDomainsQuery;
@@ -104,6 +106,13 @@ public class PoliciesController : Controller
     public async Task<ListResponseModel<PolicyResponseModel>> GetByToken(Guid orgId, [FromQuery] string email,
         [FromQuery] string token, [FromQuery] Guid organizationUserId)
     {
+        var organization = await _organizationRepository.GetByIdAsync(orgId);
+
+        if (organization is not { UsePolicies: true })
+        {
+            throw new NotFoundException();
+        }
+
         // TODO: PM-4142 - remove old token validation logic once 3 releases of backwards compatibility are complete
         var newTokenValid = OrgUserInviteTokenable.ValidateOrgUserInviteStringToken(
             _orgUserInviteTokenDataFactory, token, organizationUserId, email);
@@ -158,6 +167,13 @@ public class PoliciesController : Controller
     [HttpGet("master-password")]
     public async Task<PolicyResponseModel> GetMasterPasswordPolicy(Guid orgId)
     {
+        var organization = await _organizationRepository.GetByIdAsync(orgId);
+
+        if (organization is not { UsePolicies: true })
+        {
+            throw new NotFoundException();
+        }
+
         var userId = _userService.GetProperUserId(User).Value;
 
         var orgUser = await _organizationUserRepository.GetByOrganizationAsync(orgId, userId);
diff --git a/test/Api.Test/Controllers/PoliciesControllerTests.cs b/test/Api.Test/Controllers/PoliciesControllerTests.cs
index 1b96ace5d0..1f652c80f5 100644
--- a/test/Api.Test/Controllers/PoliciesControllerTests.cs
+++ b/test/Api.Test/Controllers/PoliciesControllerTests.cs
@@ -6,11 +6,13 @@ using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Auth.Models.Business.Tokenables;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
+using Bit.Core.Tokens;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
@@ -28,10 +30,19 @@ public class PoliciesControllerTests
     [Theory]
     [BitAutoData]
     public async Task GetMasterPasswordPolicy_WhenCalled_ReturnsMasterPasswordPolicy(
-        SutProvider<PoliciesController> sutProvider, Guid orgId, Guid userId, OrganizationUser orgUser,
-        Policy policy, MasterPasswordPolicyData mpPolicyData)
+        SutProvider<PoliciesController> sutProvider,
+        Guid orgId, Guid userId,
+        OrganizationUser orgUser,
+        Policy policy,
+        MasterPasswordPolicyData mpPolicyData,
+        Organization organization)
     {
         // Arrange
+        organization.UsePolicies = true;
+
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        organizationRepository.GetByIdAsync(orgId).Returns(organization);
+
         sutProvider.GetDependency<IUserService>()
             .GetProperUserId(Arg.Any<ClaimsPrincipal>())
             .Returns((Guid?)userId);
@@ -135,6 +146,39 @@ public class PoliciesControllerTests
         await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.GetMasterPasswordPolicy(orgId));
     }
 
+    [Theory]
+    [BitAutoData]
+    public async Task GetMasterPasswordPolicy_WhenUsePoliciesIsFalse_ThrowsNotFoundException(
+        SutProvider<PoliciesController> sutProvider,
+        Guid orgId)
+    {
+        // Arrange
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        organizationRepository.GetByIdAsync(orgId).Returns((Organization)null);
+
+
+        // Act & Assert
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.GetMasterPasswordPolicy(orgId));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetMasterPasswordPolicy_WhenOrgIsNull_ThrowsNotFoundException(
+        SutProvider<PoliciesController> sutProvider,
+        Guid orgId,
+        Organization organization)
+    {
+        // Arrange
+        organization.UsePolicies = false;
+
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        organizationRepository.GetByIdAsync(orgId).Returns(organization);
+
+
+        // Act & Assert
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.GetMasterPasswordPolicy(orgId));
+    }
+
     [Theory]
     [BitAutoData]
     public async Task Get_WhenUserCanManagePolicies_WithExistingType_ReturnsExistingPolicy(
@@ -142,16 +186,16 @@ public class PoliciesControllerTests
     {
         // Arrange
         sutProvider.GetDependency<ICurrentContext>()
-        .ManagePolicies(orgId)
-        .Returns(true);
+            .ManagePolicies(orgId)
+            .Returns(true);
 
         policy.Type = (PolicyType)type;
         policy.Enabled = true;
         policy.Data = null;
 
         sutProvider.GetDependency<IPolicyRepository>()
-        .GetByOrganizationIdTypeAsync(orgId, (PolicyType)type)
-        .Returns(policy);
+            .GetByOrganizationIdTypeAsync(orgId, (PolicyType)type)
+            .Returns(policy);
 
         // Act
         var result = await sutProvider.Sut.Get(orgId, type);
@@ -171,12 +215,12 @@ public class PoliciesControllerTests
     {
         // Arrange
         sutProvider.GetDependency<ICurrentContext>()
-        .ManagePolicies(orgId)
-        .Returns(true);
+            .ManagePolicies(orgId)
+            .Returns(true);
 
         sutProvider.GetDependency<IPolicyRepository>()
-        .GetByOrganizationIdTypeAsync(orgId, (PolicyType)type)
-        .Returns((Policy)null);
+            .GetByOrganizationIdTypeAsync(orgId, (PolicyType)type)
+            .Returns((Policy)null);
 
         // Act
         var result = await sutProvider.Sut.Get(orgId, type);
@@ -194,11 +238,221 @@ public class PoliciesControllerTests
     {
         // Arrange
         sutProvider.GetDependency<ICurrentContext>()
-        .ManagePolicies(orgId)
-        .Returns(false);
+            .ManagePolicies(orgId)
+            .Returns(false);
 
         // Act & Assert
         await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Get(orgId, type));
     }
 
+    [Theory]
+    [BitAutoData]
+    public async Task GetByToken_WhenOrganizationUseUsePoliciesIsFalse_ThrowsNotFoundException(
+        SutProvider<PoliciesController> sutProvider, Guid orgId, Guid organizationUserId, string token, string email,
+        Organization organization)
+    {
+        // Arrange
+        organization.UsePolicies = false;
+
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        organizationRepository.GetByIdAsync(orgId).Returns(organization);
+
+
+        // Act & Assert
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.GetByToken(orgId, email, token, organizationUserId));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetByToken_WhenOrganizationIsNull_ThrowsNotFoundException(
+        SutProvider<PoliciesController> sutProvider, Guid orgId, Guid organizationUserId, string token, string email)
+    {
+        // Arrange
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        organizationRepository.GetByIdAsync(orgId).Returns((Organization)null);
+
+        // Act & Assert
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.GetByToken(orgId, email, token, organizationUserId));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetByToken_WhenTokenIsInvalid_ThrowsNotFoundException(
+        SutProvider<PoliciesController> sutProvider,
+        Guid orgId,
+        Guid organizationUserId,
+        string token,
+        string email,
+        Organization organization
+        )
+    {
+        // Arrange
+        organization.UsePolicies = true;
+
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        organizationRepository.GetByIdAsync(orgId).Returns(organization);
+
+        var decryptedToken = Substitute.For<OrgUserInviteTokenable>();
+        decryptedToken.Valid.Returns(false);
+
+        var orgUserInviteTokenDataFactory = sutProvider.GetDependency<IDataProtectorTokenFactory<OrgUserInviteTokenable>>();
+
+        orgUserInviteTokenDataFactory.TryUnprotect(token, out Arg.Any<OrgUserInviteTokenable>())
+            .Returns(x =>
+        {
+            x[1] = decryptedToken;
+            return true;
+        });
+
+        // Act & Assert
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.GetByToken(orgId, email, token, organizationUserId));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetByToken_WhenUserIsNull_ThrowsNotFoundException(
+        SutProvider<PoliciesController> sutProvider,
+        Guid orgId,
+        Guid organizationUserId,
+        string token,
+        string email,
+        Organization organization
+        )
+    {
+        // Arrange
+        organization.UsePolicies = true;
+
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        organizationRepository.GetByIdAsync(orgId).Returns(organization);
+
+        var decryptedToken = Substitute.For<OrgUserInviteTokenable>();
+        decryptedToken.Valid.Returns(true);
+        decryptedToken.OrgUserId = organizationUserId;
+        decryptedToken.OrgUserEmail = email;
+
+        var orgUserInviteTokenDataFactory = sutProvider.GetDependency<IDataProtectorTokenFactory<OrgUserInviteTokenable>>();
+
+        orgUserInviteTokenDataFactory.TryUnprotect(token, out Arg.Any<OrgUserInviteTokenable>())
+            .Returns(x =>
+        {
+            x[1] = decryptedToken;
+            return true;
+        });
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(organizationUserId)
+            .Returns((OrganizationUser)null);
+
+        // Act & Assert
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.GetByToken(orgId, email, token, organizationUserId));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetByToken_WhenUserOrgIdDoesNotMatchOrgId_ThrowsNotFoundException(
+        SutProvider<PoliciesController> sutProvider,
+        Guid orgId,
+        Guid organizationUserId,
+        string token,
+        string email,
+        OrganizationUser orgUser,
+        Organization organization
+        )
+    {
+        // Arrange
+        organization.UsePolicies = true;
+
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        organizationRepository.GetByIdAsync(orgId).Returns(organization);
+
+        var decryptedToken = Substitute.For<OrgUserInviteTokenable>();
+        decryptedToken.Valid.Returns(true);
+        decryptedToken.OrgUserId = organizationUserId;
+        decryptedToken.OrgUserEmail = email;
+
+        var orgUserInviteTokenDataFactory = sutProvider.GetDependency<IDataProtectorTokenFactory<OrgUserInviteTokenable>>();
+
+        orgUserInviteTokenDataFactory.TryUnprotect(token, out Arg.Any<OrgUserInviteTokenable>())
+            .Returns(x =>
+        {
+            x[1] = decryptedToken;
+            return true;
+        });
+
+        orgUser.OrganizationId = Guid.Empty;
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(organizationUserId)
+            .Returns(orgUser);
+
+        // Act & Assert
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.GetByToken(orgId, email, token, organizationUserId));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetByToken_ShouldReturnEnabledPolicies(
+        SutProvider<PoliciesController> sutProvider,
+        Guid orgId,
+        Guid organizationUserId,
+        string token,
+        string email,
+        OrganizationUser orgUser,
+        Organization organization
+        )
+    {
+        // Arrange
+        organization.UsePolicies = true;
+
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        organizationRepository.GetByIdAsync(orgId).Returns(organization);
+
+        var decryptedToken = Substitute.For<OrgUserInviteTokenable>();
+        decryptedToken.Valid.Returns(true);
+        decryptedToken.OrgUserId = organizationUserId;
+        decryptedToken.OrgUserEmail = email;
+
+        var orgUserInviteTokenDataFactory = sutProvider.GetDependency<IDataProtectorTokenFactory<OrgUserInviteTokenable>>();
+
+        orgUserInviteTokenDataFactory.TryUnprotect(token, out Arg.Any<OrgUserInviteTokenable>())
+            .Returns(x =>
+        {
+            x[1] = decryptedToken;
+            return true;
+        });
+
+        orgUser.OrganizationId = orgId;
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(organizationUserId)
+            .Returns(orgUser);
+
+        var enabledPolicy = Substitute.For<Policy>();
+        enabledPolicy.Enabled = true;
+        var disabledPolicy = Substitute.For<Policy>();
+        disabledPolicy.Enabled = false;
+
+        var policies = new[] { enabledPolicy, disabledPolicy };
+
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetManyByOrganizationIdAsync(orgId)
+            .Returns(policies);
+
+        // Act
+        var result = await sutProvider.Sut.GetByToken(orgId, email, token, organizationUserId);
+
+        // Assert
+        var expectedPolicy = result.Data.Single();
+
+        Assert.NotNull(result);
+
+        Assert.Equal(enabledPolicy.Id, expectedPolicy.Id);
+        Assert.Equal(enabledPolicy.Type, expectedPolicy.Type);
+        Assert.Equal(enabledPolicy.Enabled, expectedPolicy.Enabled);
+    }
 }

From 867fa848dd8c15cdd1a7e65716799d4bd2b52d25 Mon Sep 17 00:00:00 2001
From: Ike <137194738+ike-kottlowski@users.noreply.github.com>
Date: Thu, 12 Dec 2024 09:08:11 -0800
Subject: [PATCH 056/384] [PM-8220] New Device Verification (#5084)

* feat(BaseRequestValidator):
Add global setting for new device verification.
Refactor BaseRequestValidator enabling better self-documenting code and better single responsibility principle for validators.
Updated DeviceValidator to handle new device verification, behind a feature flag.
Moved IDeviceValidator interface to separate file.
Updated CustomRequestValidator to act as the conduit by which *Validators communicate authentication context between themselves and the RequestValidators.
Adding new test for DeviceValidator class.
Updated tests for BaseRequestValidator as some functionality was moved to the DeviceValidator class.
---
 .../Implementations/RegisterUserCommand.cs    |   2 +-
 src/Core/Settings/GlobalSettings.cs           |  13 +-
 src/Core/Settings/IGlobalSettings.cs          |   1 +
 .../CustomValidatorRequestContext.cs          |  32 +
 .../Enums/DeviceValidationResultType.cs       |  10 +
 .../RequestValidators/BaseRequestValidator.cs | 201 ++++--
 .../CustomTokenRequestValidator.cs            |  18 +-
 .../RequestValidators/DeviceValidator.cs      | 222 ++++--
 .../RequestValidators/IDeviceValidator.cs     |  24 +
 .../ResourceOwnerPasswordValidator.cs         |  36 +-
 .../WebAuthnGrantValidator.cs                 |  26 +-
 .../ResourceOwnerPasswordValidatorTests.cs    |  57 +-
 .../BaseRequestValidatorTests.cs              | 276 +++++---
 .../IdentityServer/DeviceValidatorTests.cs    | 662 +++++++++++++-----
 .../BaseRequestValidatorTestWrapper.cs        |   5 +
 15 files changed, 1112 insertions(+), 473 deletions(-)
 create mode 100644 src/Identity/IdentityServer/Enums/DeviceValidationResultType.cs
 create mode 100644 src/Identity/IdentityServer/RequestValidators/IDeviceValidator.cs

diff --git a/src/Core/Auth/UserFeatures/Registration/Implementations/RegisterUserCommand.cs b/src/Core/Auth/UserFeatures/Registration/Implementations/RegisterUserCommand.cs
index 8174d7d364..89851fce23 100644
--- a/src/Core/Auth/UserFeatures/Registration/Implementations/RegisterUserCommand.cs
+++ b/src/Core/Auth/UserFeatures/Registration/Implementations/RegisterUserCommand.cs
@@ -329,7 +329,7 @@ public class RegisterUserCommand : IRegisterUserCommand
     {
         // We validate open registration on send of initial email and here b/c a user could technically start the
         // account creation process while open registration is enabled and then finish it after it has been
-        // disabled by the self hosted admin.Ï
+        // disabled by the self hosted admin.
         if (_globalSettings.DisableUserRegistration)
         {
             throw new BadRequestException(_disabledUserRegistrationExceptionMsg);
diff --git a/src/Core/Settings/GlobalSettings.cs b/src/Core/Settings/GlobalSettings.cs
index 793b6ac1c1..2ececb9658 100644
--- a/src/Core/Settings/GlobalSettings.cs
+++ b/src/Core/Settings/GlobalSettings.cs
@@ -41,6 +41,7 @@ public class GlobalSettings : IGlobalSettings
     public virtual string HibpApiKey { get; set; }
     public virtual bool DisableUserRegistration { get; set; }
     public virtual bool DisableEmailNewDevice { get; set; }
+    public virtual bool EnableNewDeviceVerification { get; set; }
     public virtual bool EnableCloudCommunication { get; set; } = false;
     public virtual int OrganizationInviteExpirationHours { get; set; } = 120; // 5 days
     public virtual string EventGridKey { get; set; }
@@ -433,18 +434,18 @@ public class GlobalSettings : IGlobalSettings
         public bool EnableSendTracing { get; set; } = false;
         /// <summary>
         /// The date and time at which registration will be enabled.
-        /// 
+        ///
         /// **This value should not be updated once set, as it is used to determine installation location of devices.**
-        /// 
+        ///
         /// If null, registration is disabled.
-        /// 
+        ///
         /// </summary>
         public DateTime? RegistrationStartDate { get; set; }
         /// <summary>
         /// The date and time at which registration will be disabled.
-        /// 
+        ///
         /// **This value should not be updated once set, as it is used to determine installation location of devices.**
-        /// 
+        ///
         /// If null, hub registration has no yet known expiry.
         /// </summary>
         public DateTime? RegistrationEndDate { get; set; }
@@ -454,7 +455,7 @@ public class GlobalSettings : IGlobalSettings
     {
         /// <summary>
         /// List of Notification Hub settings to use for sending push notifications.
-        /// 
+        ///
         /// Note that hubs on the same namespace share active device limits, so multiple namespaces should be used to increase capacity.
         /// </summary>
         public List<NotificationHubSettings> NotificationHubs { get; set; } = new();
diff --git a/src/Core/Settings/IGlobalSettings.cs b/src/Core/Settings/IGlobalSettings.cs
index d91d4b8c3d..02d151ed95 100644
--- a/src/Core/Settings/IGlobalSettings.cs
+++ b/src/Core/Settings/IGlobalSettings.cs
@@ -14,6 +14,7 @@ public interface IGlobalSettings
     string LicenseCertificatePassword { get; set; }
     int OrganizationInviteExpirationHours { get; set; }
     bool DisableUserRegistration { get; set; }
+    bool EnableNewDeviceVerification { get; set; }
     IInstallationSettings Installation { get; set; }
     IFileStorageSettings Attachment { get; set; }
     IConnectionStringSettings Storage { get; set; }
diff --git a/src/Identity/IdentityServer/CustomValidatorRequestContext.cs b/src/Identity/IdentityServer/CustomValidatorRequestContext.cs
index a3485bfb13..bce460c5c4 100644
--- a/src/Identity/IdentityServer/CustomValidatorRequestContext.cs
+++ b/src/Identity/IdentityServer/CustomValidatorRequestContext.cs
@@ -1,11 +1,43 @@
 using Bit.Core.Auth.Models.Business;
 using Bit.Core.Entities;
+using Duende.IdentityServer.Validation;
 
 namespace Bit.Identity.IdentityServer;
 
 public class CustomValidatorRequestContext
 {
     public User User { get; set; }
+    /// <summary>
+    /// This is the device that the user is using to authenticate. It can be either known or unknown.
+    /// We set it here since the ResourceOwnerPasswordValidator needs the device to know if CAPTCHA is required.
+    /// The option to set it here saves a trip to the database.
+    /// </summary>
+    public Device Device { get; set; }
+    /// <summary>
+    /// Communicates whether or not the device in the request is known to the user.
+    /// KnownDevice is set in the child classes of the BaseRequestValidator using the DeviceValidator.KnownDeviceAsync method.
+    /// Except in the CustomTokenRequestValidator, where it is hardcoded to true.
+    /// </summary>
     public bool KnownDevice { get; set; }
+    /// <summary>
+    /// This communicates whether or not two factor is required for the user to authenticate.
+    /// </summary>
+    public bool TwoFactorRequired { get; set; } = false;
+    /// <summary>
+    /// This communicates whether or not SSO is required for the user to authenticate.
+    /// </summary>
+    public bool SsoRequired { get; set; } = false;
+    /// <summary>
+    /// We use the parent class for both GrantValidationResult and TokenRequestValidationResult here for
+    /// flexibility when building an error response.
+    /// This will be null if the authentication request is successful.
+    /// </summary>
+    public ValidationResult ValidationErrorResult { get; set; }
+    /// <summary>
+    /// This dictionary should contain relevant information for the clients to act on.
+    /// This will contain the information used to guide a user to successful authentication, such as TwoFactorProviders.
+    /// This will be null if the authentication request is successful.
+    /// </summary>
+    public Dictionary<string, object> CustomResponse { get; set; }
     public CaptchaResponse CaptchaResponse { get; set; }
 }
diff --git a/src/Identity/IdentityServer/Enums/DeviceValidationResultType.cs b/src/Identity/IdentityServer/Enums/DeviceValidationResultType.cs
new file mode 100644
index 0000000000..45c901e306
--- /dev/null
+++ b/src/Identity/IdentityServer/Enums/DeviceValidationResultType.cs
@@ -0,0 +1,10 @@
+namespace Bit.Identity.IdentityServer.Enums;
+
+public enum DeviceValidationResultType : byte
+{
+    Success = 0,
+    InvalidUser = 1,
+    InvalidNewDeviceOtp = 2,
+    NewDeviceVerificationRequired = 3,
+    NoDeviceInformationProvided = 4
+}
diff --git a/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs b/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs
index 185d32a7f2..78c00f86d5 100644
--- a/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs
@@ -77,37 +77,51 @@ public abstract class BaseRequestValidator<T> where T : class
     protected async Task ValidateAsync(T context, ValidatedTokenRequest request,
         CustomValidatorRequestContext validatorContext)
     {
+        // 1. we need to check if the user is a bot and if their master password hash is correct
         var isBot = validatorContext.CaptchaResponse?.IsBot ?? false;
-        if (isBot)
-        {
-            _logger.LogInformation(Constants.BypassFiltersEventId,
-                "Login attempt for {0} detected as a captcha bot with score {1}.",
-                request.UserName, validatorContext.CaptchaResponse.Score);
-        }
-
         var valid = await ValidateContextAsync(context, validatorContext);
         var user = validatorContext.User;
-        if (!valid)
-        {
-            await UpdateFailedAuthDetailsAsync(user, false, !validatorContext.KnownDevice);
-        }
-
         if (!valid || isBot)
         {
+            if (isBot)
+            {
+                _logger.LogInformation(Constants.BypassFiltersEventId,
+                    "Login attempt for {UserName} detected as a captcha bot with score {CaptchaScore}.",
+                    request.UserName, validatorContext.CaptchaResponse.Score);
+            }
+
+            if (!valid)
+            {
+                await UpdateFailedAuthDetailsAsync(user, false, !validatorContext.KnownDevice);
+            }
+
             await BuildErrorResultAsync("Username or password is incorrect. Try again.", false, context, user);
             return;
         }
 
-        var (isTwoFactorRequired, twoFactorOrganization) = await _twoFactorAuthenticationValidator.RequiresTwoFactorAsync(user, request);
-        var twoFactorToken = request.Raw["TwoFactorToken"]?.ToString();
-        var twoFactorProvider = request.Raw["TwoFactorProvider"]?.ToString();
-        var twoFactorRemember = request.Raw["TwoFactorRemember"]?.ToString() == "1";
-        var validTwoFactorRequest = !string.IsNullOrWhiteSpace(twoFactorToken) &&
-                                    !string.IsNullOrWhiteSpace(twoFactorProvider);
-
-        if (isTwoFactorRequired)
+        // 2. Does this user belong to an organization that requires SSO
+        validatorContext.SsoRequired = await RequireSsoLoginAsync(user, request.GrantType);
+        if (validatorContext.SsoRequired)
         {
-            // 2FA required and not provided response
+            SetSsoResult(context,
+                new Dictionary<string, object>
+                {
+                    { "ErrorModel", new ErrorResponseModel("SSO authentication is required.") }
+                });
+            return;
+        }
+
+        // 3. Check if 2FA is required
+        (validatorContext.TwoFactorRequired, var twoFactorOrganization) = await _twoFactorAuthenticationValidator.RequiresTwoFactorAsync(user, request);
+        // This flag is used to determine if the user wants a rememberMe token sent when authentication is successful
+        var returnRememberMeToken = false;
+        if (validatorContext.TwoFactorRequired)
+        {
+            var twoFactorToken = request.Raw["TwoFactorToken"]?.ToString();
+            var twoFactorProvider = request.Raw["TwoFactorProvider"]?.ToString();
+            var validTwoFactorRequest = !string.IsNullOrWhiteSpace(twoFactorToken) &&
+                                        !string.IsNullOrWhiteSpace(twoFactorProvider);
+            // response for 2FA required and not provided state
             if (!validTwoFactorRequest ||
                 !Enum.TryParse(twoFactorProvider, out TwoFactorProviderType twoFactorProviderType))
             {
@@ -125,18 +139,14 @@ public abstract class BaseRequestValidator<T> where T : class
                 return;
             }
 
-            var verified = await _twoFactorAuthenticationValidator
+            var twoFactorTokenValid = await _twoFactorAuthenticationValidator
                                     .VerifyTwoFactor(user, twoFactorOrganization, twoFactorProviderType, twoFactorToken);
 
-            // 2FA required but request not valid or remember token expired response
-            if (!verified || isBot)
+            // response for 2FA required but request is not valid or remember token expired state
+            if (!twoFactorTokenValid)
             {
-                if (twoFactorProviderType != TwoFactorProviderType.Remember)
-                {
-                    await UpdateFailedAuthDetailsAsync(user, true, !validatorContext.KnownDevice);
-                    await BuildErrorResultAsync("Two-step token is invalid. Try again.", true, context, user);
-                }
-                else if (twoFactorProviderType == TwoFactorProviderType.Remember)
+                // The remember me token has expired
+                if (twoFactorProviderType == TwoFactorProviderType.Remember)
                 {
                     var resultDict = await _twoFactorAuthenticationValidator
                                             .BuildTwoFactorResultAsync(user, twoFactorOrganization);
@@ -145,16 +155,34 @@ public abstract class BaseRequestValidator<T> where T : class
                     resultDict.Add("MasterPasswordPolicy", await GetMasterPasswordPolicy(user));
                     SetTwoFactorResult(context, resultDict);
                 }
+                else
+                {
+                    await UpdateFailedAuthDetailsAsync(user, true, !validatorContext.KnownDevice);
+                    await BuildErrorResultAsync("Two-step token is invalid. Try again.", true, context, user);
+                }
                 return;
             }
-        }
-        else
-        {
-            validTwoFactorRequest = false;
-            twoFactorRemember = false;
+
+            // When the two factor authentication is successful, we can check if the user wants a rememberMe token
+            var twoFactorRemember = request.Raw["TwoFactorRemember"]?.ToString() == "1";
+            if (twoFactorRemember // Check if the user wants a rememberMe token
+                && twoFactorTokenValid // Make sure two factor authentication was successful
+                && twoFactorProviderType != TwoFactorProviderType.Remember) // if the two factor auth was rememberMe do not send another token
+            {
+                returnRememberMeToken = true;
+            }
         }
 
-        // Force legacy users to the web for migration
+        // 4. Check if the user is logging in from a new device
+        var deviceValid = await _deviceValidator.ValidateRequestDeviceAsync(request, validatorContext);
+        if (!deviceValid)
+        {
+            SetValidationErrorResult(context, validatorContext);
+            await LogFailedLoginEvent(validatorContext.User, EventType.User_FailedLogIn);
+            return;
+        }
+
+        // 5. Force legacy users to the web for migration
         if (FeatureService.IsEnabled(FeatureFlagKeys.BlockLegacyUsers))
         {
             if (UserService.IsLegacyUser(user) && request.ClientId != "web")
@@ -164,24 +192,7 @@ public abstract class BaseRequestValidator<T> where T : class
             }
         }
 
-        if (await IsValidAuthTypeAsync(user, request.GrantType))
-        {
-            var device = await _deviceValidator.SaveDeviceAsync(user, request);
-            if (device == null)
-            {
-                await BuildErrorResultAsync("No device information provided.", false, context, user);
-                return;
-            }
-            await BuildSuccessResultAsync(user, context, device, validTwoFactorRequest && twoFactorRemember);
-        }
-        else
-        {
-            SetSsoResult(context,
-                new Dictionary<string, object>
-                {
-                    { "ErrorModel", new ErrorResponseModel("SSO authentication is required.") }
-                });
-        }
+        await BuildSuccessResultAsync(user, context, validatorContext.Device, returnRememberMeToken);
     }
 
     protected async Task FailAuthForLegacyUserAsync(User user, T context)
@@ -235,6 +246,17 @@ public abstract class BaseRequestValidator<T> where T : class
         await SetSuccessResult(context, user, claims, customResponse);
     }
 
+    /// <summary>
+    /// This does two things, it sets the error result for the current ValidatorContext _and_ it logs error.
+    /// These two things should be seperated to maintain single concerns.
+    /// </summary>
+    /// <param name="message">Error message for the error result</param>
+    /// <param name="twoFactorRequest">bool that controls how the error is logged</param>
+    /// <param name="context">used to set the error result in the current validator</param>
+    /// <param name="user">used to associate the failed login with a user</param>
+    /// <returns>void</returns>
+    [Obsolete("Consider using SetValidationErrorResult to set the validation result, and LogFailedLoginEvent " +
+        "to log the failure.")]
     protected async Task BuildErrorResultAsync(string message, bool twoFactorRequest, T context, User user)
     {
         if (user != null)
@@ -255,41 +277,80 @@ public abstract class BaseRequestValidator<T> where T : class
             new Dictionary<string, object> { { "ErrorModel", new ErrorResponseModel(message) } });
     }
 
+    protected async Task LogFailedLoginEvent(User user, EventType eventType)
+    {
+        if (user != null)
+        {
+            await _eventService.LogUserEventAsync(user.Id, eventType);
+        }
+
+        if (_globalSettings.SelfHosted)
+        {
+            string formattedMessage;
+            switch (eventType)
+            {
+                case EventType.User_FailedLogIn:
+                    formattedMessage = string.Format("Failed login attempt. {0}", $" {CurrentContext.IpAddress}");
+                    break;
+                case EventType.User_FailedLogIn2fa:
+                    formattedMessage = string.Format("Failed login attempt, 2FA invalid.{0}", $" {CurrentContext.IpAddress}");
+                    break;
+                default:
+                    formattedMessage = "Failed login attempt.";
+                    break;
+            }
+            _logger.LogWarning(Constants.BypassFiltersEventId, formattedMessage);
+        }
+        await Task.Delay(2000); // Delay for brute force.
+    }
+
+    [Obsolete("Consider using SetValidationErrorResult instead.")]
     protected abstract void SetTwoFactorResult(T context, Dictionary<string, object> customResponse);
-
+    [Obsolete("Consider using SetValidationErrorResult instead.")]
     protected abstract void SetSsoResult(T context, Dictionary<string, object> customResponse);
+    [Obsolete("Consider using SetValidationErrorResult instead.")]
+    protected abstract void SetErrorResult(T context, Dictionary<string, object> customResponse);
 
+    /// <summary>
+    /// This consumes the ValidationErrorResult property in the CustomValidatorRequestContext and sets
+    /// it appropriately in the response object for the token and grant validators.
+    /// </summary>
+    /// <param name="context">The current grant or token context</param>
+    /// <param name="requestContext">The modified request context containing material used to build the response object</param>
+    protected abstract void SetValidationErrorResult(T context, CustomValidatorRequestContext requestContext);
     protected abstract Task SetSuccessResult(T context, User user, List<Claim> claims,
         Dictionary<string, object> customResponse);
 
-    protected abstract void SetErrorResult(T context, Dictionary<string, object> customResponse);
     protected abstract ClaimsPrincipal GetSubject(T context);
 
     /// <summary>
     /// Check if the user is required to authenticate via SSO. If the user requires SSO, but they are
     /// logging in using an API Key (client_credentials) then they are allowed to bypass the SSO requirement.
+    /// If the GrantType is authorization_code or client_credentials we know the user is trying to login
+    /// using the SSO flow so they are allowed to continue.
     /// </summary>
     /// <param name="user">user trying to login</param>
     /// <param name="grantType">magic string identifying the grant type requested</param>
-    /// <returns></returns>
-    private async Task<bool> IsValidAuthTypeAsync(User user, string grantType)
+    /// <returns>true if sso required; false if not required or already in process</returns>
+    private async Task<bool> RequireSsoLoginAsync(User user, string grantType)
     {
         if (grantType == "authorization_code" || grantType == "client_credentials")
         {
-            // Already using SSO to authorize, finish successfully
-            // Or login via api key, skip SSO requirement
-            return true;
-        }
-
-        // Check if user belongs to any organization with an active SSO policy
-        var anySsoPoliciesApplicableToUser = await PolicyService.AnyPoliciesApplicableToUserAsync(user.Id, PolicyType.RequireSso, OrganizationUserStatusType.Confirmed);
-        if (anySsoPoliciesApplicableToUser)
-        {
+            // Already using SSO to authenticate, or logging-in via api key to skip SSO requirement
+            // allow to authenticate successfully
             return false;
         }
 
-        // Default - continue validation process
-        return true;
+        // Check if user belongs to any organization with an active SSO policy
+        var anySsoPoliciesApplicableToUser = await PolicyService.AnyPoliciesApplicableToUserAsync(
+                                                user.Id, PolicyType.RequireSso, OrganizationUserStatusType.Confirmed);
+        if (anySsoPoliciesApplicableToUser)
+        {
+            return true;
+        }
+
+        // Default - SSO is not required
+        return false;
     }
 
     private async Task ResetFailedAuthDetailsAsync(User user)
@@ -350,7 +411,7 @@ public abstract class BaseRequestValidator<T> where T : class
         var orgs = (await CurrentContext.OrganizationMembershipAsync(_organizationUserRepository, user.Id))
             .ToList();
 
-        if (!orgs.Any())
+        if (orgs.Count == 0)
         {
             return null;
         }
diff --git a/src/Identity/IdentityServer/RequestValidators/CustomTokenRequestValidator.cs b/src/Identity/IdentityServer/RequestValidators/CustomTokenRequestValidator.cs
index c826243f88..fb7b129b09 100644
--- a/src/Identity/IdentityServer/RequestValidators/CustomTokenRequestValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/CustomTokenRequestValidator.cs
@@ -89,8 +89,7 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
             }
             return;
         }
-        await ValidateAsync(context, context.Result.ValidatedRequest,
-            new CustomValidatorRequestContext { KnownDevice = true });
+        await ValidateAsync(context, context.Result.ValidatedRequest, new CustomValidatorRequestContext { });
     }
 
     protected async override Task<bool> ValidateContextAsync(CustomTokenRequestValidationContext context,
@@ -162,6 +161,7 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
         return context.Result.ValidatedRequest.Subject;
     }
 
+    [Obsolete("Consider using SetGrantValidationErrorResult instead.")]
     protected override void SetTwoFactorResult(CustomTokenRequestValidationContext context,
         Dictionary<string, object> customResponse)
     {
@@ -172,16 +172,18 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
         context.Result.CustomResponse = customResponse;
     }
 
+    [Obsolete("Consider using SetGrantValidationErrorResult instead.")]
     protected override void SetSsoResult(CustomTokenRequestValidationContext context,
         Dictionary<string, object> customResponse)
     {
         Debug.Assert(context.Result is not null);
         context.Result.Error = "invalid_grant";
-        context.Result.ErrorDescription = "Single Sign on required.";
+        context.Result.ErrorDescription = "Sso authentication required.";
         context.Result.IsError = true;
         context.Result.CustomResponse = customResponse;
     }
 
+    [Obsolete("Consider using SetGrantValidationErrorResult instead.")]
     protected override void SetErrorResult(CustomTokenRequestValidationContext context,
         Dictionary<string, object> customResponse)
     {
@@ -190,4 +192,14 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
         context.Result.IsError = true;
         context.Result.CustomResponse = customResponse;
     }
+
+    protected override void SetValidationErrorResult(
+        CustomTokenRequestValidationContext context, CustomValidatorRequestContext requestContext)
+    {
+        Debug.Assert(context.Result is not null);
+        context.Result.Error = requestContext.ValidationErrorResult.Error;
+        context.Result.IsError = requestContext.ValidationErrorResult.IsError;
+        context.Result.ErrorDescription = requestContext.ValidationErrorResult.ErrorDescription;
+        context.Result.CustomResponse = requestContext.CustomResponse;
+    }
 }
diff --git a/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs b/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
index db9368cf46..2a048bcb2a 100644
--- a/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
@@ -1,95 +1,162 @@
 using System.ComponentModel.DataAnnotations;
 using System.Reflection;
+using Bit.Core;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
+using Bit.Core.Models.Api;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
+using Bit.Identity.IdentityServer.Enums;
 using Duende.IdentityServer.Validation;
 
 namespace Bit.Identity.IdentityServer.RequestValidators;
 
-public interface IDeviceValidator
-{
-    /// <summary>
-    /// Save a device to the database. If the device is already known, it will be returned.
-    /// </summary>
-    /// <param name="user">The user is assumed NOT null, still going to check though</param>
-    /// <param name="request">Duende Validated Request that contains the data to create the device object</param>
-    /// <returns>Returns null if user or device is malformed; The existing device if already in DB; a new device login</returns>
-    Task<Device> SaveDeviceAsync(User user, ValidatedTokenRequest request);
-    /// <summary>
-    /// Check if a device is known to the user.
-    /// </summary>
-    /// <param name="user">current user trying to authenticate</param>
-    /// <param name="request">contains raw information that is parsed about the device</param>
-    /// <returns>true if the device is known, false if it is not</returns>
-    Task<bool> KnownDeviceAsync(User user, ValidatedTokenRequest request);
-}
-
 public class DeviceValidator(
     IDeviceService deviceService,
     IDeviceRepository deviceRepository,
     GlobalSettings globalSettings,
     IMailService mailService,
-    ICurrentContext currentContext) : IDeviceValidator
+    ICurrentContext currentContext,
+    IUserService userService,
+    IFeatureService featureService) : IDeviceValidator
 {
     private readonly IDeviceService _deviceService = deviceService;
     private readonly IDeviceRepository _deviceRepository = deviceRepository;
     private readonly GlobalSettings _globalSettings = globalSettings;
     private readonly IMailService _mailService = mailService;
     private readonly ICurrentContext _currentContext = currentContext;
+    private readonly IUserService _userService = userService;
+    private readonly IFeatureService _featureService = featureService;
 
-    /// <summary>
-    /// Save a device to the database. If the device is already known, it will be returned.
-    /// </summary>
-    /// <param name="user">The user is assumed NOT null, still going to check though</param>
-    /// <param name="request">Duende Validated Request that contains the data to create the device object</param>
-    /// <returns>Returns null if user or device is malformed; The existing device if already in DB; a new device login</returns>
-    public async Task<Device> SaveDeviceAsync(User user, ValidatedTokenRequest request)
+    public async Task<bool> ValidateRequestDeviceAsync(ValidatedTokenRequest request, CustomValidatorRequestContext context)
     {
-        var device = GetDeviceFromRequest(request);
-        if (device != null && user != null)
+        // Parse device from request and return early if no device information is provided
+        var requestDevice = context.Device ?? GetDeviceFromRequest(request);
+        // If context.Device and request device information are null then return error
+        // backwards compatibility -- check if user is null
+        // PM-13340: Null user check happens in the HandleNewDeviceVerificationAsync method and can be removed from here
+        if (requestDevice == null || context.User == null)
         {
-            var existingDevice = await GetKnownDeviceAsync(user, device);
-            if (existingDevice == null)
-            {
-                device.UserId = user.Id;
-                await _deviceService.SaveAsync(device);
-
-                // This makes sure the user isn't sent a "new device" email on their first login
-                var now = DateTime.UtcNow;
-                if (now - user.CreationDate > TimeSpan.FromMinutes(10))
-                {
-                    var deviceType = device.Type.GetType().GetMember(device.Type.ToString())
-                        .FirstOrDefault()?.GetCustomAttribute<DisplayAttribute>()?.GetName();
-                    if (!_globalSettings.DisableEmailNewDevice)
-                    {
-                        await _mailService.SendNewDeviceLoggedInEmail(user.Email, deviceType, now,
-                            _currentContext.IpAddress);
-                    }
-                }
-                return device;
-            }
-            return existingDevice;
+            (context.ValidationErrorResult, context.CustomResponse) =
+                BuildDeviceErrorResult(DeviceValidationResultType.NoDeviceInformationProvided);
+            return false;
         }
-        return null;
+
+        // if not a new device request then check if the device is known
+        if (!NewDeviceOtpRequest(request))
+        {
+            var knownDevice = await GetKnownDeviceAsync(context.User, requestDevice);
+            // if the device is know then we return the device fetched from the database
+            // returning the database device is important for TDE
+            if (knownDevice != null)
+            {
+                context.KnownDevice = true;
+                context.Device = knownDevice;
+                return true;
+            }
+        }
+
+        // We have established that the device is unknown at this point; begin new device verification
+        // PM-13340: remove feature flag
+        if (_featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification) &&
+            request.GrantType == "password" &&
+            request.Raw["AuthRequest"] == null &&
+            !context.TwoFactorRequired &&
+            !context.SsoRequired &&
+            _globalSettings.EnableNewDeviceVerification)
+        {
+            // We only want to return early if the device is invalid or there is an error
+            var validationResult = await HandleNewDeviceVerificationAsync(context.User, request);
+            if (validationResult != DeviceValidationResultType.Success)
+            {
+                (context.ValidationErrorResult, context.CustomResponse) =
+                    BuildDeviceErrorResult(validationResult);
+                if (validationResult == DeviceValidationResultType.NewDeviceVerificationRequired)
+                {
+                    await _userService.SendOTPAsync(context.User);
+                }
+                return false;
+            }
+        }
+
+        // At this point we have established either new device verification is not required or the NewDeviceOtp is valid
+        requestDevice.UserId = context.User.Id;
+        await _deviceService.SaveAsync(requestDevice);
+        context.Device = requestDevice;
+
+        // backwards compatibility -- If NewDeviceVerification not enabled send the new login emails
+        // PM-13340: removal Task; remove entire if block emails should no longer be sent
+        if (!_featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification))
+        {
+            // This ensures the user doesn't receive a "new device" email on the first login
+            var now = DateTime.UtcNow;
+            if (now - context.User.CreationDate > TimeSpan.FromMinutes(10))
+            {
+                var deviceType = requestDevice.Type.GetType().GetMember(requestDevice.Type.ToString())
+                    .FirstOrDefault()?.GetCustomAttribute<DisplayAttribute>()?.GetName();
+                if (!_globalSettings.DisableEmailNewDevice)
+                {
+                    await _mailService.SendNewDeviceLoggedInEmail(context.User.Email, deviceType, now,
+                        _currentContext.IpAddress);
+                }
+            }
+        }
+        return true;
     }
 
-    public async Task<bool> KnownDeviceAsync(User user, ValidatedTokenRequest request) =>
-        (await GetKnownDeviceAsync(user, GetDeviceFromRequest(request))) != default;
+    /// <summary>
+    /// Checks the if the requesting deice requires new device verification otherwise saves the device to the database
+    /// </summary>
+    /// <param name="user">user attempting to authenticate</param>
+    /// <param name="ValidatedRequest">The Request is used to check for the NewDeviceOtp and for the raw device data</param>
+    /// <returns>returns deviceValtaionResultType</returns>
+    private async Task<DeviceValidationResultType> HandleNewDeviceVerificationAsync(User user, ValidatedRequest request)
+    {
+        // currently unreachable due to backward compatibility
+        // PM-13340: will address this
+        if (user == null)
+        {
+            return DeviceValidationResultType.InvalidUser;
+        }
 
-    private async Task<Device> GetKnownDeviceAsync(User user, Device device)
+        // parse request for NewDeviceOtp to validate
+        var newDeviceOtp = request.Raw["NewDeviceOtp"]?.ToString();
+        // we only check null here since an empty OTP will be considered an incorrect OTP
+        if (newDeviceOtp != null)
+        {
+            // verify the NewDeviceOtp
+            var otpValid = await _userService.VerifyOTPAsync(user, newDeviceOtp);
+            if (otpValid)
+            {
+                return DeviceValidationResultType.Success;
+            }
+            return DeviceValidationResultType.InvalidNewDeviceOtp;
+        }
+
+        // if a user has no devices they are assumed to be newly registered user which does not require new device verification
+        var devices = await _deviceRepository.GetManyByUserIdAsync(user.Id);
+        if (devices.Count == 0)
+        {
+            return DeviceValidationResultType.Success;
+        }
+
+        // if we get to here then we need to send a new device verification email
+        return DeviceValidationResultType.NewDeviceVerificationRequired;
+    }
+
+    public async Task<Device> GetKnownDeviceAsync(User user, Device device)
     {
         if (user == null || device == null)
         {
-            return default;
+            return null;
         }
+
         return await _deviceRepository.GetByIdentifierAsync(device.Identifier, user.Id);
     }
 
-    private static Device GetDeviceFromRequest(ValidatedRequest request)
+    public static Device GetDeviceFromRequest(ValidatedRequest request)
     {
         var deviceIdentifier = request.Raw["DeviceIdentifier"]?.ToString();
         var requestDeviceType = request.Raw["DeviceType"]?.ToString();
@@ -112,4 +179,49 @@ public class DeviceValidator(
             PushToken = string.IsNullOrWhiteSpace(devicePushToken) ? null : devicePushToken
         };
     }
+
+    /// <summary>
+    /// Checks request for the NewDeviceOtp field to determine if a new device verification is required.
+    /// </summary>
+    /// <param name="request"></param>
+    /// <returns></returns>
+    public static bool NewDeviceOtpRequest(ValidatedRequest request)
+    {
+        return !string.IsNullOrEmpty(request.Raw["NewDeviceOtp"]?.ToString());
+    }
+
+    /// <summary>
+    /// This builds builds the error result for the various grant and token validators. The Success type is not used here.
+    /// </summary>
+    /// <param name="errorType">DeviceValidationResultType that is an error, success type is not used.</param>
+    /// <returns>validation result used by grant and token validators, and the custom response for either Grant or Token response objects.</returns>
+    private static (Duende.IdentityServer.Validation.ValidationResult, Dictionary<string, object>) BuildDeviceErrorResult(DeviceValidationResultType errorType)
+    {
+        var result = new Duende.IdentityServer.Validation.ValidationResult
+        {
+            IsError = true,
+            Error = "device_error",
+        };
+        var customResponse = new Dictionary<string, object>();
+        switch (errorType)
+        {
+            case DeviceValidationResultType.InvalidUser:
+                result.ErrorDescription = "Invalid user";
+                customResponse.Add("ErrorModel", new ErrorResponseModel("invalid user"));
+                break;
+            case DeviceValidationResultType.InvalidNewDeviceOtp:
+                result.ErrorDescription = "Invalid New Device OTP";
+                customResponse.Add("ErrorModel", new ErrorResponseModel("invalid new device otp"));
+                break;
+            case DeviceValidationResultType.NewDeviceVerificationRequired:
+                result.ErrorDescription = "New device verification required";
+                customResponse.Add("ErrorModel", new ErrorResponseModel("new device verification required"));
+                break;
+            case DeviceValidationResultType.NoDeviceInformationProvided:
+                result.ErrorDescription = "No device information provided";
+                customResponse.Add("ErrorModel", new ErrorResponseModel("no device information provided"));
+                break;
+        }
+        return (result, customResponse);
+    }
 }
diff --git a/src/Identity/IdentityServer/RequestValidators/IDeviceValidator.cs b/src/Identity/IdentityServer/RequestValidators/IDeviceValidator.cs
new file mode 100644
index 0000000000..0bff7e4fab
--- /dev/null
+++ b/src/Identity/IdentityServer/RequestValidators/IDeviceValidator.cs
@@ -0,0 +1,24 @@
+using Bit.Core.Entities;
+using Duende.IdentityServer.Validation;
+
+namespace Bit.Identity.IdentityServer.RequestValidators;
+
+public interface IDeviceValidator
+{
+    /// <summary>
+    /// Fetches device from the database using the Device Identifier and the User Id to know if the user
+    /// has ever tried to authenticate with this specific instance of Bitwarden.
+    /// </summary>
+    /// <param name="user">user attempting to authenticate</param>
+    /// <param name="device">current instance of Bitwarden the user is interacting with</param>
+    /// <returns>null or Device</returns>
+    Task<Device> GetKnownDeviceAsync(User user, Device device);
+
+    /// <summary>
+    /// Validate the requesting device. Modifies the ValidatorRequestContext with error result if any.
+    /// </summary>
+    /// <param name="request">The Request is used to check for the NewDeviceOtp and for the raw device data</param>
+    /// <param name="context">Contains two factor and sso context that are important for decisions on new device verification</param>
+    /// <returns>returns true if device is valid and no other action required; if false modifies the context with an error result to be returned;</returns>
+    Task<bool> ValidateRequestDeviceAsync(ValidatedTokenRequest request, CustomValidatorRequestContext context);
+}
diff --git a/src/Identity/IdentityServer/RequestValidators/ResourceOwnerPasswordValidator.cs b/src/Identity/IdentityServer/RequestValidators/ResourceOwnerPasswordValidator.cs
index f072a64177..852bf27e40 100644
--- a/src/Identity/IdentityServer/RequestValidators/ResourceOwnerPasswordValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/ResourceOwnerPasswordValidator.cs
@@ -75,11 +75,16 @@ public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwner
         }
 
         var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
+        // We want to keep this device around incase the device is new for the user
+        var requestDevice = DeviceValidator.GetDeviceFromRequest(context.Request);
+        var knownDevice = await _deviceValidator.GetKnownDeviceAsync(user, requestDevice);
         var validatorContext = new CustomValidatorRequestContext
         {
             User = user,
-            KnownDevice = await _deviceValidator.KnownDeviceAsync(user, context.Request),
+            KnownDevice = knownDevice != null,
+            Device = knownDevice ?? requestDevice,
         };
+
         string bypassToken = null;
         if (!validatorContext.KnownDevice &&
             _captchaValidationService.RequireCaptchaValidation(_currentContext, user))
@@ -156,6 +161,7 @@ public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwner
         return Task.CompletedTask;
     }
 
+    [Obsolete("Consider using SetGrantValidationErrorResult instead.")]
     protected override void SetTwoFactorResult(ResourceOwnerPasswordValidationContext context,
         Dictionary<string, object> customResponse)
     {
@@ -163,6 +169,7 @@ public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwner
             customResponse);
     }
 
+    [Obsolete("Consider using SetGrantValidationErrorResult instead.")]
     protected override void SetSsoResult(ResourceOwnerPasswordValidationContext context,
         Dictionary<string, object> customResponse)
     {
@@ -170,12 +177,25 @@ public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwner
             customResponse);
     }
 
+    [Obsolete("Consider using SetGrantValidationErrorResult instead.")]
     protected override void SetErrorResult(ResourceOwnerPasswordValidationContext context,
         Dictionary<string, object> customResponse)
     {
         context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, customResponse: customResponse);
     }
 
+    protected override void SetValidationErrorResult(
+        ResourceOwnerPasswordValidationContext context, CustomValidatorRequestContext requestContext)
+    {
+        context.Result = new GrantValidationResult
+        {
+            Error = requestContext.ValidationErrorResult.Error,
+            ErrorDescription = requestContext.ValidationErrorResult.ErrorDescription,
+            IsError = true,
+            CustomResponse = requestContext.CustomResponse
+        };
+    }
+
     protected override ClaimsPrincipal GetSubject(ResourceOwnerPasswordValidationContext context)
     {
         return context.Result.Subject;
@@ -183,28 +203,26 @@ public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwner
 
     private bool AuthEmailHeaderIsValid(ResourceOwnerPasswordValidationContext context)
     {
-        if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Auth-Email"))
-        {
-            return false;
-        }
-        else
+        if (_currentContext.HttpContext.Request.Headers.TryGetValue("Auth-Email", out var authEmailHeader))
         {
             try
             {
-                var authEmailHeader = _currentContext.HttpContext.Request.Headers["Auth-Email"];
                 var authEmailDecoded = CoreHelpers.Base64UrlDecodeString(authEmailHeader);
-
                 if (authEmailDecoded != context.UserName)
                 {
                     return false;
                 }
             }
-            catch (System.Exception e) when (e is System.InvalidOperationException || e is System.FormatException)
+            catch (Exception e) when (e is InvalidOperationException || e is FormatException)
             {
                 // Invalid B64 encoding
                 return false;
             }
         }
+        else
+        {
+            return false;
+        }
 
         return true;
     }
diff --git a/src/Identity/IdentityServer/RequestValidators/WebAuthnGrantValidator.cs b/src/Identity/IdentityServer/RequestValidators/WebAuthnGrantValidator.cs
index 515dca7828..499c22ad89 100644
--- a/src/Identity/IdentityServer/RequestValidators/WebAuthnGrantValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/WebAuthnGrantValidator.cs
@@ -91,15 +91,9 @@ public class WebAuthnGrantValidator : BaseRequestValidator<ExtensionGrantValidat
         }
 
         var (user, credential) = await _assertWebAuthnLoginCredentialCommand.AssertWebAuthnLoginCredential(token.Options, deviceResponse);
-        var validatorContext = new CustomValidatorRequestContext
-        {
-            User = user,
-            KnownDevice = await _deviceValidator.KnownDeviceAsync(user, context.Request)
-        };
-
         UserDecryptionOptionsBuilder.WithWebAuthnLoginCredential(credential);
 
-        await ValidateAsync(context, context.Request, validatorContext);
+        await ValidateAsync(context, context.Request, new CustomValidatorRequestContext { User = user });
     }
 
     protected override Task<bool> ValidateContextAsync(ExtensionGrantValidationContext context,
@@ -128,6 +122,7 @@ public class WebAuthnGrantValidator : BaseRequestValidator<ExtensionGrantValidat
         return context.Result.Subject;
     }
 
+    [Obsolete("Consider using SetValidationErrorResult instead.")]
     protected override void SetTwoFactorResult(ExtensionGrantValidationContext context,
         Dictionary<string, object> customResponse)
     {
@@ -135,6 +130,7 @@ public class WebAuthnGrantValidator : BaseRequestValidator<ExtensionGrantValidat
             customResponse);
     }
 
+    [Obsolete("Consider using SetValidationErrorResult instead.")]
     protected override void SetSsoResult(ExtensionGrantValidationContext context,
         Dictionary<string, object> customResponse)
     {
@@ -142,9 +138,21 @@ public class WebAuthnGrantValidator : BaseRequestValidator<ExtensionGrantValidat
             customResponse);
     }
 
-    protected override void SetErrorResult(ExtensionGrantValidationContext context,
-        Dictionary<string, object> customResponse)
+    [Obsolete("Consider using SetValidationErrorResult instead.")]
+    protected override void SetErrorResult(ExtensionGrantValidationContext context, Dictionary<string, object> customResponse)
     {
         context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, customResponse: customResponse);
     }
+
+    protected override void SetValidationErrorResult(
+        ExtensionGrantValidationContext context, CustomValidatorRequestContext requestContext)
+    {
+        context.Result = new GrantValidationResult
+        {
+            Error = requestContext.ValidationErrorResult.Error,
+            ErrorDescription = requestContext.ValidationErrorResult.ErrorDescription,
+            IsError = true,
+            CustomResponse = requestContext.CustomResponse
+        };
+    }
 }
diff --git a/test/Identity.IntegrationTest/RequestValidation/ResourceOwnerPasswordValidatorTests.cs b/test/Identity.IntegrationTest/RequestValidation/ResourceOwnerPasswordValidatorTests.cs
index 703faed48c..4bec8d8167 100644
--- a/test/Identity.IntegrationTest/RequestValidation/ResourceOwnerPasswordValidatorTests.cs
+++ b/test/Identity.IntegrationTest/RequestValidation/ResourceOwnerPasswordValidatorTests.cs
@@ -5,14 +5,11 @@ using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
-using Bit.Identity.IdentityServer.RequestValidators;
 using Bit.Identity.Models.Request.Accounts;
 using Bit.IntegrationTestCommon.Factories;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Bit.Test.Common.Helpers;
-using Duende.IdentityServer.Validation;
 using Microsoft.AspNetCore.Identity;
-using NSubstitute;
 using Xunit;
 
 namespace Bit.Identity.IntegrationTest.RequestValidation;
@@ -217,48 +214,6 @@ public class ResourceOwnerPasswordValidatorTests : IClassFixture<IdentityApplica
         Assert.Equal("Username or password is incorrect. Try again.", errorMessage);
     }
 
-    [Fact]
-    public async Task ValidateAsync_DeviceSaveAsync_ReturnsNullDevice_ErrorResult()
-    {
-        // Arrange
-        var factory = new IdentityApplicationFactory();
-
-        // Stub DeviceValidator
-        factory.SubstituteService<IDeviceValidator>(sub =>
-        {
-            sub.SaveDeviceAsync(Arg.Any<User>(), Arg.Any<ValidatedTokenRequest>())
-                .Returns(null as Device);
-        });
-
-        // Add User
-        await factory.RegisterAsync(new RegisterRequestModel
-        {
-            Email = DefaultUsername,
-            MasterPasswordHash = DefaultPassword
-        });
-        var userManager = factory.GetService<UserManager<User>>();
-        await factory.RegisterAsync(new RegisterRequestModel
-        {
-            Email = DefaultUsername,
-            MasterPasswordHash = DefaultPassword
-        });
-        var user = await userManager.FindByEmailAsync(DefaultUsername);
-        Assert.NotNull(user);
-
-        // Act
-        var context = await factory.Server.PostAsync("/connect/token",
-            GetFormUrlEncodedContent(),
-            context => context.SetAuthEmail(DefaultUsername));
-
-        // Assert
-        var body = await AssertHelper.AssertResponseTypeIs<JsonDocument>(context);
-        var root = body.RootElement;
-
-        var errorModel = AssertHelper.AssertJsonProperty(root, "ErrorModel", JsonValueKind.Object);
-        var errorMessage = AssertHelper.AssertJsonProperty(errorModel, "Message", JsonValueKind.String).GetString();
-        Assert.Equal("No device information provided.", errorMessage);
-    }
-
     private async Task EnsureUserCreatedAsync(IdentityApplicationFactory factory = null)
     {
         factory ??= _factory;
@@ -290,6 +245,18 @@ public class ResourceOwnerPasswordValidatorTests : IClassFixture<IdentityApplica
         });
     }
 
+    private FormUrlEncodedContent GetDefaultFormUrlEncodedContentWithoutDevice()
+    {
+        return new FormUrlEncodedContent(new Dictionary<string, string>
+        {
+            { "scope", "api offline_access" },
+            { "client_id", "web" },
+            { "grant_type", "password" },
+            { "username", DefaultUsername },
+            { "password", DefaultPassword },
+        });
+    }
+
     private static string DeviceTypeAsString(DeviceType deviceType)
     {
         return ((int)deviceType).ToString();
diff --git a/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs b/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs
index d0372202ad..02b6982419 100644
--- a/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs
+++ b/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs
@@ -22,7 +22,6 @@ using NSubstitute;
 using Xunit;
 using AuthFixtures = Bit.Identity.Test.AutoFixture;
 
-
 namespace Bit.Identity.Test.IdentityServer;
 
 public class BaseRequestValidatorTests
@@ -82,10 +81,10 @@ public class BaseRequestValidatorTests
     }
 
     /* Logic path
-    ValidateAsync -> _Logger.LogInformation
-                 |-> BuildErrorResultAsync -> _eventService.LogUserEventAsync
-                                          |-> SetErrorResult
-    */
+     * ValidateAsync -> _Logger.LogInformation
+     *            |-> BuildErrorResultAsync -> _eventService.LogUserEventAsync
+     *                                     |-> SetErrorResult
+     */
     [Theory, BitAutoData]
     public async Task ValidateAsync_IsBot_UserNotNull_ShouldBuildErrorResult_ShouldLogFailedLoginEvent(
         [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest tokenRequest,
@@ -112,11 +111,11 @@ public class BaseRequestValidatorTests
     }
 
     /* Logic path
-    ValidateAsync -> UpdateFailedAuthDetailsAsync -> _mailService.SendFailedLoginAttemptsEmailAsync
-                 |-> BuildErrorResultAsync -> _eventService.LogUserEventAsync
-                            (self hosted) |-> _logger.LogWarning()
-                                          |-> SetErrorResult
-    */
+     * ValidateAsync -> UpdateFailedAuthDetailsAsync -> _mailService.SendFailedLoginAttemptsEmailAsync
+     *            |-> BuildErrorResultAsync -> _eventService.LogUserEventAsync
+     *                       (self hosted) |-> _logger.LogWarning()
+     *                                     |-> SetErrorResult
+     */
     [Theory, BitAutoData]
     public async Task ValidateAsync_ContextNotValid_SelfHosted_ShouldBuildErrorResult_ShouldLogWarning(
         [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest tokenRequest,
@@ -140,10 +139,10 @@ public class BaseRequestValidatorTests
     }
 
     /* Logic path
-    ValidateAsync -> UpdateFailedAuthDetailsAsync -> _mailService.SendFailedLoginAttemptsEmailAsync
-                 |-> BuildErrorResultAsync -> _eventService.LogUserEventAsync
-                                          |-> SetErrorResult
-    */
+     * ValidateAsync -> UpdateFailedAuthDetailsAsync -> _mailService.SendFailedLoginAttemptsEmailAsync
+     *            |-> BuildErrorResultAsync -> _eventService.LogUserEventAsync
+     *                                     |-> SetErrorResult
+     */
     [Theory, BitAutoData]
     public async Task ValidateAsync_ContextNotValid_MaxAttemptLogin_ShouldSendEmail(
         [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest tokenRequest,
@@ -177,134 +176,97 @@ public class BaseRequestValidatorTests
         Assert.Equal("Username or password is incorrect. Try again.", errorResponse.Message);
     }
 
-
-    /* Logic path
-    ValidateAsync -> IsValidAuthTypeAsync -> SaveDeviceAsync -> BuildErrorResult
-    */
     [Theory, BitAutoData]
-    public async Task ValidateAsync_AuthCodeGrantType_DeviceNull_ShouldError(
+    public async Task ValidateAsync_DeviceNotValidated_ShouldLogError(
         [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest tokenRequest,
         CustomValidatorRequestContext requestContext,
         GrantValidationResult grantResult)
     {
         // Arrange
         var context = CreateContext(tokenRequest, requestContext, grantResult);
-        _twoFactorAuthenticationValidator
-            .RequiresTwoFactorAsync(Arg.Any<User>(), Arg.Any<ValidatedTokenRequest>())
-            .Returns(Task.FromResult(new Tuple<bool, Organization>(false, default)));
-
+        // 1 -> to pass
         context.CustomValidatorRequestContext.CaptchaResponse.IsBot = false;
         _sut.isValid = true;
 
-        context.ValidatedTokenRequest.GrantType = "authorization_code";
+        // 2 -> will result to false with no extra configuration
+        // 3 -> set two factor to be false
+        _twoFactorAuthenticationValidator
+                .RequiresTwoFactorAsync(Arg.Any<User>(), tokenRequest)
+                .Returns(Task.FromResult(new Tuple<bool, Organization>(false, null)));
+
+        // 4 -> set up device validator to fail
+        requestContext.KnownDevice = false;
+        tokenRequest.GrantType = "password";
+        _deviceValidator.ValidateRequestDeviceAsync(Arg.Any<ValidatedTokenRequest>(), Arg.Any<CustomValidatorRequestContext>())
+                         .Returns(Task.FromResult(false));
+
+        // 5 -> not legacy user
+        _userService.IsLegacyUser(Arg.Any<string>())
+            .Returns(false);
 
         // Act
         await _sut.ValidateAsync(context);
 
-        var errorResponse = (ErrorResponseModel)context.GrantResult.CustomResponse["ErrorModel"];
-
         // Assert
         Assert.True(context.GrantResult.IsError);
-        Assert.Equal("No device information provided.", errorResponse.Message);
+        await _eventService.Received(1)
+            .LogUserEventAsync(context.CustomValidatorRequestContext.User.Id, EventType.User_FailedLogIn);
     }
 
-    /* Logic path
-    ValidateAsync -> IsValidAuthTypeAsync -> SaveDeviceAsync -> BuildSuccessResultAsync
-    */
     [Theory, BitAutoData]
-    public async Task ValidateAsync_ClientCredentialsGrantType_ShouldSucceed(
-        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest tokenRequest,
-        CustomValidatorRequestContext requestContext,
-        GrantValidationResult grantResult,
-        Device device)
-    {
-        // Arrange
-        var context = CreateContext(tokenRequest, requestContext, grantResult);
-        _twoFactorAuthenticationValidator
-            .RequiresTwoFactorAsync(Arg.Any<User>(), Arg.Any<ValidatedTokenRequest>())
-            .Returns(Task.FromResult(new Tuple<bool, Organization>(false, null)));
-
-        context.CustomValidatorRequestContext.CaptchaResponse.IsBot = false;
-        _sut.isValid = true;
-
-        context.CustomValidatorRequestContext.User.CreationDate = DateTime.UtcNow - TimeSpan.FromDays(1);
-        _globalSettings.DisableEmailNewDevice = false;
-
-        context.ValidatedTokenRequest.GrantType = "client_credentials"; // This || AuthCode will allow process to continue to get device
-
-        _deviceValidator.SaveDeviceAsync(Arg.Any<User>(), Arg.Any<ValidatedTokenRequest>())
-                         .Returns(device);
-        // Act
-        await _sut.ValidateAsync(context);
-
-        // Assert
-        Assert.False(context.GrantResult.IsError);
-    }
-
-    /* Logic path
-    ValidateAsync -> IsValidAuthTypeAsync -> SaveDeviceAsync -> BuildSuccessResultAsync
-    */
-    [Theory, BitAutoData]
-    public async Task ValidateAsync_ClientCredentialsGrantType_ExistingDevice_ShouldSucceed(
-        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest tokenRequest,
-        CustomValidatorRequestContext requestContext,
-        GrantValidationResult grantResult,
-        Device device)
-    {
-        // Arrange
-        var context = CreateContext(tokenRequest, requestContext, grantResult);
-
-        context.CustomValidatorRequestContext.CaptchaResponse.IsBot = false;
-        _sut.isValid = true;
-
-        context.CustomValidatorRequestContext.User.CreationDate = DateTime.UtcNow - TimeSpan.FromDays(1);
-        _globalSettings.DisableEmailNewDevice = false;
-
-        context.ValidatedTokenRequest.GrantType = "client_credentials"; // This || AuthCode will allow process to continue to get device
-
-        _deviceValidator.SaveDeviceAsync(Arg.Any<User>(), Arg.Any<ValidatedTokenRequest>())
-                         .Returns(device);
-        _twoFactorAuthenticationValidator
-            .RequiresTwoFactorAsync(Arg.Any<User>(), Arg.Any<ValidatedTokenRequest>())
-            .Returns(Task.FromResult(new Tuple<bool, Organization>(false, null)));
-        // Act
-        await _sut.ValidateAsync(context);
-
-        // Assert
-        await _eventService.LogUserEventAsync(
-            context.CustomValidatorRequestContext.User.Id, EventType.User_LoggedIn);
-        await _userRepository.Received(1).ReplaceAsync(Arg.Any<User>());
-
-        Assert.False(context.GrantResult.IsError);
-    }
-
-    /* Logic path
-    ValidateAsync -> IsLegacyUser -> BuildErrorResultAsync
-    */
-    [Theory, BitAutoData]
-    public async Task ValidateAsync_InvalidAuthType_ShouldSetSsoResult(
+    public async Task ValidateAsync_DeviceValidated_ShouldSucceed(
         [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest tokenRequest,
         CustomValidatorRequestContext requestContext,
         GrantValidationResult grantResult)
     {
         // Arrange
         var context = CreateContext(tokenRequest, requestContext, grantResult);
-
-        context.ValidatedTokenRequest.Raw["DeviceIdentifier"] = "DeviceIdentifier";
-        context.ValidatedTokenRequest.Raw["DevicePushToken"] = "DevicePushToken";
-        context.ValidatedTokenRequest.Raw["DeviceName"] = "DeviceName";
-        context.ValidatedTokenRequest.Raw["DeviceType"] = "Android"; // This needs to be an actual Type
+        // 1 -> to pass
         context.CustomValidatorRequestContext.CaptchaResponse.IsBot = false;
         _sut.isValid = true;
 
-        context.ValidatedTokenRequest.GrantType = "";
+        // 2 -> will result to false with no extra configuration
+        // 3 -> set two factor to be false
+        _twoFactorAuthenticationValidator
+                .RequiresTwoFactorAsync(Arg.Any<User>(), tokenRequest)
+                .Returns(Task.FromResult(new Tuple<bool, Organization>(false, null)));
 
+        // 4 -> set up device validator to pass
+        _deviceValidator.ValidateRequestDeviceAsync(Arg.Any<ValidatedTokenRequest>(), Arg.Any<CustomValidatorRequestContext>())
+                         .Returns(Task.FromResult(true));
+
+        // 5 -> not legacy user
+        _userService.IsLegacyUser(Arg.Any<string>())
+            .Returns(false);
+
+        // Act
+        await _sut.ValidateAsync(context);
+
+        // Assert
+        Assert.False(context.GrantResult.IsError);
+    }
+
+    // Test grantTypes that require SSO when a user is in an organization that requires it
+    [Theory]
+    [BitAutoData("password")]
+    [BitAutoData("webauthn")]
+    [BitAutoData("refresh_token")]
+    public async Task ValidateAsync_GrantTypes_OrgSsoRequiredTrue_ShouldSetSsoResult(
+        string grantType,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest tokenRequest,
+        CustomValidatorRequestContext requestContext,
+        GrantValidationResult grantResult)
+    {
+        // Arrange
+        var context = CreateContext(tokenRequest, requestContext, grantResult);
+        context.CustomValidatorRequestContext.CaptchaResponse.IsBot = false;
+        _sut.isValid = true;
+
+        context.ValidatedTokenRequest.GrantType = grantType;
         _policyService.AnyPoliciesApplicableToUserAsync(
                         Arg.Any<Guid>(), PolicyType.RequireSso, OrganizationUserStatusType.Confirmed)
                       .Returns(Task.FromResult(true));
-        _twoFactorAuthenticationValidator
-            .RequiresTwoFactorAsync(Arg.Any<User>(), Arg.Any<ValidatedTokenRequest>())
-            .Returns(Task.FromResult(new Tuple<bool, Organization>(false, null)));
+
         // Act
         await _sut.ValidateAsync(context);
 
@@ -314,6 +276,85 @@ public class BaseRequestValidatorTests
         Assert.Equal("SSO authentication is required.", errorResponse.Message);
     }
 
+    // Test grantTypes where SSO would be required but the user is not in an
+    // organization that requires it
+    [Theory]
+    [BitAutoData("password")]
+    [BitAutoData("webauthn")]
+    [BitAutoData("refresh_token")]
+    public async Task ValidateAsync_GrantTypes_OrgSsoRequiredFalse_ShouldSucceed(
+        string grantType,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest tokenRequest,
+        CustomValidatorRequestContext requestContext,
+        GrantValidationResult grantResult)
+    {
+        // Arrange
+        var context = CreateContext(tokenRequest, requestContext, grantResult);
+        context.CustomValidatorRequestContext.CaptchaResponse.IsBot = false;
+        _sut.isValid = true;
+
+        context.ValidatedTokenRequest.GrantType = grantType;
+
+        _policyService.AnyPoliciesApplicableToUserAsync(
+                        Arg.Any<Guid>(), PolicyType.RequireSso, OrganizationUserStatusType.Confirmed)
+                      .Returns(Task.FromResult(false));
+        _twoFactorAuthenticationValidator.RequiresTwoFactorAsync(requestContext.User, tokenRequest)
+            .Returns(Task.FromResult(new Tuple<bool, Organization>(false, null)));
+        _deviceValidator.ValidateRequestDeviceAsync(tokenRequest, requestContext)
+            .Returns(Task.FromResult(true));
+        context.ValidatedTokenRequest.ClientId = "web";
+
+        // Act
+        await _sut.ValidateAsync(context);
+
+        // Assert
+        await _eventService.Received(1).LogUserEventAsync(
+            context.CustomValidatorRequestContext.User.Id, EventType.User_LoggedIn);
+        await _userRepository.Received(1).ReplaceAsync(Arg.Any<User>());
+
+        Assert.False(context.GrantResult.IsError);
+
+    }
+
+    // Test the grantTypes where SSO is in progress or not relevant
+    [Theory]
+    [BitAutoData("authorization_code")]
+    [BitAutoData("client_credentials")]
+    public async Task ValidateAsync_GrantTypes_SsoRequiredFalse_ShouldSucceed(
+        string grantType,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest tokenRequest,
+        CustomValidatorRequestContext requestContext,
+        GrantValidationResult grantResult)
+    {
+        // Arrange
+        var context = CreateContext(tokenRequest, requestContext, grantResult);
+        context.CustomValidatorRequestContext.CaptchaResponse.IsBot = false;
+        _sut.isValid = true;
+
+        context.ValidatedTokenRequest.GrantType = grantType;
+
+        _twoFactorAuthenticationValidator.RequiresTwoFactorAsync(requestContext.User, tokenRequest)
+            .Returns(Task.FromResult(new Tuple<bool, Organization>(false, null)));
+        _deviceValidator.ValidateRequestDeviceAsync(tokenRequest, requestContext)
+            .Returns(Task.FromResult(true));
+        context.ValidatedTokenRequest.ClientId = "web";
+
+        // Act
+        await _sut.ValidateAsync(context);
+
+        // Assert
+        await _policyService.DidNotReceive().AnyPoliciesApplicableToUserAsync(
+                Arg.Any<Guid>(), PolicyType.RequireSso, OrganizationUserStatusType.Confirmed);
+        await _eventService.Received(1).LogUserEventAsync(
+            context.CustomValidatorRequestContext.User.Id, EventType.User_LoggedIn);
+        await _userRepository.Received(1).ReplaceAsync(Arg.Any<User>());
+
+        Assert.False(context.GrantResult.IsError);
+    }
+
+    /* Logic Path
+     * ValidateAsync -> UserService.IsLegacyUser -> FailAuthForLegacyUserAsync
+     */
     [Theory, BitAutoData]
     public async Task ValidateAsync_IsLegacyUser_FailAuthForLegacyUserAsync(
         [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest tokenRequest,
@@ -332,6 +373,8 @@ public class BaseRequestValidatorTests
         _twoFactorAuthenticationValidator
             .RequiresTwoFactorAsync(Arg.Any<User>(), Arg.Any<ValidatedTokenRequest>())
             .Returns(Task.FromResult(new Tuple<bool, Organization>(false, null)));
+        _deviceValidator.ValidateRequestDeviceAsync(tokenRequest, requestContext)
+            .Returns(Task.FromResult(true));
 
         // Act
         await _sut.ValidateAsync(context);
@@ -339,8 +382,9 @@ public class BaseRequestValidatorTests
         // Assert
         Assert.True(context.GrantResult.IsError);
         var errorResponse = (ErrorResponseModel)context.GrantResult.CustomResponse["ErrorModel"];
-        Assert.Equal($"Encryption key migration is required. Please log in to the web vault at {_globalSettings.BaseServiceUri.VaultWithHash}"
-                    , errorResponse.Message);
+        var expectedMessage = $"Encryption key migration is required. Please log in to the web " +
+                              $"vault at {_globalSettings.BaseServiceUri.VaultWithHash}";
+        Assert.Equal(expectedMessage, errorResponse.Message);
     }
 
     private BaseRequestValidationContextFake CreateContext(
@@ -367,4 +411,12 @@ public class BaseRequestValidatorTests
             Substitute.For<IServiceProvider>(),
             Substitute.For<ILogger<UserManager<User>>>());
     }
+
+    private void AddValidDeviceToRequest(ValidatedTokenRequest request)
+    {
+        request.Raw["DeviceIdentifier"] = "DeviceIdentifier";
+        request.Raw["DeviceType"] = "Android"; // must be valid device type
+        request.Raw["DeviceName"] = "DeviceName";
+        request.Raw["DevicePushToken"] = "DevicePushToken";
+    }
 }
diff --git a/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs b/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
index 2db792c936..304715b68c 100644
--- a/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
+++ b/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
@@ -1,9 +1,12 @@
-using Bit.Core.Context;
+using Bit.Core;
+using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
+using Bit.Core.Models.Api;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
+using Bit.Identity.IdentityServer;
 using Bit.Identity.IdentityServer.RequestValidators;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Duende.IdentityServer.Validation;
@@ -20,6 +23,8 @@ public class DeviceValidatorTests
     private readonly GlobalSettings _globalSettings;
     private readonly IMailService _mailService;
     private readonly ICurrentContext _currentContext;
+    private readonly IUserService _userService;
+    private readonly IFeatureService _featureService;
     private readonly DeviceValidator _sut;
 
     public DeviceValidatorTests()
@@ -29,219 +34,550 @@ public class DeviceValidatorTests
         _globalSettings = new GlobalSettings();
         _mailService = Substitute.For<IMailService>();
         _currentContext = Substitute.For<ICurrentContext>();
+        _userService = Substitute.For<IUserService>();
+        _featureService = Substitute.For<IFeatureService>();
         _sut = new DeviceValidator(
             _deviceService,
             _deviceRepository,
             _globalSettings,
             _mailService,
-            _currentContext);
+            _currentContext,
+            _userService,
+            _featureService);
     }
 
-    [Theory]
-    [BitAutoData]
-    public async void SaveDeviceAsync_DeviceNull_ShouldReturnNull(
-        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request,
-        User user)
-    {
-        // Arrange
-        request.Raw["DeviceIdentifier"] = null;
-
-        // Act
-        var device = await _sut.SaveDeviceAsync(user, request);
-
-        // Assert
-        Assert.Null(device);
-        await _mailService.DidNotReceive().SendNewDeviceLoggedInEmail(
-            Arg.Any<string>(), Arg.Any<string>(), Arg.Any<DateTime>(), Arg.Any<string>());
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async void SaveDeviceAsync_UserIsNull_ShouldReturnNull(
-        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
-    {
-        // Arrange
-        request = AddValidDeviceToRequest(request);
-
-        // Act
-        var device = await _sut.SaveDeviceAsync(null, request);
-
-        // Assert
-        Assert.Null(device);
-        await _mailService.DidNotReceive().SendNewDeviceLoggedInEmail(
-            Arg.Any<string>(), Arg.Any<string>(), Arg.Any<DateTime>(), Arg.Any<string>());
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async void SaveDeviceAsync_ExistingUser_NewDevice_ReturnsDevice_SendsEmail(
-        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request,
-        User user)
-    {
-        // Arrange
-        request = AddValidDeviceToRequest(request);
-
-        user.CreationDate = DateTime.UtcNow - TimeSpan.FromMinutes(11);
-        _globalSettings.DisableEmailNewDevice = false;
-
-        // Act
-        var device = await _sut.SaveDeviceAsync(user, request);
-
-        // Assert
-        Assert.NotNull(device);
-        Assert.Equal(user.Id, device.UserId);
-        Assert.Equal("DeviceIdentifier", device.Identifier);
-        Assert.Equal(DeviceType.Android, device.Type);
-        await _mailService.Received(1).SendNewDeviceLoggedInEmail(
-            user.Email, "Android", Arg.Any<DateTime>(), Arg.Any<string>());
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async void SaveDeviceAsync_ExistingUser_NewDevice_ReturnsDevice_SendEmailFalse(
-        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request,
-        User user)
-    {
-        // Arrange
-        request = AddValidDeviceToRequest(request);
-
-        user.CreationDate = DateTime.UtcNow - TimeSpan.FromMinutes(11);
-        _globalSettings.DisableEmailNewDevice = true;
-
-        // Act
-        var device = await _sut.SaveDeviceAsync(user, request);
-
-        // Assert
-        Assert.NotNull(device);
-        Assert.Equal(user.Id, device.UserId);
-        Assert.Equal("DeviceIdentifier", device.Identifier);
-        Assert.Equal(DeviceType.Android, device.Type);
-        await _mailService.DidNotReceive().SendNewDeviceLoggedInEmail(
-            user.Email, "Android", Arg.Any<DateTime>(), Arg.Any<string>());
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async void SaveDeviceAsync_DeviceIsKnown_ShouldReturnDevice(
-        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request,
-        User user,
+    [Theory, BitAutoData]
+    public async void GetKnownDeviceAsync_UserNull_ReturnsFalse(
         Device device)
     {
         // Arrange
-        request = AddValidDeviceToRequest(request);
-
-        device.UserId = user.Id;
-        device.Identifier = "DeviceIdentifier";
-        device.Type = DeviceType.Android;
-        device.Name = "DeviceName";
-        device.PushToken = "DevicePushToken";
-        _deviceRepository.GetByIdentifierAsync(device.Identifier, user.Id).Returns(device);
+        // AutoData arrages
 
         // Act
-        var resultDevice = await _sut.SaveDeviceAsync(user, request);
+        var result = await _sut.GetKnownDeviceAsync(null, device);
 
         // Assert
-        Assert.Equal(device, resultDevice);
-        await _mailService.DidNotReceive().SendNewDeviceLoggedInEmail(
-            Arg.Any<string>(), Arg.Any<string>(), Arg.Any<DateTime>(), Arg.Any<string>());
+        Assert.Null(result);
     }
 
-    [Theory]
-    [BitAutoData]
-    public async void SaveDeviceAsync_NewUser_DeviceUnknown_ShouldSaveDevice_NoEmail(
-        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request,
-        User user)
-    {
-        // Arrange
-        request = AddValidDeviceToRequest(request);
-        user.CreationDate = DateTime.UtcNow;
-        _deviceRepository.GetByIdentifierAsync(Arg.Any<string>(), Arg.Any<Guid>()).Returns(null as Device);
-
-        // Act
-        var device = await _sut.SaveDeviceAsync(user, request);
-
-        // Assert
-        Assert.NotNull(device);
-        Assert.Equal(user.Id, device.UserId);
-        Assert.Equal("DeviceIdentifier", device.Identifier);
-        Assert.Equal(DeviceType.Android, device.Type);
-        await _deviceService.Received(1).SaveAsync(device);
-        await _mailService.DidNotReceive().SendNewDeviceLoggedInEmail(
-            Arg.Any<string>(), Arg.Any<string>(), Arg.Any<DateTime>(), Arg.Any<string>());
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async void KnownDeviceAsync_UserNull_ReturnsFalse(
-        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
-    {
-        // Arrange
-        request = AddValidDeviceToRequest(request);
-
-        // Act
-        var result = await _sut.KnownDeviceAsync(null, request);
-
-        // Assert
-        Assert.False(result);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async void KnownDeviceAsync_DeviceNull_ReturnsFalse(
-        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request,
+    [Theory, BitAutoData]
+    public async void GetKnownDeviceAsync_DeviceNull_ReturnsFalse(
         User user)
     {
         // Arrange
         // Device raw data is null which will cause the device to be null
 
         // Act
-        var result = await _sut.KnownDeviceAsync(user, request);
+        var result = await _sut.GetKnownDeviceAsync(user, null);
 
         // Assert
-        Assert.False(result);
+        Assert.Null(result);
     }
 
-    [Theory]
-    [BitAutoData]
-    public async void KnownDeviceAsync_DeviceNotInDatabase_ReturnsFalse(
-        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request,
-        User user)
+    [Theory, BitAutoData]
+    public async void GetKnownDeviceAsync_DeviceNotInDatabase_ReturnsFalse(
+        User user,
+        Device device)
     {
         // Arrange
-        request = AddValidDeviceToRequest(request);
         _deviceRepository.GetByIdentifierAsync(Arg.Any<string>(), Arg.Any<Guid>())
                          .Returns(null as Device);
         // Act
-        var result = await _sut.KnownDeviceAsync(user, request);
+        var result = await _sut.GetKnownDeviceAsync(user, device);
 
         // Assert
-        Assert.False(result);
+        Assert.Null(result);
     }
 
-    [Theory]
-    [BitAutoData]
-    public async void KnownDeviceAsync_UserAndDeviceValid_ReturnsTrue(
+    [Theory, BitAutoData]
+    public async void GetKnownDeviceAsync_UserAndDeviceValid_ReturnsTrue(
         [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request,
         User user,
         Device device)
     {
         // Arrange
-        request = AddValidDeviceToRequest(request);
+        AddValidDeviceToRequest(request);
         _deviceRepository.GetByIdentifierAsync(Arg.Any<string>(), Arg.Any<Guid>())
                          .Returns(device);
         // Act
-        var result = await _sut.KnownDeviceAsync(user, request);
+        var result = await _sut.GetKnownDeviceAsync(user, device);
+
+        // Assert
+        Assert.NotNull(result);
+    }
+
+    [Theory]
+    [BitAutoData("not null", "Android", "")]
+    [BitAutoData("not null", "", "not null")]
+    [BitAutoData("", "Android", "not null")]
+    public void GetDeviceFromRequest_RawDeviceInfoNull_ReturnsNull(
+        string deviceIdentifier,
+        string deviceType,
+        string deviceName,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        request.Raw["DeviceIdentifier"] = deviceIdentifier;
+        request.Raw["DeviceType"] = deviceType;
+        request.Raw["DeviceName"] = deviceName;
+
+        // Act
+        var result = DeviceValidator.GetDeviceFromRequest(request);
+
+        // Assert
+        Assert.Null(result);
+    }
+
+    [Theory, BitAutoData]
+    public void GetDeviceFromRequest_RawDeviceInfoValid_ReturnsDevice(
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        AddValidDeviceToRequest(request);
+
+        // Act
+        var result = DeviceValidator.GetDeviceFromRequest(request);
+
+        // Assert
+        Assert.NotNull(result);
+        Assert.Equal("DeviceIdentifier", result.Identifier);
+        Assert.Equal("DeviceName", result.Name);
+        Assert.Equal(DeviceType.Android, result.Type);
+        Assert.Equal("DevicePushToken", result.PushToken);
+    }
+
+    [Theory, BitAutoData]
+    public async void ValidateRequestDeviceAsync_DeviceNull_ContextModified_ReturnsFalse(
+        CustomValidatorRequestContext context,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        context.KnownDevice = false;
+        context.Device = null;
+
+        // Act
+        Assert.NotNull(context.User);
+        var result = await _sut.ValidateRequestDeviceAsync(request, context);
+
+        // Assert
+        await _deviceService.Received(0).SaveAsync(Arg.Any<Device>());
+
+        Assert.False(result);
+        Assert.NotNull(context.CustomResponse["ErrorModel"]);
+        var expectedErrorModel = new ErrorResponseModel("no device information provided");
+        var actualResponse = (ErrorResponseModel)context.CustomResponse["ErrorModel"];
+        Assert.Equal(expectedErrorModel.Message, actualResponse.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async void ValidateRequestDeviceAsync_RequestDeviceKnown_ContextDeviceModified_ReturnsTrue(
+        Device device,
+        CustomValidatorRequestContext context,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        context.KnownDevice = false;
+        context.Device = null;
+        AddValidDeviceToRequest(request);
+        _deviceRepository.GetByIdentifierAsync(Arg.Any<string>(), Arg.Any<Guid>())
+            .Returns(device);
+
+        // Act
+        var result = await _sut.ValidateRequestDeviceAsync(request, context);
+
+        // Assert
+        await _deviceService.Received(0).SaveAsync(Arg.Any<Device>());
+
+        Assert.True(result);
+        Assert.False(context.CustomResponse.ContainsKey("ErrorModel"));
+        Assert.NotNull(context.Device);
+        Assert.Equal(context.Device, device);
+    }
+
+    [Theory, BitAutoData]
+    public async void ValidateRequestDeviceAsync_ContextDeviceKnown_ContextDeviceModified_ReturnsTrue(
+    Device databaseDevice,
+    CustomValidatorRequestContext context,
+    [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        context.KnownDevice = false;
+        _deviceRepository.GetByIdentifierAsync(Arg.Any<string>(), Arg.Any<Guid>())
+            .Returns(databaseDevice);
+        // we want to show that the context device is updated when the device is known
+        Assert.NotEqual(context.Device, databaseDevice);
+
+        // Act
+        var result = await _sut.ValidateRequestDeviceAsync(request, context);
+
+        // Assert
+        await _deviceService.Received(0).SaveAsync(Arg.Any<Device>());
+
+        Assert.True(result);
+        Assert.False(context.CustomResponse.ContainsKey("ErrorModel"));
+        Assert.Equal(context.Device, databaseDevice);
+    }
+
+    [Theory, BitAutoData]
+    public async void ValidateRequestDeviceAsync_NewDeviceVerificationFeatureFlagFalse_SendsEmail_ReturnsTrue(
+        CustomValidatorRequestContext context,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        context.KnownDevice = false;
+        AddValidDeviceToRequest(request);
+        _globalSettings.DisableEmailNewDevice = false;
+        _deviceRepository.GetByIdentifierAsync(context.Device.Identifier, context.User.Id)
+            .Returns(null as Device);
+        _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification)
+            .Returns(false);
+        // set user creation to more than 10 minutes ago
+        context.User.CreationDate = DateTime.UtcNow - TimeSpan.FromMinutes(11);
+
+        // Act
+        var result = await _sut.ValidateRequestDeviceAsync(request, context);
+
+        // Assert
+        await _deviceService.Received(1).SaveAsync(context.Device);
+        await _mailService.Received(1).SendNewDeviceLoggedInEmail(
+            Arg.Any<string>(), Arg.Any<string>(), Arg.Any<DateTime>(), Arg.Any<string>());
+        Assert.True(result);
+    }
+
+    [Theory, BitAutoData]
+    public async void ValidateRequestDeviceAsync_NewDeviceVerificationFeatureFlagFalse_NewUser_DoesNotSendEmail_ReturnsTrue(
+    CustomValidatorRequestContext context,
+    [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        context.KnownDevice = false;
+        AddValidDeviceToRequest(request);
+        _globalSettings.DisableEmailNewDevice = false;
+        _deviceRepository.GetByIdentifierAsync(context.Device.Identifier, context.User.Id)
+            .Returns(null as Device);
+        _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification)
+            .Returns(false);
+        // set user creation to less than 10 minutes ago
+        context.User.CreationDate = DateTime.UtcNow - TimeSpan.FromMinutes(9);
+
+        // Act
+        var result = await _sut.ValidateRequestDeviceAsync(request, context);
+
+        // Assert
+        await _deviceService.Received(1).SaveAsync(context.Device);
+        await _mailService.Received(0).SendNewDeviceLoggedInEmail(
+            Arg.Any<string>(), Arg.Any<string>(), Arg.Any<DateTime>(), Arg.Any<string>());
+        Assert.True(result);
+    }
+
+    [Theory, BitAutoData]
+    public async void ValidateRequestDeviceAsync_NewDeviceVerificationFeatureFlagFalse_DisableEmailTrue_DoesNotSendEmail_ReturnsTrue(
+        CustomValidatorRequestContext context,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        context.KnownDevice = false;
+        AddValidDeviceToRequest(request);
+        _globalSettings.DisableEmailNewDevice = true;
+        _deviceRepository.GetByIdentifierAsync(context.Device.Identifier, context.User.Id)
+            .Returns(null as Device);
+        _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification)
+            .Returns(false);
+
+        // Act
+        var result = await _sut.ValidateRequestDeviceAsync(request, context);
+
+        // Assert
+        await _deviceService.Received(1).SaveAsync(context.Device);
+        await _mailService.Received(0).SendNewDeviceLoggedInEmail(
+            Arg.Any<string>(), Arg.Any<string>(), Arg.Any<DateTime>(), Arg.Any<string>());
+        Assert.True(result);
+    }
+
+    [Theory]
+    [BitAutoData("webauthn")]
+    [BitAutoData("refresh_token")]
+    [BitAutoData("authorization_code")]
+    [BitAutoData("client_credentials")]
+    public async void ValidateRequestDeviceAsync_GrantTypeNotPassword_SavesDevice_ReturnsTrue(
+        string grantType,
+        CustomValidatorRequestContext context,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        context.KnownDevice = false;
+        ArrangeForHandleNewDeviceVerificationTest(context, request);
+        AddValidDeviceToRequest(request);
+        _deviceRepository.GetByIdentifierAsync(context.Device.Identifier, context.User.Id)
+            .Returns(null as Device);
+        _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification)
+            .Returns(true);
+
+        request.GrantType = grantType;
+
+        // Act
+        var result = await _sut.ValidateRequestDeviceAsync(request, context);
+
+        // Assert
+        await _deviceService.Received(1).SaveAsync(context.Device);
+        Assert.True(result);
+    }
+
+    [Theory, BitAutoData]
+    public async void ValidateRequestDeviceAsync_IsAuthRequest_SavesDevice_ReturnsTrue(
+        CustomValidatorRequestContext context,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        context.KnownDevice = false;
+        ArrangeForHandleNewDeviceVerificationTest(context, request);
+        AddValidDeviceToRequest(request);
+        _deviceRepository.GetByIdentifierAsync(context.Device.Identifier, context.User.Id)
+            .Returns(null as Device);
+        _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification)
+            .Returns(true);
+
+        request.Raw.Add("AuthRequest", "authRequest");
+
+        // Act
+        var result = await _sut.ValidateRequestDeviceAsync(request, context);
+
+        // Assert
+        await _deviceService.Received(1).SaveAsync(context.Device);
+        Assert.True(result);
+    }
+
+    [Theory, BitAutoData]
+    public async void ValidateRequestDeviceAsync_TwoFactorRequired_SavesDevice_ReturnsTrue(
+        CustomValidatorRequestContext context,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        context.KnownDevice = false;
+        ArrangeForHandleNewDeviceVerificationTest(context, request);
+        AddValidDeviceToRequest(request);
+        _deviceRepository.GetByIdentifierAsync(context.Device.Identifier, context.User.Id)
+            .Returns(null as Device);
+        _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification)
+            .Returns(true);
+
+        context.TwoFactorRequired = true;
+
+        // Act
+        var result = await _sut.ValidateRequestDeviceAsync(request, context);
+
+        // Assert
+        await _deviceService.Received(1).SaveAsync(context.Device);
+        Assert.True(result);
+    }
+
+    [Theory, BitAutoData]
+    public async void ValidateRequestDeviceAsync_SsoRequired_SavesDevice_ReturnsTrue(
+        CustomValidatorRequestContext context,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        context.KnownDevice = false;
+        ArrangeForHandleNewDeviceVerificationTest(context, request);
+        AddValidDeviceToRequest(request);
+        _deviceRepository.GetByIdentifierAsync(context.Device.Identifier, context.User.Id)
+            .Returns(null as Device);
+        _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification)
+            .Returns(true);
+
+        context.SsoRequired = true;
+
+        // Act
+        var result = await _sut.ValidateRequestDeviceAsync(request, context);
+
+        // Assert
+        await _deviceService.Received(1).SaveAsync(context.Device);
+        Assert.True(result);
+    }
+
+    [Theory, BitAutoData]
+    public async void HandleNewDeviceVerificationAsync_UserNull_ContextModified_ReturnsInvalidUser(
+        CustomValidatorRequestContext context,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        ArrangeForHandleNewDeviceVerificationTest(context, request);
+        _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification).Returns(true);
+        _globalSettings.EnableNewDeviceVerification = true;
+
+        context.User = null;
+
+        // Act
+        var result = await _sut.ValidateRequestDeviceAsync(request, context);
+
+        // Assert
+        await _deviceService.Received(0).SaveAsync(Arg.Any<Device>());
+
+        Assert.False(result);
+        Assert.NotNull(context.CustomResponse["ErrorModel"]);
+        // PM-13340: The error message should be "invalid user" instead of "no device information provided"
+        var expectedErrorMessage = "no device information provided";
+        var actualResponse = (ErrorResponseModel)context.CustomResponse["ErrorModel"];
+        Assert.Equal(expectedErrorMessage, actualResponse.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async void HandleNewDeviceVerificationAsync_NewDeviceOtpValid_ReturnsSuccess(
+        CustomValidatorRequestContext context,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        ArrangeForHandleNewDeviceVerificationTest(context, request);
+        _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification).Returns(true);
+        _globalSettings.EnableNewDeviceVerification = true;
+
+        var newDeviceOtp = "123456";
+        request.Raw.Add("NewDeviceOtp", newDeviceOtp);
+
+        _userService.VerifyOTPAsync(context.User, newDeviceOtp).Returns(true);
+
+        // Act
+        var result = await _sut.ValidateRequestDeviceAsync(request, context);
+
+        // Assert
+        await _userService.Received(0).SendOTPAsync(context.User);
+        await _deviceService.Received(1).SaveAsync(context.Device);
+
+        Assert.True(result);
+        Assert.False(context.CustomResponse.ContainsKey("ErrorModel"));
+        Assert.Equal(context.User.Id, context.Device.UserId);
+        Assert.NotNull(context.Device);
+    }
+
+    [Theory]
+    [BitAutoData("")]
+    [BitAutoData("123456")]
+    public async void HandleNewDeviceVerificationAsync_NewDeviceOtpInvalid_ReturnsInvalidNewDeviceOtp(
+        string newDeviceOtp,
+        CustomValidatorRequestContext context,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        ArrangeForHandleNewDeviceVerificationTest(context, request);
+        _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification).Returns(true);
+        _globalSettings.EnableNewDeviceVerification = true;
+
+        request.Raw.Add("NewDeviceOtp", newDeviceOtp);
+
+        _userService.VerifyOTPAsync(context.User, newDeviceOtp).Returns(false);
+
+        // Act
+        var result = await _sut.ValidateRequestDeviceAsync(request, context);
+
+        // Assert
+        await _userService.DidNotReceive().SendOTPAsync(Arg.Any<User>());
+        await _deviceService.Received(0).SaveAsync(Arg.Any<Device>());
+
+        Assert.False(result);
+        Assert.NotNull(context.CustomResponse["ErrorModel"]);
+        var expectedErrorMessage = "invalid new device otp";
+        var actualResponse = (ErrorResponseModel)context.CustomResponse["ErrorModel"];
+        Assert.Equal(expectedErrorMessage, actualResponse.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async void HandleNewDeviceVerificationAsync_UserHasNoDevices_ReturnsSuccess(
+        CustomValidatorRequestContext context,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        ArrangeForHandleNewDeviceVerificationTest(context, request);
+        _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification).Returns(true);
+        _globalSettings.EnableNewDeviceVerification = true;
+        _deviceRepository.GetManyByUserIdAsync(context.User.Id).Returns([]);
+
+        // Act
+        var result = await _sut.ValidateRequestDeviceAsync(request, context);
+
+        // Assert
+        await _userService.Received(0).VerifyOTPAsync(Arg.Any<User>(), Arg.Any<string>());
+        await _userService.Received(0).SendOTPAsync(Arg.Any<User>());
+        await _deviceService.Received(1).SaveAsync(context.Device);
+
+        Assert.True(result);
+        Assert.False(context.CustomResponse.ContainsKey("ErrorModel"));
+        Assert.Equal(context.User.Id, context.Device.UserId);
+        Assert.NotNull(context.Device);
+    }
+
+    [Theory, BitAutoData]
+    public async void HandleNewDeviceVerificationAsync_NewDeviceOtpEmpty_UserHasDevices_ReturnsNewDeviceVerificationRequired(
+        CustomValidatorRequestContext context,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        ArrangeForHandleNewDeviceVerificationTest(context, request);
+        _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification).Returns(true);
+        _globalSettings.EnableNewDeviceVerification = true;
+        _deviceRepository.GetManyByUserIdAsync(context.User.Id).Returns([new Device()]);
+
+        // Act
+        var result = await _sut.ValidateRequestDeviceAsync(request, context);
+
+        // Assert
+        await _userService.Received(1).SendOTPAsync(context.User);
+        await _deviceService.Received(0).SaveAsync(Arg.Any<Device>());
+
+        Assert.False(result);
+        Assert.NotNull(context.CustomResponse["ErrorModel"]);
+        var expectedErrorMessage = "new device verification required";
+        var actualResponse = (ErrorResponseModel)context.CustomResponse["ErrorModel"];
+        Assert.Equal(expectedErrorMessage, actualResponse.Message);
+    }
+
+    [Theory, BitAutoData]
+    public void NewDeviceOtpRequest_NewDeviceOtpNull_ReturnsFalse(
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        // Autodata arranges
+
+        // Act
+        var result = DeviceValidator.NewDeviceOtpRequest(request);
+
+        // Assert
+        Assert.False(result);
+    }
+
+    [Theory, BitAutoData]
+    public void NewDeviceOtpRequest_NewDeviceOtpNotNull_ReturnsTrue(
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        request.Raw["NewDeviceOtp"] = "123456";
+
+        // Act
+        var result = DeviceValidator.NewDeviceOtpRequest(request);
 
         // Assert
         Assert.True(result);
     }
 
-    private ValidatedTokenRequest AddValidDeviceToRequest(ValidatedTokenRequest request)
+    private static void AddValidDeviceToRequest(ValidatedTokenRequest request)
     {
         request.Raw["DeviceIdentifier"] = "DeviceIdentifier";
-        request.Raw["DeviceType"] = "Android";
+        request.Raw["DeviceType"] = "Android"; // must be valid device type
         request.Raw["DeviceName"] = "DeviceName";
         request.Raw["DevicePushToken"] = "DevicePushToken";
-        return request;
+    }
+
+    /// <summary>
+    /// Configures the request context to facilitate testing the HandleNewDeviceVerificationAsync method.
+    /// </summary>
+    /// <param name="context">test context</param>
+    /// <param name="request">test request</param>
+    private static void ArrangeForHandleNewDeviceVerificationTest(
+        CustomValidatorRequestContext context,
+        ValidatedTokenRequest request)
+    {
+        context.KnownDevice = false;
+        request.GrantType = "password";
+        context.TwoFactorRequired = false;
+        context.SsoRequired = false;
     }
 }
diff --git a/test/Identity.Test/Wrappers/BaseRequestValidatorTestWrapper.cs b/test/Identity.Test/Wrappers/BaseRequestValidatorTestWrapper.cs
index f7cfd1d394..cbe091a44c 100644
--- a/test/Identity.Test/Wrappers/BaseRequestValidatorTestWrapper.cs
+++ b/test/Identity.Test/Wrappers/BaseRequestValidatorTestWrapper.cs
@@ -123,6 +123,11 @@ IBaseRequestValidatorTestWrapper
         Dictionary<string, object> customResponse)
     { }
 
+    protected override void SetValidationErrorResult(
+        BaseRequestValidationContextFake context,
+        CustomValidatorRequestContext requestContext)
+    { }
+
     protected override Task<bool> ValidateContextAsync(
         BaseRequestValidationContextFake context,
         CustomValidatorRequestContext validatorContext)

From 03dde0d008c87e1be3c563a418c547535be87d20 Mon Sep 17 00:00:00 2001
From: Brandon Treston <btreston@bitwarden.com>
Date: Thu, 12 Dec 2024 13:54:04 -0500
Subject: [PATCH 057/384] update copy for domain claimed by organization email
 (#5138)

---
 .../AdminConsole/DomainClaimedByOrganization.html.hbs        | 5 ++---
 .../AdminConsole/DomainClaimedByOrganization.text.hbs        | 5 ++---
 src/Core/Services/Implementations/HandlebarsMailService.cs   | 2 +-
 3 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.html.hbs b/src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.html.hbs
index 05ca170a50..ad2245e585 100644
--- a/src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.html.hbs
+++ b/src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.html.hbs
@@ -9,9 +9,8 @@
             <td style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 400; font-size: 16px; line-height: 24px; margin-top: 30px; margin-bottom: 25px; margin-left: 35px; margin-right: 35px;">
                 <b>Here's what that means:</b>
                 <ul>
-                    <li>This account should only be used to store items related to {{OrganizationName}}</li>
-                    <li>Admins managing your Bitwarden organization manage your email address and other account settings</li>
-                    <li>Admins can also revoke or delete your account at any time</li>
+                    <li>Your administrators can delete your account at any time</li>
+                    <li>You cannot leave the organization</li>
                 </ul>
             </td>
         </tr>
diff --git a/src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.text.hbs b/src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.text.hbs
index c0078d389d..b3041a21e9 100644
--- a/src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.text.hbs
+++ b/src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.text.hbs
@@ -1,8 +1,7 @@
 As a member of {{OrganizationName}}, your Bitwarden account is claimed and owned by your organization.
 
 Here's what that means:
-- This account should only be used to store items related to {{OrganizationName}}
-- Your admins managing your Bitwarden organization manages your email address and other account settings
-- Your admins can also revoke or delete your account at any time
+- Your administrators can delete your account at any time
+- You cannot leave the organization
 
 For more information, please refer to the following help article: Claimed Accounts (https://bitwarden.com/help/claimed-accounts)
diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs
index 22341111f3..deae80c056 100644
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@@ -472,7 +472,7 @@ public class HandlebarsMailService : IMailService
                 "AdminConsole.DomainClaimedByOrganization",
                 new ClaimedDomainUserNotificationViewModel
                 {
-                    TitleFirst = $"Hey {emailAddress}, here is a heads up on your claimed account:",
+                    TitleFirst = $"Hey {emailAddress}, your account is owned by {org.DisplayName()}",
                     OrganizationName = CoreHelpers.SanitizeForEmail(org.DisplayName(), false)
                 });
     }

From a332a69112c32c729732d9582d2afc2eb7030aea Mon Sep 17 00:00:00 2001
From: SmithThe4th <gsmith@bitwarden.com>
Date: Thu, 12 Dec 2024 14:27:31 -0500
Subject: [PATCH 058/384] [PM-14376] Add GET tasks endpoint (#5089)

* Added CQRS pattern

* Added the GetManyByUserIdAsync signature to the repositiory

* Added sql sproc

Created user defined type to hold status

Created migration file

* Added ef core query

* Added absract and concrete implementation for GetManyByUserIdStatusAsync

* Added integration tests

* Updated params to status

* Implemented new query to utilize repository method

* Added controller for the security task endpoint

* Fixed lint issues

* Added documentation

* simplified to require single status

modified script to check for users with edit rights

* Updated ef core query

* Added new assertions

* simplified to require single status

* fixed formatting

* Fixed sql script

* Removed default null

* Added security tasks feature flag
---
 .../Controllers/SecurityTaskController.cs     |  40 +++++++
 .../Response/SecurityTasksResponseModel.cs    |  30 +++++
 .../Queries/GetTaskDetailsForUserQuery.cs     |  13 +++
 .../Queries/IGetTaskDetailsForUserQuery.cs    |  15 +++
 .../Repositories/ISecurityTaskRepository.cs   |   9 +-
 .../Vault/VaultServiceCollectionExtensions.cs |   1 +
 .../Repositories/SecurityTaskRepository.cs    |  19 +++-
 .../SecurityTaskReadByUserIdStatusQuery.cs    |  90 +++++++++++++++
 .../Repositories/SecurityTaskRepository.cs    |  14 +++
 .../SecurityTask_ReadByUserIdStatus.sql       |  56 ++++++++++
 .../Comparers/SecurityTaskComparer.cs         |  22 ++++
 .../SecurityTaskRepositoryTests.cs            | 103 ++++++++++++++++++
 ...1-21_00_SecurityTaskReadByUserIdStatus.sql |  59 ++++++++++
 13 files changed, 469 insertions(+), 2 deletions(-)
 create mode 100644 src/Api/Vault/Controllers/SecurityTaskController.cs
 create mode 100644 src/Api/Vault/Models/Response/SecurityTasksResponseModel.cs
 create mode 100644 src/Core/Vault/Queries/GetTaskDetailsForUserQuery.cs
 create mode 100644 src/Core/Vault/Queries/IGetTaskDetailsForUserQuery.cs
 create mode 100644 src/Infrastructure.EntityFramework/Vault/Repositories/Queries/SecurityTaskReadByUserIdStatusQuery.cs
 create mode 100644 src/Sql/Vault/dbo/Stored Procedures/SecurityTask/SecurityTask_ReadByUserIdStatus.sql
 create mode 100644 test/Infrastructure.IntegrationTest/Comparers/SecurityTaskComparer.cs
 create mode 100644 util/Migrator/DbScripts/2024-11-21_00_SecurityTaskReadByUserIdStatus.sql

diff --git a/src/Api/Vault/Controllers/SecurityTaskController.cs b/src/Api/Vault/Controllers/SecurityTaskController.cs
new file mode 100644
index 0000000000..7b0bfa0bfb
--- /dev/null
+++ b/src/Api/Vault/Controllers/SecurityTaskController.cs
@@ -0,0 +1,40 @@
+using Bit.Api.Models.Response;
+using Bit.Api.Vault.Models.Response;
+using Bit.Core;
+using Bit.Core.Services;
+using Bit.Core.Utilities;
+using Bit.Core.Vault.Enums;
+using Bit.Core.Vault.Queries;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.Vault.Controllers;
+
+[Route("tasks")]
+[Authorize("Application")]
+[RequireFeature(FeatureFlagKeys.SecurityTasks)]
+public class SecurityTaskController : Controller
+{
+    private readonly IUserService _userService;
+    private readonly IGetTaskDetailsForUserQuery _getTaskDetailsForUserQuery;
+
+    public SecurityTaskController(IUserService userService, IGetTaskDetailsForUserQuery getTaskDetailsForUserQuery)
+    {
+        _userService = userService;
+        _getTaskDetailsForUserQuery = getTaskDetailsForUserQuery;
+    }
+
+    /// <summary>
+    /// Retrieves security tasks for the current user.
+    /// </summary>
+    /// <param name="status">Optional filter for task status. If not provided returns tasks of all statuses.</param>
+    /// <returns>A list response model containing the security tasks for the user.</returns>
+    [HttpGet("")]
+    public async Task<ListResponseModel<SecurityTasksResponseModel>> Get([FromQuery] SecurityTaskStatus? status)
+    {
+        var userId = _userService.GetProperUserId(User).Value;
+        var securityTasks = await _getTaskDetailsForUserQuery.GetTaskDetailsForUserAsync(userId, status);
+        var response = securityTasks.Select(x => new SecurityTasksResponseModel(x)).ToList();
+        return new ListResponseModel<SecurityTasksResponseModel>(response);
+    }
+}
diff --git a/src/Api/Vault/Models/Response/SecurityTasksResponseModel.cs b/src/Api/Vault/Models/Response/SecurityTasksResponseModel.cs
new file mode 100644
index 0000000000..c41c54b983
--- /dev/null
+++ b/src/Api/Vault/Models/Response/SecurityTasksResponseModel.cs
@@ -0,0 +1,30 @@
+using Bit.Core.Models.Api;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Enums;
+
+namespace Bit.Api.Vault.Models.Response;
+
+public class SecurityTasksResponseModel : ResponseModel
+{
+    public SecurityTasksResponseModel(SecurityTask securityTask, string obj = "securityTask")
+        : base(obj)
+    {
+        ArgumentNullException.ThrowIfNull(securityTask);
+
+        Id = securityTask.Id;
+        OrganizationId = securityTask.OrganizationId;
+        CipherId = securityTask.CipherId;
+        Type = securityTask.Type;
+        Status = securityTask.Status;
+        CreationDate = securityTask.CreationDate;
+        RevisionDate = securityTask.RevisionDate;
+    }
+
+    public Guid Id { get; set; }
+    public Guid OrganizationId { get; set; }
+    public Guid? CipherId { get; set; }
+    public SecurityTaskType Type { get; set; }
+    public SecurityTaskStatus Status { get; set; }
+    public DateTime CreationDate { get; set; }
+    public DateTime RevisionDate { get; set; }
+}
diff --git a/src/Core/Vault/Queries/GetTaskDetailsForUserQuery.cs b/src/Core/Vault/Queries/GetTaskDetailsForUserQuery.cs
new file mode 100644
index 0000000000..976f8fb0ca
--- /dev/null
+++ b/src/Core/Vault/Queries/GetTaskDetailsForUserQuery.cs
@@ -0,0 +1,13 @@
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Enums;
+using Bit.Core.Vault.Repositories;
+
+namespace Bit.Core.Vault.Queries;
+
+public class GetTaskDetailsForUserQuery(ISecurityTaskRepository securityTaskRepository) : IGetTaskDetailsForUserQuery
+{
+    /// <inheritdoc />
+    public async Task<IEnumerable<SecurityTask>> GetTaskDetailsForUserAsync(Guid userId,
+        SecurityTaskStatus? status = null)
+        => await securityTaskRepository.GetManyByUserIdStatusAsync(userId, status);
+}
diff --git a/src/Core/Vault/Queries/IGetTaskDetailsForUserQuery.cs b/src/Core/Vault/Queries/IGetTaskDetailsForUserQuery.cs
new file mode 100644
index 0000000000..14733c3188
--- /dev/null
+++ b/src/Core/Vault/Queries/IGetTaskDetailsForUserQuery.cs
@@ -0,0 +1,15 @@
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Enums;
+
+namespace Bit.Core.Vault.Queries;
+
+public interface IGetTaskDetailsForUserQuery
+{
+    /// <summary>
+    /// Retrieves security tasks for a user based on their organization and cipher access permissions.
+    /// </summary>
+    /// <param name="userId">The Id of the user retrieving tasks</param>
+    /// <param name="status">Optional filter for task status. If not provided, returns tasks of all statuses</param>
+    /// <returns>A collection of security tasks</returns>
+    Task<IEnumerable<SecurityTask>> GetTaskDetailsForUserAsync(Guid userId, SecurityTaskStatus? status = null);
+}
diff --git a/src/Core/Vault/Repositories/ISecurityTaskRepository.cs b/src/Core/Vault/Repositories/ISecurityTaskRepository.cs
index f2262f207a..34f1f2ee64 100644
--- a/src/Core/Vault/Repositories/ISecurityTaskRepository.cs
+++ b/src/Core/Vault/Repositories/ISecurityTaskRepository.cs
@@ -1,9 +1,16 @@
 using Bit.Core.Repositories;
 using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Enums;
 
 namespace Bit.Core.Vault.Repositories;
 
 public interface ISecurityTaskRepository : IRepository<SecurityTask, Guid>
 {
-
+    /// <summary>
+    /// Retrieves security tasks for a user based on their organization and cipher access permissions.
+    /// </summary>
+    /// <param name="userId">The Id of the user retrieving tasks</param>
+    /// <param name="status">Optional filter for task status. If not provided, returns tasks of all statuses</param>
+    /// <returns></returns>
+    Task<ICollection<SecurityTask>> GetManyByUserIdStatusAsync(Guid userId, SecurityTaskStatus? status = null);
 }
diff --git a/src/Core/Vault/VaultServiceCollectionExtensions.cs b/src/Core/Vault/VaultServiceCollectionExtensions.cs
index 5296f47e3e..d3c9dd9648 100644
--- a/src/Core/Vault/VaultServiceCollectionExtensions.cs
+++ b/src/Core/Vault/VaultServiceCollectionExtensions.cs
@@ -15,5 +15,6 @@ public static class VaultServiceCollectionExtensions
     private static void AddVaultQueries(this IServiceCollection services)
     {
         services.AddScoped<IOrganizationCiphersQuery, OrganizationCiphersQuery>();
+        services.AddScoped<IGetTaskDetailsForUserQuery, GetTaskDetailsForUserQuery>();
     }
 }
diff --git a/src/Infrastructure.Dapper/Vault/Repositories/SecurityTaskRepository.cs b/src/Infrastructure.Dapper/Vault/Repositories/SecurityTaskRepository.cs
index 1674b965f0..dfe8a04814 100644
--- a/src/Infrastructure.Dapper/Vault/Repositories/SecurityTaskRepository.cs
+++ b/src/Infrastructure.Dapper/Vault/Repositories/SecurityTaskRepository.cs
@@ -1,7 +1,11 @@
-using Bit.Core.Settings;
+using System.Data;
+using Bit.Core.Settings;
 using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Enums;
 using Bit.Core.Vault.Repositories;
 using Bit.Infrastructure.Dapper.Repositories;
+using Dapper;
+using Microsoft.Data.SqlClient;
 
 namespace Bit.Infrastructure.Dapper.Vault.Repositories;
 
@@ -15,4 +19,17 @@ public class SecurityTaskRepository : Repository<SecurityTask, Guid>, ISecurityT
         : base(connectionString, readOnlyConnectionString)
     { }
 
+    /// <inheritdoc />
+    public async Task<ICollection<SecurityTask>> GetManyByUserIdStatusAsync(Guid userId,
+        SecurityTaskStatus? status = null)
+    {
+        await using var connection = new SqlConnection(ConnectionString);
+
+        var results = await connection.QueryAsync<SecurityTask>(
+            $"[{Schema}].[SecurityTask_ReadByUserIdStatus]",
+            new { UserId = userId, Status = status },
+            commandType: CommandType.StoredProcedure);
+
+        return results.ToList();
+    }
 }
diff --git a/src/Infrastructure.EntityFramework/Vault/Repositories/Queries/SecurityTaskReadByUserIdStatusQuery.cs b/src/Infrastructure.EntityFramework/Vault/Repositories/Queries/SecurityTaskReadByUserIdStatusQuery.cs
new file mode 100644
index 0000000000..73f4249542
--- /dev/null
+++ b/src/Infrastructure.EntityFramework/Vault/Repositories/Queries/SecurityTaskReadByUserIdStatusQuery.cs
@@ -0,0 +1,90 @@
+using Bit.Core.Enums;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Enums;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Bit.Infrastructure.EntityFramework.Repositories.Queries;
+
+namespace Bit.Infrastructure.EntityFramework.Vault.Repositories.Queries;
+
+public class SecurityTaskReadByUserIdStatusQuery : IQuery<SecurityTask>
+{
+    private readonly Guid _userId;
+    private readonly SecurityTaskStatus? _status;
+
+    public SecurityTaskReadByUserIdStatusQuery(Guid userId, SecurityTaskStatus? status)
+    {
+        _userId = userId;
+        _status = status;
+    }
+
+    public IQueryable<SecurityTask> Run(DatabaseContext dbContext)
+    {
+        var query = from st in dbContext.SecurityTasks
+
+                    join ou in dbContext.OrganizationUsers
+                        on st.OrganizationId equals ou.OrganizationId
+
+                    join o in dbContext.Organizations
+                        on st.OrganizationId equals o.Id
+
+                    join c in dbContext.Ciphers
+                        on st.CipherId equals c.Id into c_g
+                    from c in c_g.DefaultIfEmpty()
+
+                    join cc in dbContext.CollectionCiphers
+                        on c.Id equals cc.CipherId into cc_g
+                    from cc in cc_g.DefaultIfEmpty()
+
+                    join cu in dbContext.CollectionUsers
+                        on new { cc.CollectionId, OrganizationUserId = ou.Id } equals
+                        new { cu.CollectionId, cu.OrganizationUserId } into cu_g
+                    from cu in cu_g.DefaultIfEmpty()
+
+                    join gu in dbContext.GroupUsers
+                        on new { CollectionId = (Guid?)cu.CollectionId, OrganizationUserId = ou.Id } equals
+                        new { CollectionId = (Guid?)null, gu.OrganizationUserId } into gu_g
+                    from gu in gu_g.DefaultIfEmpty()
+
+                    join cg in dbContext.CollectionGroups
+                        on new { cc.CollectionId, gu.GroupId } equals
+                        new { cg.CollectionId, cg.GroupId } into cg_g
+                    from cg in cg_g.DefaultIfEmpty()
+
+                    where
+                        ou.UserId == _userId &&
+                        ou.Status == OrganizationUserStatusType.Confirmed &&
+                        o.Enabled &&
+                        (
+                            st.CipherId == null ||
+                            (
+                                c != null &&
+                                (
+                                    (cu != null && !cu.ReadOnly) || (cg != null && !cg.ReadOnly && cu == null)
+                                )
+                            )
+                        ) &&
+                        (_status == null || st.Status == _status)
+                    group st by new
+                    {
+                        st.Id,
+                        st.OrganizationId,
+                        st.CipherId,
+                        st.Type,
+                        st.Status,
+                        st.CreationDate,
+                        st.RevisionDate
+                    } into g
+                    select new SecurityTask
+                    {
+                        Id = g.Key.Id,
+                        OrganizationId = g.Key.OrganizationId,
+                        CipherId = g.Key.CipherId,
+                        Type = g.Key.Type,
+                        Status = g.Key.Status,
+                        CreationDate = g.Key.CreationDate,
+                        RevisionDate = g.Key.RevisionDate
+                    };
+
+        return query.OrderByDescending(st => st.CreationDate);
+    }
+}
diff --git a/src/Infrastructure.EntityFramework/Vault/Repositories/SecurityTaskRepository.cs b/src/Infrastructure.EntityFramework/Vault/Repositories/SecurityTaskRepository.cs
index 82c06bcc6b..bd56df1bcf 100644
--- a/src/Infrastructure.EntityFramework/Vault/Repositories/SecurityTaskRepository.cs
+++ b/src/Infrastructure.EntityFramework/Vault/Repositories/SecurityTaskRepository.cs
@@ -1,7 +1,10 @@
 using AutoMapper;
+using Bit.Core.Vault.Enums;
 using Bit.Core.Vault.Repositories;
 using Bit.Infrastructure.EntityFramework.Repositories;
 using Bit.Infrastructure.EntityFramework.Vault.Models;
+using Bit.Infrastructure.EntityFramework.Vault.Repositories.Queries;
+using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.DependencyInjection;
 
 namespace Bit.Infrastructure.EntityFramework.Vault.Repositories;
@@ -11,4 +14,15 @@ public class SecurityTaskRepository : Repository<Core.Vault.Entities.SecurityTas
     public SecurityTaskRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper)
         : base(serviceScopeFactory, mapper, (context) => context.SecurityTasks)
     { }
+
+    /// <inheritdoc />
+    public async Task<ICollection<Core.Vault.Entities.SecurityTask>> GetManyByUserIdStatusAsync(Guid userId,
+        SecurityTaskStatus? status = null)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var query = new SecurityTaskReadByUserIdStatusQuery(userId, status);
+        var data = await query.Run(dbContext).ToListAsync();
+        return data;
+    }
 }
diff --git a/src/Sql/Vault/dbo/Stored Procedures/SecurityTask/SecurityTask_ReadByUserIdStatus.sql b/src/Sql/Vault/dbo/Stored Procedures/SecurityTask/SecurityTask_ReadByUserIdStatus.sql
new file mode 100644
index 0000000000..2a4ecdb4c1
--- /dev/null
+++ b/src/Sql/Vault/dbo/Stored Procedures/SecurityTask/SecurityTask_ReadByUserIdStatus.sql	
@@ -0,0 +1,56 @@
+CREATE PROCEDURE [dbo].[SecurityTask_ReadByUserIdStatus]
+    @UserId UNIQUEIDENTIFIER,
+    @Status TINYINT = NULL
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        ST.Id,
+        ST.OrganizationId,
+        ST.CipherId,
+        ST.Type,
+        ST.Status,
+        ST.CreationDate,
+        ST.RevisionDate
+    FROM
+        [dbo].[SecurityTaskView] ST
+    INNER JOIN
+        [dbo].[OrganizationUserView] OU ON OU.[OrganizationId] = ST.[OrganizationId]
+    INNER JOIN
+        [dbo].[Organization] O ON O.[Id] = ST.[OrganizationId]
+    LEFT JOIN
+        [dbo].[CipherView] C ON C.[Id] = ST.[CipherId]
+    LEFT JOIN
+        [dbo].[CollectionCipher] CC ON CC.[CipherId] = C.[Id] AND C.[Id] IS NOT NULL
+    LEFT JOIN
+        [dbo].[CollectionUser] CU ON CU.[CollectionId] = CC.[CollectionId] AND CU.[OrganizationUserId] = OU.[Id] AND C.[Id] IS NOT NULL
+    LEFT JOIN
+        [dbo].[GroupUser] GU ON GU.[OrganizationUserId] = OU.[Id] AND CU.[CollectionId] IS NULL AND C.[Id] IS NOT NULL
+    LEFT JOIN
+        [dbo].[CollectionGroup] CG ON CG.[GroupId] = GU.[GroupId] AND CG.[CollectionId] = CC.[CollectionId]
+    WHERE
+        OU.[UserId] = @UserId
+        AND OU.[Status] = 2 -- Ensure user is confirmed
+        AND O.[Enabled] = 1
+        AND (
+            ST.[CipherId] IS NULL
+            OR (
+                C.[Id] IS NOT NULL
+                AND (
+                    CU.[ReadOnly] = 0
+                    OR CG.[ReadOnly] = 0
+                )
+            )
+        )
+        AND ST.[Status] = COALESCE(@Status, ST.[Status])
+    GROUP BY
+        ST.Id,
+        ST.OrganizationId,
+        ST.CipherId,
+        ST.Type,
+        ST.Status,
+        ST.CreationDate,
+        ST.RevisionDate
+    ORDER BY ST.[CreationDate] DESC
+END
diff --git a/test/Infrastructure.IntegrationTest/Comparers/SecurityTaskComparer.cs b/test/Infrastructure.IntegrationTest/Comparers/SecurityTaskComparer.cs
new file mode 100644
index 0000000000..847896d3a0
--- /dev/null
+++ b/test/Infrastructure.IntegrationTest/Comparers/SecurityTaskComparer.cs
@@ -0,0 +1,22 @@
+using System.Diagnostics.CodeAnalysis;
+using Bit.Core.Vault.Entities;
+
+namespace Bit.Infrastructure.IntegrationTest.Comparers;
+
+/// <summary>
+/// Determines the equality of two SecurityTask objects.
+/// </summary>
+public class SecurityTaskComparer : IEqualityComparer<SecurityTask>
+{
+    public bool Equals(SecurityTask x, SecurityTask y)
+    {
+        return x.Id.Equals(y.Id) &&
+               x.Type.Equals(y.Type) &&
+               x.Status.Equals(y.Status);
+    }
+
+    public int GetHashCode([DisallowNull] SecurityTask obj)
+    {
+        return base.GetHashCode();
+    }
+}
diff --git a/test/Infrastructure.IntegrationTest/Vault/Repositories/SecurityTaskRepositoryTests.cs b/test/Infrastructure.IntegrationTest/Vault/Repositories/SecurityTaskRepositoryTests.cs
index 79cc1d2bc9..2010c90a5e 100644
--- a/test/Infrastructure.IntegrationTest/Vault/Repositories/SecurityTaskRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/Vault/Repositories/SecurityTaskRepositoryTests.cs
@@ -1,9 +1,13 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data;
 using Bit.Core.Repositories;
 using Bit.Core.Vault.Entities;
 using Bit.Core.Vault.Enums;
 using Bit.Core.Vault.Repositories;
+using Bit.Infrastructure.IntegrationTest.Comparers;
 using Xunit;
 
 namespace Bit.Infrastructure.IntegrationTest.Vault.Repositories;
@@ -120,4 +124,103 @@ public class SecurityTaskRepositoryTests
         Assert.Equal(task.Id, updatedTask.Id);
         Assert.Equal(SecurityTaskStatus.Completed, updatedTask.Status);
     }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetManyByUserIdAsync_ReturnsExpectedTasks(
+        IUserRepository userRepository,
+        IOrganizationRepository organizationRepository,
+        ICipherRepository cipherRepository,
+        ISecurityTaskRepository securityTaskRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        ICollectionRepository collectionRepository)
+    {
+        var user = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User",
+            Email = $"test+{Guid.NewGuid()}@email.com",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+        });
+
+        var organization = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = "Test Org",
+            PlanType = PlanType.EnterpriseAnnually,
+            Plan = "Test Plan",
+            BillingEmail = "billing@email.com"
+        });
+
+        var orgUser = await organizationUserRepository.CreateAsync(new OrganizationUser
+        {
+            OrganizationId = organization.Id,
+            UserId = user.Id,
+            Status = OrganizationUserStatusType.Confirmed
+        });
+
+        var collection = await collectionRepository.CreateAsync(new Collection
+        {
+            OrganizationId = organization.Id,
+            Name = "Test Collection 1",
+        });
+
+        var collection2 = await collectionRepository.CreateAsync(new Collection
+        {
+            OrganizationId = organization.Id,
+            Name = "Test Collection 2",
+        });
+
+        var cipher1 = new Cipher { Type = CipherType.Login, OrganizationId = organization.Id, Data = "", };
+        await cipherRepository.CreateAsync(cipher1, [collection.Id, collection2.Id]);
+
+        var cipher2 = new Cipher { Type = CipherType.Login, OrganizationId = organization.Id, Data = "", };
+        await cipherRepository.CreateAsync(cipher2, [collection.Id]);
+
+        var task1 = await securityTaskRepository.CreateAsync(new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = cipher1.Id,
+            Status = SecurityTaskStatus.Pending,
+            Type = SecurityTaskType.UpdateAtRiskCredential,
+        });
+
+        var task2 = await securityTaskRepository.CreateAsync(new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = cipher2.Id,
+            Status = SecurityTaskStatus.Completed,
+            Type = SecurityTaskType.UpdateAtRiskCredential,
+        });
+
+        var task3 = await securityTaskRepository.CreateAsync(new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = cipher2.Id,
+            Status = SecurityTaskStatus.Pending,
+            Type = SecurityTaskType.UpdateAtRiskCredential,
+        });
+
+        await collectionRepository.UpdateUsersAsync(collection.Id,
+            new List<CollectionAccessSelection>
+            {
+                new() {Id = orgUser.Id, ReadOnly = false, HidePasswords = false, Manage = true}
+            });
+
+        var allTasks = await securityTaskRepository.GetManyByUserIdStatusAsync(user.Id);
+        Assert.Equal(3, allTasks.Count);
+        Assert.Contains(task1, allTasks, new SecurityTaskComparer());
+        Assert.Contains(task2, allTasks, new SecurityTaskComparer());
+        Assert.Contains(task3, allTasks, new SecurityTaskComparer());
+
+        var pendingTasks = await securityTaskRepository.GetManyByUserIdStatusAsync(user.Id, SecurityTaskStatus.Pending);
+        Assert.Equal(2, pendingTasks.Count);
+        Assert.Contains(task1, pendingTasks, new SecurityTaskComparer());
+        Assert.Contains(task3, pendingTasks, new SecurityTaskComparer());
+        Assert.DoesNotContain(task2, pendingTasks, new SecurityTaskComparer());
+
+        var completedTasks = await securityTaskRepository.GetManyByUserIdStatusAsync(user.Id, SecurityTaskStatus.Completed);
+        Assert.Single(completedTasks);
+        Assert.Contains(task2, completedTasks, new SecurityTaskComparer());
+        Assert.DoesNotContain(task1, completedTasks, new SecurityTaskComparer());
+        Assert.DoesNotContain(task3, completedTasks, new SecurityTaskComparer());
+    }
 }
diff --git a/util/Migrator/DbScripts/2024-11-21_00_SecurityTaskReadByUserIdStatus.sql b/util/Migrator/DbScripts/2024-11-21_00_SecurityTaskReadByUserIdStatus.sql
new file mode 100644
index 0000000000..a5760227cb
--- /dev/null
+++ b/util/Migrator/DbScripts/2024-11-21_00_SecurityTaskReadByUserIdStatus.sql
@@ -0,0 +1,59 @@
+-- Security Task Read By UserId Status
+-- Stored Procedure: ReadByUserIdStatus
+CREATE OR ALTER PROCEDURE [dbo].[SecurityTask_ReadByUserIdStatus]
+    @UserId UNIQUEIDENTIFIER,
+    @Status TINYINT = NULL
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        ST.Id,
+        ST.OrganizationId,
+        ST.CipherId,
+        ST.Type,
+        ST.Status,
+        ST.CreationDate,
+        ST.RevisionDate
+    FROM
+        [dbo].[SecurityTaskView] ST
+    INNER JOIN
+        [dbo].[OrganizationUserView] OU ON OU.[OrganizationId] = ST.[OrganizationId]
+    INNER JOIN
+        [dbo].[Organization] O ON O.[Id] = ST.[OrganizationId]
+    LEFT JOIN
+        [dbo].[CipherView] C ON C.[Id] = ST.[CipherId]
+    LEFT JOIN
+        [dbo].[CollectionCipher] CC ON CC.[CipherId] = C.[Id] AND C.[Id] IS NOT NULL
+    LEFT JOIN
+        [dbo].[CollectionUser] CU ON CU.[CollectionId] = CC.[CollectionId] AND CU.[OrganizationUserId] = OU.[Id] AND C.[Id] IS NOT NULL
+    LEFT JOIN
+        [dbo].[GroupUser] GU ON GU.[OrganizationUserId] = OU.[Id] AND CU.[CollectionId] IS NULL AND C.[Id] IS NOT NULL
+    LEFT JOIN
+        [dbo].[CollectionGroup] CG ON CG.[GroupId] = GU.[GroupId] AND CG.[CollectionId] = CC.[CollectionId]
+    WHERE
+        OU.[UserId] = @UserId
+        AND OU.[Status] = 2 -- Ensure user is confirmed
+        AND O.[Enabled] = 1
+        AND (
+            ST.[CipherId] IS NULL
+            OR (
+                C.[Id] IS NOT NULL
+                AND (
+                    CU.[ReadOnly] = 0
+                    OR CG.[ReadOnly] = 0
+                )
+            )
+        )
+        AND ST.[Status] = COALESCE(@Status, ST.[Status])
+    GROUP BY
+        ST.Id,
+        ST.OrganizationId,
+        ST.CipherId,
+        ST.Type,
+        ST.Status,
+        ST.CreationDate,
+        ST.RevisionDate
+    ORDER BY ST.[CreationDate] DESC
+END
+GO

From a3174cffd4555b8ed743ba014ccd7b3822a4199a Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 12 Dec 2024 11:52:28 -0800
Subject: [PATCH 059/384] [deps] Auth: Update webpack to v5.97.1 (#5018)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 bitwarden_license/src/Sso/package-lock.json | 214 +++++++++++---------
 bitwarden_license/src/Sso/package.json      |   2 +-
 src/Admin/package-lock.json                 | 214 +++++++++++---------
 src/Admin/package.json                      |   2 +-
 4 files changed, 228 insertions(+), 204 deletions(-)

diff --git a/bitwarden_license/src/Sso/package-lock.json b/bitwarden_license/src/Sso/package-lock.json
index f9f0a90e94..cb95485b88 100644
--- a/bitwarden_license/src/Sso/package-lock.json
+++ b/bitwarden_license/src/Sso/package-lock.json
@@ -19,7 +19,7 @@
         "mini-css-extract-plugin": "2.9.1",
         "sass": "1.79.5",
         "sass-loader": "16.0.2",
-        "webpack": "5.95.0",
+        "webpack": "5.97.1",
         "webpack-cli": "5.1.4"
       }
     },
@@ -394,6 +394,28 @@
         "url": "https://opencollective.com/popperjs"
       }
     },
+    "node_modules/@types/eslint": {
+      "version": "9.6.1",
+      "resolved": "https://registry.npmjs.org/@types/eslint/-/eslint-9.6.1.tgz",
+      "integrity": "sha512-FXx2pKgId/WyYo2jXw63kk7/+TY7u7AziEJxJAnSFzHlqTAS3Ync6SvgYAN/k4/PQpnnVuzoMuVnByKK2qp0ag==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/estree": "*",
+        "@types/json-schema": "*"
+      }
+    },
+    "node_modules/@types/eslint-scope": {
+      "version": "3.7.7",
+      "resolved": "https://registry.npmjs.org/@types/eslint-scope/-/eslint-scope-3.7.7.tgz",
+      "integrity": "sha512-MzMFlSLBqNF2gcHWO0G1vP/YQyfvrxZ0bF+u7mzUdZ1/xK4A4sru+nraZz5i3iEIk1l1uyicaDVTB4QbbEkAYg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/eslint": "*",
+        "@types/estree": "*"
+      }
+    },
     "node_modules/@types/estree": {
       "version": "1.0.6",
       "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.6.tgz",
@@ -419,73 +441,73 @@
       }
     },
     "node_modules/@webassemblyjs/ast": {
-      "version": "1.12.1",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/ast/-/ast-1.12.1.tgz",
-      "integrity": "sha512-EKfMUOPRRUTy5UII4qJDGPpqfwjOmZ5jeGFwid9mnoqIFK+e0vqoi1qH56JpmZSzEL53jKnNzScdmftJyG5xWg==",
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/ast/-/ast-1.14.1.tgz",
+      "integrity": "sha512-nuBEDgQfm1ccRp/8bCQrx1frohyufl4JlbMMZ4P1wpeOfDhF6FQkxZJ1b/e+PLwr6X1Nhw6OLme5usuBWYBvuQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@webassemblyjs/helper-numbers": "1.11.6",
-        "@webassemblyjs/helper-wasm-bytecode": "1.11.6"
+        "@webassemblyjs/helper-numbers": "1.13.2",
+        "@webassemblyjs/helper-wasm-bytecode": "1.13.2"
       }
     },
     "node_modules/@webassemblyjs/floating-point-hex-parser": {
-      "version": "1.11.6",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/floating-point-hex-parser/-/floating-point-hex-parser-1.11.6.tgz",
-      "integrity": "sha512-ejAj9hfRJ2XMsNHk/v6Fu2dGS+i4UaXBXGemOfQ/JfQ6mdQg/WXtwleQRLLS4OvfDhv8rYnVwH27YJLMyYsxhw==",
+      "version": "1.13.2",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/floating-point-hex-parser/-/floating-point-hex-parser-1.13.2.tgz",
+      "integrity": "sha512-6oXyTOzbKxGH4steLbLNOu71Oj+C8Lg34n6CqRvqfS2O71BxY6ByfMDRhBytzknj9yGUPVJ1qIKhRlAwO1AovA==",
       "dev": true,
       "license": "MIT"
     },
     "node_modules/@webassemblyjs/helper-api-error": {
-      "version": "1.11.6",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-api-error/-/helper-api-error-1.11.6.tgz",
-      "integrity": "sha512-o0YkoP4pVu4rN8aTJgAyj9hC2Sv5UlkzCHhxqWj8butaLvnpdc2jOwh4ewE6CX0txSfLn/UYaV/pheS2Txg//Q==",
+      "version": "1.13.2",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-api-error/-/helper-api-error-1.13.2.tgz",
+      "integrity": "sha512-U56GMYxy4ZQCbDZd6JuvvNV/WFildOjsaWD3Tzzvmw/mas3cXzRJPMjP83JqEsgSbyrmaGjBfDtV7KDXV9UzFQ==",
       "dev": true,
       "license": "MIT"
     },
     "node_modules/@webassemblyjs/helper-buffer": {
-      "version": "1.12.1",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-buffer/-/helper-buffer-1.12.1.tgz",
-      "integrity": "sha512-nzJwQw99DNDKr9BVCOZcLuJJUlqkJh+kVzVl6Fmq/tI5ZtEyWT1KZMyOXltXLZJmDtvLCDgwsyrkohEtopTXCw==",
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-buffer/-/helper-buffer-1.14.1.tgz",
+      "integrity": "sha512-jyH7wtcHiKssDtFPRB+iQdxlDf96m0E39yb0k5uJVhFGleZFoNw1c4aeIcVUPPbXUVJ94wwnMOAqUHyzoEPVMA==",
       "dev": true,
       "license": "MIT"
     },
     "node_modules/@webassemblyjs/helper-numbers": {
-      "version": "1.11.6",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-numbers/-/helper-numbers-1.11.6.tgz",
-      "integrity": "sha512-vUIhZ8LZoIWHBohiEObxVm6hwP034jwmc9kuq5GdHZH0wiLVLIPcMCdpJzG4C11cHoQ25TFIQj9kaVADVX7N3g==",
+      "version": "1.13.2",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-numbers/-/helper-numbers-1.13.2.tgz",
+      "integrity": "sha512-FE8aCmS5Q6eQYcV3gI35O4J789wlQA+7JrqTTpJqn5emA4U2hvwJmvFRC0HODS+3Ye6WioDklgd6scJ3+PLnEA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@webassemblyjs/floating-point-hex-parser": "1.11.6",
-        "@webassemblyjs/helper-api-error": "1.11.6",
+        "@webassemblyjs/floating-point-hex-parser": "1.13.2",
+        "@webassemblyjs/helper-api-error": "1.13.2",
         "@xtuc/long": "4.2.2"
       }
     },
     "node_modules/@webassemblyjs/helper-wasm-bytecode": {
-      "version": "1.11.6",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-wasm-bytecode/-/helper-wasm-bytecode-1.11.6.tgz",
-      "integrity": "sha512-sFFHKwcmBprO9e7Icf0+gddyWYDViL8bpPjJJl0WHxCdETktXdmtWLGVzoHbqUcY4Be1LkNfwTmXOJUFZYSJdA==",
+      "version": "1.13.2",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-wasm-bytecode/-/helper-wasm-bytecode-1.13.2.tgz",
+      "integrity": "sha512-3QbLKy93F0EAIXLh0ogEVR6rOubA9AoZ+WRYhNbFyuB70j3dRdwH9g+qXhLAO0kiYGlg3TxDV+I4rQTr/YNXkA==",
       "dev": true,
       "license": "MIT"
     },
     "node_modules/@webassemblyjs/helper-wasm-section": {
-      "version": "1.12.1",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-wasm-section/-/helper-wasm-section-1.12.1.tgz",
-      "integrity": "sha512-Jif4vfB6FJlUlSbgEMHUyk1j234GTNG9dBJ4XJdOySoj518Xj0oGsNi59cUQF4RRMS9ouBUxDDdyBVfPTypa5g==",
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-wasm-section/-/helper-wasm-section-1.14.1.tgz",
+      "integrity": "sha512-ds5mXEqTJ6oxRoqjhWDU83OgzAYjwsCV8Lo/N+oRsNDmx/ZDpqalmrtgOMkHwxsG0iI//3BwWAErYRHtgn0dZw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@webassemblyjs/ast": "1.12.1",
-        "@webassemblyjs/helper-buffer": "1.12.1",
-        "@webassemblyjs/helper-wasm-bytecode": "1.11.6",
-        "@webassemblyjs/wasm-gen": "1.12.1"
+        "@webassemblyjs/ast": "1.14.1",
+        "@webassemblyjs/helper-buffer": "1.14.1",
+        "@webassemblyjs/helper-wasm-bytecode": "1.13.2",
+        "@webassemblyjs/wasm-gen": "1.14.1"
       }
     },
     "node_modules/@webassemblyjs/ieee754": {
-      "version": "1.11.6",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/ieee754/-/ieee754-1.11.6.tgz",
-      "integrity": "sha512-LM4p2csPNvbij6U1f19v6WR56QZ8JcHg3QIJTlSwzFcmx6WSORicYj6I63f9yU1kEUtrpG+kjkiIAkevHpDXrg==",
+      "version": "1.13.2",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/ieee754/-/ieee754-1.13.2.tgz",
+      "integrity": "sha512-4LtOzh58S/5lX4ITKxnAK2USuNEvpdVV9AlgGQb8rJDHaLeHciwG4zlGr0j/SNWlr7x3vO1lDEsuePvtcDNCkw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -493,9 +515,9 @@
       }
     },
     "node_modules/@webassemblyjs/leb128": {
-      "version": "1.11.6",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/leb128/-/leb128-1.11.6.tgz",
-      "integrity": "sha512-m7a0FhE67DQXgouf1tbN5XQcdWoNgaAuoULHIfGFIEVKA6tu/edls6XnIlkmS6FrXAquJRPni3ZZKjw6FSPjPQ==",
+      "version": "1.13.2",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/leb128/-/leb128-1.13.2.tgz",
+      "integrity": "sha512-Lde1oNoIdzVzdkNEAWZ1dZ5orIbff80YPdHx20mrHwHrVNNTjNr8E3xz9BdpcGqRQbAEa+fkrCb+fRFTl/6sQw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -503,79 +525,79 @@
       }
     },
     "node_modules/@webassemblyjs/utf8": {
-      "version": "1.11.6",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/utf8/-/utf8-1.11.6.tgz",
-      "integrity": "sha512-vtXf2wTQ3+up9Zsg8sa2yWiQpzSsMyXj0qViVP6xKGCUT8p8YJ6HqI7l5eCnWx1T/FYdsv07HQs2wTFbbof/RA==",
+      "version": "1.13.2",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/utf8/-/utf8-1.13.2.tgz",
+      "integrity": "sha512-3NQWGjKTASY1xV5m7Hr0iPeXD9+RDobLll3T9d2AO+g3my8xy5peVyjSag4I50mR1bBSN/Ct12lo+R9tJk0NZQ==",
       "dev": true,
       "license": "MIT"
     },
     "node_modules/@webassemblyjs/wasm-edit": {
-      "version": "1.12.1",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-edit/-/wasm-edit-1.12.1.tgz",
-      "integrity": "sha512-1DuwbVvADvS5mGnXbE+c9NfA8QRcZ6iKquqjjmR10k6o+zzsRVesil54DKexiowcFCPdr/Q0qaMgB01+SQ1u6g==",
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-edit/-/wasm-edit-1.14.1.tgz",
+      "integrity": "sha512-RNJUIQH/J8iA/1NzlE4N7KtyZNHi3w7at7hDjvRNm5rcUXa00z1vRz3glZoULfJ5mpvYhLybmVcwcjGrC1pRrQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@webassemblyjs/ast": "1.12.1",
-        "@webassemblyjs/helper-buffer": "1.12.1",
-        "@webassemblyjs/helper-wasm-bytecode": "1.11.6",
-        "@webassemblyjs/helper-wasm-section": "1.12.1",
-        "@webassemblyjs/wasm-gen": "1.12.1",
-        "@webassemblyjs/wasm-opt": "1.12.1",
-        "@webassemblyjs/wasm-parser": "1.12.1",
-        "@webassemblyjs/wast-printer": "1.12.1"
+        "@webassemblyjs/ast": "1.14.1",
+        "@webassemblyjs/helper-buffer": "1.14.1",
+        "@webassemblyjs/helper-wasm-bytecode": "1.13.2",
+        "@webassemblyjs/helper-wasm-section": "1.14.1",
+        "@webassemblyjs/wasm-gen": "1.14.1",
+        "@webassemblyjs/wasm-opt": "1.14.1",
+        "@webassemblyjs/wasm-parser": "1.14.1",
+        "@webassemblyjs/wast-printer": "1.14.1"
       }
     },
     "node_modules/@webassemblyjs/wasm-gen": {
-      "version": "1.12.1",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-gen/-/wasm-gen-1.12.1.tgz",
-      "integrity": "sha512-TDq4Ojh9fcohAw6OIMXqiIcTq5KUXTGRkVxbSo1hQnSy6lAM5GSdfwWeSxpAo0YzgsgF182E/U0mDNhuA0tW7w==",
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-gen/-/wasm-gen-1.14.1.tgz",
+      "integrity": "sha512-AmomSIjP8ZbfGQhumkNvgC33AY7qtMCXnN6bL2u2Js4gVCg8fp735aEiMSBbDR7UQIj90n4wKAFUSEd0QN2Ukg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@webassemblyjs/ast": "1.12.1",
-        "@webassemblyjs/helper-wasm-bytecode": "1.11.6",
-        "@webassemblyjs/ieee754": "1.11.6",
-        "@webassemblyjs/leb128": "1.11.6",
-        "@webassemblyjs/utf8": "1.11.6"
+        "@webassemblyjs/ast": "1.14.1",
+        "@webassemblyjs/helper-wasm-bytecode": "1.13.2",
+        "@webassemblyjs/ieee754": "1.13.2",
+        "@webassemblyjs/leb128": "1.13.2",
+        "@webassemblyjs/utf8": "1.13.2"
       }
     },
     "node_modules/@webassemblyjs/wasm-opt": {
-      "version": "1.12.1",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-opt/-/wasm-opt-1.12.1.tgz",
-      "integrity": "sha512-Jg99j/2gG2iaz3hijw857AVYekZe2SAskcqlWIZXjji5WStnOpVoat3gQfT/Q5tb2djnCjBtMocY/Su1GfxPBg==",
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-opt/-/wasm-opt-1.14.1.tgz",
+      "integrity": "sha512-PTcKLUNvBqnY2U6E5bdOQcSM+oVP/PmrDY9NzowJjislEjwP/C4an2303MCVS2Mg9d3AJpIGdUFIQQWbPds0Sw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@webassemblyjs/ast": "1.12.1",
-        "@webassemblyjs/helper-buffer": "1.12.1",
-        "@webassemblyjs/wasm-gen": "1.12.1",
-        "@webassemblyjs/wasm-parser": "1.12.1"
+        "@webassemblyjs/ast": "1.14.1",
+        "@webassemblyjs/helper-buffer": "1.14.1",
+        "@webassemblyjs/wasm-gen": "1.14.1",
+        "@webassemblyjs/wasm-parser": "1.14.1"
       }
     },
     "node_modules/@webassemblyjs/wasm-parser": {
-      "version": "1.12.1",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-parser/-/wasm-parser-1.12.1.tgz",
-      "integrity": "sha512-xikIi7c2FHXysxXe3COrVUPSheuBtpcfhbpFj4gmu7KRLYOzANztwUU0IbsqvMqzuNK2+glRGWCEqZo1WCLyAQ==",
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-parser/-/wasm-parser-1.14.1.tgz",
+      "integrity": "sha512-JLBl+KZ0R5qB7mCnud/yyX08jWFw5MsoalJ1pQ4EdFlgj9VdXKGuENGsiCIjegI1W7p91rUlcB/LB5yRJKNTcQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@webassemblyjs/ast": "1.12.1",
-        "@webassemblyjs/helper-api-error": "1.11.6",
-        "@webassemblyjs/helper-wasm-bytecode": "1.11.6",
-        "@webassemblyjs/ieee754": "1.11.6",
-        "@webassemblyjs/leb128": "1.11.6",
-        "@webassemblyjs/utf8": "1.11.6"
+        "@webassemblyjs/ast": "1.14.1",
+        "@webassemblyjs/helper-api-error": "1.13.2",
+        "@webassemblyjs/helper-wasm-bytecode": "1.13.2",
+        "@webassemblyjs/ieee754": "1.13.2",
+        "@webassemblyjs/leb128": "1.13.2",
+        "@webassemblyjs/utf8": "1.13.2"
       }
     },
     "node_modules/@webassemblyjs/wast-printer": {
-      "version": "1.12.1",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/wast-printer/-/wast-printer-1.12.1.tgz",
-      "integrity": "sha512-+X4WAlOisVWQMikjbcvY2e0rwPsKQ9F688lksZhBcPycBBuii3O7m8FACbDMWDojpAqvjIncrG8J0XHKyQfVeA==",
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/wast-printer/-/wast-printer-1.14.1.tgz",
+      "integrity": "sha512-kPSSXE6De1XOR820C90RIo2ogvZG+c3KiHzqUoO/F34Y2shGzesfqv7o57xrxovZJH/MetF5UjroJ/R/3isoiw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@webassemblyjs/ast": "1.12.1",
+        "@webassemblyjs/ast": "1.14.1",
         "@xtuc/long": "4.2.2"
       }
     },
@@ -641,9 +663,9 @@
       "license": "Apache-2.0"
     },
     "node_modules/acorn": {
-      "version": "8.12.1",
-      "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.12.1.tgz",
-      "integrity": "sha512-tcpGyI9zbizT9JbV6oYE477V6mTlXvvi0T0G3SNIYE2apm/G5huBa1+K89VGeovbg+jycCrfhl3ADxErOuO6Jg==",
+      "version": "8.14.0",
+      "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.14.0.tgz",
+      "integrity": "sha512-cl669nCJTZBsL97OF4kUQm5g5hC2uihk0NxY3WENAC0TYdILVkAyHymAntgxGkl7K+t0cXIrH5siy5S4XkFycA==",
       "dev": true,
       "license": "MIT",
       "bin": {
@@ -653,16 +675,6 @@
         "node": ">=0.4.0"
       }
     },
-    "node_modules/acorn-import-attributes": {
-      "version": "1.9.5",
-      "resolved": "https://registry.npmjs.org/acorn-import-attributes/-/acorn-import-attributes-1.9.5.tgz",
-      "integrity": "sha512-n02Vykv5uA3eHGM/Z2dQrcD56kL8TyDb2p1+0P83PClMnC/nc+anbQRhIOWnSq4Ke/KvDPrY3C9hDtC/A3eHnQ==",
-      "dev": true,
-      "license": "MIT",
-      "peerDependencies": {
-        "acorn": "^8"
-      }
-    },
     "node_modules/ajv": {
       "version": "8.17.1",
       "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.17.1.tgz",
@@ -2216,19 +2228,19 @@
       }
     },
     "node_modules/webpack": {
-      "version": "5.95.0",
-      "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.95.0.tgz",
-      "integrity": "sha512-2t3XstrKULz41MNMBF+cJ97TyHdyQ8HCt//pqErqDvNjU9YQBnZxIHa11VXsi7F3mb5/aO2tuDxdeTPdU7xu9Q==",
+      "version": "5.97.1",
+      "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.97.1.tgz",
+      "integrity": "sha512-EksG6gFY3L1eFMROS/7Wzgrii5mBAFe4rIr3r2BTfo7bcc+DWwFZ4OJ/miOuHJO/A85HwyI4eQ0F6IKXesO7Fg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@types/estree": "^1.0.5",
-        "@webassemblyjs/ast": "^1.12.1",
-        "@webassemblyjs/wasm-edit": "^1.12.1",
-        "@webassemblyjs/wasm-parser": "^1.12.1",
-        "acorn": "^8.7.1",
-        "acorn-import-attributes": "^1.9.5",
-        "browserslist": "^4.21.10",
+        "@types/eslint-scope": "^3.7.7",
+        "@types/estree": "^1.0.6",
+        "@webassemblyjs/ast": "^1.14.1",
+        "@webassemblyjs/wasm-edit": "^1.14.1",
+        "@webassemblyjs/wasm-parser": "^1.14.1",
+        "acorn": "^8.14.0",
+        "browserslist": "^4.24.0",
         "chrome-trace-event": "^1.0.2",
         "enhanced-resolve": "^5.17.1",
         "es-module-lexer": "^1.2.1",
diff --git a/bitwarden_license/src/Sso/package.json b/bitwarden_license/src/Sso/package.json
index 29dee20ad8..9f488d6be8 100644
--- a/bitwarden_license/src/Sso/package.json
+++ b/bitwarden_license/src/Sso/package.json
@@ -18,7 +18,7 @@
     "mini-css-extract-plugin": "2.9.1",
     "sass": "1.79.5",
     "sass-loader": "16.0.2",
-    "webpack": "5.95.0",
+    "webpack": "5.97.1",
     "webpack-cli": "5.1.4"
   }
 }
diff --git a/src/Admin/package-lock.json b/src/Admin/package-lock.json
index a9256a9a4d..f9976a8467 100644
--- a/src/Admin/package-lock.json
+++ b/src/Admin/package-lock.json
@@ -20,7 +20,7 @@
         "mini-css-extract-plugin": "2.9.1",
         "sass": "1.79.5",
         "sass-loader": "16.0.2",
-        "webpack": "5.95.0",
+        "webpack": "5.97.1",
         "webpack-cli": "5.1.4"
       }
     },
@@ -395,6 +395,28 @@
         "url": "https://opencollective.com/popperjs"
       }
     },
+    "node_modules/@types/eslint": {
+      "version": "9.6.1",
+      "resolved": "https://registry.npmjs.org/@types/eslint/-/eslint-9.6.1.tgz",
+      "integrity": "sha512-FXx2pKgId/WyYo2jXw63kk7/+TY7u7AziEJxJAnSFzHlqTAS3Ync6SvgYAN/k4/PQpnnVuzoMuVnByKK2qp0ag==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/estree": "*",
+        "@types/json-schema": "*"
+      }
+    },
+    "node_modules/@types/eslint-scope": {
+      "version": "3.7.7",
+      "resolved": "https://registry.npmjs.org/@types/eslint-scope/-/eslint-scope-3.7.7.tgz",
+      "integrity": "sha512-MzMFlSLBqNF2gcHWO0G1vP/YQyfvrxZ0bF+u7mzUdZ1/xK4A4sru+nraZz5i3iEIk1l1uyicaDVTB4QbbEkAYg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/eslint": "*",
+        "@types/estree": "*"
+      }
+    },
     "node_modules/@types/estree": {
       "version": "1.0.6",
       "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.6.tgz",
@@ -420,73 +442,73 @@
       }
     },
     "node_modules/@webassemblyjs/ast": {
-      "version": "1.12.1",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/ast/-/ast-1.12.1.tgz",
-      "integrity": "sha512-EKfMUOPRRUTy5UII4qJDGPpqfwjOmZ5jeGFwid9mnoqIFK+e0vqoi1qH56JpmZSzEL53jKnNzScdmftJyG5xWg==",
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/ast/-/ast-1.14.1.tgz",
+      "integrity": "sha512-nuBEDgQfm1ccRp/8bCQrx1frohyufl4JlbMMZ4P1wpeOfDhF6FQkxZJ1b/e+PLwr6X1Nhw6OLme5usuBWYBvuQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@webassemblyjs/helper-numbers": "1.11.6",
-        "@webassemblyjs/helper-wasm-bytecode": "1.11.6"
+        "@webassemblyjs/helper-numbers": "1.13.2",
+        "@webassemblyjs/helper-wasm-bytecode": "1.13.2"
       }
     },
     "node_modules/@webassemblyjs/floating-point-hex-parser": {
-      "version": "1.11.6",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/floating-point-hex-parser/-/floating-point-hex-parser-1.11.6.tgz",
-      "integrity": "sha512-ejAj9hfRJ2XMsNHk/v6Fu2dGS+i4UaXBXGemOfQ/JfQ6mdQg/WXtwleQRLLS4OvfDhv8rYnVwH27YJLMyYsxhw==",
+      "version": "1.13.2",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/floating-point-hex-parser/-/floating-point-hex-parser-1.13.2.tgz",
+      "integrity": "sha512-6oXyTOzbKxGH4steLbLNOu71Oj+C8Lg34n6CqRvqfS2O71BxY6ByfMDRhBytzknj9yGUPVJ1qIKhRlAwO1AovA==",
       "dev": true,
       "license": "MIT"
     },
     "node_modules/@webassemblyjs/helper-api-error": {
-      "version": "1.11.6",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-api-error/-/helper-api-error-1.11.6.tgz",
-      "integrity": "sha512-o0YkoP4pVu4rN8aTJgAyj9hC2Sv5UlkzCHhxqWj8butaLvnpdc2jOwh4ewE6CX0txSfLn/UYaV/pheS2Txg//Q==",
+      "version": "1.13.2",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-api-error/-/helper-api-error-1.13.2.tgz",
+      "integrity": "sha512-U56GMYxy4ZQCbDZd6JuvvNV/WFildOjsaWD3Tzzvmw/mas3cXzRJPMjP83JqEsgSbyrmaGjBfDtV7KDXV9UzFQ==",
       "dev": true,
       "license": "MIT"
     },
     "node_modules/@webassemblyjs/helper-buffer": {
-      "version": "1.12.1",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-buffer/-/helper-buffer-1.12.1.tgz",
-      "integrity": "sha512-nzJwQw99DNDKr9BVCOZcLuJJUlqkJh+kVzVl6Fmq/tI5ZtEyWT1KZMyOXltXLZJmDtvLCDgwsyrkohEtopTXCw==",
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-buffer/-/helper-buffer-1.14.1.tgz",
+      "integrity": "sha512-jyH7wtcHiKssDtFPRB+iQdxlDf96m0E39yb0k5uJVhFGleZFoNw1c4aeIcVUPPbXUVJ94wwnMOAqUHyzoEPVMA==",
       "dev": true,
       "license": "MIT"
     },
     "node_modules/@webassemblyjs/helper-numbers": {
-      "version": "1.11.6",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-numbers/-/helper-numbers-1.11.6.tgz",
-      "integrity": "sha512-vUIhZ8LZoIWHBohiEObxVm6hwP034jwmc9kuq5GdHZH0wiLVLIPcMCdpJzG4C11cHoQ25TFIQj9kaVADVX7N3g==",
+      "version": "1.13.2",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-numbers/-/helper-numbers-1.13.2.tgz",
+      "integrity": "sha512-FE8aCmS5Q6eQYcV3gI35O4J789wlQA+7JrqTTpJqn5emA4U2hvwJmvFRC0HODS+3Ye6WioDklgd6scJ3+PLnEA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@webassemblyjs/floating-point-hex-parser": "1.11.6",
-        "@webassemblyjs/helper-api-error": "1.11.6",
+        "@webassemblyjs/floating-point-hex-parser": "1.13.2",
+        "@webassemblyjs/helper-api-error": "1.13.2",
         "@xtuc/long": "4.2.2"
       }
     },
     "node_modules/@webassemblyjs/helper-wasm-bytecode": {
-      "version": "1.11.6",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-wasm-bytecode/-/helper-wasm-bytecode-1.11.6.tgz",
-      "integrity": "sha512-sFFHKwcmBprO9e7Icf0+gddyWYDViL8bpPjJJl0WHxCdETktXdmtWLGVzoHbqUcY4Be1LkNfwTmXOJUFZYSJdA==",
+      "version": "1.13.2",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-wasm-bytecode/-/helper-wasm-bytecode-1.13.2.tgz",
+      "integrity": "sha512-3QbLKy93F0EAIXLh0ogEVR6rOubA9AoZ+WRYhNbFyuB70j3dRdwH9g+qXhLAO0kiYGlg3TxDV+I4rQTr/YNXkA==",
       "dev": true,
       "license": "MIT"
     },
     "node_modules/@webassemblyjs/helper-wasm-section": {
-      "version": "1.12.1",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-wasm-section/-/helper-wasm-section-1.12.1.tgz",
-      "integrity": "sha512-Jif4vfB6FJlUlSbgEMHUyk1j234GTNG9dBJ4XJdOySoj518Xj0oGsNi59cUQF4RRMS9ouBUxDDdyBVfPTypa5g==",
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-wasm-section/-/helper-wasm-section-1.14.1.tgz",
+      "integrity": "sha512-ds5mXEqTJ6oxRoqjhWDU83OgzAYjwsCV8Lo/N+oRsNDmx/ZDpqalmrtgOMkHwxsG0iI//3BwWAErYRHtgn0dZw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@webassemblyjs/ast": "1.12.1",
-        "@webassemblyjs/helper-buffer": "1.12.1",
-        "@webassemblyjs/helper-wasm-bytecode": "1.11.6",
-        "@webassemblyjs/wasm-gen": "1.12.1"
+        "@webassemblyjs/ast": "1.14.1",
+        "@webassemblyjs/helper-buffer": "1.14.1",
+        "@webassemblyjs/helper-wasm-bytecode": "1.13.2",
+        "@webassemblyjs/wasm-gen": "1.14.1"
       }
     },
     "node_modules/@webassemblyjs/ieee754": {
-      "version": "1.11.6",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/ieee754/-/ieee754-1.11.6.tgz",
-      "integrity": "sha512-LM4p2csPNvbij6U1f19v6WR56QZ8JcHg3QIJTlSwzFcmx6WSORicYj6I63f9yU1kEUtrpG+kjkiIAkevHpDXrg==",
+      "version": "1.13.2",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/ieee754/-/ieee754-1.13.2.tgz",
+      "integrity": "sha512-4LtOzh58S/5lX4ITKxnAK2USuNEvpdVV9AlgGQb8rJDHaLeHciwG4zlGr0j/SNWlr7x3vO1lDEsuePvtcDNCkw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -494,9 +516,9 @@
       }
     },
     "node_modules/@webassemblyjs/leb128": {
-      "version": "1.11.6",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/leb128/-/leb128-1.11.6.tgz",
-      "integrity": "sha512-m7a0FhE67DQXgouf1tbN5XQcdWoNgaAuoULHIfGFIEVKA6tu/edls6XnIlkmS6FrXAquJRPni3ZZKjw6FSPjPQ==",
+      "version": "1.13.2",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/leb128/-/leb128-1.13.2.tgz",
+      "integrity": "sha512-Lde1oNoIdzVzdkNEAWZ1dZ5orIbff80YPdHx20mrHwHrVNNTjNr8E3xz9BdpcGqRQbAEa+fkrCb+fRFTl/6sQw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -504,79 +526,79 @@
       }
     },
     "node_modules/@webassemblyjs/utf8": {
-      "version": "1.11.6",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/utf8/-/utf8-1.11.6.tgz",
-      "integrity": "sha512-vtXf2wTQ3+up9Zsg8sa2yWiQpzSsMyXj0qViVP6xKGCUT8p8YJ6HqI7l5eCnWx1T/FYdsv07HQs2wTFbbof/RA==",
+      "version": "1.13.2",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/utf8/-/utf8-1.13.2.tgz",
+      "integrity": "sha512-3NQWGjKTASY1xV5m7Hr0iPeXD9+RDobLll3T9d2AO+g3my8xy5peVyjSag4I50mR1bBSN/Ct12lo+R9tJk0NZQ==",
       "dev": true,
       "license": "MIT"
     },
     "node_modules/@webassemblyjs/wasm-edit": {
-      "version": "1.12.1",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-edit/-/wasm-edit-1.12.1.tgz",
-      "integrity": "sha512-1DuwbVvADvS5mGnXbE+c9NfA8QRcZ6iKquqjjmR10k6o+zzsRVesil54DKexiowcFCPdr/Q0qaMgB01+SQ1u6g==",
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-edit/-/wasm-edit-1.14.1.tgz",
+      "integrity": "sha512-RNJUIQH/J8iA/1NzlE4N7KtyZNHi3w7at7hDjvRNm5rcUXa00z1vRz3glZoULfJ5mpvYhLybmVcwcjGrC1pRrQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@webassemblyjs/ast": "1.12.1",
-        "@webassemblyjs/helper-buffer": "1.12.1",
-        "@webassemblyjs/helper-wasm-bytecode": "1.11.6",
-        "@webassemblyjs/helper-wasm-section": "1.12.1",
-        "@webassemblyjs/wasm-gen": "1.12.1",
-        "@webassemblyjs/wasm-opt": "1.12.1",
-        "@webassemblyjs/wasm-parser": "1.12.1",
-        "@webassemblyjs/wast-printer": "1.12.1"
+        "@webassemblyjs/ast": "1.14.1",
+        "@webassemblyjs/helper-buffer": "1.14.1",
+        "@webassemblyjs/helper-wasm-bytecode": "1.13.2",
+        "@webassemblyjs/helper-wasm-section": "1.14.1",
+        "@webassemblyjs/wasm-gen": "1.14.1",
+        "@webassemblyjs/wasm-opt": "1.14.1",
+        "@webassemblyjs/wasm-parser": "1.14.1",
+        "@webassemblyjs/wast-printer": "1.14.1"
       }
     },
     "node_modules/@webassemblyjs/wasm-gen": {
-      "version": "1.12.1",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-gen/-/wasm-gen-1.12.1.tgz",
-      "integrity": "sha512-TDq4Ojh9fcohAw6OIMXqiIcTq5KUXTGRkVxbSo1hQnSy6lAM5GSdfwWeSxpAo0YzgsgF182E/U0mDNhuA0tW7w==",
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-gen/-/wasm-gen-1.14.1.tgz",
+      "integrity": "sha512-AmomSIjP8ZbfGQhumkNvgC33AY7qtMCXnN6bL2u2Js4gVCg8fp735aEiMSBbDR7UQIj90n4wKAFUSEd0QN2Ukg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@webassemblyjs/ast": "1.12.1",
-        "@webassemblyjs/helper-wasm-bytecode": "1.11.6",
-        "@webassemblyjs/ieee754": "1.11.6",
-        "@webassemblyjs/leb128": "1.11.6",
-        "@webassemblyjs/utf8": "1.11.6"
+        "@webassemblyjs/ast": "1.14.1",
+        "@webassemblyjs/helper-wasm-bytecode": "1.13.2",
+        "@webassemblyjs/ieee754": "1.13.2",
+        "@webassemblyjs/leb128": "1.13.2",
+        "@webassemblyjs/utf8": "1.13.2"
       }
     },
     "node_modules/@webassemblyjs/wasm-opt": {
-      "version": "1.12.1",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-opt/-/wasm-opt-1.12.1.tgz",
-      "integrity": "sha512-Jg99j/2gG2iaz3hijw857AVYekZe2SAskcqlWIZXjji5WStnOpVoat3gQfT/Q5tb2djnCjBtMocY/Su1GfxPBg==",
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-opt/-/wasm-opt-1.14.1.tgz",
+      "integrity": "sha512-PTcKLUNvBqnY2U6E5bdOQcSM+oVP/PmrDY9NzowJjislEjwP/C4an2303MCVS2Mg9d3AJpIGdUFIQQWbPds0Sw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@webassemblyjs/ast": "1.12.1",
-        "@webassemblyjs/helper-buffer": "1.12.1",
-        "@webassemblyjs/wasm-gen": "1.12.1",
-        "@webassemblyjs/wasm-parser": "1.12.1"
+        "@webassemblyjs/ast": "1.14.1",
+        "@webassemblyjs/helper-buffer": "1.14.1",
+        "@webassemblyjs/wasm-gen": "1.14.1",
+        "@webassemblyjs/wasm-parser": "1.14.1"
       }
     },
     "node_modules/@webassemblyjs/wasm-parser": {
-      "version": "1.12.1",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-parser/-/wasm-parser-1.12.1.tgz",
-      "integrity": "sha512-xikIi7c2FHXysxXe3COrVUPSheuBtpcfhbpFj4gmu7KRLYOzANztwUU0IbsqvMqzuNK2+glRGWCEqZo1WCLyAQ==",
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-parser/-/wasm-parser-1.14.1.tgz",
+      "integrity": "sha512-JLBl+KZ0R5qB7mCnud/yyX08jWFw5MsoalJ1pQ4EdFlgj9VdXKGuENGsiCIjegI1W7p91rUlcB/LB5yRJKNTcQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@webassemblyjs/ast": "1.12.1",
-        "@webassemblyjs/helper-api-error": "1.11.6",
-        "@webassemblyjs/helper-wasm-bytecode": "1.11.6",
-        "@webassemblyjs/ieee754": "1.11.6",
-        "@webassemblyjs/leb128": "1.11.6",
-        "@webassemblyjs/utf8": "1.11.6"
+        "@webassemblyjs/ast": "1.14.1",
+        "@webassemblyjs/helper-api-error": "1.13.2",
+        "@webassemblyjs/helper-wasm-bytecode": "1.13.2",
+        "@webassemblyjs/ieee754": "1.13.2",
+        "@webassemblyjs/leb128": "1.13.2",
+        "@webassemblyjs/utf8": "1.13.2"
       }
     },
     "node_modules/@webassemblyjs/wast-printer": {
-      "version": "1.12.1",
-      "resolved": "https://registry.npmjs.org/@webassemblyjs/wast-printer/-/wast-printer-1.12.1.tgz",
-      "integrity": "sha512-+X4WAlOisVWQMikjbcvY2e0rwPsKQ9F688lksZhBcPycBBuii3O7m8FACbDMWDojpAqvjIncrG8J0XHKyQfVeA==",
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/wast-printer/-/wast-printer-1.14.1.tgz",
+      "integrity": "sha512-kPSSXE6De1XOR820C90RIo2ogvZG+c3KiHzqUoO/F34Y2shGzesfqv7o57xrxovZJH/MetF5UjroJ/R/3isoiw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@webassemblyjs/ast": "1.12.1",
+        "@webassemblyjs/ast": "1.14.1",
         "@xtuc/long": "4.2.2"
       }
     },
@@ -642,9 +664,9 @@
       "license": "Apache-2.0"
     },
     "node_modules/acorn": {
-      "version": "8.12.1",
-      "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.12.1.tgz",
-      "integrity": "sha512-tcpGyI9zbizT9JbV6oYE477V6mTlXvvi0T0G3SNIYE2apm/G5huBa1+K89VGeovbg+jycCrfhl3ADxErOuO6Jg==",
+      "version": "8.14.0",
+      "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.14.0.tgz",
+      "integrity": "sha512-cl669nCJTZBsL97OF4kUQm5g5hC2uihk0NxY3WENAC0TYdILVkAyHymAntgxGkl7K+t0cXIrH5siy5S4XkFycA==",
       "dev": true,
       "license": "MIT",
       "bin": {
@@ -654,16 +676,6 @@
         "node": ">=0.4.0"
       }
     },
-    "node_modules/acorn-import-attributes": {
-      "version": "1.9.5",
-      "resolved": "https://registry.npmjs.org/acorn-import-attributes/-/acorn-import-attributes-1.9.5.tgz",
-      "integrity": "sha512-n02Vykv5uA3eHGM/Z2dQrcD56kL8TyDb2p1+0P83PClMnC/nc+anbQRhIOWnSq4Ke/KvDPrY3C9hDtC/A3eHnQ==",
-      "dev": true,
-      "license": "MIT",
-      "peerDependencies": {
-        "acorn": "^8"
-      }
-    },
     "node_modules/ajv": {
       "version": "8.17.1",
       "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.17.1.tgz",
@@ -2225,19 +2237,19 @@
       }
     },
     "node_modules/webpack": {
-      "version": "5.95.0",
-      "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.95.0.tgz",
-      "integrity": "sha512-2t3XstrKULz41MNMBF+cJ97TyHdyQ8HCt//pqErqDvNjU9YQBnZxIHa11VXsi7F3mb5/aO2tuDxdeTPdU7xu9Q==",
+      "version": "5.97.1",
+      "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.97.1.tgz",
+      "integrity": "sha512-EksG6gFY3L1eFMROS/7Wzgrii5mBAFe4rIr3r2BTfo7bcc+DWwFZ4OJ/miOuHJO/A85HwyI4eQ0F6IKXesO7Fg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@types/estree": "^1.0.5",
-        "@webassemblyjs/ast": "^1.12.1",
-        "@webassemblyjs/wasm-edit": "^1.12.1",
-        "@webassemblyjs/wasm-parser": "^1.12.1",
-        "acorn": "^8.7.1",
-        "acorn-import-attributes": "^1.9.5",
-        "browserslist": "^4.21.10",
+        "@types/eslint-scope": "^3.7.7",
+        "@types/estree": "^1.0.6",
+        "@webassemblyjs/ast": "^1.14.1",
+        "@webassemblyjs/wasm-edit": "^1.14.1",
+        "@webassemblyjs/wasm-parser": "^1.14.1",
+        "acorn": "^8.14.0",
+        "browserslist": "^4.24.0",
         "chrome-trace-event": "^1.0.2",
         "enhanced-resolve": "^5.17.1",
         "es-module-lexer": "^1.2.1",
diff --git a/src/Admin/package.json b/src/Admin/package.json
index 6984e99814..d0d9018dad 100644
--- a/src/Admin/package.json
+++ b/src/Admin/package.json
@@ -19,7 +19,7 @@
     "mini-css-extract-plugin": "2.9.1",
     "sass": "1.79.5",
     "sass-loader": "16.0.2",
-    "webpack": "5.95.0",
+    "webpack": "5.97.1",
     "webpack-cli": "5.1.4"
   }
 }

From e0d82c447da4a994c9b55b7d7e97fa4daab14035 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 12 Dec 2024 12:57:00 -0800
Subject: [PATCH 060/384] [deps] Auth: Update sass-loader to v16.0.4 (#5014)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 bitwarden_license/src/Sso/package-lock.json | 8 ++++----
 bitwarden_license/src/Sso/package.json      | 2 +-
 src/Admin/package-lock.json                 | 8 ++++----
 src/Admin/package.json                      | 2 +-
 4 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/bitwarden_license/src/Sso/package-lock.json b/bitwarden_license/src/Sso/package-lock.json
index cb95485b88..c403e35d4b 100644
--- a/bitwarden_license/src/Sso/package-lock.json
+++ b/bitwarden_license/src/Sso/package-lock.json
@@ -18,7 +18,7 @@
         "expose-loader": "5.0.0",
         "mini-css-extract-plugin": "2.9.1",
         "sass": "1.79.5",
-        "sass-loader": "16.0.2",
+        "sass-loader": "16.0.4",
         "webpack": "5.97.1",
         "webpack-cli": "5.1.4"
       }
@@ -1849,9 +1849,9 @@
       }
     },
     "node_modules/sass-loader": {
-      "version": "16.0.2",
-      "resolved": "https://registry.npmjs.org/sass-loader/-/sass-loader-16.0.2.tgz",
-      "integrity": "sha512-Ll6iXZ1EYwYT19SqW4mSBb76vSSi8JgzElmzIerhEGgzB5hRjDQIWsPmuk1UrAXkR16KJHqVY0eH+5/uw9Tmfw==",
+      "version": "16.0.4",
+      "resolved": "https://registry.npmjs.org/sass-loader/-/sass-loader-16.0.4.tgz",
+      "integrity": "sha512-LavLbgbBGUt3wCiYzhuLLu65+fWXaXLmq7YxivLhEqmiupCFZ5sKUAipK3do6V80YSU0jvSxNhEdT13IXNr3rg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
diff --git a/bitwarden_license/src/Sso/package.json b/bitwarden_license/src/Sso/package.json
index 9f488d6be8..312adea945 100644
--- a/bitwarden_license/src/Sso/package.json
+++ b/bitwarden_license/src/Sso/package.json
@@ -17,7 +17,7 @@
     "expose-loader": "5.0.0",
     "mini-css-extract-plugin": "2.9.1",
     "sass": "1.79.5",
-    "sass-loader": "16.0.2",
+    "sass-loader": "16.0.4",
     "webpack": "5.97.1",
     "webpack-cli": "5.1.4"
   }
diff --git a/src/Admin/package-lock.json b/src/Admin/package-lock.json
index f9976a8467..8cc83c6e2d 100644
--- a/src/Admin/package-lock.json
+++ b/src/Admin/package-lock.json
@@ -19,7 +19,7 @@
         "expose-loader": "5.0.0",
         "mini-css-extract-plugin": "2.9.1",
         "sass": "1.79.5",
-        "sass-loader": "16.0.2",
+        "sass-loader": "16.0.4",
         "webpack": "5.97.1",
         "webpack-cli": "5.1.4"
       }
@@ -1850,9 +1850,9 @@
       }
     },
     "node_modules/sass-loader": {
-      "version": "16.0.2",
-      "resolved": "https://registry.npmjs.org/sass-loader/-/sass-loader-16.0.2.tgz",
-      "integrity": "sha512-Ll6iXZ1EYwYT19SqW4mSBb76vSSi8JgzElmzIerhEGgzB5hRjDQIWsPmuk1UrAXkR16KJHqVY0eH+5/uw9Tmfw==",
+      "version": "16.0.4",
+      "resolved": "https://registry.npmjs.org/sass-loader/-/sass-loader-16.0.4.tgz",
+      "integrity": "sha512-LavLbgbBGUt3wCiYzhuLLu65+fWXaXLmq7YxivLhEqmiupCFZ5sKUAipK3do6V80YSU0jvSxNhEdT13IXNr3rg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
diff --git a/src/Admin/package.json b/src/Admin/package.json
index d0d9018dad..ba0bc954d8 100644
--- a/src/Admin/package.json
+++ b/src/Admin/package.json
@@ -18,7 +18,7 @@
     "expose-loader": "5.0.0",
     "mini-css-extract-plugin": "2.9.1",
     "sass": "1.79.5",
-    "sass-loader": "16.0.2",
+    "sass-loader": "16.0.4",
     "webpack": "5.97.1",
     "webpack-cli": "5.1.4"
   }

From ce60657b8e72c94a898a7f6fc93b0f5f6d9fe0d4 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 12 Dec 2024 19:04:33 -0800
Subject: [PATCH 061/384] [deps] Auth: Update mini-css-extract-plugin to v2.9.2
 (#5013)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 bitwarden_license/src/Sso/package-lock.json | 8 ++++----
 bitwarden_license/src/Sso/package.json      | 2 +-
 src/Admin/package-lock.json                 | 8 ++++----
 src/Admin/package.json                      | 2 +-
 4 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/bitwarden_license/src/Sso/package-lock.json b/bitwarden_license/src/Sso/package-lock.json
index c403e35d4b..c23e3b67da 100644
--- a/bitwarden_license/src/Sso/package-lock.json
+++ b/bitwarden_license/src/Sso/package-lock.json
@@ -16,7 +16,7 @@
       "devDependencies": {
         "css-loader": "7.1.2",
         "expose-loader": "5.0.0",
-        "mini-css-extract-plugin": "2.9.1",
+        "mini-css-extract-plugin": "2.9.2",
         "sass": "1.79.5",
         "sass-loader": "16.0.4",
         "webpack": "5.97.1",
@@ -1438,9 +1438,9 @@
       }
     },
     "node_modules/mini-css-extract-plugin": {
-      "version": "2.9.1",
-      "resolved": "https://registry.npmjs.org/mini-css-extract-plugin/-/mini-css-extract-plugin-2.9.1.tgz",
-      "integrity": "sha512-+Vyi+GCCOHnrJ2VPS+6aPoXN2k2jgUzDRhTFLjjTBn23qyXJXkjUWQgTL+mXpF5/A8ixLdCc6kWsoeOjKGejKQ==",
+      "version": "2.9.2",
+      "resolved": "https://registry.npmjs.org/mini-css-extract-plugin/-/mini-css-extract-plugin-2.9.2.tgz",
+      "integrity": "sha512-GJuACcS//jtq4kCtd5ii/M0SZf7OZRH+BxdqXZHaJfb8TJiVl+NgQRPwiYt2EuqeSkNydn/7vP+bcE27C5mb9w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
diff --git a/bitwarden_license/src/Sso/package.json b/bitwarden_license/src/Sso/package.json
index 312adea945..fa1fac3907 100644
--- a/bitwarden_license/src/Sso/package.json
+++ b/bitwarden_license/src/Sso/package.json
@@ -15,7 +15,7 @@
   "devDependencies": {
     "css-loader": "7.1.2",
     "expose-loader": "5.0.0",
-    "mini-css-extract-plugin": "2.9.1",
+    "mini-css-extract-plugin": "2.9.2",
     "sass": "1.79.5",
     "sass-loader": "16.0.4",
     "webpack": "5.97.1",
diff --git a/src/Admin/package-lock.json b/src/Admin/package-lock.json
index 8cc83c6e2d..203e574717 100644
--- a/src/Admin/package-lock.json
+++ b/src/Admin/package-lock.json
@@ -17,7 +17,7 @@
       "devDependencies": {
         "css-loader": "7.1.2",
         "expose-loader": "5.0.0",
-        "mini-css-extract-plugin": "2.9.1",
+        "mini-css-extract-plugin": "2.9.2",
         "sass": "1.79.5",
         "sass-loader": "16.0.4",
         "webpack": "5.97.1",
@@ -1439,9 +1439,9 @@
       }
     },
     "node_modules/mini-css-extract-plugin": {
-      "version": "2.9.1",
-      "resolved": "https://registry.npmjs.org/mini-css-extract-plugin/-/mini-css-extract-plugin-2.9.1.tgz",
-      "integrity": "sha512-+Vyi+GCCOHnrJ2VPS+6aPoXN2k2jgUzDRhTFLjjTBn23qyXJXkjUWQgTL+mXpF5/A8ixLdCc6kWsoeOjKGejKQ==",
+      "version": "2.9.2",
+      "resolved": "https://registry.npmjs.org/mini-css-extract-plugin/-/mini-css-extract-plugin-2.9.2.tgz",
+      "integrity": "sha512-GJuACcS//jtq4kCtd5ii/M0SZf7OZRH+BxdqXZHaJfb8TJiVl+NgQRPwiYt2EuqeSkNydn/7vP+bcE27C5mb9w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
diff --git a/src/Admin/package.json b/src/Admin/package.json
index ba0bc954d8..2a8e91f43e 100644
--- a/src/Admin/package.json
+++ b/src/Admin/package.json
@@ -16,7 +16,7 @@
   "devDependencies": {
     "css-loader": "7.1.2",
     "expose-loader": "5.0.0",
-    "mini-css-extract-plugin": "2.9.1",
+    "mini-css-extract-plugin": "2.9.2",
     "sass": "1.79.5",
     "sass-loader": "16.0.4",
     "webpack": "5.97.1",

From 6d9c8d0a474dedcd525d57549832c494fc95a8ac Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 12 Dec 2024 20:04:18 -0800
Subject: [PATCH 062/384] [deps] Auth: Lock file maintenance (#4952)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 bitwarden_license/src/Sso/package-lock.json | 246 +++++++++++---------
 src/Admin/package-lock.json                 | 246 +++++++++++---------
 2 files changed, 270 insertions(+), 222 deletions(-)

diff --git a/bitwarden_license/src/Sso/package-lock.json b/bitwarden_license/src/Sso/package-lock.json
index c23e3b67da..67fc4d71f1 100644
--- a/bitwarden_license/src/Sso/package-lock.json
+++ b/bitwarden_license/src/Sso/package-lock.json
@@ -34,9 +34,9 @@
       }
     },
     "node_modules/@jridgewell/gen-mapping": {
-      "version": "0.3.5",
-      "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.5.tgz",
-      "integrity": "sha512-IzL8ZoEDIBRWEzlCcRhOaCupYyN5gdIK+Q6fbFdPDg6HqX6jpkItn7DFIpW9LQzXG6Df9sA7+OKnq0qlz/GaQg==",
+      "version": "0.3.8",
+      "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.8.tgz",
+      "integrity": "sha512-imAbBGkb+ebQyxKgzv5Hu2nmROxoDOXHh80evxdoXNOrvAnVx7zimzc1Oo5h9RlfV4vPXaE2iM5pOFbvOCClWA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -98,10 +98,11 @@
       }
     },
     "node_modules/@parcel/watcher": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher/-/watcher-2.4.1.tgz",
-      "integrity": "sha512-HNjmfLQEVRZmHRET336f20H/8kOozUGwk7yajvsonjNxbj2wBTK1WsQuHkD5yYh9RxFGL2EyDHryOihOwUoKDA==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher/-/watcher-2.5.0.tgz",
+      "integrity": "sha512-i0GV1yJnm2n3Yq1qw6QrUrd/LI9bE8WEBOTtOkpCXHHdyN3TAGgqAK/DAT05z4fq2x04cARXt2pDmjWjL92iTQ==",
       "dev": true,
+      "hasInstallScript": true,
       "license": "MIT",
       "dependencies": {
         "detect-libc": "^1.0.3",
@@ -117,24 +118,25 @@
         "url": "https://opencollective.com/parcel"
       },
       "optionalDependencies": {
-        "@parcel/watcher-android-arm64": "2.4.1",
-        "@parcel/watcher-darwin-arm64": "2.4.1",
-        "@parcel/watcher-darwin-x64": "2.4.1",
-        "@parcel/watcher-freebsd-x64": "2.4.1",
-        "@parcel/watcher-linux-arm-glibc": "2.4.1",
-        "@parcel/watcher-linux-arm64-glibc": "2.4.1",
-        "@parcel/watcher-linux-arm64-musl": "2.4.1",
-        "@parcel/watcher-linux-x64-glibc": "2.4.1",
-        "@parcel/watcher-linux-x64-musl": "2.4.1",
-        "@parcel/watcher-win32-arm64": "2.4.1",
-        "@parcel/watcher-win32-ia32": "2.4.1",
-        "@parcel/watcher-win32-x64": "2.4.1"
+        "@parcel/watcher-android-arm64": "2.5.0",
+        "@parcel/watcher-darwin-arm64": "2.5.0",
+        "@parcel/watcher-darwin-x64": "2.5.0",
+        "@parcel/watcher-freebsd-x64": "2.5.0",
+        "@parcel/watcher-linux-arm-glibc": "2.5.0",
+        "@parcel/watcher-linux-arm-musl": "2.5.0",
+        "@parcel/watcher-linux-arm64-glibc": "2.5.0",
+        "@parcel/watcher-linux-arm64-musl": "2.5.0",
+        "@parcel/watcher-linux-x64-glibc": "2.5.0",
+        "@parcel/watcher-linux-x64-musl": "2.5.0",
+        "@parcel/watcher-win32-arm64": "2.5.0",
+        "@parcel/watcher-win32-ia32": "2.5.0",
+        "@parcel/watcher-win32-x64": "2.5.0"
       }
     },
     "node_modules/@parcel/watcher-android-arm64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-android-arm64/-/watcher-android-arm64-2.4.1.tgz",
-      "integrity": "sha512-LOi/WTbbh3aTn2RYddrO8pnapixAziFl6SMxHM69r3tvdSm94JtCenaKgk1GRg5FJ5wpMCpHeW+7yqPlvZv7kg==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-android-arm64/-/watcher-android-arm64-2.5.0.tgz",
+      "integrity": "sha512-qlX4eS28bUcQCdribHkg/herLe+0A9RyYC+mm2PXpncit8z5b3nSqGVzMNR3CmtAOgRutiZ02eIJJgP/b1iEFQ==",
       "cpu": [
         "arm64"
       ],
@@ -153,9 +155,9 @@
       }
     },
     "node_modules/@parcel/watcher-darwin-arm64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-arm64/-/watcher-darwin-arm64-2.4.1.tgz",
-      "integrity": "sha512-ln41eihm5YXIY043vBrrHfn94SIBlqOWmoROhsMVTSXGh0QahKGy77tfEywQ7v3NywyxBBkGIfrWRHm0hsKtzA==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-arm64/-/watcher-darwin-arm64-2.5.0.tgz",
+      "integrity": "sha512-hyZ3TANnzGfLpRA2s/4U1kbw2ZI4qGxaRJbBH2DCSREFfubMswheh8TeiC1sGZ3z2jUf3s37P0BBlrD3sjVTUw==",
       "cpu": [
         "arm64"
       ],
@@ -174,9 +176,9 @@
       }
     },
     "node_modules/@parcel/watcher-darwin-x64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-x64/-/watcher-darwin-x64-2.4.1.tgz",
-      "integrity": "sha512-yrw81BRLjjtHyDu7J61oPuSoeYWR3lDElcPGJyOvIXmor6DEo7/G2u1o7I38cwlcoBHQFULqF6nesIX3tsEXMg==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-x64/-/watcher-darwin-x64-2.5.0.tgz",
+      "integrity": "sha512-9rhlwd78saKf18fT869/poydQK8YqlU26TMiNg7AIu7eBp9adqbJZqmdFOsbZ5cnLp5XvRo9wcFmNHgHdWaGYA==",
       "cpu": [
         "x64"
       ],
@@ -195,9 +197,9 @@
       }
     },
     "node_modules/@parcel/watcher-freebsd-x64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-freebsd-x64/-/watcher-freebsd-x64-2.4.1.tgz",
-      "integrity": "sha512-TJa3Pex/gX3CWIx/Co8k+ykNdDCLx+TuZj3f3h7eOjgpdKM+Mnix37RYsYU4LHhiYJz3DK5nFCCra81p6g050w==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-freebsd-x64/-/watcher-freebsd-x64-2.5.0.tgz",
+      "integrity": "sha512-syvfhZzyM8kErg3VF0xpV8dixJ+RzbUaaGaeb7uDuz0D3FK97/mZ5AJQ3XNnDsXX7KkFNtyQyFrXZzQIcN49Tw==",
       "cpu": [
         "x64"
       ],
@@ -216,9 +218,30 @@
       }
     },
     "node_modules/@parcel/watcher-linux-arm-glibc": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm-glibc/-/watcher-linux-arm-glibc-2.4.1.tgz",
-      "integrity": "sha512-4rVYDlsMEYfa537BRXxJ5UF4ddNwnr2/1O4MHM5PjI9cvV2qymvhwZSFgXqbS8YoTk5i/JR0L0JDs69BUn45YA==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm-glibc/-/watcher-linux-arm-glibc-2.5.0.tgz",
+      "integrity": "sha512-0VQY1K35DQET3dVYWpOaPFecqOT9dbuCfzjxoQyif1Wc574t3kOSkKevULddcR9znz1TcklCE7Ht6NIxjvTqLA==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/@parcel/watcher-linux-arm-musl": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm-musl/-/watcher-linux-arm-musl-2.5.0.tgz",
+      "integrity": "sha512-6uHywSIzz8+vi2lAzFeltnYbdHsDm3iIB57d4g5oaB9vKwjb6N6dRIgZMujw4nm5r6v9/BQH0noq6DzHrqr2pA==",
       "cpu": [
         "arm"
       ],
@@ -237,9 +260,9 @@
       }
     },
     "node_modules/@parcel/watcher-linux-arm64-glibc": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-glibc/-/watcher-linux-arm64-glibc-2.4.1.tgz",
-      "integrity": "sha512-BJ7mH985OADVLpbrzCLgrJ3TOpiZggE9FMblfO65PlOCdG++xJpKUJ0Aol74ZUIYfb8WsRlUdgrZxKkz3zXWYA==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-glibc/-/watcher-linux-arm64-glibc-2.5.0.tgz",
+      "integrity": "sha512-BfNjXwZKxBy4WibDb/LDCriWSKLz+jJRL3cM/DllnHH5QUyoiUNEp3GmL80ZqxeumoADfCCP19+qiYiC8gUBjA==",
       "cpu": [
         "arm64"
       ],
@@ -258,9 +281,9 @@
       }
     },
     "node_modules/@parcel/watcher-linux-arm64-musl": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-musl/-/watcher-linux-arm64-musl-2.4.1.tgz",
-      "integrity": "sha512-p4Xb7JGq3MLgAfYhslU2SjoV9G0kI0Xry0kuxeG/41UfpjHGOhv7UoUDAz/jb1u2elbhazy4rRBL8PegPJFBhA==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-musl/-/watcher-linux-arm64-musl-2.5.0.tgz",
+      "integrity": "sha512-S1qARKOphxfiBEkwLUbHjCY9BWPdWnW9j7f7Hb2jPplu8UZ3nes7zpPOW9bkLbHRvWM0WDTsjdOTUgW0xLBN1Q==",
       "cpu": [
         "arm64"
       ],
@@ -279,9 +302,9 @@
       }
     },
     "node_modules/@parcel/watcher-linux-x64-glibc": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-x64-glibc/-/watcher-linux-x64-glibc-2.4.1.tgz",
-      "integrity": "sha512-s9O3fByZ/2pyYDPoLM6zt92yu6P4E39a03zvO0qCHOTjxmt3GHRMLuRZEWhWLASTMSrrnVNWdVI/+pUElJBBBg==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-x64-glibc/-/watcher-linux-x64-glibc-2.5.0.tgz",
+      "integrity": "sha512-d9AOkusyXARkFD66S6zlGXyzx5RvY+chTP9Jp0ypSTC9d4lzyRs9ovGf/80VCxjKddcUvnsGwCHWuF2EoPgWjw==",
       "cpu": [
         "x64"
       ],
@@ -300,9 +323,9 @@
       }
     },
     "node_modules/@parcel/watcher-linux-x64-musl": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-x64-musl/-/watcher-linux-x64-musl-2.4.1.tgz",
-      "integrity": "sha512-L2nZTYR1myLNST0O632g0Dx9LyMNHrn6TOt76sYxWLdff3cB22/GZX2UPtJnaqQPdCRoszoY5rcOj4oMTtp5fQ==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-x64-musl/-/watcher-linux-x64-musl-2.5.0.tgz",
+      "integrity": "sha512-iqOC+GoTDoFyk/VYSFHwjHhYrk8bljW6zOhPuhi5t9ulqiYq1togGJB5e3PwYVFFfeVgc6pbz3JdQyDoBszVaA==",
       "cpu": [
         "x64"
       ],
@@ -321,9 +344,9 @@
       }
     },
     "node_modules/@parcel/watcher-win32-arm64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-arm64/-/watcher-win32-arm64-2.4.1.tgz",
-      "integrity": "sha512-Uq2BPp5GWhrq/lcuItCHoqxjULU1QYEcyjSO5jqqOK8RNFDBQnenMMx4gAl3v8GiWa59E9+uDM7yZ6LxwUIfRg==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-arm64/-/watcher-win32-arm64-2.5.0.tgz",
+      "integrity": "sha512-twtft1d+JRNkM5YbmexfcH/N4znDtjgysFaV9zvZmmJezQsKpkfLYJ+JFV3uygugK6AtIM2oADPkB2AdhBrNig==",
       "cpu": [
         "arm64"
       ],
@@ -342,9 +365,9 @@
       }
     },
     "node_modules/@parcel/watcher-win32-ia32": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-ia32/-/watcher-win32-ia32-2.4.1.tgz",
-      "integrity": "sha512-maNRit5QQV2kgHFSYwftmPBxiuK5u4DXjbXx7q6eKjq5dsLXZ4FJiVvlcw35QXzk0KrUecJmuVFbj4uV9oYrcw==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-ia32/-/watcher-win32-ia32-2.5.0.tgz",
+      "integrity": "sha512-+rgpsNRKwo8A53elqbbHXdOMtY/tAtTzManTWShB5Kk54N8Q9mzNWV7tV+IbGueCbcj826MfWGU3mprWtuf1TA==",
       "cpu": [
         "ia32"
       ],
@@ -363,9 +386,9 @@
       }
     },
     "node_modules/@parcel/watcher-win32-x64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-x64/-/watcher-win32-x64-2.4.1.tgz",
-      "integrity": "sha512-+DvS92F9ezicfswqrvIRM2njcYJbd5mb9CUgtrHCHmvn7pPPa+nMDRu1o1bYYz/l5IB2NVGNJWiH7h1E58IF2A==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-x64/-/watcher-win32-x64-2.5.0.tgz",
+      "integrity": "sha512-lPrxve92zEHdgeff3aiu4gDOIt4u7sJYha6wbdEZDCDUhtjTsOMiaJzG5lMY4GkWH8p0fMmO2Ppq5G5XXG+DQw==",
       "cpu": [
         "x64"
       ],
@@ -431,13 +454,13 @@
       "license": "MIT"
     },
     "node_modules/@types/node": {
-      "version": "22.7.5",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-22.7.5.tgz",
-      "integrity": "sha512-jML7s2NAzMWc//QSJ1a3prpk78cOPchGvXJsC3C6R6PSMoooztvRVQEz89gmBTBY1SPMaqo5teB4uNHPdetShQ==",
+      "version": "22.10.2",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-22.10.2.tgz",
+      "integrity": "sha512-Xxr6BBRCAOQixvonOye19wnzyDiUtTeqldOOmj3CkeblonbccA12PFwlufvRdrpjXxqnmUaeiU5EOA+7s5diUQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "undici-types": "~6.19.2"
+        "undici-types": "~6.20.0"
       }
     },
     "node_modules/@webassemblyjs/ast": {
@@ -737,6 +760,7 @@
           "url": "https://opencollective.com/bootstrap"
         }
       ],
+      "license": "MIT",
       "peerDependencies": {
         "@popperjs/core": "^2.11.8"
       }
@@ -755,9 +779,9 @@
       }
     },
     "node_modules/browserslist": {
-      "version": "4.24.0",
-      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.24.0.tgz",
-      "integrity": "sha512-Rmb62sR1Zpjql25eSanFGEhAxcFwfA1K0GuQcLoaJBAcENegrQut3hYdhXFF1obQfiDyqIW/cLM5HSJ/9k884A==",
+      "version": "4.24.2",
+      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.24.2.tgz",
+      "integrity": "sha512-ZIc+Q62revdMcqC6aChtW4jz3My3klmCO1fEmINZY/8J3EpBg5/A/D0AKmBveUh6pgoeycoMkVMko84tuYS+Gg==",
       "dev": true,
       "funding": [
         {
@@ -775,10 +799,10 @@
       ],
       "license": "MIT",
       "dependencies": {
-        "caniuse-lite": "^1.0.30001663",
-        "electron-to-chromium": "^1.5.28",
+        "caniuse-lite": "^1.0.30001669",
+        "electron-to-chromium": "^1.5.41",
         "node-releases": "^2.0.18",
-        "update-browserslist-db": "^1.1.0"
+        "update-browserslist-db": "^1.1.1"
       },
       "bin": {
         "browserslist": "cli.js"
@@ -795,9 +819,9 @@
       "license": "MIT"
     },
     "node_modules/caniuse-lite": {
-      "version": "1.0.30001668",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001668.tgz",
-      "integrity": "sha512-nWLrdxqCdblixUO+27JtGJJE/txpJlyUy5YN1u53wLZkP0emYCo5zgS6QYft7VUYR42LGgi/S5hdLZTrnyIddw==",
+      "version": "1.0.30001688",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001688.tgz",
+      "integrity": "sha512-Nmqpru91cuABu/DTCXbM2NSRHzM2uVHfPnhJ/1zEAJx/ILBRVmz3pzH4N7DZqbdG0gWClsCC05Oj0mJ/1AWMbA==",
       "dev": true,
       "funding": [
         {
@@ -871,9 +895,9 @@
       "license": "MIT"
     },
     "node_modules/cross-spawn": {
-      "version": "7.0.3",
-      "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz",
-      "integrity": "sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==",
+      "version": "7.0.6",
+      "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz",
+      "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -948,9 +972,9 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.36",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.36.tgz",
-      "integrity": "sha512-HYTX8tKge/VNp6FGO+f/uVDmUkq+cEfcxYhKf15Akc4M5yxt5YmorwlAitKWjWhWQnKcDRBAQKXkhqqXMqcrjw==",
+      "version": "1.5.73",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.73.tgz",
+      "integrity": "sha512-8wGNxG9tAG5KhGd3eeA0o6ixhiNdgr0DcHWm85XPCphwZgD1lIEoi6t3VERayWao7SF7AAZTw6oARGJeVjH8Kg==",
       "dev": true,
       "license": "ISC"
     },
@@ -1087,11 +1111,11 @@
       "license": "MIT"
     },
     "node_modules/fast-uri": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.0.2.tgz",
-      "integrity": "sha512-GR6f0hD7XXyNJa25Tb9BuIdN0tdr+0BMi6/CJPH3wJO1JjNG3n/VsSw38AwRdKZABm8lGbPfakLRkYzx2V9row==",
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.0.3.tgz",
+      "integrity": "sha512-aLrHthzCjH5He4Z2H9YZ+v6Ujb9ocRuW6ZzkJQOrTxleEijANq4v1TsaPaVG1PZcuurEzrLcWRyYBYXD5cEiaw==",
       "dev": true,
-      "license": "MIT"
+      "license": "BSD-3-Clause"
     },
     "node_modules/fastest-levenshtein": {
       "version": "1.0.16",
@@ -1459,9 +1483,9 @@
       }
     },
     "node_modules/nanoid": {
-      "version": "3.3.7",
-      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.7.tgz",
-      "integrity": "sha512-eSRppjcPIatRIMC1U6UngP8XFcz8MQWGQdt1MTBQ7NaAmvXDfvNxbvWV3x2y6CdEUciCSsDHDQZbhYaB8QEo2g==",
+      "version": "3.3.8",
+      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.8.tgz",
+      "integrity": "sha512-WNLf5Sd8oZxOm+TzppcYk8gVOgP+l58xNy58D0nbUnOxOWRWvlcCV4kUF7ltmI6PsrLl/BgKEyS4mqsGChFN0w==",
       "dev": true,
       "funding": [
         {
@@ -1492,9 +1516,9 @@
       "license": "MIT"
     },
     "node_modules/node-releases": {
-      "version": "2.0.18",
-      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.18.tgz",
-      "integrity": "sha512-d9VeXT4SJ7ZeOqGX6R5EM022wpL+eWPooLI+5UpWn2jCT1aosUQEhQP214x33Wkwx3JQMvIm+tIoVOdodFS40g==",
+      "version": "2.0.19",
+      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.19.tgz",
+      "integrity": "sha512-xxOWJsBKtzAq7DY0J+DTzuz58K8e7sJbdgwkbMWQe8UYB6ekmsQ45q0M/tJDsGaZmbC+l7n57UV8Hl5tHxO9uw==",
       "dev": true,
       "license": "MIT"
     },
@@ -1565,9 +1589,9 @@
       "license": "MIT"
     },
     "node_modules/picocolors": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.0.tgz",
-      "integrity": "sha512-TQ92mBOW0l3LeMeyLV6mzy/kWr8lkd/hp3mTg7wYK7zJhuBStmGMBG0BdeDZS/dZx1IukaX6Bk11zcln25o1Aw==",
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
+      "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==",
       "dev": true,
       "license": "ISC"
     },
@@ -1598,9 +1622,9 @@
       }
     },
     "node_modules/postcss": {
-      "version": "8.4.47",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.47.tgz",
-      "integrity": "sha512-56rxCq7G/XfB4EkXq9Egn5GCqugWvDFjafDOThIdMBsI15iqPqR5r15TfSr1YPYeEI19YeaXMCbY6u88Y76GLQ==",
+      "version": "8.4.49",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.49.tgz",
+      "integrity": "sha512-OCVPnIObs4N29kxTjzLfUryOkvZEq+pf8jTF0lg8E7uETuWHA+v7j3c/xJmiqpX450191LlmZfUKkXxkTry7nA==",
       "dev": true,
       "funding": [
         {
@@ -1619,7 +1643,7 @@
       "license": "MIT",
       "dependencies": {
         "nanoid": "^3.3.7",
-        "picocolors": "^1.1.0",
+        "picocolors": "^1.1.1",
         "source-map-js": "^1.2.1"
       },
       "engines": {
@@ -1640,14 +1664,14 @@
       }
     },
     "node_modules/postcss-modules-local-by-default": {
-      "version": "4.0.5",
-      "resolved": "https://registry.npmjs.org/postcss-modules-local-by-default/-/postcss-modules-local-by-default-4.0.5.tgz",
-      "integrity": "sha512-6MieY7sIfTK0hYfafw1OMEG+2bg8Q1ocHCpoWLqOKj3JXlKu4G7btkmM/B7lFubYkYWmRSPLZi5chid63ZaZYw==",
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/postcss-modules-local-by-default/-/postcss-modules-local-by-default-4.2.0.tgz",
+      "integrity": "sha512-5kcJm/zk+GJDSfw+V/42fJ5fhjL5YbFDl8nVdXkJPLLW+Vf9mTD5Xe0wqIaDnLuL2U6cDNpTr+UQ+v2HWIBhzw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "icss-utils": "^5.0.0",
-        "postcss-selector-parser": "^6.0.2",
+        "postcss-selector-parser": "^7.0.0",
         "postcss-value-parser": "^4.1.0"
       },
       "engines": {
@@ -1658,13 +1682,13 @@
       }
     },
     "node_modules/postcss-modules-scope": {
-      "version": "3.2.0",
-      "resolved": "https://registry.npmjs.org/postcss-modules-scope/-/postcss-modules-scope-3.2.0.tgz",
-      "integrity": "sha512-oq+g1ssrsZOsx9M96c5w8laRmvEu9C3adDSjI8oTcbfkrTE8hx/zfyobUoWIxaKPO8bt6S62kxpw5GqypEw1QQ==",
+      "version": "3.2.1",
+      "resolved": "https://registry.npmjs.org/postcss-modules-scope/-/postcss-modules-scope-3.2.1.tgz",
+      "integrity": "sha512-m9jZstCVaqGjTAuny8MdgE88scJnCiQSlSrOWcTQgM2t32UBe+MUmFSO5t7VMSfAf/FJKImAxBav8ooCHJXCJA==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
-        "postcss-selector-parser": "^6.0.4"
+        "postcss-selector-parser": "^7.0.0"
       },
       "engines": {
         "node": "^10 || ^12 || >= 14"
@@ -1690,9 +1714,9 @@
       }
     },
     "node_modules/postcss-selector-parser": {
-      "version": "6.1.2",
-      "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-6.1.2.tgz",
-      "integrity": "sha512-Q8qQfPiZ+THO/3ZrOrO0cJJKfpYCagtMUkXbnEfmgUjwXg6z/WBeOyS9APBBPCTSiDV+s4SwQGu8yFsiMRIudg==",
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-7.0.0.tgz",
+      "integrity": "sha512-9RbEr1Y7FFfptd/1eEdntyjMwLeghW1bHX9GWjXo19vx4ytPQhANltvVxDggzJl7mnWM+dX28kb6cyS/4iQjlQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1890,9 +1914,9 @@
       }
     },
     "node_modules/schema-utils": {
-      "version": "4.2.0",
-      "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-4.2.0.tgz",
-      "integrity": "sha512-L0jRsrPpjdckP3oPug3/VxNKt2trR8TcabrM6FOAAlvC/9Phcmm+cuAgTlxBqdBR1WJx7Naj9WHw+aOmheSVbw==",
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-4.3.0.tgz",
+      "integrity": "sha512-Gf9qqc58SpCA/xdziiHz35F4GNIWYWZrEshUc/G/r5BnLph6xpKuLeoJoQuj5WfBIx/eQLf+hmVPYHaxJu7V2g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1902,7 +1926,7 @@
         "ajv-keywords": "^5.1.0"
       },
       "engines": {
-        "node": ">= 12.13.0"
+        "node": ">= 10.13.0"
       },
       "funding": {
         "type": "opencollective",
@@ -2039,9 +2063,9 @@
       }
     },
     "node_modules/terser": {
-      "version": "5.34.1",
-      "resolved": "https://registry.npmjs.org/terser/-/terser-5.34.1.tgz",
-      "integrity": "sha512-FsJZ7iZLd/BXkz+4xrRTGJ26o/6VTjQytUk8b8OxkwcD2I+79VPJlz7qss1+zE7h8GNIScFqXcDyJ/KqBYZFVA==",
+      "version": "5.37.0",
+      "resolved": "https://registry.npmjs.org/terser/-/terser-5.37.0.tgz",
+      "integrity": "sha512-B8wRRkmre4ERucLM/uXx4MOV5cbnOlVAqUst+1+iLKPI0dOgFO28f84ptoQt9HEI537PMzfYa/d+GEPKTRXmYA==",
       "dev": true,
       "license": "BSD-2-Clause",
       "dependencies": {
@@ -2159,9 +2183,9 @@
       }
     },
     "node_modules/undici-types": {
-      "version": "6.19.8",
-      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.19.8.tgz",
-      "integrity": "sha512-ve2KP6f/JnbPBFyobGHuerC9g1FYGn/F8n1LWTwNxCEzd6IfqTwUQcNXgEtmmQ6DlRrC1hrSrBnCZPokRrDHjw==",
+      "version": "6.20.0",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.20.0.tgz",
+      "integrity": "sha512-Ny6QZ2Nju20vw1SRHe3d9jVu6gJ+4e3+MMpqu7pqE5HT6WsTSlce++GQmK5UXS8mzV8DSYHrQH+Xrf2jVcuKNg==",
       "dev": true,
       "license": "MIT"
     },
diff --git a/src/Admin/package-lock.json b/src/Admin/package-lock.json
index 203e574717..e792106499 100644
--- a/src/Admin/package-lock.json
+++ b/src/Admin/package-lock.json
@@ -35,9 +35,9 @@
       }
     },
     "node_modules/@jridgewell/gen-mapping": {
-      "version": "0.3.5",
-      "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.5.tgz",
-      "integrity": "sha512-IzL8ZoEDIBRWEzlCcRhOaCupYyN5gdIK+Q6fbFdPDg6HqX6jpkItn7DFIpW9LQzXG6Df9sA7+OKnq0qlz/GaQg==",
+      "version": "0.3.8",
+      "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.8.tgz",
+      "integrity": "sha512-imAbBGkb+ebQyxKgzv5Hu2nmROxoDOXHh80evxdoXNOrvAnVx7zimzc1Oo5h9RlfV4vPXaE2iM5pOFbvOCClWA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -99,10 +99,11 @@
       }
     },
     "node_modules/@parcel/watcher": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher/-/watcher-2.4.1.tgz",
-      "integrity": "sha512-HNjmfLQEVRZmHRET336f20H/8kOozUGwk7yajvsonjNxbj2wBTK1WsQuHkD5yYh9RxFGL2EyDHryOihOwUoKDA==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher/-/watcher-2.5.0.tgz",
+      "integrity": "sha512-i0GV1yJnm2n3Yq1qw6QrUrd/LI9bE8WEBOTtOkpCXHHdyN3TAGgqAK/DAT05z4fq2x04cARXt2pDmjWjL92iTQ==",
       "dev": true,
+      "hasInstallScript": true,
       "license": "MIT",
       "dependencies": {
         "detect-libc": "^1.0.3",
@@ -118,24 +119,25 @@
         "url": "https://opencollective.com/parcel"
       },
       "optionalDependencies": {
-        "@parcel/watcher-android-arm64": "2.4.1",
-        "@parcel/watcher-darwin-arm64": "2.4.1",
-        "@parcel/watcher-darwin-x64": "2.4.1",
-        "@parcel/watcher-freebsd-x64": "2.4.1",
-        "@parcel/watcher-linux-arm-glibc": "2.4.1",
-        "@parcel/watcher-linux-arm64-glibc": "2.4.1",
-        "@parcel/watcher-linux-arm64-musl": "2.4.1",
-        "@parcel/watcher-linux-x64-glibc": "2.4.1",
-        "@parcel/watcher-linux-x64-musl": "2.4.1",
-        "@parcel/watcher-win32-arm64": "2.4.1",
-        "@parcel/watcher-win32-ia32": "2.4.1",
-        "@parcel/watcher-win32-x64": "2.4.1"
+        "@parcel/watcher-android-arm64": "2.5.0",
+        "@parcel/watcher-darwin-arm64": "2.5.0",
+        "@parcel/watcher-darwin-x64": "2.5.0",
+        "@parcel/watcher-freebsd-x64": "2.5.0",
+        "@parcel/watcher-linux-arm-glibc": "2.5.0",
+        "@parcel/watcher-linux-arm-musl": "2.5.0",
+        "@parcel/watcher-linux-arm64-glibc": "2.5.0",
+        "@parcel/watcher-linux-arm64-musl": "2.5.0",
+        "@parcel/watcher-linux-x64-glibc": "2.5.0",
+        "@parcel/watcher-linux-x64-musl": "2.5.0",
+        "@parcel/watcher-win32-arm64": "2.5.0",
+        "@parcel/watcher-win32-ia32": "2.5.0",
+        "@parcel/watcher-win32-x64": "2.5.0"
       }
     },
     "node_modules/@parcel/watcher-android-arm64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-android-arm64/-/watcher-android-arm64-2.4.1.tgz",
-      "integrity": "sha512-LOi/WTbbh3aTn2RYddrO8pnapixAziFl6SMxHM69r3tvdSm94JtCenaKgk1GRg5FJ5wpMCpHeW+7yqPlvZv7kg==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-android-arm64/-/watcher-android-arm64-2.5.0.tgz",
+      "integrity": "sha512-qlX4eS28bUcQCdribHkg/herLe+0A9RyYC+mm2PXpncit8z5b3nSqGVzMNR3CmtAOgRutiZ02eIJJgP/b1iEFQ==",
       "cpu": [
         "arm64"
       ],
@@ -154,9 +156,9 @@
       }
     },
     "node_modules/@parcel/watcher-darwin-arm64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-arm64/-/watcher-darwin-arm64-2.4.1.tgz",
-      "integrity": "sha512-ln41eihm5YXIY043vBrrHfn94SIBlqOWmoROhsMVTSXGh0QahKGy77tfEywQ7v3NywyxBBkGIfrWRHm0hsKtzA==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-arm64/-/watcher-darwin-arm64-2.5.0.tgz",
+      "integrity": "sha512-hyZ3TANnzGfLpRA2s/4U1kbw2ZI4qGxaRJbBH2DCSREFfubMswheh8TeiC1sGZ3z2jUf3s37P0BBlrD3sjVTUw==",
       "cpu": [
         "arm64"
       ],
@@ -175,9 +177,9 @@
       }
     },
     "node_modules/@parcel/watcher-darwin-x64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-x64/-/watcher-darwin-x64-2.4.1.tgz",
-      "integrity": "sha512-yrw81BRLjjtHyDu7J61oPuSoeYWR3lDElcPGJyOvIXmor6DEo7/G2u1o7I38cwlcoBHQFULqF6nesIX3tsEXMg==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-x64/-/watcher-darwin-x64-2.5.0.tgz",
+      "integrity": "sha512-9rhlwd78saKf18fT869/poydQK8YqlU26TMiNg7AIu7eBp9adqbJZqmdFOsbZ5cnLp5XvRo9wcFmNHgHdWaGYA==",
       "cpu": [
         "x64"
       ],
@@ -196,9 +198,9 @@
       }
     },
     "node_modules/@parcel/watcher-freebsd-x64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-freebsd-x64/-/watcher-freebsd-x64-2.4.1.tgz",
-      "integrity": "sha512-TJa3Pex/gX3CWIx/Co8k+ykNdDCLx+TuZj3f3h7eOjgpdKM+Mnix37RYsYU4LHhiYJz3DK5nFCCra81p6g050w==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-freebsd-x64/-/watcher-freebsd-x64-2.5.0.tgz",
+      "integrity": "sha512-syvfhZzyM8kErg3VF0xpV8dixJ+RzbUaaGaeb7uDuz0D3FK97/mZ5AJQ3XNnDsXX7KkFNtyQyFrXZzQIcN49Tw==",
       "cpu": [
         "x64"
       ],
@@ -217,9 +219,30 @@
       }
     },
     "node_modules/@parcel/watcher-linux-arm-glibc": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm-glibc/-/watcher-linux-arm-glibc-2.4.1.tgz",
-      "integrity": "sha512-4rVYDlsMEYfa537BRXxJ5UF4ddNwnr2/1O4MHM5PjI9cvV2qymvhwZSFgXqbS8YoTk5i/JR0L0JDs69BUn45YA==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm-glibc/-/watcher-linux-arm-glibc-2.5.0.tgz",
+      "integrity": "sha512-0VQY1K35DQET3dVYWpOaPFecqOT9dbuCfzjxoQyif1Wc574t3kOSkKevULddcR9znz1TcklCE7Ht6NIxjvTqLA==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/@parcel/watcher-linux-arm-musl": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm-musl/-/watcher-linux-arm-musl-2.5.0.tgz",
+      "integrity": "sha512-6uHywSIzz8+vi2lAzFeltnYbdHsDm3iIB57d4g5oaB9vKwjb6N6dRIgZMujw4nm5r6v9/BQH0noq6DzHrqr2pA==",
       "cpu": [
         "arm"
       ],
@@ -238,9 +261,9 @@
       }
     },
     "node_modules/@parcel/watcher-linux-arm64-glibc": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-glibc/-/watcher-linux-arm64-glibc-2.4.1.tgz",
-      "integrity": "sha512-BJ7mH985OADVLpbrzCLgrJ3TOpiZggE9FMblfO65PlOCdG++xJpKUJ0Aol74ZUIYfb8WsRlUdgrZxKkz3zXWYA==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-glibc/-/watcher-linux-arm64-glibc-2.5.0.tgz",
+      "integrity": "sha512-BfNjXwZKxBy4WibDb/LDCriWSKLz+jJRL3cM/DllnHH5QUyoiUNEp3GmL80ZqxeumoADfCCP19+qiYiC8gUBjA==",
       "cpu": [
         "arm64"
       ],
@@ -259,9 +282,9 @@
       }
     },
     "node_modules/@parcel/watcher-linux-arm64-musl": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-musl/-/watcher-linux-arm64-musl-2.4.1.tgz",
-      "integrity": "sha512-p4Xb7JGq3MLgAfYhslU2SjoV9G0kI0Xry0kuxeG/41UfpjHGOhv7UoUDAz/jb1u2elbhazy4rRBL8PegPJFBhA==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-musl/-/watcher-linux-arm64-musl-2.5.0.tgz",
+      "integrity": "sha512-S1qARKOphxfiBEkwLUbHjCY9BWPdWnW9j7f7Hb2jPplu8UZ3nes7zpPOW9bkLbHRvWM0WDTsjdOTUgW0xLBN1Q==",
       "cpu": [
         "arm64"
       ],
@@ -280,9 +303,9 @@
       }
     },
     "node_modules/@parcel/watcher-linux-x64-glibc": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-x64-glibc/-/watcher-linux-x64-glibc-2.4.1.tgz",
-      "integrity": "sha512-s9O3fByZ/2pyYDPoLM6zt92yu6P4E39a03zvO0qCHOTjxmt3GHRMLuRZEWhWLASTMSrrnVNWdVI/+pUElJBBBg==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-x64-glibc/-/watcher-linux-x64-glibc-2.5.0.tgz",
+      "integrity": "sha512-d9AOkusyXARkFD66S6zlGXyzx5RvY+chTP9Jp0ypSTC9d4lzyRs9ovGf/80VCxjKddcUvnsGwCHWuF2EoPgWjw==",
       "cpu": [
         "x64"
       ],
@@ -301,9 +324,9 @@
       }
     },
     "node_modules/@parcel/watcher-linux-x64-musl": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-x64-musl/-/watcher-linux-x64-musl-2.4.1.tgz",
-      "integrity": "sha512-L2nZTYR1myLNST0O632g0Dx9LyMNHrn6TOt76sYxWLdff3cB22/GZX2UPtJnaqQPdCRoszoY5rcOj4oMTtp5fQ==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-x64-musl/-/watcher-linux-x64-musl-2.5.0.tgz",
+      "integrity": "sha512-iqOC+GoTDoFyk/VYSFHwjHhYrk8bljW6zOhPuhi5t9ulqiYq1togGJB5e3PwYVFFfeVgc6pbz3JdQyDoBszVaA==",
       "cpu": [
         "x64"
       ],
@@ -322,9 +345,9 @@
       }
     },
     "node_modules/@parcel/watcher-win32-arm64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-arm64/-/watcher-win32-arm64-2.4.1.tgz",
-      "integrity": "sha512-Uq2BPp5GWhrq/lcuItCHoqxjULU1QYEcyjSO5jqqOK8RNFDBQnenMMx4gAl3v8GiWa59E9+uDM7yZ6LxwUIfRg==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-arm64/-/watcher-win32-arm64-2.5.0.tgz",
+      "integrity": "sha512-twtft1d+JRNkM5YbmexfcH/N4znDtjgysFaV9zvZmmJezQsKpkfLYJ+JFV3uygugK6AtIM2oADPkB2AdhBrNig==",
       "cpu": [
         "arm64"
       ],
@@ -343,9 +366,9 @@
       }
     },
     "node_modules/@parcel/watcher-win32-ia32": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-ia32/-/watcher-win32-ia32-2.4.1.tgz",
-      "integrity": "sha512-maNRit5QQV2kgHFSYwftmPBxiuK5u4DXjbXx7q6eKjq5dsLXZ4FJiVvlcw35QXzk0KrUecJmuVFbj4uV9oYrcw==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-ia32/-/watcher-win32-ia32-2.5.0.tgz",
+      "integrity": "sha512-+rgpsNRKwo8A53elqbbHXdOMtY/tAtTzManTWShB5Kk54N8Q9mzNWV7tV+IbGueCbcj826MfWGU3mprWtuf1TA==",
       "cpu": [
         "ia32"
       ],
@@ -364,9 +387,9 @@
       }
     },
     "node_modules/@parcel/watcher-win32-x64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-x64/-/watcher-win32-x64-2.4.1.tgz",
-      "integrity": "sha512-+DvS92F9ezicfswqrvIRM2njcYJbd5mb9CUgtrHCHmvn7pPPa+nMDRu1o1bYYz/l5IB2NVGNJWiH7h1E58IF2A==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-x64/-/watcher-win32-x64-2.5.0.tgz",
+      "integrity": "sha512-lPrxve92zEHdgeff3aiu4gDOIt4u7sJYha6wbdEZDCDUhtjTsOMiaJzG5lMY4GkWH8p0fMmO2Ppq5G5XXG+DQw==",
       "cpu": [
         "x64"
       ],
@@ -432,13 +455,13 @@
       "license": "MIT"
     },
     "node_modules/@types/node": {
-      "version": "22.7.5",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-22.7.5.tgz",
-      "integrity": "sha512-jML7s2NAzMWc//QSJ1a3prpk78cOPchGvXJsC3C6R6PSMoooztvRVQEz89gmBTBY1SPMaqo5teB4uNHPdetShQ==",
+      "version": "22.10.2",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-22.10.2.tgz",
+      "integrity": "sha512-Xxr6BBRCAOQixvonOye19wnzyDiUtTeqldOOmj3CkeblonbccA12PFwlufvRdrpjXxqnmUaeiU5EOA+7s5diUQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "undici-types": "~6.19.2"
+        "undici-types": "~6.20.0"
       }
     },
     "node_modules/@webassemblyjs/ast": {
@@ -738,6 +761,7 @@
           "url": "https://opencollective.com/bootstrap"
         }
       ],
+      "license": "MIT",
       "peerDependencies": {
         "@popperjs/core": "^2.11.8"
       }
@@ -756,9 +780,9 @@
       }
     },
     "node_modules/browserslist": {
-      "version": "4.24.0",
-      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.24.0.tgz",
-      "integrity": "sha512-Rmb62sR1Zpjql25eSanFGEhAxcFwfA1K0GuQcLoaJBAcENegrQut3hYdhXFF1obQfiDyqIW/cLM5HSJ/9k884A==",
+      "version": "4.24.2",
+      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.24.2.tgz",
+      "integrity": "sha512-ZIc+Q62revdMcqC6aChtW4jz3My3klmCO1fEmINZY/8J3EpBg5/A/D0AKmBveUh6pgoeycoMkVMko84tuYS+Gg==",
       "dev": true,
       "funding": [
         {
@@ -776,10 +800,10 @@
       ],
       "license": "MIT",
       "dependencies": {
-        "caniuse-lite": "^1.0.30001663",
-        "electron-to-chromium": "^1.5.28",
+        "caniuse-lite": "^1.0.30001669",
+        "electron-to-chromium": "^1.5.41",
         "node-releases": "^2.0.18",
-        "update-browserslist-db": "^1.1.0"
+        "update-browserslist-db": "^1.1.1"
       },
       "bin": {
         "browserslist": "cli.js"
@@ -796,9 +820,9 @@
       "license": "MIT"
     },
     "node_modules/caniuse-lite": {
-      "version": "1.0.30001668",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001668.tgz",
-      "integrity": "sha512-nWLrdxqCdblixUO+27JtGJJE/txpJlyUy5YN1u53wLZkP0emYCo5zgS6QYft7VUYR42LGgi/S5hdLZTrnyIddw==",
+      "version": "1.0.30001688",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001688.tgz",
+      "integrity": "sha512-Nmqpru91cuABu/DTCXbM2NSRHzM2uVHfPnhJ/1zEAJx/ILBRVmz3pzH4N7DZqbdG0gWClsCC05Oj0mJ/1AWMbA==",
       "dev": true,
       "funding": [
         {
@@ -872,9 +896,9 @@
       "license": "MIT"
     },
     "node_modules/cross-spawn": {
-      "version": "7.0.3",
-      "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz",
-      "integrity": "sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==",
+      "version": "7.0.6",
+      "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz",
+      "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -949,9 +973,9 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.36",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.36.tgz",
-      "integrity": "sha512-HYTX8tKge/VNp6FGO+f/uVDmUkq+cEfcxYhKf15Akc4M5yxt5YmorwlAitKWjWhWQnKcDRBAQKXkhqqXMqcrjw==",
+      "version": "1.5.73",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.73.tgz",
+      "integrity": "sha512-8wGNxG9tAG5KhGd3eeA0o6ixhiNdgr0DcHWm85XPCphwZgD1lIEoi6t3VERayWao7SF7AAZTw6oARGJeVjH8Kg==",
       "dev": true,
       "license": "ISC"
     },
@@ -1088,11 +1112,11 @@
       "license": "MIT"
     },
     "node_modules/fast-uri": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.0.2.tgz",
-      "integrity": "sha512-GR6f0hD7XXyNJa25Tb9BuIdN0tdr+0BMi6/CJPH3wJO1JjNG3n/VsSw38AwRdKZABm8lGbPfakLRkYzx2V9row==",
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.0.3.tgz",
+      "integrity": "sha512-aLrHthzCjH5He4Z2H9YZ+v6Ujb9ocRuW6ZzkJQOrTxleEijANq4v1TsaPaVG1PZcuurEzrLcWRyYBYXD5cEiaw==",
       "dev": true,
-      "license": "MIT"
+      "license": "BSD-3-Clause"
     },
     "node_modules/fastest-levenshtein": {
       "version": "1.0.16",
@@ -1460,9 +1484,9 @@
       }
     },
     "node_modules/nanoid": {
-      "version": "3.3.7",
-      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.7.tgz",
-      "integrity": "sha512-eSRppjcPIatRIMC1U6UngP8XFcz8MQWGQdt1MTBQ7NaAmvXDfvNxbvWV3x2y6CdEUciCSsDHDQZbhYaB8QEo2g==",
+      "version": "3.3.8",
+      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.8.tgz",
+      "integrity": "sha512-WNLf5Sd8oZxOm+TzppcYk8gVOgP+l58xNy58D0nbUnOxOWRWvlcCV4kUF7ltmI6PsrLl/BgKEyS4mqsGChFN0w==",
       "dev": true,
       "funding": [
         {
@@ -1493,9 +1517,9 @@
       "license": "MIT"
     },
     "node_modules/node-releases": {
-      "version": "2.0.18",
-      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.18.tgz",
-      "integrity": "sha512-d9VeXT4SJ7ZeOqGX6R5EM022wpL+eWPooLI+5UpWn2jCT1aosUQEhQP214x33Wkwx3JQMvIm+tIoVOdodFS40g==",
+      "version": "2.0.19",
+      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.19.tgz",
+      "integrity": "sha512-xxOWJsBKtzAq7DY0J+DTzuz58K8e7sJbdgwkbMWQe8UYB6ekmsQ45q0M/tJDsGaZmbC+l7n57UV8Hl5tHxO9uw==",
       "dev": true,
       "license": "MIT"
     },
@@ -1566,9 +1590,9 @@
       "license": "MIT"
     },
     "node_modules/picocolors": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.0.tgz",
-      "integrity": "sha512-TQ92mBOW0l3LeMeyLV6mzy/kWr8lkd/hp3mTg7wYK7zJhuBStmGMBG0BdeDZS/dZx1IukaX6Bk11zcln25o1Aw==",
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
+      "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==",
       "dev": true,
       "license": "ISC"
     },
@@ -1599,9 +1623,9 @@
       }
     },
     "node_modules/postcss": {
-      "version": "8.4.47",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.47.tgz",
-      "integrity": "sha512-56rxCq7G/XfB4EkXq9Egn5GCqugWvDFjafDOThIdMBsI15iqPqR5r15TfSr1YPYeEI19YeaXMCbY6u88Y76GLQ==",
+      "version": "8.4.49",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.49.tgz",
+      "integrity": "sha512-OCVPnIObs4N29kxTjzLfUryOkvZEq+pf8jTF0lg8E7uETuWHA+v7j3c/xJmiqpX450191LlmZfUKkXxkTry7nA==",
       "dev": true,
       "funding": [
         {
@@ -1620,7 +1644,7 @@
       "license": "MIT",
       "dependencies": {
         "nanoid": "^3.3.7",
-        "picocolors": "^1.1.0",
+        "picocolors": "^1.1.1",
         "source-map-js": "^1.2.1"
       },
       "engines": {
@@ -1641,14 +1665,14 @@
       }
     },
     "node_modules/postcss-modules-local-by-default": {
-      "version": "4.0.5",
-      "resolved": "https://registry.npmjs.org/postcss-modules-local-by-default/-/postcss-modules-local-by-default-4.0.5.tgz",
-      "integrity": "sha512-6MieY7sIfTK0hYfafw1OMEG+2bg8Q1ocHCpoWLqOKj3JXlKu4G7btkmM/B7lFubYkYWmRSPLZi5chid63ZaZYw==",
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/postcss-modules-local-by-default/-/postcss-modules-local-by-default-4.2.0.tgz",
+      "integrity": "sha512-5kcJm/zk+GJDSfw+V/42fJ5fhjL5YbFDl8nVdXkJPLLW+Vf9mTD5Xe0wqIaDnLuL2U6cDNpTr+UQ+v2HWIBhzw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "icss-utils": "^5.0.0",
-        "postcss-selector-parser": "^6.0.2",
+        "postcss-selector-parser": "^7.0.0",
         "postcss-value-parser": "^4.1.0"
       },
       "engines": {
@@ -1659,13 +1683,13 @@
       }
     },
     "node_modules/postcss-modules-scope": {
-      "version": "3.2.0",
-      "resolved": "https://registry.npmjs.org/postcss-modules-scope/-/postcss-modules-scope-3.2.0.tgz",
-      "integrity": "sha512-oq+g1ssrsZOsx9M96c5w8laRmvEu9C3adDSjI8oTcbfkrTE8hx/zfyobUoWIxaKPO8bt6S62kxpw5GqypEw1QQ==",
+      "version": "3.2.1",
+      "resolved": "https://registry.npmjs.org/postcss-modules-scope/-/postcss-modules-scope-3.2.1.tgz",
+      "integrity": "sha512-m9jZstCVaqGjTAuny8MdgE88scJnCiQSlSrOWcTQgM2t32UBe+MUmFSO5t7VMSfAf/FJKImAxBav8ooCHJXCJA==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
-        "postcss-selector-parser": "^6.0.4"
+        "postcss-selector-parser": "^7.0.0"
       },
       "engines": {
         "node": "^10 || ^12 || >= 14"
@@ -1691,9 +1715,9 @@
       }
     },
     "node_modules/postcss-selector-parser": {
-      "version": "6.1.2",
-      "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-6.1.2.tgz",
-      "integrity": "sha512-Q8qQfPiZ+THO/3ZrOrO0cJJKfpYCagtMUkXbnEfmgUjwXg6z/WBeOyS9APBBPCTSiDV+s4SwQGu8yFsiMRIudg==",
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-7.0.0.tgz",
+      "integrity": "sha512-9RbEr1Y7FFfptd/1eEdntyjMwLeghW1bHX9GWjXo19vx4ytPQhANltvVxDggzJl7mnWM+dX28kb6cyS/4iQjlQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1891,9 +1915,9 @@
       }
     },
     "node_modules/schema-utils": {
-      "version": "4.2.0",
-      "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-4.2.0.tgz",
-      "integrity": "sha512-L0jRsrPpjdckP3oPug3/VxNKt2trR8TcabrM6FOAAlvC/9Phcmm+cuAgTlxBqdBR1WJx7Naj9WHw+aOmheSVbw==",
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-4.3.0.tgz",
+      "integrity": "sha512-Gf9qqc58SpCA/xdziiHz35F4GNIWYWZrEshUc/G/r5BnLph6xpKuLeoJoQuj5WfBIx/eQLf+hmVPYHaxJu7V2g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1903,7 +1927,7 @@
         "ajv-keywords": "^5.1.0"
       },
       "engines": {
-        "node": ">= 12.13.0"
+        "node": ">= 10.13.0"
       },
       "funding": {
         "type": "opencollective",
@@ -2040,9 +2064,9 @@
       }
     },
     "node_modules/terser": {
-      "version": "5.34.1",
-      "resolved": "https://registry.npmjs.org/terser/-/terser-5.34.1.tgz",
-      "integrity": "sha512-FsJZ7iZLd/BXkz+4xrRTGJ26o/6VTjQytUk8b8OxkwcD2I+79VPJlz7qss1+zE7h8GNIScFqXcDyJ/KqBYZFVA==",
+      "version": "5.37.0",
+      "resolved": "https://registry.npmjs.org/terser/-/terser-5.37.0.tgz",
+      "integrity": "sha512-B8wRRkmre4ERucLM/uXx4MOV5cbnOlVAqUst+1+iLKPI0dOgFO28f84ptoQt9HEI537PMzfYa/d+GEPKTRXmYA==",
       "dev": true,
       "license": "BSD-2-Clause",
       "dependencies": {
@@ -2168,9 +2192,9 @@
       }
     },
     "node_modules/undici-types": {
-      "version": "6.19.8",
-      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.19.8.tgz",
-      "integrity": "sha512-ve2KP6f/JnbPBFyobGHuerC9g1FYGn/F8n1LWTwNxCEzd6IfqTwUQcNXgEtmmQ6DlRrC1hrSrBnCZPokRrDHjw==",
+      "version": "6.20.0",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.20.0.tgz",
+      "integrity": "sha512-Ny6QZ2Nju20vw1SRHe3d9jVu6gJ+4e3+MMpqu7pqE5HT6WsTSlce++GQmK5UXS8mzV8DSYHrQH+Xrf2jVcuKNg==",
       "dev": true,
       "license": "MIT"
     },

From 6da7fdc39e6076ab7b181c4cb19805d5266258b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Fri, 13 Dec 2024 11:32:29 +0000
Subject: [PATCH 063/384] =?UTF-8?q?[PM-15547]=C2=A0Revoke=20managed=20user?=
 =?UTF-8?q?=20on=202FA=20removal=20if=20enforced=20by=20organization=20pol?=
 =?UTF-8?q?icy=20(#5124)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Revoke managed user on 2FA removal if enforced by organization policy

* Rename TwoFactorDisabling to TwoFactorDisabled in EventSystemUser enum
---
 .../AdminConsole/Enums/EventSystemUser.cs     |   1 +
 .../Services/Implementations/UserService.cs   |  28 ++-
 test/Core.Test/Services/UserServiceTests.cs   | 171 +++++++++++++++++-
 3 files changed, 195 insertions(+), 5 deletions(-)

diff --git a/src/Core/AdminConsole/Enums/EventSystemUser.cs b/src/Core/AdminConsole/Enums/EventSystemUser.cs
index c3e13705dd..1eb1e5b4ab 100644
--- a/src/Core/AdminConsole/Enums/EventSystemUser.cs
+++ b/src/Core/AdminConsole/Enums/EventSystemUser.cs
@@ -6,4 +6,5 @@ public enum EventSystemUser : byte
     SCIM = 1,
     DomainVerification = 2,
     PublicApi = 3,
+    TwoFactorDisabled = 4,
 }
diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index fa8cd3cef8..2bc81959b9 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -1,7 +1,9 @@
 using System.Security.Claims;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Enums;
@@ -14,6 +16,7 @@ using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
@@ -67,6 +70,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
     private readonly IFeatureService _featureService;
     private readonly IPremiumUserBillingService _premiumUserBillingService;
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
+    private readonly IRevokeNonCompliantOrganizationUserCommand _revokeNonCompliantOrganizationUserCommand;
 
     public UserService(
         IUserRepository userRepository,
@@ -101,7 +105,8 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         IDataProtectorTokenFactory<OrgUserInviteTokenable> orgUserInviteTokenDataFactory,
         IFeatureService featureService,
         IPremiumUserBillingService premiumUserBillingService,
-        IRemoveOrganizationUserCommand removeOrganizationUserCommand)
+        IRemoveOrganizationUserCommand removeOrganizationUserCommand,
+        IRevokeNonCompliantOrganizationUserCommand revokeNonCompliantOrganizationUserCommand)
         : base(
               store,
               optionsAccessor,
@@ -142,6 +147,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         _featureService = featureService;
         _premiumUserBillingService = premiumUserBillingService;
         _removeOrganizationUserCommand = removeOrganizationUserCommand;
+        _revokeNonCompliantOrganizationUserCommand = revokeNonCompliantOrganizationUserCommand;
     }
 
     public Guid? GetProperUserId(ClaimsPrincipal principal)
@@ -1355,13 +1361,27 @@ public class UserService : UserManager<User>, IUserService, IDisposable
     private async Task CheckPoliciesOnTwoFactorRemovalAsync(User user)
     {
         var twoFactorPolicies = await _policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.TwoFactorAuthentication);
+        var organizationsManagingUser = await GetOrganizationsManagingUserAsync(user.Id);
 
         var removeOrgUserTasks = twoFactorPolicies.Select(async p =>
         {
-            await _removeOrganizationUserCommand.RemoveUserAsync(p.OrganizationId, user.Id);
             var organization = await _organizationRepository.GetByIdAsync(p.OrganizationId);
-            await _mailService.SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(
-                organization.DisplayName(), user.Email);
+            if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning) && organizationsManagingUser.Any(o => o.Id == p.OrganizationId))
+            {
+                await _revokeNonCompliantOrganizationUserCommand.RevokeNonCompliantOrganizationUsersAsync(
+                    new RevokeOrganizationUsersRequest(
+                        p.OrganizationId,
+                        [new OrganizationUserUserDetails { UserId = user.Id, OrganizationId = p.OrganizationId }],
+                        new SystemUser(EventSystemUser.TwoFactorDisabled)));
+                await _mailService.SendOrganizationUserRevokedForTwoFactoryPolicyEmailAsync(organization.DisplayName(), user.Email);
+            }
+            else
+            {
+                await _removeOrganizationUserCommand.RemoveUserAsync(p.OrganizationId, user.Id);
+                await _mailService.SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(
+                    organization.DisplayName(), user.Email);
+            }
+
         }).ToArray();
 
         await Task.WhenAll(removeOrgUserTasks);
diff --git a/test/Core.Test/Services/UserServiceTests.cs b/test/Core.Test/Services/UserServiceTests.cs
index 71cceb86ad..de2a518717 100644
--- a/test/Core.Test/Services/UserServiceTests.cs
+++ b/test/Core.Test/Services/UserServiceTests.cs
@@ -1,7 +1,9 @@
 using System.Security.Claims;
 using System.Text.Json;
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Enums;
@@ -10,13 +12,16 @@ using Bit.Core.Auth.Models.Business.Tokenables;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Entities;
+using Bit.Core.Enums;
 using Bit.Core.Models.Business;
 using Bit.Core.Models.Data.Organizations;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Tools.Services;
+using Bit.Core.Utilities;
 using Bit.Core.Vault.Repositories;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -268,7 +273,8 @@ public class UserServiceTests
             new FakeDataProtectorTokenFactory<OrgUserInviteTokenable>(),
             sutProvider.GetDependency<IFeatureService>(),
             sutProvider.GetDependency<IPremiumUserBillingService>(),
-            sutProvider.GetDependency<IRemoveOrganizationUserCommand>()
+            sutProvider.GetDependency<IRemoveOrganizationUserCommand>(),
+            sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
             );
 
         var actualIsVerified = await sut.VerifySecretAsync(user, secret);
@@ -353,6 +359,169 @@ public class UserServiceTests
         Assert.False(result);
     }
 
+    [Theory, BitAutoData]
+    public async Task DisableTwoFactorProviderAsync_WhenOrganizationHas2FAPolicyEnabled_DisablingAllProviders_RemovesUserFromOrganizationAndSendsEmail(
+        SutProvider<UserService> sutProvider, User user, Organization organization)
+    {
+        // Arrange
+        user.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
+        {
+            [TwoFactorProviderType.Email] = new() { Enabled = true }
+        });
+        sutProvider.GetDependency<IPolicyService>()
+            .GetPoliciesApplicableToUserAsync(user.Id, PolicyType.TwoFactorAuthentication)
+            .Returns(
+            [
+                new OrganizationUserPolicyDetails
+                {
+                    OrganizationId = organization.Id,
+                    PolicyType = PolicyType.TwoFactorAuthentication,
+                    PolicyEnabled = true
+                }
+            ]);
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+        var expectedSavedProviders = JsonHelpers.LegacySerialize(new Dictionary<TwoFactorProviderType, TwoFactorProvider>(), JsonHelpers.LegacyEnumKeyResolver);
+
+        // Act
+        await sutProvider.Sut.DisableTwoFactorProviderAsync(user, TwoFactorProviderType.Email);
+
+        // Assert
+        await sutProvider.GetDependency<IUserRepository>()
+            .Received(1)
+            .ReplaceAsync(Arg.Is<User>(u => u.Id == user.Id && u.TwoFactorProviders == expectedSavedProviders));
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogUserEventAsync(user.Id, EventType.User_Disabled2fa);
+        await sutProvider.GetDependency<IRemoveOrganizationUserCommand>()
+            .Received(1)
+            .RemoveUserAsync(organization.Id, user.Id);
+        await sutProvider.GetDependency<IMailService>()
+            .Received(1)
+            .SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(organization.DisplayName(), user.Email);
+    }
+
+    [Theory, BitAutoData]
+    public async Task DisableTwoFactorProviderAsync_WhenOrganizationHas2FAPolicyEnabled_UserHasOneProviderEnabled_DoesNotRemoveUserFromOrganization(
+        SutProvider<UserService> sutProvider, User user, Organization organization)
+    {
+        // Arrange
+        user.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
+        {
+            [TwoFactorProviderType.Email] = new() { Enabled = true },
+            [TwoFactorProviderType.Remember] = new() { Enabled = true }
+        });
+        sutProvider.GetDependency<IPolicyService>()
+            .GetPoliciesApplicableToUserAsync(user.Id, PolicyType.TwoFactorAuthentication)
+            .Returns(
+            [
+                new OrganizationUserPolicyDetails
+                {
+                    OrganizationId = organization.Id,
+                    PolicyType = PolicyType.TwoFactorAuthentication,
+                    PolicyEnabled = true
+                }
+            ]);
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+        var expectedSavedProviders = JsonHelpers.LegacySerialize(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
+        {
+            [TwoFactorProviderType.Remember] = new() { Enabled = true }
+        }, JsonHelpers.LegacyEnumKeyResolver);
+
+        // Act
+        await sutProvider.Sut.DisableTwoFactorProviderAsync(user, TwoFactorProviderType.Email);
+
+        // Assert
+        await sutProvider.GetDependency<IUserRepository>()
+            .Received(1)
+            .ReplaceAsync(Arg.Is<User>(u => u.Id == user.Id && u.TwoFactorProviders == expectedSavedProviders));
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogUserEventAsync(user.Id, EventType.User_Disabled2fa);
+        await sutProvider.GetDependency<IRemoveOrganizationUserCommand>()
+            .DidNotReceiveWithAnyArgs()
+            .RemoveUserAsync(default, default);
+        await sutProvider.GetDependency<IMailService>()
+            .DidNotReceiveWithAnyArgs()
+            .SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(default, default);
+    }
+
+    [Theory, BitAutoData]
+    public async Task DisableTwoFactorProviderAsync_WithAccountDeprovisioningEnabled_WhenOrganizationHas2FAPolicyEnabled_WhenUserIsManaged_DisablingAllProviders_RemovesOrRevokesUserAndSendsEmail(
+        SutProvider<UserService> sutProvider, User user, Organization organization1, Organization organization2)
+    {
+        // Arrange
+        user.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
+        {
+            [TwoFactorProviderType.Email] = new() { Enabled = true }
+        });
+        organization1.Enabled = organization2.Enabled = true;
+        organization1.UseSso = organization2.UseSso = true;
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
+            .Returns(true);
+        sutProvider.GetDependency<IPolicyService>()
+            .GetPoliciesApplicableToUserAsync(user.Id, PolicyType.TwoFactorAuthentication)
+            .Returns(
+            [
+                new OrganizationUserPolicyDetails
+                {
+                    OrganizationId = organization1.Id,
+                    PolicyType = PolicyType.TwoFactorAuthentication,
+                    PolicyEnabled = true
+                },
+                new OrganizationUserPolicyDetails
+                {
+                    OrganizationId = organization2.Id,
+                    PolicyType = PolicyType.TwoFactorAuthentication,
+                    PolicyEnabled = true
+                }
+            ]);
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization1.Id)
+            .Returns(organization1);
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization2.Id)
+            .Returns(organization2);
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByVerifiedUserEmailDomainAsync(user.Id)
+            .Returns(new[] { organization1 });
+        var expectedSavedProviders = JsonHelpers.LegacySerialize(new Dictionary<TwoFactorProviderType, TwoFactorProvider>(), JsonHelpers.LegacyEnumKeyResolver);
+
+        // Act
+        await sutProvider.Sut.DisableTwoFactorProviderAsync(user, TwoFactorProviderType.Email);
+
+        // Assert
+        await sutProvider.GetDependency<IUserRepository>()
+            .Received(1)
+            .ReplaceAsync(Arg.Is<User>(u => u.Id == user.Id && u.TwoFactorProviders == expectedSavedProviders));
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogUserEventAsync(user.Id, EventType.User_Disabled2fa);
+
+        // Revoke the user from the first organization because they are managed by it
+        await sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
+            .Received(1)
+            .RevokeNonCompliantOrganizationUsersAsync(
+                Arg.Is<RevokeOrganizationUsersRequest>(r => r.OrganizationId == organization1.Id &&
+                    r.OrganizationUsers.First().UserId == user.Id &&
+                    r.OrganizationUsers.First().OrganizationId == organization1.Id));
+        await sutProvider.GetDependency<IMailService>()
+            .Received(1)
+            .SendOrganizationUserRevokedForTwoFactoryPolicyEmailAsync(organization1.DisplayName(), user.Email);
+
+        // Remove the user from the second organization because they are not managed by it
+        await sutProvider.GetDependency<IRemoveOrganizationUserCommand>()
+            .Received(1)
+            .RemoveUserAsync(organization2.Id, user.Id);
+        await sutProvider.GetDependency<IMailService>()
+            .Received(1)
+            .SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(organization2.DisplayName(), user.Email);
+    }
+
     private static void SetupUserAndDevice(User user,
         bool shouldHavePassword)
     {

From a28e517eebe28da5f7d89183bbc8af3cc8e00428 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 12:42:25 +0100
Subject: [PATCH 064/384] [deps] Billing: Update swashbuckle-aspnetcore
 monorepo to v7 (#5069)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: cyprain-okeke <108260115+cyprain-okeke@users.noreply.github.com>
---
 .config/dotnet-tools.json      | 2 +-
 src/Api/Api.csproj             | 2 +-
 src/SharedWeb/SharedWeb.csproj | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.config/dotnet-tools.json b/.config/dotnet-tools.json
index d56bb2796f..f42f226153 100644
--- a/.config/dotnet-tools.json
+++ b/.config/dotnet-tools.json
@@ -3,7 +3,7 @@
   "isRoot": true,
   "tools": {
     "swashbuckle.aspnetcore.cli": {
-      "version": "6.9.0",
+      "version": "7.2.0",
       "commands": ["swagger"]
     },
     "dotnet-ef": {
diff --git a/src/Api/Api.csproj b/src/Api/Api.csproj
index 4a018b2198..c490e90150 100644
--- a/src/Api/Api.csproj
+++ b/src/Api/Api.csproj
@@ -34,7 +34,7 @@
     <PackageReference Include="AspNetCore.HealthChecks.SqlServer" Version="8.0.2" />
     <PackageReference Include="AspNetCore.HealthChecks.Uris" Version="8.0.1" />
     <PackageReference Include="Azure.Messaging.EventGrid" Version="4.25.0" />
-    <PackageReference Include="Swashbuckle.AspNetCore" Version="6.9.0" />
+    <PackageReference Include="Swashbuckle.AspNetCore" Version="7.2.0" />
   </ItemGroup>
 
 </Project>
diff --git a/src/SharedWeb/SharedWeb.csproj b/src/SharedWeb/SharedWeb.csproj
index 8d1097eeec..6df65b2310 100644
--- a/src/SharedWeb/SharedWeb.csproj
+++ b/src/SharedWeb/SharedWeb.csproj
@@ -7,7 +7,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Swashbuckle.AspNetCore.SwaggerGen" Version="6.9.0" />
+    <PackageReference Include="Swashbuckle.AspNetCore.SwaggerGen" Version="7.2.0" />
   </ItemGroup>
 
 </Project>

From 11bdb93d1e1822bb518b224a141eb38c882ab048 Mon Sep 17 00:00:00 2001
From: Matt Bishop <mbishop@bitwarden.com>
Date: Fri, 13 Dec 2024 09:41:17 -0500
Subject: [PATCH 065/384] Sign main branch container builds with cosign (#5148)

* Sign main branch container builds with cosign

* Properly label
---
 .github/workflows/build.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0fa03312b8..85c24b88c1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -131,6 +131,7 @@ jobs:
     runs-on: ubuntu-22.04
     permissions:
       security-events: write
+      id-token: write
     needs:
       - build-artifacts
     strategy:
@@ -276,6 +277,7 @@ jobs:
             -d ${{ matrix.base_path }}/${{ matrix.project_name }}/obj/build-output/publish
 
       - name: Build Docker image
+        id: build-docker
         uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
         with:
           context: ${{ matrix.base_path }}/${{ matrix.project_name }}
@@ -286,6 +288,22 @@ jobs:
           secrets: |
             "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
 
+      - name: Install Cosign
+        if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+
+      - name: Sign images with Cosign
+        if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
+        env:
+          DIGEST: ${{ steps.build-docker.outputs.digest }}
+          TAGS: ${{ steps.image-tags.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
+
       - name: Scan Docker image
         id: container-scan
         uses: anchore/scan-action@5ed195cc06065322983cae4bb31e2a751feb86fd # v5.2.0

From c0a9c55891dd3192568cbda4d05885f9e2f21b81 Mon Sep 17 00:00:00 2001
From: Matt Bishop <mbishop@bitwarden.com>
Date: Fri, 13 Dec 2024 10:26:45 -0500
Subject: [PATCH 066/384] Fix image path formation for Cosign (#5151)

---
 .github/workflows/build.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 85c24b88c1..420b9b6375 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -292,14 +292,15 @@ jobs:
         if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
         uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 
-      - name: Sign images with Cosign
+      - name: Sign image with Cosign
         if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
         env:
           DIGEST: ${{ steps.build-docker.outputs.digest }}
           TAGS: ${{ steps.image-tags.outputs.tags }}
         run: |
+          IFS="," read -a tags <<< "${TAGS}"
           images=""
-          for tag in ${TAGS}; do
+          for tag in "${tags[@]}"; do
             images+="${tag}@${DIGEST} "
           done
           cosign sign --yes ${images}

From 141a046a287a31c0d397f77981dfb9a8e77f6754 Mon Sep 17 00:00:00 2001
From: SmithThe4th <gsmith@bitwarden.com>
Date: Fri, 13 Dec 2024 14:50:20 -0500
Subject: [PATCH 067/384] [PM-14377] Add PATCH complete endpoint (#5100)

* Added CQRS pattern

* Added the GetManyByUserIdAsync signature to the repositiory

* Added sql sproc

Created user defined type to hold status

Created migration file

* Added ef core query

* Added absract and concrete implementation for GetManyByUserIdStatusAsync

* Added integration tests

* Updated params to status

* Implemented new query to utilize repository method

* Added controller for the security task endpoint

* Fixed lint issues

* Added documentation

* simplified to require single status

modified script to check for users with edit rights

* Updated ef core query

* Added new assertions

* simplified to require single status

* fixed formatting

* Fixed sql script

* Removed default null

* Added OperationAuthorizationRequirement for secruity task

* Added and registered MarkTaskAsCompletedCommand

* Added unit tests for the command

* Added complete endpoint

* removed false value
---
 .../Controllers/SecurityTaskController.cs     | 19 ++++-
 .../Authorization/SecurityTaskOperations.cs   | 16 ++++
 .../Interfaces/IMarkTaskAsCompleteCommand.cs  | 11 +++
 .../Commands/MarkTaskAsCompletedCommand.cs    | 50 +++++++++++
 .../Vault/VaultServiceCollectionExtensions.cs |  5 +-
 .../Vault/AutoFixture/SecurityTaskFixtures.cs | 25 ++++++
 .../MarkTaskAsCompletedCommandTest.cs         | 83 +++++++++++++++++++
 7 files changed, 207 insertions(+), 2 deletions(-)
 create mode 100644 src/Core/Vault/Authorization/SecurityTaskOperations.cs
 create mode 100644 src/Core/Vault/Commands/Interfaces/IMarkTaskAsCompleteCommand.cs
 create mode 100644 src/Core/Vault/Commands/MarkTaskAsCompletedCommand.cs
 create mode 100644 test/Core.Test/Vault/AutoFixture/SecurityTaskFixtures.cs
 create mode 100644 test/Core.Test/Vault/Commands/MarkTaskAsCompletedCommandTest.cs

diff --git a/src/Api/Vault/Controllers/SecurityTaskController.cs b/src/Api/Vault/Controllers/SecurityTaskController.cs
index 7b0bfa0bfb..a0b18cb847 100644
--- a/src/Api/Vault/Controllers/SecurityTaskController.cs
+++ b/src/Api/Vault/Controllers/SecurityTaskController.cs
@@ -3,6 +3,7 @@ using Bit.Api.Vault.Models.Response;
 using Bit.Core;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
+using Bit.Core.Vault.Commands.Interfaces;
 using Bit.Core.Vault.Enums;
 using Bit.Core.Vault.Queries;
 using Microsoft.AspNetCore.Authorization;
@@ -17,11 +18,16 @@ public class SecurityTaskController : Controller
 {
     private readonly IUserService _userService;
     private readonly IGetTaskDetailsForUserQuery _getTaskDetailsForUserQuery;
+    private readonly IMarkTaskAsCompleteCommand _markTaskAsCompleteCommand;
 
-    public SecurityTaskController(IUserService userService, IGetTaskDetailsForUserQuery getTaskDetailsForUserQuery)
+    public SecurityTaskController(
+        IUserService userService,
+        IGetTaskDetailsForUserQuery getTaskDetailsForUserQuery,
+        IMarkTaskAsCompleteCommand markTaskAsCompleteCommand)
     {
         _userService = userService;
         _getTaskDetailsForUserQuery = getTaskDetailsForUserQuery;
+        _markTaskAsCompleteCommand = markTaskAsCompleteCommand;
     }
 
     /// <summary>
@@ -37,4 +43,15 @@ public class SecurityTaskController : Controller
         var response = securityTasks.Select(x => new SecurityTasksResponseModel(x)).ToList();
         return new ListResponseModel<SecurityTasksResponseModel>(response);
     }
+
+    /// <summary>
+    /// Marks a task as complete. The user must have edit permission on the cipher associated with the task.
+    /// </summary>
+    /// <param name="taskId">The unique identifier of the task to complete</param>
+    [HttpPatch("{taskId:guid}/complete")]
+    public async Task<IActionResult> Complete(Guid taskId)
+    {
+        await _markTaskAsCompleteCommand.CompleteAsync(taskId);
+        return NoContent();
+    }
 }
diff --git a/src/Core/Vault/Authorization/SecurityTaskOperations.cs b/src/Core/Vault/Authorization/SecurityTaskOperations.cs
new file mode 100644
index 0000000000..77b504723f
--- /dev/null
+++ b/src/Core/Vault/Authorization/SecurityTaskOperations.cs
@@ -0,0 +1,16 @@
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace Bit.Core.Vault.Authorization;
+
+public class SecurityTaskOperationRequirement : OperationAuthorizationRequirement
+{
+    public SecurityTaskOperationRequirement(string name)
+    {
+        Name = name;
+    }
+}
+
+public static class SecurityTaskOperations
+{
+    public static readonly SecurityTaskOperationRequirement Update = new(nameof(Update));
+}
diff --git a/src/Core/Vault/Commands/Interfaces/IMarkTaskAsCompleteCommand.cs b/src/Core/Vault/Commands/Interfaces/IMarkTaskAsCompleteCommand.cs
new file mode 100644
index 0000000000..1b745b8d07
--- /dev/null
+++ b/src/Core/Vault/Commands/Interfaces/IMarkTaskAsCompleteCommand.cs
@@ -0,0 +1,11 @@
+namespace Bit.Core.Vault.Commands.Interfaces;
+
+public interface IMarkTaskAsCompleteCommand
+{
+    /// <summary>
+    /// Marks a task as complete.
+    /// </summary>
+    /// <param name="taskId">The unique identifier of the task to complete</param>
+    /// <returns>A task representing the async operation</returns>
+    Task CompleteAsync(Guid taskId);
+}
diff --git a/src/Core/Vault/Commands/MarkTaskAsCompletedCommand.cs b/src/Core/Vault/Commands/MarkTaskAsCompletedCommand.cs
new file mode 100644
index 0000000000..b46fb0cecb
--- /dev/null
+++ b/src/Core/Vault/Commands/MarkTaskAsCompletedCommand.cs
@@ -0,0 +1,50 @@
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Utilities;
+using Bit.Core.Vault.Authorization;
+using Bit.Core.Vault.Commands.Interfaces;
+using Bit.Core.Vault.Enums;
+using Bit.Core.Vault.Repositories;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.Vault.Commands;
+
+public class MarkTaskAsCompletedCommand : IMarkTaskAsCompleteCommand
+{
+    private readonly ISecurityTaskRepository _securityTaskRepository;
+    private readonly IAuthorizationService _authorizationService;
+    private readonly ICurrentContext _currentContext;
+
+    public MarkTaskAsCompletedCommand(
+        ISecurityTaskRepository securityTaskRepository,
+        IAuthorizationService authorizationService,
+        ICurrentContext currentContext)
+    {
+        _securityTaskRepository = securityTaskRepository;
+        _authorizationService = authorizationService;
+        _currentContext = currentContext;
+    }
+
+    /// <inheritdoc />
+    public async Task CompleteAsync(Guid taskId)
+    {
+        if (!_currentContext.UserId.HasValue)
+        {
+            throw new NotFoundException();
+        }
+
+        var task = await _securityTaskRepository.GetByIdAsync(taskId);
+        if (task is null)
+        {
+            throw new NotFoundException();
+        }
+
+        await _authorizationService.AuthorizeOrThrowAsync(_currentContext.HttpContext.User, task,
+            SecurityTaskOperations.Update);
+
+        task.Status = SecurityTaskStatus.Completed;
+        task.RevisionDate = DateTime.UtcNow;
+
+        await _securityTaskRepository.ReplaceAsync(task);
+    }
+}
diff --git a/src/Core/Vault/VaultServiceCollectionExtensions.cs b/src/Core/Vault/VaultServiceCollectionExtensions.cs
index d3c9dd9648..15cb01f1a0 100644
--- a/src/Core/Vault/VaultServiceCollectionExtensions.cs
+++ b/src/Core/Vault/VaultServiceCollectionExtensions.cs
@@ -1,4 +1,6 @@
-using Bit.Core.Vault.Queries;
+using Bit.Core.Vault.Commands;
+using Bit.Core.Vault.Commands.Interfaces;
+using Bit.Core.Vault.Queries;
 using Microsoft.Extensions.DependencyInjection;
 
 namespace Bit.Core.Vault;
@@ -16,5 +18,6 @@ public static class VaultServiceCollectionExtensions
     {
         services.AddScoped<IOrganizationCiphersQuery, OrganizationCiphersQuery>();
         services.AddScoped<IGetTaskDetailsForUserQuery, GetTaskDetailsForUserQuery>();
+        services.AddScoped<IMarkTaskAsCompleteCommand, MarkTaskAsCompletedCommand>();
     }
 }
diff --git a/test/Core.Test/Vault/AutoFixture/SecurityTaskFixtures.cs b/test/Core.Test/Vault/AutoFixture/SecurityTaskFixtures.cs
new file mode 100644
index 0000000000..eb0a29421a
--- /dev/null
+++ b/test/Core.Test/Vault/AutoFixture/SecurityTaskFixtures.cs
@@ -0,0 +1,25 @@
+using AutoFixture;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Enums;
+using Bit.Test.Common.AutoFixture.Attributes;
+
+namespace Bit.Core.Test.Vault.AutoFixture;
+
+public class SecurityTaskFixtures : ICustomization
+{
+    public void Customize(IFixture fixture)
+    {
+        fixture.Customize<SecurityTask>(composer =>
+            composer
+                .With(task => task.Id, Guid.NewGuid())
+                .With(task => task.OrganizationId, Guid.NewGuid())
+                .With(task => task.Status, SecurityTaskStatus.Pending)
+                .Without(x => x.CipherId)
+        );
+    }
+}
+
+public class SecurityTaskCustomizeAttribute : BitCustomizeAttribute
+{
+    public override ICustomization GetCustomization() => new SecurityTaskFixtures();
+}
diff --git a/test/Core.Test/Vault/Commands/MarkTaskAsCompletedCommandTest.cs b/test/Core.Test/Vault/Commands/MarkTaskAsCompletedCommandTest.cs
new file mode 100644
index 0000000000..82550df48d
--- /dev/null
+++ b/test/Core.Test/Vault/Commands/MarkTaskAsCompletedCommandTest.cs
@@ -0,0 +1,83 @@
+#nullable enable
+using System.Security.Claims;
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Test.Vault.AutoFixture;
+using Bit.Core.Vault.Authorization;
+using Bit.Core.Vault.Commands;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Repositories;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Authorization;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Vault.Commands;
+
+[SutProviderCustomize]
+[SecurityTaskCustomize]
+public class MarkTaskAsCompletedCommandTest
+{
+    private static void Setup(SutProvider<MarkTaskAsCompletedCommand> sutProvider, Guid taskId, SecurityTask? securityTask, Guid? userId, bool authorizedUpdate = false)
+    {
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ISecurityTaskRepository>()
+            .GetByIdAsync(taskId)
+            .Returns(securityTask);
+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), securityTask ?? Arg.Any<SecurityTask>(),
+                Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs =>
+                    reqs.Contains(SecurityTaskOperations.Update)))
+            .Returns(authorizedUpdate ? AuthorizationResult.Success() : AuthorizationResult.Failed());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task CompleteAsync_NotLoggedIn_NotFoundException(
+        SutProvider<MarkTaskAsCompletedCommand> sutProvider,
+        Guid taskId,
+        SecurityTask securityTask)
+    {
+        Setup(sutProvider, taskId, securityTask, null, true);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.CompleteAsync(taskId));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task CompleteAsync_TaskNotFound_NotFoundException(
+        SutProvider<MarkTaskAsCompletedCommand> sutProvider,
+        Guid taskId)
+    {
+        Setup(sutProvider, taskId, null, Guid.NewGuid(), true);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.CompleteAsync(taskId));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task CompleteAsync_AuthorizationFailed_NotFoundException(
+        SutProvider<MarkTaskAsCompletedCommand> sutProvider,
+        Guid taskId,
+        SecurityTask securityTask)
+    {
+        Setup(sutProvider, taskId, securityTask, Guid.NewGuid());
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.CompleteAsync(taskId));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task CompleteAsync_Success(
+        SutProvider<MarkTaskAsCompletedCommand> sutProvider,
+        Guid taskId,
+        SecurityTask securityTask)
+    {
+        Setup(sutProvider, taskId, securityTask, Guid.NewGuid(), true);
+
+        await sutProvider.Sut.CompleteAsync(taskId);
+
+        await sutProvider.GetDependency<ISecurityTaskRepository>().Received(1).ReplaceAsync(securityTask);
+    }
+}

From a8091bf58539737c506162643a2e06463376d917 Mon Sep 17 00:00:00 2001
From: Addison Beck <addison@bitwarden.com>
Date: Fri, 13 Dec 2024 16:04:55 -0500
Subject: [PATCH 068/384] chore(db): add `Installation.LastActivityDate` column
 (#5060)

* chore(mssql): add `Installation.LastActivityDate` column

* chore(ef): add `Installation.LastActivityDate` column
---
 .../Models/Installation.cs                    |    8 +
 .../Stored Procedures/Installation_Create.sql |   11 +-
 .../Stored Procedures/Installation_Update.sql |   10 +-
 src/Sql/dbo/Tables/Installation.sql           |   13 +-
 ..._AddInstallationLastActivityDateColumn.sql |   72 +
 ...allationLastActivityDateColumn.Designer.cs | 2943 ++++++++++++++++
 ...8_AddInstallationLastActivityDateColumn.cs |   27 +
 .../DatabaseContextModelSnapshot.cs           |    3 +
 ...allationLastActivityDateColumn.Designer.cs | 2949 +++++++++++++++++
 ...3_AddInstallationLastActivityDateColumn.cs |   27 +
 .../DatabaseContextModelSnapshot.cs           |    3 +
 ...allationLastActivityDateColumn.Designer.cs | 2932 ++++++++++++++++
 ...2_AddInstallationLastActivityDateColumn.cs |   27 +
 .../DatabaseContextModelSnapshot.cs           |    3 +
 14 files changed, 9014 insertions(+), 14 deletions(-)
 create mode 100644 util/Migrator/DbScripts/2024-12-02_00_AddInstallationLastActivityDateColumn.sql
 create mode 100644 util/MySqlMigrations/Migrations/20241202201938_AddInstallationLastActivityDateColumn.Designer.cs
 create mode 100644 util/MySqlMigrations/Migrations/20241202201938_AddInstallationLastActivityDateColumn.cs
 create mode 100644 util/PostgresMigrations/Migrations/20241202201943_AddInstallationLastActivityDateColumn.Designer.cs
 create mode 100644 util/PostgresMigrations/Migrations/20241202201943_AddInstallationLastActivityDateColumn.cs
 create mode 100644 util/SqliteMigrations/Migrations/20241202201932_AddInstallationLastActivityDateColumn.Designer.cs
 create mode 100644 util/SqliteMigrations/Migrations/20241202201932_AddInstallationLastActivityDateColumn.cs

diff --git a/src/Infrastructure.EntityFramework/Models/Installation.cs b/src/Infrastructure.EntityFramework/Models/Installation.cs
index 35223a33d7..c38680a23c 100644
--- a/src/Infrastructure.EntityFramework/Models/Installation.cs
+++ b/src/Infrastructure.EntityFramework/Models/Installation.cs
@@ -4,12 +4,20 @@ namespace Bit.Infrastructure.EntityFramework.Models;
 
 public class Installation : Core.Entities.Installation
 {
+    // Shadow property - to be introduced by https://bitwarden.atlassian.net/browse/PM-11129
+    // This isn't a value or entity used by self hosted servers, but it's
+    // being added for synchronicity between database provider options.
+    public DateTime? LastActivityDate { get; set; }
 }
 
 public class InstallationMapperProfile : Profile
 {
     public InstallationMapperProfile()
     {
+        CreateMap<Core.Entities.Installation, Installation>()
+            // Shadow property - to be introduced by https://bitwarden.atlassian.net/browse/PM-11129
+            .ForMember(i => i.LastActivityDate, opt => opt.Ignore())
+            .ReverseMap();
         CreateMap<Core.Entities.Installation, Installation>().ReverseMap();
     }
 }
diff --git a/src/Sql/dbo/Stored Procedures/Installation_Create.sql b/src/Sql/dbo/Stored Procedures/Installation_Create.sql
index 8c91a5b81a..40a6ea069f 100644
--- a/src/Sql/dbo/Stored Procedures/Installation_Create.sql	
+++ b/src/Sql/dbo/Stored Procedures/Installation_Create.sql	
@@ -1,9 +1,10 @@
-CREATE PROCEDURE [dbo].[Installation_Create]
+CREATE PROCEDURE [dbo].[Installation_Create]
     @Id UNIQUEIDENTIFIER OUTPUT,
     @Email NVARCHAR(256),
     @Key VARCHAR(150),
     @Enabled BIT,
-    @CreationDate DATETIME2(7)
+    @CreationDate DATETIME2(7),
+    @LastActivityDate DATETIME2(7) = NULL
 AS
 BEGIN
     SET NOCOUNT ON
@@ -14,7 +15,8 @@ BEGIN
         [Email],
         [Key],
         [Enabled],
-        [CreationDate]
+        [CreationDate],
+        [LastActivityDate]
     )
     VALUES
     (
@@ -22,6 +24,7 @@ BEGIN
         @Email,
         @Key,
         @Enabled,
-        @CreationDate
+        @CreationDate,
+        @LastActivityDate
     )
 END
diff --git a/src/Sql/dbo/Stored Procedures/Installation_Update.sql b/src/Sql/dbo/Stored Procedures/Installation_Update.sql
index af2fd8737c..51ef47bfab 100644
--- a/src/Sql/dbo/Stored Procedures/Installation_Update.sql	
+++ b/src/Sql/dbo/Stored Procedures/Installation_Update.sql	
@@ -1,9 +1,10 @@
-CREATE PROCEDURE [dbo].[Installation_Update]
+CREATE PROCEDURE [dbo].[Installation_Update]
     @Id UNIQUEIDENTIFIER,
     @Email NVARCHAR(256),
     @Key VARCHAR(150),
     @Enabled BIT,
-    @CreationDate DATETIME2(7)
+    @CreationDate DATETIME2(7),
+    @LastActivityDate DATETIME2(7) = NULL
 AS
 BEGIN
     SET NOCOUNT ON
@@ -14,7 +15,8 @@ BEGIN
         [Email] = @Email,
         [Key] = @Key,
         [Enabled] = @Enabled,
-        [CreationDate] = @CreationDate
+        [CreationDate] = @CreationDate,
+        [LastActivityDate] = @LastActivityDate
     WHERE
         [Id] = @Id
-END
\ No newline at end of file
+END
diff --git a/src/Sql/dbo/Tables/Installation.sql b/src/Sql/dbo/Tables/Installation.sql
index df4b7260ed..207e94a569 100644
--- a/src/Sql/dbo/Tables/Installation.sql
+++ b/src/Sql/dbo/Tables/Installation.sql
@@ -1,9 +1,10 @@
-CREATE TABLE [dbo].[Installation] (
-    [Id]           UNIQUEIDENTIFIER NOT NULL,
-    [Email]        NVARCHAR (256)   NOT NULL,
-    [Key]          VARCHAR (150)    NOT NULL,
-    [Enabled]      BIT              NOT NULL,
-    [CreationDate] DATETIME2 (7)    NOT NULL,
+CREATE TABLE [dbo].[Installation] (
+    [Id]               UNIQUEIDENTIFIER  NOT NULL,
+    [Email]            NVARCHAR (256)    NOT NULL,
+    [Key]              VARCHAR (150)     NOT NULL,
+    [Enabled]          BIT               NOT NULL,
+    [CreationDate]     DATETIME2 (7)     NOT NULL,
+    [LastActivityDate] DATETIME2 (7)     NULL,
     CONSTRAINT [PK_Installation] PRIMARY KEY CLUSTERED ([Id] ASC)
 );
 
diff --git a/util/Migrator/DbScripts/2024-12-02_00_AddInstallationLastActivityDateColumn.sql b/util/Migrator/DbScripts/2024-12-02_00_AddInstallationLastActivityDateColumn.sql
new file mode 100644
index 0000000000..3023c6e2d9
--- /dev/null
+++ b/util/Migrator/DbScripts/2024-12-02_00_AddInstallationLastActivityDateColumn.sql
@@ -0,0 +1,72 @@
+IF COL_LENGTH('[dbo].[Installation]', 'LastActivityDate') IS NULL
+BEGIN
+  ALTER TABLE
+    [dbo].[Installation]
+  ADD
+    [LastActivityDate] DATETIME2 (7) NULL
+END
+GO
+
+CREATE OR ALTER VIEW [dbo].[InstallationView]
+AS
+    SELECT
+        *
+    FROM
+        [dbo].[Installation]
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[Installation_Create]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @Email NVARCHAR(256),
+    @Key VARCHAR(150),
+    @Enabled BIT,
+    @CreationDate DATETIME2(7),
+    @LastActivityDate DATETIME2(7) = NULL
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    INSERT INTO [dbo].[Installation]
+    (
+        [Id],
+        [Email],
+        [Key],
+        [Enabled],
+        [CreationDate],
+        [LastActivityDate]
+    )
+    VALUES
+    (
+        @Id,
+        @Email,
+        @Key,
+        @Enabled,
+        @CreationDate,
+        @LastActivityDate
+    )
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[Installation_Update]
+    @Id UNIQUEIDENTIFIER,
+    @Email NVARCHAR(256),
+    @Key VARCHAR(150),
+    @Enabled BIT,
+    @CreationDate DATETIME2(7),
+    @LastActivityDate DATETIME2(7) = NULL
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    UPDATE
+        [dbo].[Installation]
+    SET
+        [Email] = @Email,
+        [Key] = @Key,
+        [Enabled] = @Enabled,
+        [CreationDate] = @CreationDate,
+        [LastActivityDate] = @LastActivityDate
+    WHERE
+        [Id] = @Id
+END
+GO
diff --git a/util/MySqlMigrations/Migrations/20241202201938_AddInstallationLastActivityDateColumn.Designer.cs b/util/MySqlMigrations/Migrations/20241202201938_AddInstallationLastActivityDateColumn.Designer.cs
new file mode 100644
index 0000000000..ff37c4716c
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20241202201938_AddInstallationLastActivityDateColumn.Designer.cs
@@ -0,0 +1,2943 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Metadata;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20241202201938_AddInstallationLastActivityDateColumn")]
+    partial class AddInstallationLastActivityDateColumn
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 64);
+
+            MySqlModelBuilderExtensions.AutoIncrementColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("LimitCollectionCreationDeletion")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("varchar(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("int");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("varchar(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("varchar(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("longblob");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("varchar(150)");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("varchar(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("varchar(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("int");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("varchar(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Body")
+                        .HasColumnType("longtext");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("varchar(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("varchar(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/20241202201938_AddInstallationLastActivityDateColumn.cs b/util/MySqlMigrations/Migrations/20241202201938_AddInstallationLastActivityDateColumn.cs
new file mode 100644
index 0000000000..aecdd01f95
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20241202201938_AddInstallationLastActivityDateColumn.cs
@@ -0,0 +1,27 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddInstallationLastActivityDateColumn : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<DateTime>(
+            name: "LastActivityDate",
+            table: "Installation",
+            type: "datetime(6)",
+            nullable: true);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "LastActivityDate",
+            table: "Installation");
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
index 000274387c..ed26d612a2 100644
--- a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -1165,6 +1165,9 @@ namespace Bit.MySqlMigrations.Migrations
                         .HasMaxLength(150)
                         .HasColumnType("varchar(150)");
 
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("datetime(6)");
+
                     b.HasKey("Id");
 
                     b.ToTable("Installation", (string)null);
diff --git a/util/PostgresMigrations/Migrations/20241202201943_AddInstallationLastActivityDateColumn.Designer.cs b/util/PostgresMigrations/Migrations/20241202201943_AddInstallationLastActivityDateColumn.Designer.cs
new file mode 100644
index 0000000000..6bb6395156
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20241202201943_AddInstallationLastActivityDateColumn.Designer.cs
@@ -0,0 +1,2949 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20241202201943_AddInstallationLastActivityDateColumn")]
+    partial class AddInstallationLastActivityDateColumn
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("Npgsql:CollationDefinition:postgresIndetermanisticCollation", "en-u-ks-primary,en-u-ks-primary,icu,False")
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("LimitCollectionCreationDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled");
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("Id", "Enabled"), new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("character varying(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("OrganizationId", "ExternalId"), new[] { "UserId" });
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("character varying(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("numeric");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("character varying(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("character varying(150)");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("character varying(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("numeric");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("numeric");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("boolean");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("numeric");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("character varying(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Body")
+                        .HasColumnType("text");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("character varying(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/20241202201943_AddInstallationLastActivityDateColumn.cs b/util/PostgresMigrations/Migrations/20241202201943_AddInstallationLastActivityDateColumn.cs
new file mode 100644
index 0000000000..88a93ee851
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20241202201943_AddInstallationLastActivityDateColumn.cs
@@ -0,0 +1,27 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddInstallationLastActivityDateColumn : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<DateTime>(
+            name: "LastActivityDate",
+            table: "Installation",
+            type: "timestamp with time zone",
+            nullable: true);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "LastActivityDate",
+            table: "Installation");
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
index c8cce33e11..04636ab15d 100644
--- a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -1170,6 +1170,9 @@ namespace Bit.PostgresMigrations.Migrations
                         .HasMaxLength(150)
                         .HasColumnType("character varying(150)");
 
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("timestamp with time zone");
+
                     b.HasKey("Id");
 
                     b.ToTable("Installation", (string)null);
diff --git a/util/SqliteMigrations/Migrations/20241202201932_AddInstallationLastActivityDateColumn.Designer.cs b/util/SqliteMigrations/Migrations/20241202201932_AddInstallationLastActivityDateColumn.Designer.cs
new file mode 100644
index 0000000000..a810146726
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20241202201932_AddInstallationLastActivityDateColumn.Designer.cs
@@ -0,0 +1,2932 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20241202201932_AddInstallationLastActivityDateColumn")]
+    partial class AddInstallationLastActivityDateColumn
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder.HasAnnotation("ProductVersion", "8.0.8");
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("LimitCollectionCreationDeletion")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("BLOB");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Body")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/20241202201932_AddInstallationLastActivityDateColumn.cs b/util/SqliteMigrations/Migrations/20241202201932_AddInstallationLastActivityDateColumn.cs
new file mode 100644
index 0000000000..9238326096
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20241202201932_AddInstallationLastActivityDateColumn.cs
@@ -0,0 +1,27 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddInstallationLastActivityDateColumn : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<DateTime>(
+            name: "LastActivityDate",
+            table: "Installation",
+            type: "TEXT",
+            nullable: true);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "LastActivityDate",
+            table: "Installation");
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
index 12a1c9792b..d813ebcbcc 100644
--- a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -1154,6 +1154,9 @@ namespace Bit.SqliteMigrations.Migrations
                         .HasMaxLength(150)
                         .HasColumnType("TEXT");
 
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("TEXT");
+
                     b.HasKey("Id");
 
                     b.ToTable("Installation", (string)null);

From 9321515eca750c8f9bc84126912827ed11d36aa7 Mon Sep 17 00:00:00 2001
From: Conner Turnbull <133619638+cturnbull-bitwarden@users.noreply.github.com>
Date: Mon, 16 Dec 2024 08:04:05 -0500
Subject: [PATCH 069/384] [PM-10873] Updated errors thrown when creating
 organization on selfhost to be more specific (#5007)

* Updated errors thrown when creating organization on selfhost to be more specific

* Added additional validation to ensure that the license type is accurate

---------

Co-authored-by: Matt Bishop <mbishop@bitwarden.com>
---
 .../Implementations/OrganizationService.cs     | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index 49f339cc9a..1cf22b23ad 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -519,17 +519,29 @@ public class OrganizationService : IOrganizationService
         OrganizationLicense license, User owner, string ownerKey, string collectionName, string publicKey,
         string privateKey)
     {
+        if (license.LicenseType != LicenseType.Organization)
+        {
+            throw new BadRequestException("Premium licenses cannot be applied to an organization. " +
+                "Upload this license from your personal account settings page.");
+        }
+
         var claimsPrincipal = _licensingService.GetClaimsPrincipalFromLicense(license);
         var canUse = license.CanUse(_globalSettings, _licensingService, claimsPrincipal, out var exception);
+
         if (!canUse)
         {
             throw new BadRequestException(exception);
         }
 
-        if (license.PlanType != PlanType.Custom &&
-            StaticStore.Plans.FirstOrDefault(p => p.Type == license.PlanType && !p.Disabled) == null)
+        var plan = StaticStore.Plans.FirstOrDefault(p => p.Type == license.PlanType);
+        if (plan is null)
         {
-            throw new BadRequestException("Plan not found.");
+            throw new BadRequestException($"Server must be updated to support {license.Plan}.");
+        }
+
+        if (license.PlanType != PlanType.Custom && plan.Disabled)
+        {
+            throw new BadRequestException($"Plan {plan.Name} is disabled.");
         }
 
         var enabledOrgs = await _organizationRepository.GetManyByEnabledAsync();

From d0c72a34f12baadede2c191a814315f153872b4a Mon Sep 17 00:00:00 2001
From: Opeyemi <Alaoopeyemi101@gmail.com>
Date: Mon, 16 Dec 2024 14:21:05 +0000
Subject: [PATCH 070/384] Update SH Unified Build trigger (#5154)

* Update SH Unified Build trigger

* make value a boolean
---
 .github/workflows/build.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 420b9b6375..eb644fe8b5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -580,6 +580,7 @@ jobs:
               ref: 'main',
               inputs: {
                 server_branch: process.env.GITHUB_REF
+                is_workflow_call: true
               }
             });
 

From 8994d1d7dd019e857d68e8ae46262f8daea82058 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 16 Dec 2024 15:11:56 +0000
Subject: [PATCH 071/384] [deps] Tools: Update aws-sdk-net monorepo (#5126)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Daniel James Smith <2670567+djsmith85@users.noreply.github.com>
---
 src/Core/Core.csproj | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index fd4d8cc7e1..9049f94dcf 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -21,8 +21,8 @@
 
   <ItemGroup>
     <PackageReference Include="AspNetCoreRateLimit.Redis" Version="2.0.0" />
-    <PackageReference Include="AWSSDK.SimpleEmail" Version="3.7.402" />
-    <PackageReference Include="AWSSDK.SQS" Version="3.7.400.57" />
+    <PackageReference Include="AWSSDK.SimpleEmail" Version="3.7.402.7" />
+    <PackageReference Include="AWSSDK.SQS" Version="3.7.400.64" />
     <PackageReference Include="Azure.Data.Tables" Version="12.9.0" />
     <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Blobs" Version="1.3.4" />
     <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="8.0.10" />

From c446ac86fead55e6d7b762ca44ea814d9d53e80b Mon Sep 17 00:00:00 2001
From: Ike <137194738+ike-kottlowski@users.noreply.github.com>
Date: Mon, 16 Dec 2024 07:57:56 -0800
Subject: [PATCH 072/384] [PM-12512] Add Endpoint to allow users to request a
 new device otp (#5146)

feat(NewDeviceVerification): Added a resend new device OTP endpoint and method for the IUserService as well as wrote test for new methods for the user service.
---
 .../Auth/Controllers/AccountsController.cs    |   8 +
 ...henticatedSecretVerificatioRequestModel.cs |  12 ++
 src/Core/Services/IUserService.cs             |   2 +-
 .../Services/Implementations/UserService.cs   |  16 +-
 test/Core.Test/Services/UserServiceTests.cs   | 171 ++++++++++++++----
 5 files changed, 171 insertions(+), 38 deletions(-)
 create mode 100644 src/Api/Auth/Models/Request/Accounts/UnauthenticatedSecretVerificatioRequestModel.cs

diff --git a/src/Api/Auth/Controllers/AccountsController.cs b/src/Api/Auth/Controllers/AccountsController.cs
index a94e170cbb..1c08ce4f73 100644
--- a/src/Api/Auth/Controllers/AccountsController.cs
+++ b/src/Api/Auth/Controllers/AccountsController.cs
@@ -961,6 +961,14 @@ public class AccountsController : Controller
         }
     }
 
+    [RequireFeature(FeatureFlagKeys.NewDeviceVerification)]
+    [AllowAnonymous]
+    [HttpPost("resend-new-device-otp")]
+    public async Task ResendNewDeviceOtpAsync([FromBody] UnauthenticatedSecretVerificatioRequestModel request)
+    {
+        await _userService.ResendNewDeviceVerificationEmail(request.Email, request.Secret);
+    }
+
     private async Task<IEnumerable<Guid>> GetOrganizationIdsManagingUserAsync(Guid userId)
     {
         var organizationManagingUser = await _userService.GetOrganizationsManagingUserAsync(userId);
diff --git a/src/Api/Auth/Models/Request/Accounts/UnauthenticatedSecretVerificatioRequestModel.cs b/src/Api/Auth/Models/Request/Accounts/UnauthenticatedSecretVerificatioRequestModel.cs
new file mode 100644
index 0000000000..629896b8c4
--- /dev/null
+++ b/src/Api/Auth/Models/Request/Accounts/UnauthenticatedSecretVerificatioRequestModel.cs
@@ -0,0 +1,12 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Utilities;
+
+namespace Bit.Api.Auth.Models.Request.Accounts;
+
+public class UnauthenticatedSecretVerificatioRequestModel : SecretVerificationRequestModel
+{
+    [Required]
+    [StrictEmailAddress]
+    [StringLength(256)]
+    public string Email { get; set; }
+}
diff --git a/src/Core/Services/IUserService.cs b/src/Core/Services/IUserService.cs
index 65bec5ea9f..f0ba535266 100644
--- a/src/Core/Services/IUserService.cs
+++ b/src/Core/Services/IUserService.cs
@@ -76,7 +76,7 @@ public interface IUserService
     Task SendOTPAsync(User user);
     Task<bool> VerifyOTPAsync(User user, string token);
     Task<bool> VerifySecretAsync(User user, string secret, bool isSettingMFA = false);
-
+    Task ResendNewDeviceVerificationEmail(string email, string secret);
 
     void SetTwoFactorProvider(User user, TwoFactorProviderType type, bool setEnabled = true);
 
diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index 2bc81959b9..cb17d6e26b 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -1407,7 +1407,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
 
     public async Task SendOTPAsync(User user)
     {
-        if (user.Email == null)
+        if (string.IsNullOrEmpty(user.Email))
         {
             throw new BadRequestException("No user email.");
         }
@@ -1450,6 +1450,20 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         return isVerified;
     }
 
+    public async Task ResendNewDeviceVerificationEmail(string email, string secret)
+    {
+        var user = await _userRepository.GetByEmailAsync(email);
+        if (user == null)
+        {
+            return;
+        }
+
+        if (await VerifySecretAsync(user, secret))
+        {
+            await SendOTPAsync(user);
+        }
+    }
+
     private async Task SendAppropriateWelcomeEmailAsync(User user, string initiationPath)
     {
         var isFromMarketingWebsite = initiationPath.Contains("Secrets Manager trial");
diff --git a/test/Core.Test/Services/UserServiceTests.cs b/test/Core.Test/Services/UserServiceTests.cs
index de2a518717..e44609c6d6 100644
--- a/test/Core.Test/Services/UserServiceTests.cs
+++ b/test/Core.Test/Services/UserServiceTests.cs
@@ -13,6 +13,7 @@ using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
+using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
@@ -240,42 +241,7 @@ public class UserServiceTests
             });
 
         // HACK: SutProvider is being weird about not injecting the IPasswordHasher that I configured
-        var sut = new UserService(
-            sutProvider.GetDependency<IUserRepository>(),
-            sutProvider.GetDependency<ICipherRepository>(),
-            sutProvider.GetDependency<IOrganizationUserRepository>(),
-            sutProvider.GetDependency<IOrganizationRepository>(),
-            sutProvider.GetDependency<IMailService>(),
-            sutProvider.GetDependency<IPushNotificationService>(),
-            sutProvider.GetDependency<IUserStore<User>>(),
-            sutProvider.GetDependency<IOptions<IdentityOptions>>(),
-            sutProvider.GetDependency<IPasswordHasher<User>>(),
-            sutProvider.GetDependency<IEnumerable<IUserValidator<User>>>(),
-            sutProvider.GetDependency<IEnumerable<IPasswordValidator<User>>>(),
-            sutProvider.GetDependency<ILookupNormalizer>(),
-            sutProvider.GetDependency<IdentityErrorDescriber>(),
-            sutProvider.GetDependency<IServiceProvider>(),
-            sutProvider.GetDependency<ILogger<UserManager<User>>>(),
-            sutProvider.GetDependency<ILicensingService>(),
-            sutProvider.GetDependency<IEventService>(),
-            sutProvider.GetDependency<IApplicationCacheService>(),
-            sutProvider.GetDependency<IDataProtectionProvider>(),
-            sutProvider.GetDependency<IPaymentService>(),
-            sutProvider.GetDependency<IPolicyRepository>(),
-            sutProvider.GetDependency<IPolicyService>(),
-            sutProvider.GetDependency<IReferenceEventService>(),
-            sutProvider.GetDependency<IFido2>(),
-            sutProvider.GetDependency<ICurrentContext>(),
-            sutProvider.GetDependency<IGlobalSettings>(),
-            sutProvider.GetDependency<IAcceptOrgUserCommand>(),
-            sutProvider.GetDependency<IProviderUserRepository>(),
-            sutProvider.GetDependency<IStripeSyncService>(),
-            new FakeDataProtectorTokenFactory<OrgUserInviteTokenable>(),
-            sutProvider.GetDependency<IFeatureService>(),
-            sutProvider.GetDependency<IPremiumUserBillingService>(),
-            sutProvider.GetDependency<IRemoveOrganizationUserCommand>(),
-            sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
-            );
+        var sut = RebuildSut(sutProvider);
 
         var actualIsVerified = await sut.VerifySecretAsync(user, secret);
 
@@ -522,6 +488,99 @@ public class UserServiceTests
             .SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(organization2.DisplayName(), user.Email);
     }
 
+    [Theory, BitAutoData]
+    public async Task ResendNewDeviceVerificationEmail_UserNull_SendOTPAsyncNotCalled(
+        SutProvider<UserService> sutProvider, string email, string secret)
+    {
+        sutProvider.GetDependency<IUserRepository>()
+            .GetByEmailAsync(email)
+            .Returns(null as User);
+
+        await sutProvider.Sut.ResendNewDeviceVerificationEmail(email, secret);
+
+        await sutProvider.GetDependency<IMailService>()
+            .DidNotReceive()
+            .SendOTPEmailAsync(Arg.Any<string>(), Arg.Any<string>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task ResendNewDeviceVerificationEmail_SecretNotValid_SendOTPAsyncNotCalled(
+    SutProvider<UserService> sutProvider, string email, string secret)
+    {
+        sutProvider.GetDependency<IUserRepository>()
+            .GetByEmailAsync(email)
+            .Returns(null as User);
+
+        await sutProvider.Sut.ResendNewDeviceVerificationEmail(email, secret);
+
+        await sutProvider.GetDependency<IMailService>()
+            .DidNotReceive()
+            .SendOTPEmailAsync(Arg.Any<string>(), Arg.Any<string>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task ResendNewDeviceVerificationEmail_SendsToken_Success(
+        SutProvider<UserService> sutProvider, User user)
+    {
+        // Arrange
+        var testPassword = "test_password";
+        var tokenProvider = SetupFakeTokenProvider(sutProvider, user);
+        SetupUserAndDevice(user, true);
+
+        // Setup the fake password verification
+        var substitutedUserPasswordStore = Substitute.For<IUserPasswordStore<User>>();
+        substitutedUserPasswordStore
+            .GetPasswordHashAsync(user, Arg.Any<CancellationToken>())
+            .Returns((ci) =>
+            {
+                return Task.FromResult("hashed_test_password");
+            });
+
+        sutProvider.SetDependency<IUserStore<User>>(substitutedUserPasswordStore, "store");
+
+        sutProvider.GetDependency<IPasswordHasher<User>>("passwordHasher")
+            .VerifyHashedPassword(user, "hashed_test_password", testPassword)
+            .Returns((ci) =>
+            {
+                return PasswordVerificationResult.Success;
+            });
+
+        sutProvider.GetDependency<IUserRepository>()
+            .GetByEmailAsync(user.Email)
+            .Returns(user);
+
+        // HACK: SutProvider is being weird about not injecting the IPasswordHasher that I configured
+        var sut = RebuildSut(sutProvider);
+
+        await sut.ResendNewDeviceVerificationEmail(user.Email, testPassword);
+
+        await sutProvider.GetDependency<IMailService>()
+            .Received(1)
+            .SendOTPEmailAsync(user.Email, Arg.Any<string>());
+    }
+
+    [Theory]
+    [BitAutoData("")]
+    [BitAutoData("null")]
+    public async Task SendOTPAsync_UserEmailNull_ThrowsBadRequest(
+        string email,
+        SutProvider<UserService> sutProvider, User user)
+    {
+        user.Email = email == "null" ? null : "";
+        var expectedMessage = "No user email.";
+        try
+        {
+            await sutProvider.Sut.SendOTPAsync(user);
+        }
+        catch (BadRequestException ex)
+        {
+            Assert.Equal(ex.Message, expectedMessage);
+            await sutProvider.GetDependency<IMailService>()
+                .DidNotReceive()
+                .SendOTPEmailAsync(Arg.Any<string>(), Arg.Any<string>());
+        }
+    }
+
     private static void SetupUserAndDevice(User user,
         bool shouldHavePassword)
     {
@@ -573,4 +632,44 @@ public class UserServiceTests
 
         return fakeUserTwoFactorProvider;
     }
+
+    private IUserService RebuildSut(SutProvider<UserService> sutProvider)
+    {
+        return new UserService(
+            sutProvider.GetDependency<IUserRepository>(),
+            sutProvider.GetDependency<ICipherRepository>(),
+            sutProvider.GetDependency<IOrganizationUserRepository>(),
+            sutProvider.GetDependency<IOrganizationRepository>(),
+            sutProvider.GetDependency<IMailService>(),
+            sutProvider.GetDependency<IPushNotificationService>(),
+            sutProvider.GetDependency<IUserStore<User>>(),
+            sutProvider.GetDependency<IOptions<IdentityOptions>>(),
+            sutProvider.GetDependency<IPasswordHasher<User>>(),
+            sutProvider.GetDependency<IEnumerable<IUserValidator<User>>>(),
+            sutProvider.GetDependency<IEnumerable<IPasswordValidator<User>>>(),
+            sutProvider.GetDependency<ILookupNormalizer>(),
+            sutProvider.GetDependency<IdentityErrorDescriber>(),
+            sutProvider.GetDependency<IServiceProvider>(),
+            sutProvider.GetDependency<ILogger<UserManager<User>>>(),
+            sutProvider.GetDependency<ILicensingService>(),
+            sutProvider.GetDependency<IEventService>(),
+            sutProvider.GetDependency<IApplicationCacheService>(),
+            sutProvider.GetDependency<IDataProtectionProvider>(),
+            sutProvider.GetDependency<IPaymentService>(),
+            sutProvider.GetDependency<IPolicyRepository>(),
+            sutProvider.GetDependency<IPolicyService>(),
+            sutProvider.GetDependency<IReferenceEventService>(),
+            sutProvider.GetDependency<IFido2>(),
+            sutProvider.GetDependency<ICurrentContext>(),
+            sutProvider.GetDependency<IGlobalSettings>(),
+            sutProvider.GetDependency<IAcceptOrgUserCommand>(),
+            sutProvider.GetDependency<IProviderUserRepository>(),
+            sutProvider.GetDependency<IStripeSyncService>(),
+            new FakeDataProtectorTokenFactory<OrgUserInviteTokenable>(),
+            sutProvider.GetDependency<IFeatureService>(),
+            sutProvider.GetDependency<IPremiumUserBillingService>(),
+            sutProvider.GetDependency<IRemoveOrganizationUserCommand>(),
+            sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
+            );
+    }
 }

From d88a103fbc8baa60147eaf377d05eeeb87b1eb7a Mon Sep 17 00:00:00 2001
From: Daniel James Smith <2670567+djsmith85@users.noreply.github.com>
Date: Mon, 16 Dec 2024 17:11:37 +0100
Subject: [PATCH 073/384] Move CSVHelper under billing ownership (#5156)

Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
---
 .github/renovate.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/renovate.json b/.github/renovate.json
index 5779b28edb..4ae3cc19d8 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -63,6 +63,7 @@
         "BitPay.Light",
         "Braintree",
         "coverlet.collector",
+        "CsvHelper",
         "FluentAssertions",
         "Kralizek.AutoFixture.Extensions.MockHttp",
         "Microsoft.AspNetCore.Mvc.Testing",

From 7637cbe12ac67006db73573f3eb9a1010a7cb153 Mon Sep 17 00:00:00 2001
From: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>
Date: Mon, 16 Dec 2024 12:01:09 -0600
Subject: [PATCH 074/384] [PM-13362] Add private key regeneration endpoint
 (#4929)

* Add new RegenerateUserAsymmetricKeysCommand

* add new command tests

* Add regen controller

* Add regen controller tests

* add feature flag

* Add push notification to sync new asymmetric keys to other devices
---
 .../AccountsKeyManagementController.cs        |  50 +++++
 .../Requests/KeyRegenerationRequestModel.cs   |  23 ++
 src/Core/Constants.cs                         |   1 +
 .../IRegenerateUserAsymmetricKeysCommand.cs   |  13 ++
 .../RegenerateUserAsymmetricKeysCommand.cs    |  71 +++++++
 ...eyManagementServiceCollectionExtensions.cs |  18 ++
 .../Utilities/ServiceCollectionExtensions.cs  |   2 +
 .../Helpers/LoginHelper.cs                    |   6 +
 .../AccountsKeyManagementControllerTests.cs   | 164 +++++++++++++++
 .../AccountsKeyManagementControllerTests.cs   |  96 +++++++++
 ...egenerateUserAsymmetricKeysCommandTests.cs | 197 ++++++++++++++++++
 11 files changed, 641 insertions(+)
 create mode 100644 src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs
 create mode 100644 src/Api/KeyManagement/Models/Requests/KeyRegenerationRequestModel.cs
 create mode 100644 src/Core/KeyManagement/Commands/Interfaces/IRegenerateUserAsymmetricKeysCommand.cs
 create mode 100644 src/Core/KeyManagement/Commands/RegenerateUserAsymmetricKeysCommand.cs
 create mode 100644 src/Core/KeyManagement/KeyManagementServiceCollectionExtensions.cs
 create mode 100644 test/Api.IntegrationTest/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs
 create mode 100644 test/Api.Test/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs
 create mode 100644 test/Core.Test/KeyManagement/Commands/RegenerateUserAsymmetricKeysCommandTests.cs

diff --git a/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs b/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs
new file mode 100644
index 0000000000..b8d5e30949
--- /dev/null
+++ b/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs
@@ -0,0 +1,50 @@
+#nullable enable
+using Bit.Api.KeyManagement.Models.Requests;
+using Bit.Core;
+using Bit.Core.Exceptions;
+using Bit.Core.KeyManagement.Commands.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.KeyManagement.Controllers;
+
+[Route("accounts/key-management")]
+[Authorize("Application")]
+public class AccountsKeyManagementController : Controller
+{
+    private readonly IEmergencyAccessRepository _emergencyAccessRepository;
+    private readonly IFeatureService _featureService;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IRegenerateUserAsymmetricKeysCommand _regenerateUserAsymmetricKeysCommand;
+    private readonly IUserService _userService;
+
+    public AccountsKeyManagementController(IUserService userService,
+        IFeatureService featureService,
+        IOrganizationUserRepository organizationUserRepository,
+        IEmergencyAccessRepository emergencyAccessRepository,
+        IRegenerateUserAsymmetricKeysCommand regenerateUserAsymmetricKeysCommand)
+    {
+        _userService = userService;
+        _featureService = featureService;
+        _regenerateUserAsymmetricKeysCommand = regenerateUserAsymmetricKeysCommand;
+        _organizationUserRepository = organizationUserRepository;
+        _emergencyAccessRepository = emergencyAccessRepository;
+    }
+
+    [HttpPost("regenerate-keys")]
+    public async Task RegenerateKeysAsync([FromBody] KeyRegenerationRequestModel request)
+    {
+        if (!_featureService.IsEnabled(FeatureFlagKeys.PrivateKeyRegeneration))
+        {
+            throw new NotFoundException();
+        }
+
+        var user = await _userService.GetUserByPrincipalAsync(User) ?? throw new UnauthorizedAccessException();
+        var usersOrganizationAccounts = await _organizationUserRepository.GetManyByUserAsync(user.Id);
+        var designatedEmergencyAccess = await _emergencyAccessRepository.GetManyDetailsByGranteeIdAsync(user.Id);
+        await _regenerateUserAsymmetricKeysCommand.RegenerateKeysAsync(request.ToUserAsymmetricKeys(user.Id),
+            usersOrganizationAccounts, designatedEmergencyAccess);
+    }
+}
diff --git a/src/Api/KeyManagement/Models/Requests/KeyRegenerationRequestModel.cs b/src/Api/KeyManagement/Models/Requests/KeyRegenerationRequestModel.cs
new file mode 100644
index 0000000000..495d13cccd
--- /dev/null
+++ b/src/Api/KeyManagement/Models/Requests/KeyRegenerationRequestModel.cs
@@ -0,0 +1,23 @@
+#nullable enable
+using Bit.Core.KeyManagement.Models.Data;
+using Bit.Core.Utilities;
+
+namespace Bit.Api.KeyManagement.Models.Requests;
+
+public class KeyRegenerationRequestModel
+{
+    public required string UserPublicKey { get; set; }
+
+    [EncryptedString]
+    public required string UserKeyEncryptedUserPrivateKey { get; set; }
+
+    public UserAsymmetricKeys ToUserAsymmetricKeys(Guid userId)
+    {
+        return new UserAsymmetricKeys
+        {
+            UserId = userId,
+            PublicKey = UserPublicKey,
+            UserKeyEncryptedPrivateKey = UserKeyEncryptedUserPrivateKey,
+        };
+    }
+}
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index df0abfb4b9..2c315b2578 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -160,6 +160,7 @@ public static class FeatureFlagKeys
     public const string PM12443RemovePagingLogic = "pm-12443-remove-paging-logic";
     public const string SelfHostLicenseRefactor = "pm-11516-self-host-license-refactor";
     public const string PromoteProviderServiceUserTool = "pm-15128-promote-provider-service-user-tool";
+    public const string PrivateKeyRegeneration = "pm-12241-private-key-regeneration";
 
     public static List<string> GetAllKeys()
     {
diff --git a/src/Core/KeyManagement/Commands/Interfaces/IRegenerateUserAsymmetricKeysCommand.cs b/src/Core/KeyManagement/Commands/Interfaces/IRegenerateUserAsymmetricKeysCommand.cs
new file mode 100644
index 0000000000..d7ad7e3959
--- /dev/null
+++ b/src/Core/KeyManagement/Commands/Interfaces/IRegenerateUserAsymmetricKeysCommand.cs
@@ -0,0 +1,13 @@
+#nullable enable
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Entities;
+using Bit.Core.KeyManagement.Models.Data;
+
+namespace Bit.Core.KeyManagement.Commands.Interfaces;
+
+public interface IRegenerateUserAsymmetricKeysCommand
+{
+    Task RegenerateKeysAsync(UserAsymmetricKeys userAsymmetricKeys,
+        ICollection<OrganizationUser> usersOrganizationAccounts,
+        ICollection<EmergencyAccessDetails> designatedEmergencyAccess);
+}
diff --git a/src/Core/KeyManagement/Commands/RegenerateUserAsymmetricKeysCommand.cs b/src/Core/KeyManagement/Commands/RegenerateUserAsymmetricKeysCommand.cs
new file mode 100644
index 0000000000..a54223f685
--- /dev/null
+++ b/src/Core/KeyManagement/Commands/RegenerateUserAsymmetricKeysCommand.cs
@@ -0,0 +1,71 @@
+#nullable enable
+using Bit.Core.Auth.Enums;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.KeyManagement.Commands.Interfaces;
+using Bit.Core.KeyManagement.Models.Data;
+using Bit.Core.KeyManagement.Repositories;
+using Bit.Core.Services;
+using Microsoft.Extensions.Logging;
+
+namespace Bit.Core.KeyManagement.Commands;
+
+public class RegenerateUserAsymmetricKeysCommand : IRegenerateUserAsymmetricKeysCommand
+{
+    private readonly ICurrentContext _currentContext;
+    private readonly ILogger<RegenerateUserAsymmetricKeysCommand> _logger;
+    private readonly IUserAsymmetricKeysRepository _userAsymmetricKeysRepository;
+    private readonly IPushNotificationService _pushService;
+
+    public RegenerateUserAsymmetricKeysCommand(
+        ICurrentContext currentContext,
+        IUserAsymmetricKeysRepository userAsymmetricKeysRepository,
+        IPushNotificationService pushService,
+        ILogger<RegenerateUserAsymmetricKeysCommand> logger)
+    {
+        _currentContext = currentContext;
+        _logger = logger;
+        _userAsymmetricKeysRepository = userAsymmetricKeysRepository;
+        _pushService = pushService;
+    }
+
+    public async Task RegenerateKeysAsync(UserAsymmetricKeys userAsymmetricKeys,
+        ICollection<OrganizationUser> usersOrganizationAccounts,
+        ICollection<EmergencyAccessDetails> designatedEmergencyAccess)
+    {
+        var userId = _currentContext.UserId;
+        if (!userId.HasValue ||
+            userAsymmetricKeys.UserId != userId.Value ||
+            usersOrganizationAccounts.Any(ou => ou.UserId != userId) ||
+            designatedEmergencyAccess.Any(dea => dea.GranteeId != userId))
+        {
+            throw new NotFoundException();
+        }
+
+        var inOrganizations = usersOrganizationAccounts.Any(ou =>
+            ou.Status is OrganizationUserStatusType.Confirmed or OrganizationUserStatusType.Revoked);
+        var hasDesignatedEmergencyAccess = designatedEmergencyAccess.Any(x =>
+            x.Status is EmergencyAccessStatusType.Confirmed or EmergencyAccessStatusType.RecoveryApproved
+                or EmergencyAccessStatusType.RecoveryInitiated);
+
+        _logger.LogInformation(
+            "User asymmetric keys regeneration requested. UserId: {userId} OrganizationMembership: {inOrganizations} DesignatedEmergencyAccess: {hasDesignatedEmergencyAccess} DeviceType: {deviceType}",
+            userAsymmetricKeys.UserId, inOrganizations, hasDesignatedEmergencyAccess, _currentContext.DeviceType);
+
+        // For now, don't regenerate asymmetric keys for user's with organization membership and designated emergency access.
+        if (inOrganizations || hasDesignatedEmergencyAccess)
+        {
+            throw new BadRequestException("Key regeneration not supported for this user.");
+        }
+
+        await _userAsymmetricKeysRepository.RegenerateUserAsymmetricKeysAsync(userAsymmetricKeys);
+        _logger.LogInformation(
+            "User's asymmetric keys regenerated. UserId: {userId} OrganizationMembership: {inOrganizations} DesignatedEmergencyAccess: {hasDesignatedEmergencyAccess} DeviceType: {deviceType}",
+            userAsymmetricKeys.UserId, inOrganizations, hasDesignatedEmergencyAccess, _currentContext.DeviceType);
+
+        await _pushService.PushSyncSettingsAsync(userId.Value);
+    }
+}
diff --git a/src/Core/KeyManagement/KeyManagementServiceCollectionExtensions.cs b/src/Core/KeyManagement/KeyManagementServiceCollectionExtensions.cs
new file mode 100644
index 0000000000..102630c7e6
--- /dev/null
+++ b/src/Core/KeyManagement/KeyManagementServiceCollectionExtensions.cs
@@ -0,0 +1,18 @@
+using Bit.Core.KeyManagement.Commands;
+using Bit.Core.KeyManagement.Commands.Interfaces;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Core.KeyManagement;
+
+public static class KeyManagementServiceCollectionExtensions
+{
+    public static void AddKeyManagementServices(this IServiceCollection services)
+    {
+        services.AddKeyManagementCommands();
+    }
+
+    private static void AddKeyManagementCommands(this IServiceCollection services)
+    {
+        services.AddScoped<IRegenerateUserAsymmetricKeysCommand, RegenerateUserAsymmetricKeysCommand>();
+    }
+}
diff --git a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
index 7585739d82..c757f163e9 100644
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@@ -26,6 +26,7 @@ using Bit.Core.Enums;
 using Bit.Core.HostedServices;
 using Bit.Core.Identity;
 using Bit.Core.IdentityServer;
+using Bit.Core.KeyManagement;
 using Bit.Core.NotificationHub;
 using Bit.Core.OrganizationFeatures;
 using Bit.Core.Repositories;
@@ -120,6 +121,7 @@ public static class ServiceCollectionExtensions
         services.AddScoped<IOrganizationDomainService, OrganizationDomainService>();
         services.AddVaultServices();
         services.AddReportingServices();
+        services.AddKeyManagementServices();
     }
 
     public static void AddTokenizers(this IServiceCollection services)
diff --git a/test/Api.IntegrationTest/Helpers/LoginHelper.cs b/test/Api.IntegrationTest/Helpers/LoginHelper.cs
index d6ce911bd0..1f5eb725d9 100644
--- a/test/Api.IntegrationTest/Helpers/LoginHelper.cs
+++ b/test/Api.IntegrationTest/Helpers/LoginHelper.cs
@@ -16,6 +16,12 @@ public class LoginHelper
         _client = client;
     }
 
+    public async Task LoginAsync(string email)
+    {
+        var tokens = await _factory.LoginAsync(email);
+        _client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokens.Token);
+    }
+
     public async Task LoginWithOrganizationApiKeyAsync(Guid organizationId)
     {
         var (clientId, apiKey) = await GetOrganizationApiKey(_factory, organizationId);
diff --git a/test/Api.IntegrationTest/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs b/test/Api.IntegrationTest/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs
new file mode 100644
index 0000000000..ec7ca37460
--- /dev/null
+++ b/test/Api.IntegrationTest/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs
@@ -0,0 +1,164 @@
+using System.Net;
+using Bit.Api.IntegrationTest.Factories;
+using Bit.Api.IntegrationTest.Helpers;
+using Bit.Api.KeyManagement.Models.Requests;
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Xunit;
+
+namespace Bit.Api.IntegrationTest.KeyManagement.Controllers;
+
+public class AccountsKeyManagementControllerTests : IClassFixture<ApiApplicationFactory>, IAsyncLifetime
+{
+    private static readonly string _mockEncryptedString =
+        "2.AOs41Hd8OQiCPXjyJKCiDA==|O6OHgt2U2hJGBSNGnimJmg==|iD33s8B69C8JhYYhSa4V1tArjvLr8eEaGqOV7BRo5Jk=";
+
+    private readonly HttpClient _client;
+    private readonly IEmergencyAccessRepository _emergencyAccessRepository;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly ApiApplicationFactory _factory;
+    private readonly LoginHelper _loginHelper;
+    private readonly IUserRepository _userRepository;
+    private string _ownerEmail = null!;
+
+    public AccountsKeyManagementControllerTests(ApiApplicationFactory factory)
+    {
+        _factory = factory;
+        _factory.UpdateConfiguration("globalSettings:launchDarkly:flagValues:pm-12241-private-key-regeneration",
+            "true");
+        _client = factory.CreateClient();
+        _loginHelper = new LoginHelper(_factory, _client);
+        _userRepository = _factory.GetService<IUserRepository>();
+        _emergencyAccessRepository = _factory.GetService<IEmergencyAccessRepository>();
+        _organizationUserRepository = _factory.GetService<IOrganizationUserRepository>();
+    }
+
+    public async Task InitializeAsync()
+    {
+        _ownerEmail = $"integration-test{Guid.NewGuid()}@bitwarden.com";
+        await _factory.LoginWithNewAccount(_ownerEmail);
+    }
+
+    public Task DisposeAsync()
+    {
+        _client.Dispose();
+        return Task.CompletedTask;
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RegenerateKeysAsync_FeatureFlagTurnedOff_NotFound(KeyRegenerationRequestModel request)
+    {
+        // Localize factory to inject a false value for the feature flag.
+        var localFactory = new ApiApplicationFactory();
+        localFactory.UpdateConfiguration("globalSettings:launchDarkly:flagValues:pm-12241-private-key-regeneration",
+            "false");
+        var localClient = localFactory.CreateClient();
+        var localEmail = $"integration-test{Guid.NewGuid()}@bitwarden.com";
+        var localLoginHelper = new LoginHelper(localFactory, localClient);
+        await localFactory.LoginWithNewAccount(localEmail);
+        await localLoginHelper.LoginAsync(localEmail);
+
+        request.UserKeyEncryptedUserPrivateKey = _mockEncryptedString;
+
+        var response = await localClient.PostAsJsonAsync("/accounts/key-management/regenerate-keys", request);
+
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RegenerateKeysAsync_NotLoggedIn_Unauthorized(KeyRegenerationRequestModel request)
+    {
+        request.UserKeyEncryptedUserPrivateKey = _mockEncryptedString;
+
+        var response = await _client.PostAsJsonAsync("/accounts/key-management/regenerate-keys", request);
+
+        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserStatusType.Confirmed, EmergencyAccessStatusType.Confirmed)]
+    [BitAutoData(OrganizationUserStatusType.Confirmed, EmergencyAccessStatusType.RecoveryApproved)]
+    [BitAutoData(OrganizationUserStatusType.Confirmed, EmergencyAccessStatusType.RecoveryInitiated)]
+    [BitAutoData(OrganizationUserStatusType.Revoked, EmergencyAccessStatusType.Confirmed)]
+    [BitAutoData(OrganizationUserStatusType.Revoked, EmergencyAccessStatusType.RecoveryApproved)]
+    [BitAutoData(OrganizationUserStatusType.Revoked, EmergencyAccessStatusType.RecoveryInitiated)]
+    [BitAutoData(OrganizationUserStatusType.Confirmed, null)]
+    [BitAutoData(OrganizationUserStatusType.Revoked, null)]
+    [BitAutoData(OrganizationUserStatusType.Invited, EmergencyAccessStatusType.Confirmed)]
+    [BitAutoData(OrganizationUserStatusType.Invited, EmergencyAccessStatusType.RecoveryApproved)]
+    [BitAutoData(OrganizationUserStatusType.Invited, EmergencyAccessStatusType.RecoveryInitiated)]
+    public async Task RegenerateKeysAsync_UserInOrgOrHasDesignatedEmergencyAccess_ThrowsBadRequest(
+        OrganizationUserStatusType organizationUserStatus,
+        EmergencyAccessStatusType? emergencyAccessStatus,
+        KeyRegenerationRequestModel request)
+    {
+        if (organizationUserStatus is OrganizationUserStatusType.Confirmed or OrganizationUserStatusType.Revoked)
+        {
+            await CreateOrganizationUserAsync(organizationUserStatus);
+        }
+
+        if (emergencyAccessStatus != null)
+        {
+            await CreateDesignatedEmergencyAccessAsync(emergencyAccessStatus.Value);
+        }
+
+        await _loginHelper.LoginAsync(_ownerEmail);
+        request.UserKeyEncryptedUserPrivateKey = _mockEncryptedString;
+
+        var response = await _client.PostAsJsonAsync("/accounts/key-management/regenerate-keys", request);
+
+        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RegenerateKeysAsync_Success(KeyRegenerationRequestModel request)
+    {
+        await _loginHelper.LoginAsync(_ownerEmail);
+        request.UserKeyEncryptedUserPrivateKey = _mockEncryptedString;
+
+        var response = await _client.PostAsJsonAsync("/accounts/key-management/regenerate-keys", request);
+        response.EnsureSuccessStatusCode();
+
+        var user = await _userRepository.GetByEmailAsync(_ownerEmail);
+        Assert.NotNull(user);
+        Assert.Equal(request.UserPublicKey, user.PublicKey);
+        Assert.Equal(request.UserKeyEncryptedUserPrivateKey, user.PrivateKey);
+    }
+
+    private async Task CreateOrganizationUserAsync(OrganizationUserStatusType organizationUserStatus)
+    {
+        var (_, organizationUser) = await OrganizationTestHelpers.SignUpAsync(_factory,
+            PlanType.EnterpriseAnnually, _ownerEmail, passwordManagerSeats: 10,
+            paymentMethod: PaymentMethodType.Card);
+        organizationUser.Status = organizationUserStatus;
+        await _organizationUserRepository.ReplaceAsync(organizationUser);
+    }
+
+    private async Task CreateDesignatedEmergencyAccessAsync(EmergencyAccessStatusType emergencyAccessStatus)
+    {
+        var tempEmail = $"integration-test{Guid.NewGuid()}@bitwarden.com";
+        await _factory.LoginWithNewAccount(tempEmail);
+
+        var tempUser = await _userRepository.GetByEmailAsync(tempEmail);
+        var user = await _userRepository.GetByEmailAsync(_ownerEmail);
+        var emergencyAccess = new EmergencyAccess
+        {
+            GrantorId = tempUser!.Id,
+            GranteeId = user!.Id,
+            KeyEncrypted = _mockEncryptedString,
+            Status = emergencyAccessStatus,
+            Type = EmergencyAccessType.View,
+            WaitTimeDays = 10,
+            CreationDate = DateTime.UtcNow,
+            RevisionDate = DateTime.UtcNow
+        };
+        await _emergencyAccessRepository.CreateAsync(emergencyAccess);
+    }
+}
diff --git a/test/Api.Test/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs b/test/Api.Test/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs
new file mode 100644
index 0000000000..2615697ad3
--- /dev/null
+++ b/test/Api.Test/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs
@@ -0,0 +1,96 @@
+#nullable enable
+using System.Security.Claims;
+using Bit.Api.KeyManagement.Controllers;
+using Bit.Api.KeyManagement.Models.Requests;
+using Bit.Core;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.KeyManagement.Commands.Interfaces;
+using Bit.Core.KeyManagement.Models.Data;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using NSubstitute.ReturnsExtensions;
+using Xunit;
+
+namespace Bit.Api.Test.KeyManagement.Controllers;
+
+[ControllerCustomize(typeof(AccountsKeyManagementController))]
+[SutProviderCustomize]
+[JsonDocumentCustomize]
+public class AccountsKeyManagementControllerTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task RegenerateKeysAsync_FeatureFlagOff_Throws(
+        SutProvider<AccountsKeyManagementController> sutProvider,
+        KeyRegenerationRequestModel data)
+    {
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(Arg.Is(FeatureFlagKeys.PrivateKeyRegeneration))
+            .Returns(false);
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).ReturnsNull();
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.RegenerateKeysAsync(data));
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>().ReceivedWithAnyArgs(0)
+            .GetManyByUserAsync(Arg.Any<Guid>());
+        await sutProvider.GetDependency<IEmergencyAccessRepository>().ReceivedWithAnyArgs(0)
+            .GetManyDetailsByGranteeIdAsync(Arg.Any<Guid>());
+        await sutProvider.GetDependency<IRegenerateUserAsymmetricKeysCommand>().ReceivedWithAnyArgs(0)
+            .RegenerateKeysAsync(Arg.Any<UserAsymmetricKeys>(),
+                Arg.Any<ICollection<OrganizationUser>>(),
+                Arg.Any<ICollection<EmergencyAccessDetails>>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RegenerateKeysAsync_UserNull_Throws(SutProvider<AccountsKeyManagementController> sutProvider,
+        KeyRegenerationRequestModel data)
+    {
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(Arg.Is(FeatureFlagKeys.PrivateKeyRegeneration))
+            .Returns(true);
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).ReturnsNull();
+
+        await Assert.ThrowsAsync<UnauthorizedAccessException>(() => sutProvider.Sut.RegenerateKeysAsync(data));
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>().ReceivedWithAnyArgs(0)
+            .GetManyByUserAsync(Arg.Any<Guid>());
+        await sutProvider.GetDependency<IEmergencyAccessRepository>().ReceivedWithAnyArgs(0)
+            .GetManyDetailsByGranteeIdAsync(Arg.Any<Guid>());
+        await sutProvider.GetDependency<IRegenerateUserAsymmetricKeysCommand>().ReceivedWithAnyArgs(0)
+            .RegenerateKeysAsync(Arg.Any<UserAsymmetricKeys>(),
+                Arg.Any<ICollection<OrganizationUser>>(),
+                Arg.Any<ICollection<EmergencyAccessDetails>>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RegenerateKeysAsync_Success(SutProvider<AccountsKeyManagementController> sutProvider,
+        KeyRegenerationRequestModel data, User user, ICollection<OrganizationUser> orgUsers,
+        ICollection<EmergencyAccessDetails> accessDetails)
+    {
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(Arg.Is(FeatureFlagKeys.PrivateKeyRegeneration))
+            .Returns(true);
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(user);
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetManyByUserAsync(Arg.Is(user.Id)).Returns(orgUsers);
+        sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGranteeIdAsync(Arg.Is(user.Id))
+            .Returns(accessDetails);
+
+        await sutProvider.Sut.RegenerateKeysAsync(data);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>().Received(1)
+            .GetManyByUserAsync(Arg.Is(user.Id));
+        await sutProvider.GetDependency<IEmergencyAccessRepository>().Received(1)
+            .GetManyDetailsByGranteeIdAsync(Arg.Is(user.Id));
+        await sutProvider.GetDependency<IRegenerateUserAsymmetricKeysCommand>().Received(1)
+            .RegenerateKeysAsync(
+                Arg.Is<UserAsymmetricKeys>(u =>
+                    u.UserId == user.Id && u.PublicKey == data.UserPublicKey &&
+                    u.UserKeyEncryptedPrivateKey == data.UserKeyEncryptedUserPrivateKey),
+                Arg.Is(orgUsers),
+                Arg.Is(accessDetails));
+    }
+}
diff --git a/test/Core.Test/KeyManagement/Commands/RegenerateUserAsymmetricKeysCommandTests.cs b/test/Core.Test/KeyManagement/Commands/RegenerateUserAsymmetricKeysCommandTests.cs
new file mode 100644
index 0000000000..3388956156
--- /dev/null
+++ b/test/Core.Test/KeyManagement/Commands/RegenerateUserAsymmetricKeysCommandTests.cs
@@ -0,0 +1,197 @@
+#nullable enable
+using Bit.Core.Auth.Enums;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.KeyManagement.Commands;
+using Bit.Core.KeyManagement.Models.Data;
+using Bit.Core.KeyManagement.Repositories;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using NSubstitute.ReturnsExtensions;
+using Xunit;
+
+namespace Bit.Core.Test.KeyManagement.Commands;
+
+[SutProviderCustomize]
+public class RegenerateUserAsymmetricKeysCommandTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task RegenerateKeysAsync_NoCurrentContext_NotFoundException(
+        SutProvider<RegenerateUserAsymmetricKeysCommand> sutProvider,
+        UserAsymmetricKeys userAsymmetricKeys)
+    {
+        sutProvider.GetDependency<ICurrentContext>().UserId.ReturnsNullForAnyArgs();
+        var usersOrganizationAccounts = new List<OrganizationUser>();
+        var designatedEmergencyAccess = new List<EmergencyAccessDetails>();
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.RegenerateKeysAsync(userAsymmetricKeys,
+            usersOrganizationAccounts, designatedEmergencyAccess));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RegenerateKeysAsync_UserHasNoSharedAccess_Success(
+        SutProvider<RegenerateUserAsymmetricKeysCommand> sutProvider,
+        UserAsymmetricKeys userAsymmetricKeys)
+    {
+        sutProvider.GetDependency<ICurrentContext>().UserId.ReturnsForAnyArgs(userAsymmetricKeys.UserId);
+        var usersOrganizationAccounts = new List<OrganizationUser>();
+        var designatedEmergencyAccess = new List<EmergencyAccessDetails>();
+
+        await sutProvider.Sut.RegenerateKeysAsync(userAsymmetricKeys,
+            usersOrganizationAccounts, designatedEmergencyAccess);
+
+        await sutProvider.GetDependency<IUserAsymmetricKeysRepository>()
+            .Received(1)
+            .RegenerateUserAsymmetricKeysAsync(Arg.Is(userAsymmetricKeys));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncSettingsAsync(Arg.Is(userAsymmetricKeys.UserId));
+    }
+
+    [Theory]
+    [BitAutoData(false, false, true)]
+    [BitAutoData(false, true, false)]
+    [BitAutoData(false, true, true)]
+    [BitAutoData(true, false, false)]
+    [BitAutoData(true, false, true)]
+    [BitAutoData(true, true, false)]
+    [BitAutoData(true, true, true)]
+    public async Task RegenerateKeysAsync_UserIdMisMatch_NotFoundException(
+        bool userAsymmetricKeysMismatch,
+        bool orgMismatch,
+        bool emergencyAccessMismatch,
+        SutProvider<RegenerateUserAsymmetricKeysCommand> sutProvider,
+        UserAsymmetricKeys userAsymmetricKeys,
+        ICollection<OrganizationUser> usersOrganizationAccounts,
+        ICollection<EmergencyAccessDetails> designatedEmergencyAccess)
+    {
+        sutProvider.GetDependency<ICurrentContext>().UserId
+            .ReturnsForAnyArgs(userAsymmetricKeysMismatch ? new Guid() : userAsymmetricKeys.UserId);
+
+        if (!orgMismatch)
+        {
+            usersOrganizationAccounts =
+                SetupOrganizationUserAccounts(userAsymmetricKeys.UserId, usersOrganizationAccounts);
+        }
+
+        if (!emergencyAccessMismatch)
+        {
+            designatedEmergencyAccess = SetupEmergencyAccess(userAsymmetricKeys.UserId, designatedEmergencyAccess);
+        }
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.RegenerateKeysAsync(userAsymmetricKeys,
+            usersOrganizationAccounts, designatedEmergencyAccess));
+
+        await sutProvider.GetDependency<IUserAsymmetricKeysRepository>()
+            .ReceivedWithAnyArgs(0)
+            .RegenerateUserAsymmetricKeysAsync(Arg.Any<UserAsymmetricKeys>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .ReceivedWithAnyArgs(0)
+            .PushSyncSettingsAsync(Arg.Any<Guid>());
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserStatusType.Confirmed)]
+    [BitAutoData(OrganizationUserStatusType.Revoked)]
+    public async Task RegenerateKeysAsync_UserInOrganizations_BadRequestException(
+        OrganizationUserStatusType organizationUserStatus,
+        SutProvider<RegenerateUserAsymmetricKeysCommand> sutProvider,
+        UserAsymmetricKeys userAsymmetricKeys,
+        ICollection<OrganizationUser> usersOrganizationAccounts)
+    {
+        sutProvider.GetDependency<ICurrentContext>().UserId.ReturnsForAnyArgs(userAsymmetricKeys.UserId);
+        usersOrganizationAccounts = CreateInOrganizationAccounts(userAsymmetricKeys.UserId, organizationUserStatus,
+            usersOrganizationAccounts);
+        var designatedEmergencyAccess = new List<EmergencyAccessDetails>();
+
+        await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.RegenerateKeysAsync(userAsymmetricKeys,
+            usersOrganizationAccounts, designatedEmergencyAccess));
+
+        await sutProvider.GetDependency<IUserAsymmetricKeysRepository>()
+            .ReceivedWithAnyArgs(0)
+            .RegenerateUserAsymmetricKeysAsync(Arg.Any<UserAsymmetricKeys>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .ReceivedWithAnyArgs(0)
+            .PushSyncSettingsAsync(Arg.Any<Guid>());
+    }
+
+    [Theory]
+    [BitAutoData(EmergencyAccessStatusType.Confirmed)]
+    [BitAutoData(EmergencyAccessStatusType.RecoveryApproved)]
+    [BitAutoData(EmergencyAccessStatusType.RecoveryInitiated)]
+    public async Task RegenerateKeysAsync_UserHasDesignatedEmergencyAccess_BadRequestException(
+        EmergencyAccessStatusType statusType,
+        SutProvider<RegenerateUserAsymmetricKeysCommand> sutProvider,
+        UserAsymmetricKeys userAsymmetricKeys,
+        ICollection<EmergencyAccessDetails> designatedEmergencyAccess)
+    {
+        sutProvider.GetDependency<ICurrentContext>().UserId.ReturnsForAnyArgs(userAsymmetricKeys.UserId);
+        designatedEmergencyAccess =
+            CreateDesignatedEmergencyAccess(userAsymmetricKeys.UserId, statusType, designatedEmergencyAccess);
+        var usersOrganizationAccounts = new List<OrganizationUser>();
+
+
+        await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.RegenerateKeysAsync(userAsymmetricKeys,
+            usersOrganizationAccounts, designatedEmergencyAccess));
+
+        await sutProvider.GetDependency<IUserAsymmetricKeysRepository>()
+            .ReceivedWithAnyArgs(0)
+            .RegenerateUserAsymmetricKeysAsync(Arg.Any<UserAsymmetricKeys>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .ReceivedWithAnyArgs(0)
+            .PushSyncSettingsAsync(Arg.Any<Guid>());
+    }
+
+    private static ICollection<OrganizationUser> CreateInOrganizationAccounts(Guid userId,
+        OrganizationUserStatusType organizationUserStatus, ICollection<OrganizationUser> organizationUserAccounts)
+    {
+        foreach (var organizationUserAccount in organizationUserAccounts)
+        {
+            organizationUserAccount.UserId = userId;
+            organizationUserAccount.Status = organizationUserStatus;
+        }
+
+        return organizationUserAccounts;
+    }
+
+    private static ICollection<EmergencyAccessDetails> CreateDesignatedEmergencyAccess(Guid userId,
+        EmergencyAccessStatusType status, ICollection<EmergencyAccessDetails> designatedEmergencyAccess)
+    {
+        foreach (var designated in designatedEmergencyAccess)
+        {
+            designated.GranteeId = userId;
+            designated.Status = status;
+        }
+
+        return designatedEmergencyAccess;
+    }
+
+    private static ICollection<OrganizationUser> SetupOrganizationUserAccounts(Guid userId,
+        ICollection<OrganizationUser> organizationUserAccounts)
+    {
+        foreach (var organizationUserAccount in organizationUserAccounts)
+        {
+            organizationUserAccount.UserId = userId;
+        }
+
+        return organizationUserAccounts;
+    }
+
+    private static ICollection<EmergencyAccessDetails> SetupEmergencyAccess(Guid userId,
+        ICollection<EmergencyAccessDetails> emergencyAccessDetails)
+    {
+        foreach (var emergencyAccessDetail in emergencyAccessDetails)
+        {
+            emergencyAccessDetail.GranteeId = userId;
+        }
+
+        return emergencyAccessDetails;
+    }
+}

From b907935edaf0542cc2d8915b076d99e5b398cf62 Mon Sep 17 00:00:00 2001
From: Robyn MacCallum <robyntmaccallum@gmail.com>
Date: Mon, 16 Dec 2024 16:18:33 -0500
Subject: [PATCH 075/384] Add Authenticator sync flags (#5159)

* Add Authenticator sync flags

* Fix whitespace
---
 src/Core/Constants.cs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 2c315b2578..86e49fa6cf 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -161,6 +161,8 @@ public static class FeatureFlagKeys
     public const string SelfHostLicenseRefactor = "pm-11516-self-host-license-refactor";
     public const string PromoteProviderServiceUserTool = "pm-15128-promote-provider-service-user-tool";
     public const string PrivateKeyRegeneration = "pm-12241-private-key-regeneration";
+    public const string AuthenticatorSynciOS = "enable-authenticator-sync-ios";
+    public const string AuthenticatorSyncAndroid = "enable-authenticator-sync-android";
 
     public static List<string> GetAllKeys()
     {

From ecbfc056830e41822e4567721be0a8bc51fc0436 Mon Sep 17 00:00:00 2001
From: aj-bw <81774843+aj-bw@users.noreply.github.com>
Date: Tue, 17 Dec 2024 08:32:37 -0500
Subject: [PATCH 076/384] QA-689/BEEEP-public-api-GET-subscription-details
 (#5041)

* added GET operation to org subscription endpoint

* adding back removed using statement

* addressing unused import and lint warnings

* whitespace lint fix

* successful local format

* add NotSelfHostOnly attribute

* add endpoint summary and return details
---
 .../Controllers/OrganizationController.cs     | 44 +++++++++++++++++++
 ...anizationSubscriptionUpdateRequestModel.cs |  0
 ...izationSubscriptionDetailsResponseModel.cs | 32 ++++++++++++++
 3 files changed, 76 insertions(+)
 rename src/Api/Billing/Public/Models/{ => Request}/OrganizationSubscriptionUpdateRequestModel.cs (100%)
 create mode 100644 src/Api/Billing/Public/Models/Response/OrganizationSubscriptionDetailsResponseModel.cs

diff --git a/src/Api/Billing/Public/Controllers/OrganizationController.cs b/src/Api/Billing/Public/Controllers/OrganizationController.cs
index c696f2af50..7fcd94acd3 100644
--- a/src/Api/Billing/Public/Controllers/OrganizationController.cs
+++ b/src/Api/Billing/Public/Controllers/OrganizationController.cs
@@ -1,4 +1,5 @@
 using System.Net;
+using Bit.Api.Billing.Public.Models;
 using Bit.Api.Models.Public.Response;
 using Bit.Core.Context;
 using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
@@ -35,6 +36,49 @@ public class OrganizationController : Controller
         _logger = logger;
     }
 
+    /// <summary>
+    /// Retrieves the subscription details for the current organization.
+    /// </summary>
+    /// <returns>
+    /// Returns an object containing the subscription details if successful.
+    /// </returns>
+    [HttpGet("subscription")]
+    [SelfHosted(NotSelfHostedOnly = true)]
+    [ProducesResponseType(typeof(OrganizationSubscriptionDetailsResponseModel), (int)HttpStatusCode.OK)]
+    [ProducesResponseType(typeof(ErrorResponseModel), (int)HttpStatusCode.NotFound)]
+    public async Task<IActionResult> GetSubscriptionAsync()
+    {
+        try
+        {
+            var organizationId = _currentContext.OrganizationId.Value;
+            var organization = await _organizationRepository.GetByIdAsync(organizationId);
+
+            var subscriptionDetails = new OrganizationSubscriptionDetailsResponseModel
+            {
+                PasswordManager = new PasswordManagerSubscriptionDetails
+                {
+                    Seats = organization.Seats,
+                    MaxAutoScaleSeats = organization.MaxAutoscaleSeats,
+                    Storage = organization.MaxStorageGb
+                },
+                SecretsManager = new SecretsManagerSubscriptionDetails
+                {
+                    Seats = organization.SmSeats,
+                    MaxAutoScaleSeats = organization.MaxAutoscaleSmSeats,
+                    ServiceAccounts = organization.SmServiceAccounts,
+                    MaxAutoScaleServiceAccounts = organization.MaxAutoscaleSmServiceAccounts
+                }
+            };
+
+            return Ok(subscriptionDetails);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Unhandled error while retrieving the subscription details");
+            return StatusCode(500, new { Message = "An error occurred while retrieving the subscription details." });
+        }
+    }
+
     /// <summary>
     /// Update the organization's current subscription for Password Manager and/or Secrets Manager.
     /// </summary>
diff --git a/src/Api/Billing/Public/Models/OrganizationSubscriptionUpdateRequestModel.cs b/src/Api/Billing/Public/Models/Request/OrganizationSubscriptionUpdateRequestModel.cs
similarity index 100%
rename from src/Api/Billing/Public/Models/OrganizationSubscriptionUpdateRequestModel.cs
rename to src/Api/Billing/Public/Models/Request/OrganizationSubscriptionUpdateRequestModel.cs
diff --git a/src/Api/Billing/Public/Models/Response/OrganizationSubscriptionDetailsResponseModel.cs b/src/Api/Billing/Public/Models/Response/OrganizationSubscriptionDetailsResponseModel.cs
new file mode 100644
index 0000000000..09aa7decc1
--- /dev/null
+++ b/src/Api/Billing/Public/Models/Response/OrganizationSubscriptionDetailsResponseModel.cs
@@ -0,0 +1,32 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Api.Billing.Public.Models;
+
+public class OrganizationSubscriptionDetailsResponseModel : IValidatableObject
+{
+    public PasswordManagerSubscriptionDetails PasswordManager { get; set; }
+    public SecretsManagerSubscriptionDetails SecretsManager { get; set; }
+    public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
+    {
+        if (PasswordManager == null && SecretsManager == null)
+        {
+            yield return new ValidationResult("At least one of PasswordManager or SecretsManager must be provided.");
+        }
+
+        yield return ValidationResult.Success;
+    }
+}
+public class PasswordManagerSubscriptionDetails
+{
+    public int? Seats { get; set; }
+    public int? MaxAutoScaleSeats { get; set; }
+    public short? Storage { get; set; }
+}
+
+public class SecretsManagerSubscriptionDetails
+{
+    public int? Seats { get; set; }
+    public int? MaxAutoScaleSeats { get; set; }
+    public int? ServiceAccounts { get; set; }
+    public int? MaxAutoScaleServiceAccounts { get; set; }
+}

From 16488091d24f275885cab4777b9764f5847298c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Ch=C4=99ci=C5=84ski?=
 <mchecinski@bitwarden.com>
Date: Tue, 17 Dec 2024 16:45:02 +0100
Subject: [PATCH 077/384] Remove is_workflow_call input from build workflow
 (#5161)

---
 .github/workflows/build.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index eb644fe8b5..420b9b6375 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -580,7 +580,6 @@ jobs:
               ref: 'main',
               inputs: {
                 server_branch: process.env.GITHUB_REF
-                is_workflow_call: true
               }
             });
 

From b75c63c2c6ac335747958c0e72e2d4143a3520c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Tue, 17 Dec 2024 15:57:31 +0000
Subject: [PATCH 078/384] [PM-15957] Fix: Domain Claim fails to enable Single
 Organization Policy, sends no emails and Revokes all users (#5147)

* Add JSON-based stored procedure for updating account revision dates and modify existing procedure to use it

* Refactor SingleOrgPolicyValidator to revoke only non-compliant organization users and update related tests
---
 .../SingleOrgPolicyValidator.cs               | 11 +++-
 ...OrganizationUser_SetStatusForUsersById.sql |  2 +-
 ...tRevisionDateByOrganizationUserIdsJson.sql | 33 ++++++++++
 .../SingleOrgPolicyValidatorTests.cs          | 38 +++++++++--
 ...2-11-00_BumpAccountRevisionDateJsonIds.sql | 64 +++++++++++++++++++
 5 files changed, 140 insertions(+), 8 deletions(-)
 create mode 100644 src/Sql/dbo/Stored Procedures/User_BumpAccountRevisionDateByOrganizationUserIdsJson.sql
 create mode 100644 util/Migrator/DbScripts/2024-12-11-00_BumpAccountRevisionDateJsonIds.sql

diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidator.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidator.cs
index 050949ee7f..a37deef3eb 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidator.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidator.cs
@@ -97,15 +97,22 @@ public class SingleOrgPolicyValidator : IPolicyValidator
             return;
         }
 
+        var allRevocableUserOrgs = await _organizationUserRepository.GetManyByManyUsersAsync(
+            currentActiveRevocableOrganizationUsers.Select(ou => ou.UserId!.Value));
+        var usersToRevoke = currentActiveRevocableOrganizationUsers.Where(ou =>
+            allRevocableUserOrgs.Any(uo => uo.UserId == ou.UserId &&
+                uo.OrganizationId != organizationId &&
+                uo.Status != OrganizationUserStatusType.Invited)).ToList();
+
         var commandResult = await _revokeNonCompliantOrganizationUserCommand.RevokeNonCompliantOrganizationUsersAsync(
-            new RevokeOrganizationUsersRequest(organizationId, currentActiveRevocableOrganizationUsers, performedBy));
+            new RevokeOrganizationUsersRequest(organizationId, usersToRevoke, performedBy));
 
         if (commandResult.HasErrors)
         {
             throw new BadRequestException(string.Join(", ", commandResult.ErrorMessages));
         }
 
-        await Task.WhenAll(currentActiveRevocableOrganizationUsers.Select(x =>
+        await Task.WhenAll(usersToRevoke.Select(x =>
             _mailService.SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(organization.DisplayName(), x.Email)));
     }
 
diff --git a/src/Sql/dbo/Stored Procedures/OrganizationUser_SetStatusForUsersById.sql b/src/Sql/dbo/Stored Procedures/OrganizationUser_SetStatusForUsersById.sql
index 95ed5a3155..18b876775e 100644
--- a/src/Sql/dbo/Stored Procedures/OrganizationUser_SetStatusForUsersById.sql	
+++ b/src/Sql/dbo/Stored Procedures/OrganizationUser_SetStatusForUsersById.sql	
@@ -24,6 +24,6 @@ BEGIN
     SET [Status] = @Status
     WHERE [Id] IN (SELECT Id from @ParsedIds)
 
-    EXEC [dbo].[User_BumpAccountRevisionDateByOrganizationUserIds] @OrganizationUserIds
+    EXEC [dbo].[User_BumpAccountRevisionDateByOrganizationUserIdsJson] @OrganizationUserIds
 END
 
diff --git a/src/Sql/dbo/Stored Procedures/User_BumpAccountRevisionDateByOrganizationUserIdsJson.sql b/src/Sql/dbo/Stored Procedures/User_BumpAccountRevisionDateByOrganizationUserIdsJson.sql
new file mode 100644
index 0000000000..6e4119d864
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/User_BumpAccountRevisionDateByOrganizationUserIdsJson.sql	
@@ -0,0 +1,33 @@
+CREATE PROCEDURE [dbo].[User_BumpAccountRevisionDateByOrganizationUserIdsJson]
+    @OrganizationUserIds NVARCHAR(MAX)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    CREATE TABLE #UserIds
+    (
+        UserId UNIQUEIDENTIFIER NOT NULL
+    );
+
+    INSERT INTO #UserIds (UserId)
+    SELECT
+        OU.UserId
+    FROM
+        [dbo].[OrganizationUser] OU
+    INNER JOIN
+        (SELECT [value] as Id FROM OPENJSON(@OrganizationUserIds)) AS OUIds
+        ON OUIds.Id = OU.Id
+    WHERE
+        OU.[Status] = 2 -- Confirmed
+
+    UPDATE
+        U
+    SET
+        U.[AccountRevisionDate] = GETUTCDATE()
+    FROM
+        [dbo].[User] U
+    INNER JOIN
+        #UserIds ON U.[Id] = #UserIds.[UserId]
+
+    DROP TABLE #UserIds
+END
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidatorTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidatorTests.cs
index 0731920757..d2809102aa 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidatorTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidatorTests.cs
@@ -75,6 +75,7 @@ public class SingleOrgPolicyValidatorTests
 
         var compliantUser1 = new OrganizationUserUserDetails
         {
+            Id = Guid.NewGuid(),
             OrganizationId = organization.Id,
             Type = OrganizationUserType.User,
             Status = OrganizationUserStatusType.Confirmed,
@@ -84,6 +85,7 @@ public class SingleOrgPolicyValidatorTests
 
         var compliantUser2 = new OrganizationUserUserDetails
         {
+            Id = Guid.NewGuid(),
             OrganizationId = organization.Id,
             Type = OrganizationUserType.User,
             Status = OrganizationUserStatusType.Confirmed,
@@ -93,6 +95,7 @@ public class SingleOrgPolicyValidatorTests
 
         var nonCompliantUser = new OrganizationUserUserDetails
         {
+            Id = Guid.NewGuid(),
             OrganizationId = organization.Id,
             Type = OrganizationUserType.User,
             Status = OrganizationUserStatusType.Confirmed,
@@ -106,6 +109,7 @@ public class SingleOrgPolicyValidatorTests
 
         var otherOrganizationUser = new OrganizationUser
         {
+            Id = Guid.NewGuid(),
             OrganizationId = new Guid(),
             UserId = nonCompliantUserId,
             Status = OrganizationUserStatusType.Confirmed
@@ -129,11 +133,20 @@ public class SingleOrgPolicyValidatorTests
 
         await sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
             .Received(1)
-            .RevokeNonCompliantOrganizationUsersAsync(Arg.Any<RevokeOrganizationUsersRequest>());
+            .RevokeNonCompliantOrganizationUsersAsync(
+                Arg.Is<RevokeOrganizationUsersRequest>(r =>
+                    r.OrganizationId == organization.Id &&
+                    r.OrganizationUsers.Count() == 1 &&
+                    r.OrganizationUsers.First().Id == nonCompliantUser.Id));
+        await sutProvider.GetDependency<IMailService>()
+            .DidNotReceive()
+            .SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(organization.DisplayName(), compliantUser1.Email);
+        await sutProvider.GetDependency<IMailService>()
+            .DidNotReceive()
+            .SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(organization.DisplayName(), compliantUser2.Email);
         await sutProvider.GetDependency<IMailService>()
             .Received(1)
-            .SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(organization.DisplayName(),
-                "user3@example.com");
+            .SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(organization.DisplayName(), nonCompliantUser.Email);
     }
 
     [Theory, BitAutoData]
@@ -148,6 +161,7 @@ public class SingleOrgPolicyValidatorTests
 
         var compliantUser1 = new OrganizationUserUserDetails
         {
+            Id = Guid.NewGuid(),
             OrganizationId = organization.Id,
             Type = OrganizationUserType.User,
             Status = OrganizationUserStatusType.Confirmed,
@@ -157,6 +171,7 @@ public class SingleOrgPolicyValidatorTests
 
         var compliantUser2 = new OrganizationUserUserDetails
         {
+            Id = Guid.NewGuid(),
             OrganizationId = organization.Id,
             Type = OrganizationUserType.User,
             Status = OrganizationUserStatusType.Confirmed,
@@ -166,6 +181,7 @@ public class SingleOrgPolicyValidatorTests
 
         var nonCompliantUser = new OrganizationUserUserDetails
         {
+            Id = Guid.NewGuid(),
             OrganizationId = organization.Id,
             Type = OrganizationUserType.User,
             Status = OrganizationUserStatusType.Confirmed,
@@ -179,6 +195,7 @@ public class SingleOrgPolicyValidatorTests
 
         var otherOrganizationUser = new OrganizationUser
         {
+            Id = Guid.NewGuid(),
             OrganizationId = new Guid(),
             UserId = nonCompliantUserId,
             Status = OrganizationUserStatusType.Confirmed
@@ -200,13 +217,24 @@ public class SingleOrgPolicyValidatorTests
 
         await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, policy);
 
+        await sutProvider.GetDependency<IRemoveOrganizationUserCommand>()
+            .DidNotReceive()
+            .RemoveUserAsync(policyUpdate.OrganizationId, compliantUser1.Id, savingUserId);
+        await sutProvider.GetDependency<IRemoveOrganizationUserCommand>()
+            .DidNotReceive()
+            .RemoveUserAsync(policyUpdate.OrganizationId, compliantUser2.Id, savingUserId);
         await sutProvider.GetDependency<IRemoveOrganizationUserCommand>()
             .Received(1)
             .RemoveUserAsync(policyUpdate.OrganizationId, nonCompliantUser.Id, savingUserId);
+        await sutProvider.GetDependency<IMailService>()
+            .DidNotReceive()
+            .SendOrganizationUserRemovedForPolicySingleOrgEmailAsync(organization.DisplayName(), compliantUser1.Email);
+        await sutProvider.GetDependency<IMailService>()
+            .DidNotReceive()
+            .SendOrganizationUserRemovedForPolicySingleOrgEmailAsync(organization.DisplayName(), compliantUser2.Email);
         await sutProvider.GetDependency<IMailService>()
             .Received(1)
-            .SendOrganizationUserRemovedForPolicySingleOrgEmailAsync(organization.DisplayName(),
-                "user3@example.com");
+            .SendOrganizationUserRemovedForPolicySingleOrgEmailAsync(organization.DisplayName(), nonCompliantUser.Email);
     }
 
     [Theory, BitAutoData]
diff --git a/util/Migrator/DbScripts/2024-12-11-00_BumpAccountRevisionDateJsonIds.sql b/util/Migrator/DbScripts/2024-12-11-00_BumpAccountRevisionDateJsonIds.sql
new file mode 100644
index 0000000000..11d1d75a31
--- /dev/null
+++ b/util/Migrator/DbScripts/2024-12-11-00_BumpAccountRevisionDateJsonIds.sql
@@ -0,0 +1,64 @@
+CREATE OR ALTER PROCEDURE [dbo].[User_BumpAccountRevisionDateByOrganizationUserIdsJson]
+    @OrganizationUserIds NVARCHAR(MAX)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    CREATE TABLE #UserIds
+    (
+        UserId UNIQUEIDENTIFIER NOT NULL
+    );
+
+    INSERT INTO #UserIds (UserId)
+    SELECT
+        OU.UserId
+    FROM
+        [dbo].[OrganizationUser] OU
+    INNER JOIN
+        (SELECT [value] as Id FROM OPENJSON(@OrganizationUserIds)) AS OUIds
+        ON OUIds.Id = OU.Id
+    WHERE
+        OU.[Status] = 2 -- Confirmed
+
+    UPDATE
+        U
+    SET
+        U.[AccountRevisionDate] = GETUTCDATE()
+    FROM
+        [dbo].[User] U
+    INNER JOIN
+        #UserIds ON U.[Id] = #UserIds.[UserId]
+
+    DROP TABLE #UserIds
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[OrganizationUser_SetStatusForUsersById]
+    @OrganizationUserIds AS NVARCHAR(MAX),
+    @Status SMALLINT
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    -- Declare a table variable to hold the parsed JSON data
+    DECLARE @ParsedIds TABLE (Id UNIQUEIDENTIFIER);
+
+    -- Parse the JSON input into the table variable
+    INSERT INTO @ParsedIds (Id)
+    SELECT value
+    FROM OPENJSON(@OrganizationUserIds);
+
+    -- Check if the input table is empty
+    IF (SELECT COUNT(1) FROM @ParsedIds) < 1
+    BEGIN
+        RETURN(-1);
+    END
+
+    UPDATE
+        [dbo].[OrganizationUser]
+    SET [Status] = @Status
+    WHERE [Id] IN (SELECT Id from @ParsedIds)
+
+    EXEC [dbo].[User_BumpAccountRevisionDateByOrganizationUserIdsJson] @OrganizationUserIds
+END
+GO

From 2e8f2df9428edf19a272141a8d36dc7ddad20ed4 Mon Sep 17 00:00:00 2001
From: Ike <137194738+ike-kottlowski@users.noreply.github.com>
Date: Tue, 17 Dec 2024 08:59:39 -0800
Subject: [PATCH 079/384] feat(NewDeviceVerification) : (#5153)

feat(NewDeviceVerification) :
Added constat for the cache key in Bit.Core because the cache key format needs to be shared between the Identity Server and the MVC Admin project.
Updated DeviceValidator class to handle checking cache for user information to allow pass through.
Updated and Added tests to handle new flow.
---
 src/Core/Constants.cs                         |  2 +-
 .../RequestValidators/DeviceValidator.cs      | 18 ++++++++-
 .../IdentityServer/DeviceValidatorTests.cs    | 38 ++++++++++++++++++-
 3 files changed, 55 insertions(+), 3 deletions(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 86e49fa6cf..9b51b12d62 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -57,7 +57,7 @@ public static class AuthConstants
     public static readonly RangeConstant ARGON2_ITERATIONS = new(2, 10, 3);
     public static readonly RangeConstant ARGON2_MEMORY = new(15, 1024, 64);
     public static readonly RangeConstant ARGON2_PARALLELISM = new(1, 16, 4);
-
+    public static readonly string NewDeviceVerificationExceptionCacheKeyFormat = "NewDeviceVerificationException_{0}";
 }
 
 public class RangeConstant
diff --git a/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs b/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
index 2a048bcb2a..d59417bfa7 100644
--- a/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
@@ -10,6 +10,7 @@ using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Identity.IdentityServer.Enums;
 using Duende.IdentityServer.Validation;
+using Microsoft.Extensions.Caching.Distributed;
 
 namespace Bit.Identity.IdentityServer.RequestValidators;
 
@@ -20,6 +21,8 @@ public class DeviceValidator(
     IMailService mailService,
     ICurrentContext currentContext,
     IUserService userService,
+    IDistributedCache distributedCache,
+    ILogger<DeviceValidator> logger,
     IFeatureService featureService) : IDeviceValidator
 {
     private readonly IDeviceService _deviceService = deviceService;
@@ -28,6 +31,8 @@ public class DeviceValidator(
     private readonly IMailService _mailService = mailService;
     private readonly ICurrentContext _currentContext = currentContext;
     private readonly IUserService _userService = userService;
+    private readonly IDistributedCache distributedCache = distributedCache;
+    private readonly ILogger<DeviceValidator> _logger = logger;
     private readonly IFeatureService _featureService = featureService;
 
     public async Task<bool> ValidateRequestDeviceAsync(ValidatedTokenRequest request, CustomValidatorRequestContext context)
@@ -67,7 +72,6 @@ public class DeviceValidator(
             !context.SsoRequired &&
             _globalSettings.EnableNewDeviceVerification)
         {
-            // We only want to return early if the device is invalid or there is an error
             var validationResult = await HandleNewDeviceVerificationAsync(context.User, request);
             if (validationResult != DeviceValidationResultType.Success)
             {
@@ -121,6 +125,18 @@ public class DeviceValidator(
             return DeviceValidationResultType.InvalidUser;
         }
 
+        // CS exception flow
+        // Check cache for user information
+        var cacheKey = string.Format(AuthConstants.NewDeviceVerificationExceptionCacheKeyFormat, user.Id.ToString());
+        var cacheValue = await distributedCache.GetAsync(cacheKey);
+        if (cacheValue != null)
+        {
+            // if found in cache return success result and remove from cache
+            await distributedCache.RemoveAsync(cacheKey);
+            _logger.LogInformation("New device verification exception for user {UserId} found in cache", user.Id);
+            return DeviceValidationResultType.Success;
+        }
+
         // parse request for NewDeviceOtp to validate
         var newDeviceOtp = request.Raw["NewDeviceOtp"]?.ToString();
         // we only check null here since an empty OTP will be considered an incorrect OTP
diff --git a/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs b/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
index 304715b68c..105267ea30 100644
--- a/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
+++ b/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
@@ -10,6 +10,8 @@ using Bit.Identity.IdentityServer;
 using Bit.Identity.IdentityServer.RequestValidators;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Duende.IdentityServer.Validation;
+using Microsoft.Extensions.Caching.Distributed;
+using Microsoft.Extensions.Logging;
 using NSubstitute;
 using Xunit;
 using AuthFixtures = Bit.Identity.Test.AutoFixture;
@@ -24,6 +26,8 @@ public class DeviceValidatorTests
     private readonly IMailService _mailService;
     private readonly ICurrentContext _currentContext;
     private readonly IUserService _userService;
+    private readonly IDistributedCache _distributedCache;
+    private readonly Logger<DeviceValidator> _logger;
     private readonly IFeatureService _featureService;
     private readonly DeviceValidator _sut;
 
@@ -35,6 +39,8 @@ public class DeviceValidatorTests
         _mailService = Substitute.For<IMailService>();
         _currentContext = Substitute.For<ICurrentContext>();
         _userService = Substitute.For<IUserService>();
+        _distributedCache = Substitute.For<IDistributedCache>();
+        _logger = new Logger<DeviceValidator>(Substitute.For<ILoggerFactory>());
         _featureService = Substitute.For<IFeatureService>();
         _sut = new DeviceValidator(
             _deviceService,
@@ -43,6 +49,8 @@ public class DeviceValidatorTests
             _mailService,
             _currentContext,
             _userService,
+            _distributedCache,
+            _logger,
             _featureService);
     }
 
@@ -51,7 +59,7 @@ public class DeviceValidatorTests
         Device device)
     {
         // Arrange
-        // AutoData arrages
+        // AutoData arranges
 
         // Act
         var result = await _sut.GetKnownDeviceAsync(null, device);
@@ -421,6 +429,30 @@ public class DeviceValidatorTests
         Assert.Equal(expectedErrorMessage, actualResponse.Message);
     }
 
+    [Theory, BitAutoData]
+    public async void HandleNewDeviceVerificationAsync_UserHasCacheValue_ReturnsSuccess(
+        CustomValidatorRequestContext context,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        ArrangeForHandleNewDeviceVerificationTest(context, request);
+        _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification).Returns(true);
+        _globalSettings.EnableNewDeviceVerification = true;
+        _distributedCache.GetAsync(Arg.Any<string>()).Returns([1]);
+
+        // Act
+        var result = await _sut.ValidateRequestDeviceAsync(request, context);
+
+        // Assert
+        await _userService.Received(0).SendOTPAsync(context.User);
+        await _deviceService.Received(1).SaveAsync(Arg.Any<Device>());
+
+        Assert.True(result);
+        Assert.False(context.CustomResponse.ContainsKey("ErrorModel"));
+        Assert.Equal(context.User.Id, context.Device.UserId);
+        Assert.NotNull(context.Device);
+    }
+
     [Theory, BitAutoData]
     public async void HandleNewDeviceVerificationAsync_NewDeviceOtpValid_ReturnsSuccess(
         CustomValidatorRequestContext context,
@@ -430,6 +462,7 @@ public class DeviceValidatorTests
         ArrangeForHandleNewDeviceVerificationTest(context, request);
         _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification).Returns(true);
         _globalSettings.EnableNewDeviceVerification = true;
+        _distributedCache.GetAsync(Arg.Any<string>()).Returns(null as byte[]);
 
         var newDeviceOtp = "123456";
         request.Raw.Add("NewDeviceOtp", newDeviceOtp);
@@ -461,6 +494,7 @@ public class DeviceValidatorTests
         ArrangeForHandleNewDeviceVerificationTest(context, request);
         _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification).Returns(true);
         _globalSettings.EnableNewDeviceVerification = true;
+        _distributedCache.GetAsync(Arg.Any<string>()).Returns(null as byte[]);
 
         request.Raw.Add("NewDeviceOtp", newDeviceOtp);
 
@@ -489,6 +523,7 @@ public class DeviceValidatorTests
         ArrangeForHandleNewDeviceVerificationTest(context, request);
         _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification).Returns(true);
         _globalSettings.EnableNewDeviceVerification = true;
+        _distributedCache.GetAsync(Arg.Any<string>()).Returns([1]);
         _deviceRepository.GetManyByUserIdAsync(context.User.Id).Returns([]);
 
         // Act
@@ -515,6 +550,7 @@ public class DeviceValidatorTests
         _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification).Returns(true);
         _globalSettings.EnableNewDeviceVerification = true;
         _deviceRepository.GetManyByUserIdAsync(context.User.Id).Returns([new Device()]);
+        _distributedCache.GetAsync(Arg.Any<string>()).Returns(null as byte[]);
 
         // Act
         var result = await _sut.ValidateRequestDeviceAsync(request, context);

From eb9a061e6f84bbdb124b37db6895825a2bd4797c Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Tue, 17 Dec 2024 12:44:08 -0500
Subject: [PATCH 080/384] [pm-15123] Add delete permissions for CS and Billing.
 (#5145)

---
 src/Admin/Utilities/RolePermissionMapping.cs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/Admin/Utilities/RolePermissionMapping.cs b/src/Admin/Utilities/RolePermissionMapping.cs
index 81da3fcf38..9cee571aba 100644
--- a/src/Admin/Utilities/RolePermissionMapping.cs
+++ b/src/Admin/Utilities/RolePermissionMapping.cs
@@ -114,6 +114,7 @@ public static class RolePermissionMapping
                 Permission.User_Billing_LaunchGateway,
                 Permission.Org_List_View,
                 Permission.Org_OrgInformation_View,
+                Permission.Org_Delete,
                 Permission.Org_GeneralDetails_View,
                 Permission.Org_BusinessInformation_View,
                 Permission.Org_BillingInformation_View,
@@ -156,6 +157,7 @@ public static class RolePermissionMapping
                 Permission.Org_Billing_View,
                 Permission.Org_Billing_Edit,
                 Permission.Org_Billing_LaunchGateway,
+                Permission.Org_Delete,
                 Permission.Provider_Edit,
                 Permission.Provider_View,
                 Permission.Provider_List_View,

From de2dc243fc81fe4966941c6ca7fc712fc0592904 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 18 Dec 2024 14:18:37 +0100
Subject: [PATCH 081/384] [deps] Tools: Update MailKit to 4.9.0 (#5133)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 src/Core/Core.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index 9049f94dcf..43068a4ac0 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -34,7 +34,7 @@
     <PackageReference Include="DnsClient" Version="1.8.0" />
     <PackageReference Include="Fido2.AspNet" Version="3.0.1" />
     <PackageReference Include="Handlebars.Net" Version="2.1.6" />
-    <PackageReference Include="MailKit" Version="4.8.0" />    
+    <PackageReference Include="MailKit" Version="4.9.0" />    
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.10" />
     <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.46.0" />
     <PackageReference Include="Microsoft.Azure.NotificationHubs" Version="4.2.0" />

From 21fcfcd5e855b72928f853f771c4980a5f9ccbc9 Mon Sep 17 00:00:00 2001
From: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
Date: Wed, 18 Dec 2024 15:59:50 +0100
Subject: [PATCH 082/384] [PM-10563] Notification Center API (#4852)

* PM-10563: Notification Center API

* PM-10563: continuation token hack

* PM-10563: Resolving merge conflicts

* PM-10563: Unit Tests

* PM-10563: Paging simplification by page number and size in database

* PM-10563: Request validation

* PM-10563: Read, Deleted status filters change

* PM-10563: Plural name for tests

* PM-10563: Request validation to always for int type

* PM-10563: Continuation Token returns null on response when no more records available

* PM-10563: Integration tests for GET

* PM-10563: Mark notification read, deleted commands date typos fix

* PM-10563: Integration tests for PATCH read, deleted

* PM-10563: Request, Response models tests

* PM-10563: EditorConfig compliance

* PM-10563: Extracting to const

* PM-10563: Update db migration script date

* PM-10563: Update migration script date
---
 .../Controllers/NotificationsController.cs    |  71 +++
 .../Request/NotificationFilterRequestModel.cs |  41 ++
 .../Response/NotificationResponseModel.cs     |  46 ++
 ...cationCenterServiceCollectionExtensions.cs |  29 +
 ...etNotificationStatusDetailsForUserQuery.cs |   7 +-
 ...etNotificationStatusDetailsForUserQuery.cs |   4 +-
 .../Repositories/INotificationRepository.cs   |  10 +-
 .../Repositories/NotificationRepository.cs    |  28 +-
 .../Repositories/NotificationRepository.cs    |  28 +-
 .../Utilities/ServiceCollectionExtensions.cs  |   2 +
 .../Notification_ReadByUserIdAndStatus.sql    |  15 +-
 .../NotificationsControllerTests.cs           | 582 ++++++++++++++++++
 .../NotificationsControllerTests.cs           | 202 ++++++
 .../NotificationFilterRequestModelTests.cs    |  93 +++
 .../NotificationResponseModelTests.cs         |  43 ++
 .../NotificationStatusDetailsFixtures.cs      |  34 +-
 ...tificationStatusDetailsForUserQueryTest.cs |  37 +-
 ...4-12-18_00_AddPagingToNotificationRead.sql |  39 ++
 18 files changed, 1272 insertions(+), 39 deletions(-)
 create mode 100644 src/Api/NotificationCenter/Controllers/NotificationsController.cs
 create mode 100644 src/Api/NotificationCenter/Models/Request/NotificationFilterRequestModel.cs
 create mode 100644 src/Api/NotificationCenter/Models/Response/NotificationResponseModel.cs
 create mode 100644 src/Core/NotificationCenter/NotificationCenterServiceCollectionExtensions.cs
 create mode 100644 test/Api.IntegrationTest/NotificationCenter/Controllers/NotificationsControllerTests.cs
 create mode 100644 test/Api.Test/NotificationCenter/Controllers/NotificationsControllerTests.cs
 create mode 100644 test/Api.Test/NotificationCenter/Models/Request/NotificationFilterRequestModelTests.cs
 create mode 100644 test/Api.Test/NotificationCenter/Models/Response/NotificationResponseModelTests.cs
 create mode 100644 util/Migrator/DbScripts/2024-12-18_00_AddPagingToNotificationRead.sql

diff --git a/src/Api/NotificationCenter/Controllers/NotificationsController.cs b/src/Api/NotificationCenter/Controllers/NotificationsController.cs
new file mode 100644
index 0000000000..9dc1505cb8
--- /dev/null
+++ b/src/Api/NotificationCenter/Controllers/NotificationsController.cs
@@ -0,0 +1,71 @@
+#nullable enable
+using Bit.Api.Models.Response;
+using Bit.Api.NotificationCenter.Models.Request;
+using Bit.Api.NotificationCenter.Models.Response;
+using Bit.Core.Models.Data;
+using Bit.Core.NotificationCenter.Commands.Interfaces;
+using Bit.Core.NotificationCenter.Models.Filter;
+using Bit.Core.NotificationCenter.Queries.Interfaces;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.NotificationCenter.Controllers;
+
+[Route("notifications")]
+[Authorize("Application")]
+public class NotificationsController : Controller
+{
+    private readonly IGetNotificationStatusDetailsForUserQuery _getNotificationStatusDetailsForUserQuery;
+    private readonly IMarkNotificationDeletedCommand _markNotificationDeletedCommand;
+    private readonly IMarkNotificationReadCommand _markNotificationReadCommand;
+
+    public NotificationsController(
+        IGetNotificationStatusDetailsForUserQuery getNotificationStatusDetailsForUserQuery,
+        IMarkNotificationDeletedCommand markNotificationDeletedCommand,
+        IMarkNotificationReadCommand markNotificationReadCommand)
+    {
+        _getNotificationStatusDetailsForUserQuery = getNotificationStatusDetailsForUserQuery;
+        _markNotificationDeletedCommand = markNotificationDeletedCommand;
+        _markNotificationReadCommand = markNotificationReadCommand;
+    }
+
+    [HttpGet("")]
+    public async Task<ListResponseModel<NotificationResponseModel>> ListAsync(
+        [FromQuery] NotificationFilterRequestModel filter)
+    {
+        var pageOptions = new PageOptions
+        {
+            ContinuationToken = filter.ContinuationToken,
+            PageSize = filter.PageSize
+        };
+
+        var notificationStatusFilter = new NotificationStatusFilter
+        {
+            Read = filter.ReadStatusFilter,
+            Deleted = filter.DeletedStatusFilter
+        };
+
+        var notificationStatusDetailsPagedResult =
+            await _getNotificationStatusDetailsForUserQuery.GetByUserIdStatusFilterAsync(notificationStatusFilter,
+                pageOptions);
+
+        var responses = notificationStatusDetailsPagedResult.Data
+            .Select(n => new NotificationResponseModel(n))
+            .ToList();
+
+        return new ListResponseModel<NotificationResponseModel>(responses,
+            notificationStatusDetailsPagedResult.ContinuationToken);
+    }
+
+    [HttpPatch("{id}/delete")]
+    public async Task MarkAsDeletedAsync([FromRoute] Guid id)
+    {
+        await _markNotificationDeletedCommand.MarkDeletedAsync(id);
+    }
+
+    [HttpPatch("{id}/read")]
+    public async Task MarkAsReadAsync([FromRoute] Guid id)
+    {
+        await _markNotificationReadCommand.MarkReadAsync(id);
+    }
+}
diff --git a/src/Api/NotificationCenter/Models/Request/NotificationFilterRequestModel.cs b/src/Api/NotificationCenter/Models/Request/NotificationFilterRequestModel.cs
new file mode 100644
index 0000000000..9c6252b6db
--- /dev/null
+++ b/src/Api/NotificationCenter/Models/Request/NotificationFilterRequestModel.cs
@@ -0,0 +1,41 @@
+#nullable enable
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Api.NotificationCenter.Models.Request;
+
+public class NotificationFilterRequestModel : IValidatableObject
+{
+    /// <summary>
+    /// Filters notifications by read status. When not set, includes notifications without a status.
+    /// </summary>
+    public bool? ReadStatusFilter { get; set; }
+
+    /// <summary>
+    /// Filters notifications by deleted status. When not set, includes notifications without a status.
+    /// </summary>
+    public bool? DeletedStatusFilter { get; set; }
+
+    /// <summary>
+    /// A cursor for use in pagination.
+    /// </summary>
+    [StringLength(9)]
+    public string? ContinuationToken { get; set; }
+
+    /// <summary>
+    /// The number of items to return in a single page.
+    /// Default 10. Minimum 10, maximum 1000.
+    /// </summary>
+    [Range(10, 1000)]
+    public int PageSize { get; set; } = 10;
+
+    public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
+    {
+        if (!string.IsNullOrWhiteSpace(ContinuationToken) &&
+            (!int.TryParse(ContinuationToken, out var pageNumber) || pageNumber <= 0))
+        {
+            yield return new ValidationResult(
+                "Continuation token must be a positive, non zero integer.",
+                [nameof(ContinuationToken)]);
+        }
+    }
+}
diff --git a/src/Api/NotificationCenter/Models/Response/NotificationResponseModel.cs b/src/Api/NotificationCenter/Models/Response/NotificationResponseModel.cs
new file mode 100644
index 0000000000..1ebed87de2
--- /dev/null
+++ b/src/Api/NotificationCenter/Models/Response/NotificationResponseModel.cs
@@ -0,0 +1,46 @@
+#nullable enable
+using Bit.Core.Models.Api;
+using Bit.Core.NotificationCenter.Enums;
+using Bit.Core.NotificationCenter.Models.Data;
+
+namespace Bit.Api.NotificationCenter.Models.Response;
+
+public class NotificationResponseModel : ResponseModel
+{
+    private const string _objectName = "notification";
+
+    public NotificationResponseModel(NotificationStatusDetails notificationStatusDetails, string obj = _objectName)
+        : base(obj)
+    {
+        if (notificationStatusDetails == null)
+        {
+            throw new ArgumentNullException(nameof(notificationStatusDetails));
+        }
+
+        Id = notificationStatusDetails.Id;
+        Priority = notificationStatusDetails.Priority;
+        Title = notificationStatusDetails.Title;
+        Body = notificationStatusDetails.Body;
+        Date = notificationStatusDetails.RevisionDate;
+        ReadDate = notificationStatusDetails.ReadDate;
+        DeletedDate = notificationStatusDetails.DeletedDate;
+    }
+
+    public NotificationResponseModel() : base(_objectName)
+    {
+    }
+
+    public Guid Id { get; set; }
+
+    public Priority Priority { get; set; }
+
+    public string? Title { get; set; }
+
+    public string? Body { get; set; }
+
+    public DateTime Date { get; set; }
+
+    public DateTime? ReadDate { get; set; }
+
+    public DateTime? DeletedDate { get; set; }
+}
diff --git a/src/Core/NotificationCenter/NotificationCenterServiceCollectionExtensions.cs b/src/Core/NotificationCenter/NotificationCenterServiceCollectionExtensions.cs
new file mode 100644
index 0000000000..fe41ebc5c3
--- /dev/null
+++ b/src/Core/NotificationCenter/NotificationCenterServiceCollectionExtensions.cs
@@ -0,0 +1,29 @@
+#nullable enable
+using Bit.Core.NotificationCenter.Authorization;
+using Bit.Core.NotificationCenter.Commands;
+using Bit.Core.NotificationCenter.Commands.Interfaces;
+using Bit.Core.NotificationCenter.Queries;
+using Bit.Core.NotificationCenter.Queries.Interfaces;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Core.NotificationCenter;
+
+public static class NotificationCenterServiceCollectionExtensions
+{
+    public static void AddNotificationCenterServices(this IServiceCollection services)
+    {
+        // Authorization Handlers
+        services.AddScoped<IAuthorizationHandler, NotificationAuthorizationHandler>();
+        services.AddScoped<IAuthorizationHandler, NotificationStatusAuthorizationHandler>();
+        // Commands
+        services.AddScoped<ICreateNotificationCommand, CreateNotificationCommand>();
+        services.AddScoped<ICreateNotificationStatusCommand, CreateNotificationStatusCommand>();
+        services.AddScoped<IMarkNotificationDeletedCommand, MarkNotificationDeletedCommand>();
+        services.AddScoped<IMarkNotificationReadCommand, MarkNotificationReadCommand>();
+        services.AddScoped<IUpdateNotificationCommand, UpdateNotificationCommand>();
+        // Queries
+        services.AddScoped<IGetNotificationStatusDetailsForUserQuery, GetNotificationStatusDetailsForUserQuery>();
+        services.AddScoped<IGetNotificationStatusForUserQuery, GetNotificationStatusForUserQuery>();
+    }
+}
diff --git a/src/Core/NotificationCenter/Queries/GetNotificationStatusDetailsForUserQuery.cs b/src/Core/NotificationCenter/Queries/GetNotificationStatusDetailsForUserQuery.cs
index 0a783a59ba..235c2c6ed0 100644
--- a/src/Core/NotificationCenter/Queries/GetNotificationStatusDetailsForUserQuery.cs
+++ b/src/Core/NotificationCenter/Queries/GetNotificationStatusDetailsForUserQuery.cs
@@ -1,6 +1,7 @@
 #nullable enable
 using Bit.Core.Context;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Data;
 using Bit.Core.NotificationCenter.Models.Data;
 using Bit.Core.NotificationCenter.Models.Filter;
 using Bit.Core.NotificationCenter.Queries.Interfaces;
@@ -21,8 +22,8 @@ public class GetNotificationStatusDetailsForUserQuery : IGetNotificationStatusDe
         _notificationRepository = notificationRepository;
     }
 
-    public async Task<IEnumerable<NotificationStatusDetails>> GetByUserIdStatusFilterAsync(
-        NotificationStatusFilter statusFilter)
+    public async Task<PagedResult<NotificationStatusDetails>> GetByUserIdStatusFilterAsync(
+        NotificationStatusFilter statusFilter, PageOptions pageOptions)
     {
         if (!_currentContext.UserId.HasValue)
         {
@@ -33,6 +34,6 @@ public class GetNotificationStatusDetailsForUserQuery : IGetNotificationStatusDe
 
         // Note: only returns the user's notifications - no authorization check needed
         return await _notificationRepository.GetByUserIdAndStatusAsync(_currentContext.UserId.Value, clientType,
-            statusFilter);
+            statusFilter, pageOptions);
     }
 }
diff --git a/src/Core/NotificationCenter/Queries/Interfaces/IGetNotificationStatusDetailsForUserQuery.cs b/src/Core/NotificationCenter/Queries/Interfaces/IGetNotificationStatusDetailsForUserQuery.cs
index 456a0e9400..fd6c0b5e63 100644
--- a/src/Core/NotificationCenter/Queries/Interfaces/IGetNotificationStatusDetailsForUserQuery.cs
+++ b/src/Core/NotificationCenter/Queries/Interfaces/IGetNotificationStatusDetailsForUserQuery.cs
@@ -1,4 +1,5 @@
 #nullable enable
+using Bit.Core.Models.Data;
 using Bit.Core.NotificationCenter.Models.Data;
 using Bit.Core.NotificationCenter.Models.Filter;
 
@@ -6,5 +7,6 @@ namespace Bit.Core.NotificationCenter.Queries.Interfaces;
 
 public interface IGetNotificationStatusDetailsForUserQuery
 {
-    Task<IEnumerable<NotificationStatusDetails>> GetByUserIdStatusFilterAsync(NotificationStatusFilter statusFilter);
+    Task<PagedResult<NotificationStatusDetails>> GetByUserIdStatusFilterAsync(NotificationStatusFilter statusFilter,
+        PageOptions pageOptions);
 }
diff --git a/src/Core/NotificationCenter/Repositories/INotificationRepository.cs b/src/Core/NotificationCenter/Repositories/INotificationRepository.cs
index 2c3faed914..21604ed169 100644
--- a/src/Core/NotificationCenter/Repositories/INotificationRepository.cs
+++ b/src/Core/NotificationCenter/Repositories/INotificationRepository.cs
@@ -1,5 +1,6 @@
 #nullable enable
 using Bit.Core.Enums;
+using Bit.Core.Models.Data;
 using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.NotificationCenter.Models.Data;
 using Bit.Core.NotificationCenter.Models.Filter;
@@ -22,10 +23,13 @@ public interface INotificationRepository : IRepository<Notification, Guid>
     /// If both <see cref="NotificationStatusFilter.Read"/> and <see cref="NotificationStatusFilter.Deleted"/>
     /// are not set, includes notifications without a status.
     /// </param>
+    /// <param name="pageOptions">
+    /// Pagination options.
+    /// </param>
     /// <returns>
-    /// Ordered by priority (highest to lowest) and creation date (descending).
+    /// Paged results ordered by priority (descending, highest to lowest) and creation date (descending).
     /// Includes all fields from <see cref="Notification"/> and <see cref="NotificationStatus"/>
     /// </returns>
-    Task<IEnumerable<NotificationStatusDetails>> GetByUserIdAndStatusAsync(Guid userId, ClientType clientType,
-        NotificationStatusFilter? statusFilter);
+    Task<PagedResult<NotificationStatusDetails>> GetByUserIdAndStatusAsync(Guid userId, ClientType clientType,
+        NotificationStatusFilter? statusFilter, PageOptions pageOptions);
 }
diff --git a/src/Infrastructure.Dapper/NotificationCenter/Repositories/NotificationRepository.cs b/src/Infrastructure.Dapper/NotificationCenter/Repositories/NotificationRepository.cs
index f70c50f49f..b6843d9801 100644
--- a/src/Infrastructure.Dapper/NotificationCenter/Repositories/NotificationRepository.cs
+++ b/src/Infrastructure.Dapper/NotificationCenter/Repositories/NotificationRepository.cs
@@ -1,6 +1,7 @@
 #nullable enable
 using System.Data;
 using Bit.Core.Enums;
+using Bit.Core.Models.Data;
 using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.NotificationCenter.Models.Data;
 using Bit.Core.NotificationCenter.Models.Filter;
@@ -24,16 +25,35 @@ public class NotificationRepository : Repository<Notification, Guid>, INotificat
     {
     }
 
-    public async Task<IEnumerable<NotificationStatusDetails>> GetByUserIdAndStatusAsync(Guid userId,
-        ClientType clientType, NotificationStatusFilter? statusFilter)
+    public async Task<PagedResult<NotificationStatusDetails>> GetByUserIdAndStatusAsync(Guid userId,
+        ClientType clientType, NotificationStatusFilter? statusFilter, PageOptions pageOptions)
     {
         await using var connection = new SqlConnection(ConnectionString);
 
+        if (!int.TryParse(pageOptions.ContinuationToken, out var pageNumber))
+        {
+            pageNumber = 1;
+        }
+
         var results = await connection.QueryAsync<NotificationStatusDetails>(
             "[dbo].[Notification_ReadByUserIdAndStatus]",
-            new { UserId = userId, ClientType = clientType, statusFilter?.Read, statusFilter?.Deleted },
+            new
+            {
+                UserId = userId,
+                ClientType = clientType,
+                statusFilter?.Read,
+                statusFilter?.Deleted,
+                PageNumber = pageNumber,
+                pageOptions.PageSize
+            },
             commandType: CommandType.StoredProcedure);
 
-        return results.ToList();
+        var data = results.ToList();
+
+        return new PagedResult<NotificationStatusDetails>
+        {
+            Data = data,
+            ContinuationToken = data.Count < pageOptions.PageSize ? null : (pageNumber + 1).ToString()
+        };
     }
 }
diff --git a/src/Infrastructure.EntityFramework/NotificationCenter/Repositories/NotificationRepository.cs b/src/Infrastructure.EntityFramework/NotificationCenter/Repositories/NotificationRepository.cs
index a413e78748..5d1071f26c 100644
--- a/src/Infrastructure.EntityFramework/NotificationCenter/Repositories/NotificationRepository.cs
+++ b/src/Infrastructure.EntityFramework/NotificationCenter/Repositories/NotificationRepository.cs
@@ -1,6 +1,7 @@
 #nullable enable
 using AutoMapper;
 using Bit.Core.Enums;
+using Bit.Core.Models.Data;
 using Bit.Core.NotificationCenter.Models.Data;
 using Bit.Core.NotificationCenter.Models.Filter;
 using Bit.Core.NotificationCenter.Repositories;
@@ -36,28 +37,41 @@ public class NotificationRepository : Repository<Core.NotificationCenter.Entitie
         return Mapper.Map<List<Core.NotificationCenter.Entities.Notification>>(notifications);
     }
 
-    public async Task<IEnumerable<NotificationStatusDetails>> GetByUserIdAndStatusAsync(Guid userId,
-        ClientType clientType, NotificationStatusFilter? statusFilter)
+    public async Task<PagedResult<NotificationStatusDetails>> GetByUserIdAndStatusAsync(Guid userId,
+        ClientType clientType, NotificationStatusFilter? statusFilter, PageOptions pageOptions)
     {
         await using var scope = ServiceScopeFactory.CreateAsyncScope();
         var dbContext = GetDatabaseContext(scope);
 
+        if (!int.TryParse(pageOptions.ContinuationToken, out var pageNumber))
+        {
+            pageNumber = 1;
+        }
+
         var notificationStatusDetailsViewQuery = new NotificationStatusDetailsViewQuery(userId, clientType);
 
         var query = notificationStatusDetailsViewQuery.Run(dbContext);
         if (statusFilter != null && (statusFilter.Read != null || statusFilter.Deleted != null))
         {
             query = from n in query
-                    where statusFilter.Read == null ||
-                          (statusFilter.Read == true ? n.ReadDate != null : n.ReadDate == null) ||
-                          statusFilter.Deleted == null ||
-                          (statusFilter.Deleted == true ? n.DeletedDate != null : n.DeletedDate == null)
+                    where (statusFilter.Read == null ||
+                           (statusFilter.Read == true ? n.ReadDate != null : n.ReadDate == null)) &&
+                          (statusFilter.Deleted == null ||
+                           (statusFilter.Deleted == true ? n.DeletedDate != null : n.DeletedDate == null))
                     select n;
         }
 
-        return await query
+        var results = await query
             .OrderByDescending(n => n.Priority)
             .ThenByDescending(n => n.CreationDate)
+            .Skip(pageOptions.PageSize * (pageNumber - 1))
+            .Take(pageOptions.PageSize)
             .ToListAsync();
+
+        return new PagedResult<NotificationStatusDetails>
+        {
+            Data = results,
+            ContinuationToken = results.Count < pageOptions.PageSize ? null : (pageNumber + 1).ToString()
+        };
     }
 }
diff --git a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
index c757f163e9..85bd0301c3 100644
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@@ -27,6 +27,7 @@ using Bit.Core.HostedServices;
 using Bit.Core.Identity;
 using Bit.Core.IdentityServer;
 using Bit.Core.KeyManagement;
+using Bit.Core.NotificationCenter;
 using Bit.Core.NotificationHub;
 using Bit.Core.OrganizationFeatures;
 using Bit.Core.Repositories;
@@ -122,6 +123,7 @@ public static class ServiceCollectionExtensions
         services.AddVaultServices();
         services.AddReportingServices();
         services.AddKeyManagementServices();
+        services.AddNotificationCenterServices();
     }
 
     public static void AddTokenizers(this IServiceCollection services)
diff --git a/src/Sql/NotificationCenter/dbo/Stored Procedures/Notification_ReadByUserIdAndStatus.sql b/src/Sql/NotificationCenter/dbo/Stored Procedures/Notification_ReadByUserIdAndStatus.sql
index b98f85f73c..72efda2012 100644
--- a/src/Sql/NotificationCenter/dbo/Stored Procedures/Notification_ReadByUserIdAndStatus.sql	
+++ b/src/Sql/NotificationCenter/dbo/Stored Procedures/Notification_ReadByUserIdAndStatus.sql	
@@ -2,7 +2,9 @@ CREATE PROCEDURE [dbo].[Notification_ReadByUserIdAndStatus]
     @UserId UNIQUEIDENTIFIER,
     @ClientType TINYINT,
     @Read BIT,
-    @Deleted BIT
+    @Deleted BIT,
+    @PageNumber INT = 1,
+    @PageSize INT = 10
 AS
 BEGIN
     SET NOCOUNT ON
@@ -21,13 +23,14 @@ BEGIN
             AND ou.[OrganizationId] IS NOT NULL))
       AND ((@Read IS NULL AND @Deleted IS NULL)
         OR (n.[NotificationStatusUserId] IS NOT NULL
-            AND ((@Read IS NULL
+            AND (@Read IS NULL
                 OR IIF((@Read = 1 AND n.[ReadDate] IS NOT NULL) OR
                        (@Read = 0 AND n.[ReadDate] IS NULL),
                        1, 0) = 1)
-                OR (@Deleted IS NULL
-                    OR IIF((@Deleted = 1 AND n.[DeletedDate] IS NOT NULL) OR
-                           (@Deleted = 0 AND n.[DeletedDate] IS NULL),
-                           1, 0) = 1))))
+            AND (@Deleted IS NULL
+                OR IIF((@Deleted = 1 AND n.[DeletedDate] IS NOT NULL) OR
+                       (@Deleted = 0 AND n.[DeletedDate] IS NULL),
+                       1, 0) = 1)))
     ORDER BY [Priority] DESC, n.[CreationDate] DESC
+    OFFSET @PageSize * (@PageNumber - 1) ROWS FETCH NEXT @PageSize ROWS ONLY
 END
diff --git a/test/Api.IntegrationTest/NotificationCenter/Controllers/NotificationsControllerTests.cs b/test/Api.IntegrationTest/NotificationCenter/Controllers/NotificationsControllerTests.cs
new file mode 100644
index 0000000000..6d487c5d8f
--- /dev/null
+++ b/test/Api.IntegrationTest/NotificationCenter/Controllers/NotificationsControllerTests.cs
@@ -0,0 +1,582 @@
+using System.Net;
+using Bit.Api.IntegrationTest.Factories;
+using Bit.Api.IntegrationTest.Helpers;
+using Bit.Api.Models.Response;
+using Bit.Api.NotificationCenter.Models.Response;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Models.Api;
+using Bit.Core.NotificationCenter.Entities;
+using Bit.Core.NotificationCenter.Enums;
+using Bit.Core.NotificationCenter.Repositories;
+using Bit.Core.Repositories;
+using Xunit;
+
+namespace Bit.Api.IntegrationTest.NotificationCenter.Controllers;
+
+public class NotificationsControllerTests : IClassFixture<ApiApplicationFactory>, IAsyncLifetime
+{
+    private static readonly string _mockEncryptedBody =
+        "2.AOs41Hd8OQiCPXjyJKCiDA==|O6OHgt2U2hJGBSNGnimJmg==|iD33s8B69C8JhYYhSa4V1tArjvLr8eEaGqOV7BRo5Jk=";
+
+    private static readonly string _mockEncryptedTitle =
+        "2.06CDSJjTZaigYHUuswIq5A==|trxgZl2RCkYrrmCvGE9WNA==|w5p05eI5wsaYeSyWtsAPvBX63vj798kIMxBTfSB0BQg=";
+
+    private static readonly Random _random = new();
+
+    private static TimeSpan OneMinuteTimeSpan => TimeSpan.FromMinutes(1);
+
+    private readonly HttpClient _client;
+    private readonly ApiApplicationFactory _factory;
+    private readonly LoginHelper _loginHelper;
+    private readonly INotificationRepository _notificationRepository;
+    private readonly INotificationStatusRepository _notificationStatusRepository;
+    private readonly IUserRepository _userRepository;
+    private Organization _organization = null!;
+    private OrganizationUser _organizationUserOwner = null!;
+    private string _ownerEmail = null!;
+    private List<(Notification, NotificationStatus?)> _notificationsWithStatuses = null!;
+
+    public NotificationsControllerTests(ApiApplicationFactory factory)
+    {
+        _factory = factory;
+        _client = factory.CreateClient();
+        _loginHelper = new LoginHelper(_factory, _client);
+        _notificationRepository = _factory.GetService<INotificationRepository>();
+        _notificationStatusRepository = _factory.GetService<INotificationStatusRepository>();
+        _userRepository = _factory.GetService<IUserRepository>();
+    }
+
+    public async Task InitializeAsync()
+    {
+        // Create the owner account
+        _ownerEmail = $"integration-test{Guid.NewGuid()}@bitwarden.com";
+        await _factory.LoginWithNewAccount(_ownerEmail);
+
+        // Create the organization
+        (_organization, _organizationUserOwner) = await OrganizationTestHelpers.SignUpAsync(_factory,
+            plan: PlanType.EnterpriseAnnually, ownerEmail: _ownerEmail, passwordManagerSeats: 10,
+            paymentMethod: PaymentMethodType.Card);
+
+        _notificationsWithStatuses = await CreateNotificationsWithStatusesAsync();
+    }
+
+    public Task DisposeAsync()
+    {
+        _client.Dispose();
+
+        foreach (var (notification, _) in _notificationsWithStatuses)
+        {
+            _notificationRepository.DeleteAsync(notification);
+        }
+
+        return Task.CompletedTask;
+    }
+
+    [Theory]
+    [InlineData("invalid")]
+    [InlineData("-1")]
+    [InlineData("0")]
+    public async Task ListAsync_RequestValidationContinuationInvalidNumber_BadRequest(string continuationToken)
+    {
+        await _loginHelper.LoginAsync(_ownerEmail);
+
+        var response = await _client.GetAsync($"/notifications?continuationToken={continuationToken}");
+        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
+        var result = await response.Content.ReadFromJsonAsync<ErrorResponseModel>();
+        Assert.NotNull(result);
+        Assert.Contains("ContinuationToken", result.ValidationErrors);
+        Assert.Contains("Continuation token must be a positive, non zero integer.",
+            result.ValidationErrors["ContinuationToken"]);
+    }
+
+    [Fact]
+    public async Task ListAsync_RequestValidationContinuationTokenMaxLengthExceeded_BadRequest()
+    {
+        await _loginHelper.LoginAsync(_ownerEmail);
+
+        var response = await _client.GetAsync("/notifications?continuationToken=1234567890");
+        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
+        var result = await response.Content.ReadFromJsonAsync<ErrorResponseModel>();
+        Assert.NotNull(result);
+        Assert.Contains("ContinuationToken", result.ValidationErrors);
+        Assert.Contains("The field ContinuationToken must be a string with a maximum length of 9.",
+            result.ValidationErrors["ContinuationToken"]);
+    }
+
+    [Theory]
+    [InlineData("9")]
+    [InlineData("1001")]
+    public async Task ListAsync_RequestValidationPageSizeInvalidRange_BadRequest(string pageSize)
+    {
+        await _loginHelper.LoginAsync(_ownerEmail);
+
+        var response = await _client.GetAsync($"/notifications?pageSize={pageSize}");
+        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
+        var result = await response.Content.ReadFromJsonAsync<ErrorResponseModel>();
+        Assert.NotNull(result);
+        Assert.Contains("PageSize", result.ValidationErrors);
+        Assert.Contains("The field PageSize must be between 10 and 1000.",
+            result.ValidationErrors["PageSize"]);
+    }
+
+    [Fact]
+    public async Task ListAsync_NotLoggedIn_Unauthorized()
+    {
+        var response = await _client.GetAsync("/notifications");
+        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+    }
+
+    [Theory]
+    [InlineData(null, null, "2", 10)]
+    [InlineData(10, null, "2", 10)]
+    [InlineData(10, 2, "3", 10)]
+    [InlineData(10, 3, null, 0)]
+    [InlineData(15, null, "2", 15)]
+    [InlineData(15, 2, null, 5)]
+    [InlineData(20, null, "2", 20)]
+    [InlineData(20, 2, null, 0)]
+    [InlineData(1000, null, null, 20)]
+    public async Task ListAsync_PaginationFilter_ReturnsNextPageOfNotificationsCorrectOrder(
+        int? pageSize, int? pageNumber, string? expectedContinuationToken, int expectedCount)
+    {
+        var pageSizeWithDefault = pageSize ?? 10;
+
+        await _loginHelper.LoginAsync(_ownerEmail);
+
+        var skip = pageNumber == null ? 0 : (pageNumber.Value - 1) * pageSizeWithDefault;
+
+        var notificationsInOrder = _notificationsWithStatuses.OrderByDescending(e => e.Item1.Priority)
+            .ThenByDescending(e => e.Item1.CreationDate)
+            .Skip(skip)
+            .Take(pageSizeWithDefault)
+            .ToList();
+
+        var url = "/notifications";
+        if (pageNumber != null)
+        {
+            url += $"?continuationToken={pageNumber}";
+        }
+
+        if (pageSize != null)
+        {
+            url += url.Contains('?') ? "&" : "?";
+            url += $"pageSize={pageSize}";
+        }
+
+        var response = await _client.GetAsync(url);
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        var result = await response.Content.ReadFromJsonAsync<ListResponseModel<NotificationResponseModel>>();
+        Assert.NotNull(result?.Data);
+        Assert.InRange(result.Data.Count(), 0, pageSizeWithDefault);
+        Assert.Equal(expectedCount, notificationsInOrder.Count);
+        Assert.Equal(notificationsInOrder.Count, result.Data.Count());
+        AssertNotificationResponseModels(result.Data, notificationsInOrder);
+
+        Assert.Equal(expectedContinuationToken, result.ContinuationToken);
+    }
+
+    [Theory]
+    [InlineData(null, null)]
+    [InlineData(null, false)]
+    [InlineData(null, true)]
+    [InlineData(false, null)]
+    [InlineData(true, null)]
+    [InlineData(false, false)]
+    [InlineData(false, true)]
+    [InlineData(true, false)]
+    [InlineData(true, true)]
+    public async Task ListAsync_ReadStatusDeletedStatusFilter_ReturnsFilteredNotificationsCorrectOrder(
+        bool? readStatusFilter, bool? deletedStatusFilter)
+    {
+        await _loginHelper.LoginAsync(_ownerEmail);
+        var notificationsInOrder = _notificationsWithStatuses.FindAll(e =>
+                (readStatusFilter == null || readStatusFilter == (e.Item2?.ReadDate != null)) &&
+                (deletedStatusFilter == null || deletedStatusFilter == (e.Item2?.DeletedDate != null)))
+            .OrderByDescending(e => e.Item1.Priority)
+            .ThenByDescending(e => e.Item1.CreationDate)
+            .Take(10)
+            .ToList();
+
+        var url = "/notifications";
+        if (readStatusFilter != null)
+        {
+            url += $"?readStatusFilter={readStatusFilter}";
+        }
+
+        if (deletedStatusFilter != null)
+        {
+            url += url.Contains('?') ? "&" : "?";
+            url += $"deletedStatusFilter={deletedStatusFilter}";
+        }
+
+        var response = await _client.GetAsync(url);
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        var result = await response.Content.ReadFromJsonAsync<ListResponseModel<NotificationResponseModel>>();
+        Assert.NotNull(result?.Data);
+        Assert.InRange(result.Data.Count(), 0, 10);
+        Assert.Equal(notificationsInOrder.Count, result.Data.Count());
+        AssertNotificationResponseModels(result.Data, notificationsInOrder);
+    }
+
+    [Fact]
+    private async void MarkAsDeletedAsync_NotLoggedIn_Unauthorized()
+    {
+        var url = $"/notifications/{Guid.NewGuid().ToString()}/delete";
+        var response = await _client.PatchAsync(url, new StringContent(""));
+        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+    }
+
+    [Fact]
+    private async void MarkAsDeletedAsync_NonExistentNotificationId_NotFound()
+    {
+        await _loginHelper.LoginAsync(_ownerEmail);
+
+        var url = $"/notifications/{Guid.NewGuid()}/delete";
+        var response = await _client.PatchAsync(url, new StringContent(""));
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    private async void MarkAsDeletedAsync_UserIdNotMatching_NotFound()
+    {
+        var email = $"integration-test{Guid.NewGuid()}@bitwarden.com";
+        await _factory.LoginWithNewAccount(email);
+        var user = (await _userRepository.GetByEmailAsync(email))!;
+        var notifications = await CreateNotificationsAsync(user.Id);
+
+        await _loginHelper.LoginAsync(_ownerEmail);
+
+        var url = $"/notifications/{notifications[0].Id}/delete";
+        var response = await _client.PatchAsync(url, new StringContent(""));
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    private async void MarkAsDeletedAsync_OrganizationIdNotMatchingUserNotPartOfOrganization_NotFound()
+    {
+        var email = $"integration-test{Guid.NewGuid()}@bitwarden.com";
+        await _factory.LoginWithNewAccount(email);
+        var user = (await _userRepository.GetByEmailAsync(email))!;
+        var notifications = await CreateNotificationsAsync(user.Id, _organization.Id);
+
+        await _loginHelper.LoginAsync(email);
+
+        var url = $"/notifications/{notifications[0].Id}/delete";
+        var response = await _client.PatchAsync(url, new StringContent(""));
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    private async void MarkAsDeletedAsync_OrganizationIdNotMatchingUserPartOfDifferentOrganization_NotFound()
+    {
+        var (organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory,
+            plan: PlanType.EnterpriseAnnually, ownerEmail: _ownerEmail, passwordManagerSeats: 10,
+            paymentMethod: PaymentMethodType.Card);
+        var email = $"integration-test{Guid.NewGuid()}@bitwarden.com";
+        await _factory.LoginWithNewAccount(email);
+        var user = (await _userRepository.GetByEmailAsync(email))!;
+        await OrganizationTestHelpers.CreateUserAsync(_factory, organization.Id, email, OrganizationUserType.User);
+        var notifications = await CreateNotificationsAsync(user.Id, _organization.Id);
+
+        await _loginHelper.LoginAsync(email);
+
+        var url = $"/notifications/{notifications[0].Id}/delete";
+        var response = await _client.PatchAsync(url, new StringContent(""));
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    private async void MarkAsDeletedAsync_NotificationStatusNotExisting_Created()
+    {
+        var notifications = await CreateNotificationsAsync(_organizationUserOwner.UserId);
+
+        await _loginHelper.LoginAsync(_ownerEmail);
+
+        var url = $"/notifications/{notifications[0].Id}/delete";
+        var response = await _client.PatchAsync(url, new StringContent(""));
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+
+        var notificationStatus = await _notificationStatusRepository.GetByNotificationIdAndUserIdAsync(
+            notifications[0].Id, _organizationUserOwner.UserId!.Value);
+        Assert.NotNull(notificationStatus);
+        Assert.NotNull(notificationStatus.DeletedDate);
+        Assert.Equal(DateTime.UtcNow, notificationStatus.DeletedDate.Value, OneMinuteTimeSpan);
+        Assert.Null(notificationStatus.ReadDate);
+    }
+
+    [Theory]
+    [InlineData(false)]
+    [InlineData(true)]
+    private async void MarkAsDeletedAsync_NotificationStatusExisting_Updated(bool deletedDateNull)
+    {
+        var notifications = await CreateNotificationsAsync(_organizationUserOwner.UserId);
+        await _notificationStatusRepository.CreateAsync(new NotificationStatus
+        {
+            NotificationId = notifications[0].Id,
+            UserId = _organizationUserOwner.UserId!.Value,
+            ReadDate = null,
+            DeletedDate = deletedDateNull ? null : DateTime.UtcNow - TimeSpan.FromMinutes(_random.Next(3600))
+        });
+
+        await _loginHelper.LoginAsync(_ownerEmail);
+
+        var url = $"/notifications/{notifications[0].Id}/delete";
+        var response = await _client.PatchAsync(url, new StringContent(""));
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+
+        var notificationStatus = await _notificationStatusRepository.GetByNotificationIdAndUserIdAsync(
+            notifications[0].Id, _organizationUserOwner.UserId!.Value);
+        Assert.NotNull(notificationStatus);
+        Assert.NotNull(notificationStatus.DeletedDate);
+        Assert.Equal(DateTime.UtcNow, notificationStatus.DeletedDate.Value, OneMinuteTimeSpan);
+        Assert.Null(notificationStatus.ReadDate);
+    }
+
+    [Fact]
+    private async void MarkAsReadAsync_NotLoggedIn_Unauthorized()
+    {
+        var url = $"/notifications/{Guid.NewGuid().ToString()}/read";
+        var response = await _client.PatchAsync(url, new StringContent(""));
+        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+    }
+
+    [Fact]
+    private async void MarkAsReadAsync_NonExistentNotificationId_NotFound()
+    {
+        await _loginHelper.LoginAsync(_ownerEmail);
+
+        var url = $"/notifications/{Guid.NewGuid()}/read";
+        var response = await _client.PatchAsync(url, new StringContent(""));
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    private async void MarkAsReadAsync_UserIdNotMatching_NotFound()
+    {
+        var email = $"integration-test{Guid.NewGuid()}@bitwarden.com";
+        await _factory.LoginWithNewAccount(email);
+        var user = (await _userRepository.GetByEmailAsync(email))!;
+        var notifications = await CreateNotificationsAsync(user.Id);
+
+        await _loginHelper.LoginAsync(_ownerEmail);
+
+        var url = $"/notifications/{notifications[0].Id}/read";
+        var response = await _client.PatchAsync(url, new StringContent(""));
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    private async void MarkAsReadAsync_OrganizationIdNotMatchingUserNotPartOfOrganization_NotFound()
+    {
+        var email = $"integration-test{Guid.NewGuid()}@bitwarden.com";
+        await _factory.LoginWithNewAccount(email);
+        var user = (await _userRepository.GetByEmailAsync(email))!;
+        var notifications = await CreateNotificationsAsync(user.Id, _organization.Id);
+
+        await _loginHelper.LoginAsync(email);
+
+        var url = $"/notifications/{notifications[0].Id}/read";
+        var response = await _client.PatchAsync(url, new StringContent(""));
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    private async void MarkAsReadAsync_OrganizationIdNotMatchingUserPartOfDifferentOrganization_NotFound()
+    {
+        var (organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory,
+            plan: PlanType.EnterpriseAnnually, ownerEmail: _ownerEmail, passwordManagerSeats: 10,
+            paymentMethod: PaymentMethodType.Card);
+        var email = $"integration-test{Guid.NewGuid()}@bitwarden.com";
+        await _factory.LoginWithNewAccount(email);
+        var user = (await _userRepository.GetByEmailAsync(email))!;
+        await OrganizationTestHelpers.CreateUserAsync(_factory, organization.Id, email, OrganizationUserType.User);
+        var notifications = await CreateNotificationsAsync(user.Id, _organization.Id);
+
+        await _loginHelper.LoginAsync(email);
+
+        var url = $"/notifications/{notifications[0].Id}/read";
+        var response = await _client.PatchAsync(url, new StringContent(""));
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    private async void MarkAsReadAsync_NotificationStatusNotExisting_Created()
+    {
+        var notifications = await CreateNotificationsAsync(_organizationUserOwner.UserId);
+
+        await _loginHelper.LoginAsync(_ownerEmail);
+
+        var url = $"/notifications/{notifications[0].Id}/read";
+        var response = await _client.PatchAsync(url, new StringContent(""));
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+
+        var notificationStatus = await _notificationStatusRepository.GetByNotificationIdAndUserIdAsync(
+            notifications[0].Id, _organizationUserOwner.UserId!.Value);
+        Assert.NotNull(notificationStatus);
+        Assert.NotNull(notificationStatus.ReadDate);
+        Assert.Equal(DateTime.UtcNow, notificationStatus.ReadDate.Value, OneMinuteTimeSpan);
+        Assert.Null(notificationStatus.DeletedDate);
+    }
+
+    [Theory]
+    [InlineData(false)]
+    [InlineData(true)]
+    private async void MarkAsReadAsync_NotificationStatusExisting_Updated(bool readDateNull)
+    {
+        var notifications = await CreateNotificationsAsync(_organizationUserOwner.UserId);
+        await _notificationStatusRepository.CreateAsync(new NotificationStatus
+        {
+            NotificationId = notifications[0].Id,
+            UserId = _organizationUserOwner.UserId!.Value,
+            ReadDate = readDateNull ? null : DateTime.UtcNow - TimeSpan.FromMinutes(_random.Next(3600)),
+            DeletedDate = null
+        });
+
+        await _loginHelper.LoginAsync(_ownerEmail);
+
+        var url = $"/notifications/{notifications[0].Id}/read";
+        var response = await _client.PatchAsync(url, new StringContent(""));
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+
+        var notificationStatus = await _notificationStatusRepository.GetByNotificationIdAndUserIdAsync(
+            notifications[0].Id, _organizationUserOwner.UserId!.Value);
+        Assert.NotNull(notificationStatus);
+        Assert.NotNull(notificationStatus.ReadDate);
+        Assert.Equal(DateTime.UtcNow, notificationStatus.ReadDate.Value, OneMinuteTimeSpan);
+        Assert.Null(notificationStatus.DeletedDate);
+    }
+
+    private static void AssertNotificationResponseModels(
+        IEnumerable<NotificationResponseModel> notificationResponseModels,
+        List<(Notification, NotificationStatus?)> expectedNotificationsWithStatuses)
+    {
+        var i = 0;
+        foreach (var notificationResponseModel in notificationResponseModels)
+        {
+            Assert.Contains(expectedNotificationsWithStatuses, e => e.Item1.Id == notificationResponseModel.Id);
+            var (expectedNotification, expectedNotificationStatus) = expectedNotificationsWithStatuses[i];
+            Assert.NotNull(expectedNotification);
+            Assert.Equal(expectedNotification.Priority, notificationResponseModel.Priority);
+            Assert.Equal(expectedNotification.Title, notificationResponseModel.Title);
+            Assert.Equal(expectedNotification.Body, notificationResponseModel.Body);
+            Assert.Equal(expectedNotification.RevisionDate, notificationResponseModel.Date);
+            if (expectedNotificationStatus != null)
+            {
+                Assert.Equal(expectedNotificationStatus.ReadDate, notificationResponseModel.ReadDate);
+                Assert.Equal(expectedNotificationStatus.DeletedDate, notificationResponseModel.DeletedDate);
+            }
+            else
+            {
+                Assert.Null(notificationResponseModel.ReadDate);
+                Assert.Null(notificationResponseModel.DeletedDate);
+            }
+
+            Assert.Equal("notification", notificationResponseModel.Object);
+            i++;
+        }
+    }
+
+    private async Task<List<(Notification, NotificationStatus?)>> CreateNotificationsWithStatusesAsync()
+    {
+        var userId = (Guid)_organizationUserOwner.UserId!;
+
+        var globalNotifications = await CreateNotificationsAsync();
+        var userWithoutOrganizationNotifications = await CreateNotificationsAsync(userId: userId);
+        var organizationWithoutUserNotifications = await CreateNotificationsAsync(organizationId: _organization.Id);
+        var userPartOrOrganizationNotifications = await CreateNotificationsAsync(userId: userId,
+            organizationId: _organization.Id);
+
+        var globalNotificationWithStatuses = await CreateNotificationStatusesAsync(globalNotifications, userId);
+        var userWithoutOrganizationNotificationWithStatuses =
+            await CreateNotificationStatusesAsync(userWithoutOrganizationNotifications, userId);
+        var organizationWithoutUserNotificationWithStatuses =
+            await CreateNotificationStatusesAsync(organizationWithoutUserNotifications, userId);
+        var userPartOrOrganizationNotificationWithStatuses =
+            await CreateNotificationStatusesAsync(userPartOrOrganizationNotifications, userId);
+
+        return new List<List<(Notification, NotificationStatus?)>>
+            {
+                globalNotificationWithStatuses,
+                userWithoutOrganizationNotificationWithStatuses,
+                organizationWithoutUserNotificationWithStatuses,
+                userPartOrOrganizationNotificationWithStatuses
+            }
+            .SelectMany(n => n)
+            .ToList();
+    }
+
+    private async Task<List<Notification>> CreateNotificationsAsync(Guid? userId = null, Guid? organizationId = null,
+        int numberToCreate = 5)
+    {
+        var priorities = Enum.GetValues<Priority>();
+        var clientTypes = Enum.GetValues<ClientType>();
+
+        var notifications = new List<Notification>();
+
+        foreach (var clientType in clientTypes)
+        {
+            for (var i = 0; i < numberToCreate; i++)
+            {
+                var notification = new Notification
+                {
+                    Global = userId == null && organizationId == null,
+                    UserId = userId,
+                    OrganizationId = organizationId,
+                    Title = _mockEncryptedTitle,
+                    Body = _mockEncryptedBody,
+                    Priority = (Priority)priorities.GetValue(_random.Next(priorities.Length))!,
+                    ClientType = clientType,
+                    CreationDate = DateTime.UtcNow - TimeSpan.FromMinutes(_random.Next(3600)),
+                    RevisionDate = DateTime.UtcNow - TimeSpan.FromMinutes(_random.Next(3600))
+                };
+
+                notification = await _notificationRepository.CreateAsync(notification);
+
+                notifications.Add(notification);
+            }
+        }
+
+        return notifications;
+    }
+
+    private async Task<List<(Notification, NotificationStatus?)>> CreateNotificationStatusesAsync(
+        List<Notification> notifications, Guid userId)
+    {
+        var readDateNotificationStatus = await _notificationStatusRepository.CreateAsync(new NotificationStatus
+        {
+            NotificationId = notifications[0].Id,
+            UserId = userId,
+            ReadDate = DateTime.UtcNow - TimeSpan.FromMinutes(_random.Next(3600)),
+            DeletedDate = null
+        });
+
+        var deletedDateNotificationStatus = await _notificationStatusRepository.CreateAsync(new NotificationStatus
+        {
+            NotificationId = notifications[1].Id,
+            UserId = userId,
+            ReadDate = null,
+            DeletedDate = DateTime.UtcNow - TimeSpan.FromMinutes(_random.Next(3600))
+        });
+
+        var readDateAndDeletedDateNotificationStatus = await _notificationStatusRepository.CreateAsync(
+            new NotificationStatus
+            {
+                NotificationId = notifications[2].Id,
+                UserId = userId,
+                ReadDate = DateTime.UtcNow - TimeSpan.FromMinutes(_random.Next(3600)),
+                DeletedDate = DateTime.UtcNow - TimeSpan.FromMinutes(_random.Next(3600))
+            });
+
+        return
+        [
+            (notifications[0], readDateNotificationStatus),
+            (notifications[1], deletedDateNotificationStatus),
+            (notifications[2], readDateAndDeletedDateNotificationStatus),
+            (notifications[3], null),
+            (notifications[4], null)
+        ];
+    }
+}
diff --git a/test/Api.Test/NotificationCenter/Controllers/NotificationsControllerTests.cs b/test/Api.Test/NotificationCenter/Controllers/NotificationsControllerTests.cs
new file mode 100644
index 0000000000..b8b21ef419
--- /dev/null
+++ b/test/Api.Test/NotificationCenter/Controllers/NotificationsControllerTests.cs
@@ -0,0 +1,202 @@
+#nullable enable
+using Bit.Api.NotificationCenter.Controllers;
+using Bit.Api.NotificationCenter.Models.Request;
+using Bit.Core.Models.Data;
+using Bit.Core.NotificationCenter.Commands.Interfaces;
+using Bit.Core.NotificationCenter.Models.Data;
+using Bit.Core.NotificationCenter.Models.Filter;
+using Bit.Core.NotificationCenter.Queries.Interfaces;
+using Bit.Core.Test.NotificationCenter.AutoFixture;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Api.Test.NotificationCenter.Controllers;
+
+[ControllerCustomize(typeof(NotificationsController))]
+[SutProviderCustomize]
+public class NotificationsControllerTests
+{
+    [Theory]
+    [BitAutoData([null, null])]
+    [BitAutoData([null, false])]
+    [BitAutoData([null, true])]
+    [BitAutoData(false, null)]
+    [BitAutoData(true, null)]
+    [BitAutoData(false, false)]
+    [BitAutoData(false, true)]
+    [BitAutoData(true, false)]
+    [BitAutoData(true, true)]
+    [NotificationStatusDetailsListCustomize(5)]
+    public async Task ListAsync_StatusFilter_ReturnedMatchingNotifications(bool? readStatusFilter, bool? deletedStatusFilter,
+        SutProvider<NotificationsController> sutProvider,
+        IEnumerable<NotificationStatusDetails> notificationStatusDetailsEnumerable)
+    {
+        var notificationStatusDetailsList = notificationStatusDetailsEnumerable
+            .OrderByDescending(n => n.Priority)
+            .ThenByDescending(n => n.CreationDate)
+            .ToList();
+
+        sutProvider.GetDependency<IGetNotificationStatusDetailsForUserQuery>()
+            .GetByUserIdStatusFilterAsync(Arg.Any<NotificationStatusFilter>(), Arg.Any<PageOptions>())
+            .Returns(new PagedResult<NotificationStatusDetails> { Data = notificationStatusDetailsList });
+
+        var expectedNotificationStatusDetailsMap = notificationStatusDetailsList
+            .Take(10)
+            .ToDictionary(n => n.Id);
+
+        var listResponse = await sutProvider.Sut.ListAsync(new NotificationFilterRequestModel
+        {
+            ReadStatusFilter = readStatusFilter,
+            DeletedStatusFilter = deletedStatusFilter
+        });
+
+        Assert.Equal("list", listResponse.Object);
+        Assert.Equal(5, listResponse.Data.Count());
+        Assert.All(listResponse.Data, notificationResponseModel =>
+        {
+            Assert.Equal("notification", notificationResponseModel.Object);
+            Assert.True(expectedNotificationStatusDetailsMap.ContainsKey(notificationResponseModel.Id));
+            var expectedNotificationStatusDetails = expectedNotificationStatusDetailsMap[notificationResponseModel.Id];
+            Assert.NotNull(expectedNotificationStatusDetails);
+            Assert.Equal(expectedNotificationStatusDetails.Id, notificationResponseModel.Id);
+            Assert.Equal(expectedNotificationStatusDetails.Priority, notificationResponseModel.Priority);
+            Assert.Equal(expectedNotificationStatusDetails.Title, notificationResponseModel.Title);
+            Assert.Equal(expectedNotificationStatusDetails.Body, notificationResponseModel.Body);
+            Assert.Equal(expectedNotificationStatusDetails.RevisionDate, notificationResponseModel.Date);
+            Assert.Equal(expectedNotificationStatusDetails.ReadDate, notificationResponseModel.ReadDate);
+            Assert.Equal(expectedNotificationStatusDetails.DeletedDate, notificationResponseModel.DeletedDate);
+        });
+        Assert.Null(listResponse.ContinuationToken);
+
+        await sutProvider.GetDependency<IGetNotificationStatusDetailsForUserQuery>()
+            .Received(1)
+            .GetByUserIdStatusFilterAsync(Arg.Is<NotificationStatusFilter>(filter =>
+                    filter.Read == readStatusFilter && filter.Deleted == deletedStatusFilter),
+                Arg.Is<PageOptions>(pageOptions =>
+                    pageOptions.ContinuationToken == null && pageOptions.PageSize == 10));
+    }
+
+    [Theory]
+    [BitAutoData]
+    [NotificationStatusDetailsListCustomize(19)]
+    public async Task ListAsync_PagingRequestNoContinuationToken_ReturnedFirst10MatchingNotifications(
+        SutProvider<NotificationsController> sutProvider,
+        IEnumerable<NotificationStatusDetails> notificationStatusDetailsEnumerable)
+    {
+        var notificationStatusDetailsList = notificationStatusDetailsEnumerable
+            .OrderByDescending(n => n.Priority)
+            .ThenByDescending(n => n.CreationDate)
+            .ToList();
+
+        sutProvider.GetDependency<IGetNotificationStatusDetailsForUserQuery>()
+            .GetByUserIdStatusFilterAsync(Arg.Any<NotificationStatusFilter>(), Arg.Any<PageOptions>())
+            .Returns(new PagedResult<NotificationStatusDetails>
+            { Data = notificationStatusDetailsList.Take(10).ToList(), ContinuationToken = "2" });
+
+        var expectedNotificationStatusDetailsMap = notificationStatusDetailsList
+            .Take(10)
+            .ToDictionary(n => n.Id);
+
+        var listResponse = await sutProvider.Sut.ListAsync(new NotificationFilterRequestModel());
+
+        Assert.Equal("list", listResponse.Object);
+        Assert.Equal(10, listResponse.Data.Count());
+        Assert.All(listResponse.Data, notificationResponseModel =>
+        {
+            Assert.Equal("notification", notificationResponseModel.Object);
+            Assert.True(expectedNotificationStatusDetailsMap.ContainsKey(notificationResponseModel.Id));
+            var expectedNotificationStatusDetails = expectedNotificationStatusDetailsMap[notificationResponseModel.Id];
+            Assert.NotNull(expectedNotificationStatusDetails);
+            Assert.Equal(expectedNotificationStatusDetails.Id, notificationResponseModel.Id);
+            Assert.Equal(expectedNotificationStatusDetails.Priority, notificationResponseModel.Priority);
+            Assert.Equal(expectedNotificationStatusDetails.Title, notificationResponseModel.Title);
+            Assert.Equal(expectedNotificationStatusDetails.Body, notificationResponseModel.Body);
+            Assert.Equal(expectedNotificationStatusDetails.RevisionDate, notificationResponseModel.Date);
+            Assert.Equal(expectedNotificationStatusDetails.ReadDate, notificationResponseModel.ReadDate);
+            Assert.Equal(expectedNotificationStatusDetails.DeletedDate, notificationResponseModel.DeletedDate);
+        });
+        Assert.Equal("2", listResponse.ContinuationToken);
+
+        await sutProvider.GetDependency<IGetNotificationStatusDetailsForUserQuery>()
+            .Received(1)
+            .GetByUserIdStatusFilterAsync(Arg.Any<NotificationStatusFilter>(),
+                Arg.Is<PageOptions>(pageOptions =>
+                    pageOptions.ContinuationToken == null && pageOptions.PageSize == 10));
+    }
+
+    [Theory]
+    [BitAutoData]
+    [NotificationStatusDetailsListCustomize(19)]
+    public async Task ListAsync_PagingRequestUsingContinuationToken_ReturnedLast9MatchingNotifications(
+        SutProvider<NotificationsController> sutProvider,
+        IEnumerable<NotificationStatusDetails> notificationStatusDetailsEnumerable)
+    {
+        var notificationStatusDetailsList = notificationStatusDetailsEnumerable
+            .OrderByDescending(n => n.Priority)
+            .ThenByDescending(n => n.CreationDate)
+            .ToList();
+
+        sutProvider.GetDependency<IGetNotificationStatusDetailsForUserQuery>()
+            .GetByUserIdStatusFilterAsync(Arg.Any<NotificationStatusFilter>(), Arg.Any<PageOptions>())
+            .Returns(new PagedResult<NotificationStatusDetails>
+            { Data = notificationStatusDetailsList.Skip(10).ToList() });
+
+        var expectedNotificationStatusDetailsMap = notificationStatusDetailsList
+            .Skip(10)
+            .ToDictionary(n => n.Id);
+
+        var listResponse = await sutProvider.Sut.ListAsync(new NotificationFilterRequestModel { ContinuationToken = "2" });
+
+        Assert.Equal("list", listResponse.Object);
+        Assert.Equal(9, listResponse.Data.Count());
+        Assert.All(listResponse.Data, notificationResponseModel =>
+        {
+            Assert.Equal("notification", notificationResponseModel.Object);
+            Assert.True(expectedNotificationStatusDetailsMap.ContainsKey(notificationResponseModel.Id));
+            var expectedNotificationStatusDetails = expectedNotificationStatusDetailsMap[notificationResponseModel.Id];
+            Assert.NotNull(expectedNotificationStatusDetails);
+            Assert.Equal(expectedNotificationStatusDetails.Id, notificationResponseModel.Id);
+            Assert.Equal(expectedNotificationStatusDetails.Priority, notificationResponseModel.Priority);
+            Assert.Equal(expectedNotificationStatusDetails.Title, notificationResponseModel.Title);
+            Assert.Equal(expectedNotificationStatusDetails.Body, notificationResponseModel.Body);
+            Assert.Equal(expectedNotificationStatusDetails.RevisionDate, notificationResponseModel.Date);
+            Assert.Equal(expectedNotificationStatusDetails.ReadDate, notificationResponseModel.ReadDate);
+            Assert.Equal(expectedNotificationStatusDetails.DeletedDate, notificationResponseModel.DeletedDate);
+        });
+        Assert.Null(listResponse.ContinuationToken);
+
+        await sutProvider.GetDependency<IGetNotificationStatusDetailsForUserQuery>()
+            .Received(1)
+            .GetByUserIdStatusFilterAsync(Arg.Any<NotificationStatusFilter>(),
+                Arg.Is<PageOptions>(pageOptions =>
+                    pageOptions.ContinuationToken == "2" && pageOptions.PageSize == 10));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task MarkAsDeletedAsync_NotificationId_MarkedAsDeleted(
+        SutProvider<NotificationsController> sutProvider,
+        Guid notificationId)
+    {
+        await sutProvider.Sut.MarkAsDeletedAsync(notificationId);
+
+        await sutProvider.GetDependency<IMarkNotificationDeletedCommand>()
+            .Received(1)
+            .MarkDeletedAsync(notificationId);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task MarkAsReadAsync_NotificationId_MarkedAsRead(
+        SutProvider<NotificationsController> sutProvider,
+        Guid notificationId)
+    {
+        await sutProvider.Sut.MarkAsReadAsync(notificationId);
+
+        await sutProvider.GetDependency<IMarkNotificationReadCommand>()
+            .Received(1)
+            .MarkReadAsync(notificationId);
+    }
+}
diff --git a/test/Api.Test/NotificationCenter/Models/Request/NotificationFilterRequestModelTests.cs b/test/Api.Test/NotificationCenter/Models/Request/NotificationFilterRequestModelTests.cs
new file mode 100644
index 0000000000..8b72d13e71
--- /dev/null
+++ b/test/Api.Test/NotificationCenter/Models/Request/NotificationFilterRequestModelTests.cs
@@ -0,0 +1,93 @@
+#nullable enable
+using System.ComponentModel.DataAnnotations;
+using Bit.Api.NotificationCenter.Models.Request;
+using Xunit;
+
+namespace Bit.Api.Test.NotificationCenter.Models.Request;
+
+public class NotificationFilterRequestModelTests
+{
+    [Theory]
+    [InlineData("invalid")]
+    [InlineData("-1")]
+    [InlineData("0")]
+    public void Validate_ContinuationTokenInvalidNumber_Invalid(string continuationToken)
+    {
+        var model = new NotificationFilterRequestModel
+        {
+            ContinuationToken = continuationToken,
+        };
+        var result = Validate(model);
+        Assert.Single(result);
+        Assert.Contains("Continuation token must be a positive, non zero integer.", result[0].ErrorMessage);
+        Assert.Contains("ContinuationToken", result[0].MemberNames);
+    }
+
+    [Fact]
+    public void Validate_ContinuationTokenMaxLengthExceeded_Invalid()
+    {
+        var model = new NotificationFilterRequestModel
+        {
+            ContinuationToken = "1234567890"
+        };
+        var result = Validate(model);
+        Assert.Single(result);
+        Assert.Contains("The field ContinuationToken must be a string with a maximum length of 9.",
+            result[0].ErrorMessage);
+        Assert.Contains("ContinuationToken", result[0].MemberNames);
+    }
+
+    [Theory]
+    [InlineData(null)]
+    [InlineData("")]
+    [InlineData(" ")]
+    [InlineData("1")]
+    [InlineData("123456789")]
+    public void Validate_ContinuationTokenCorrect_Valid(string? continuationToken)
+    {
+        var model = new NotificationFilterRequestModel
+        {
+            ContinuationToken = continuationToken
+        };
+        var result = Validate(model);
+        Assert.Empty(result);
+    }
+
+    [Theory]
+    [InlineData(9)]
+    [InlineData(1001)]
+    public void Validate_PageSizeInvalidRange_Invalid(int pageSize)
+    {
+        var model = new NotificationFilterRequestModel
+        {
+            PageSize = pageSize
+        };
+        var result = Validate(model);
+        Assert.Single(result);
+        Assert.Contains("The field PageSize must be between 10 and 1000.", result[0].ErrorMessage);
+        Assert.Contains("PageSize", result[0].MemberNames);
+    }
+
+    [Theory]
+    [InlineData(null)]
+    [InlineData(10)]
+    [InlineData(1000)]
+    public void Validate_PageSizeCorrect_Valid(int? pageSize)
+    {
+        var model = pageSize == null
+            ? new NotificationFilterRequestModel()
+            : new NotificationFilterRequestModel
+            {
+                PageSize = pageSize.Value
+            };
+        var result = Validate(model);
+        Assert.Empty(result);
+    }
+
+    private static List<ValidationResult> Validate(NotificationFilterRequestModel model)
+    {
+        var results = new List<ValidationResult>();
+        Validator.TryValidateObject(model, new ValidationContext(model), results, true);
+        return results;
+    }
+}
diff --git a/test/Api.Test/NotificationCenter/Models/Response/NotificationResponseModelTests.cs b/test/Api.Test/NotificationCenter/Models/Response/NotificationResponseModelTests.cs
new file mode 100644
index 0000000000..f0dfc03fec
--- /dev/null
+++ b/test/Api.Test/NotificationCenter/Models/Response/NotificationResponseModelTests.cs
@@ -0,0 +1,43 @@
+#nullable enable
+using Bit.Api.NotificationCenter.Models.Response;
+using Bit.Core.Enums;
+using Bit.Core.NotificationCenter.Enums;
+using Bit.Core.NotificationCenter.Models.Data;
+using Xunit;
+
+namespace Bit.Api.Test.NotificationCenter.Models.Response;
+
+public class NotificationResponseModelTests
+{
+    [Fact]
+    public void Constructor_NotificationStatusDetailsNull_CorrectFields()
+    {
+        Assert.Throws<ArgumentNullException>(() => new NotificationResponseModel(null!));
+    }
+
+    [Fact]
+    public void Constructor_NotificationStatusDetails_CorrectFields()
+    {
+        var notificationStatusDetails = new NotificationStatusDetails
+        {
+            Id = Guid.NewGuid(),
+            Global = true,
+            Priority = Priority.High,
+            ClientType = ClientType.All,
+            Title = "Test Title",
+            Body = "Test Body",
+            RevisionDate = DateTime.UtcNow - TimeSpan.FromMinutes(3),
+            ReadDate = DateTime.UtcNow - TimeSpan.FromMinutes(1),
+            DeletedDate = DateTime.UtcNow,
+        };
+        var model = new NotificationResponseModel(notificationStatusDetails);
+
+        Assert.Equal(model.Id, notificationStatusDetails.Id);
+        Assert.Equal(model.Priority, notificationStatusDetails.Priority);
+        Assert.Equal(model.Title, notificationStatusDetails.Title);
+        Assert.Equal(model.Body, notificationStatusDetails.Body);
+        Assert.Equal(model.Date, notificationStatusDetails.RevisionDate);
+        Assert.Equal(model.ReadDate, notificationStatusDetails.ReadDate);
+        Assert.Equal(model.DeletedDate, notificationStatusDetails.DeletedDate);
+    }
+}
diff --git a/test/Core.Test/NotificationCenter/AutoFixture/NotificationStatusDetailsFixtures.cs b/test/Core.Test/NotificationCenter/AutoFixture/NotificationStatusDetailsFixtures.cs
index 1e1d066d16..71c9878f42 100644
--- a/test/Core.Test/NotificationCenter/AutoFixture/NotificationStatusDetailsFixtures.cs
+++ b/test/Core.Test/NotificationCenter/AutoFixture/NotificationStatusDetailsFixtures.cs
@@ -9,9 +9,32 @@ public class NotificationStatusDetailsCustomization : ICustomization
 {
     public void Customize(IFixture fixture)
     {
-        fixture.Customize<NotificationStatusDetails>(composer => composer.With(n => n.Id, Guid.NewGuid())
-            .With(n => n.UserId, Guid.NewGuid())
-            .With(n => n.OrganizationId, Guid.NewGuid()));
+        fixture.Customize<NotificationStatusDetails>(composer =>
+        {
+            return composer.With(n => n.Id, Guid.NewGuid())
+                .With(n => n.UserId, Guid.NewGuid())
+                .With(n => n.OrganizationId, Guid.NewGuid());
+        });
+    }
+}
+
+public class NotificationStatusDetailsListCustomization(int count) : ICustomization
+{
+    public void Customize(IFixture fixture)
+    {
+        var customization = new NotificationStatusDetailsCustomization();
+        fixture.Customize<IEnumerable<NotificationStatusDetails>>(composer => composer.FromFactory(() =>
+        {
+            var notifications = new List<NotificationStatusDetails>();
+            for (var i = 0; i < count; i++)
+            {
+                customization.Customize(fixture);
+                var notificationStatusDetails = fixture.Create<NotificationStatusDetails>();
+                notifications.Add(notificationStatusDetails);
+            }
+
+            return notifications;
+        }));
     }
 }
 
@@ -19,3 +42,8 @@ public class NotificationStatusDetailsCustomizeAttribute : BitCustomizeAttribute
 {
     public override ICustomization GetCustomization() => new NotificationStatusDetailsCustomization();
 }
+
+public class NotificationStatusDetailsListCustomizeAttribute(int count) : BitCustomizeAttribute
+{
+    public override ICustomization GetCustomization() => new NotificationStatusDetailsListCustomization(count);
+}
diff --git a/test/Core.Test/NotificationCenter/Queries/GetNotificationStatusDetailsForUserQueryTest.cs b/test/Core.Test/NotificationCenter/Queries/GetNotificationStatusDetailsForUserQueryTest.cs
index 7d9c265606..d0c89a45d9 100644
--- a/test/Core.Test/NotificationCenter/Queries/GetNotificationStatusDetailsForUserQueryTest.cs
+++ b/test/Core.Test/NotificationCenter/Queries/GetNotificationStatusDetailsForUserQueryTest.cs
@@ -2,6 +2,7 @@
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Data;
 using Bit.Core.NotificationCenter.Models.Data;
 using Bit.Core.NotificationCenter.Models.Filter;
 using Bit.Core.NotificationCenter.Queries;
@@ -19,37 +20,49 @@ namespace Bit.Core.Test.NotificationCenter.Queries;
 public class GetNotificationStatusDetailsForUserQueryTest
 {
     private static void Setup(SutProvider<GetNotificationStatusDetailsForUserQuery> sutProvider,
-        List<NotificationStatusDetails> notificationsStatusDetails, NotificationStatusFilter statusFilter, Guid? userId)
+        List<NotificationStatusDetails> notificationsStatusDetails, NotificationStatusFilter statusFilter, Guid? userId,
+        PageOptions pageOptions, string? continuationToken)
     {
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
-        sutProvider.GetDependency<INotificationRepository>().GetByUserIdAndStatusAsync(
-                userId.GetValueOrDefault(Guid.NewGuid()), Arg.Any<ClientType>(), statusFilter)
-            .Returns(notificationsStatusDetails);
+        sutProvider.GetDependency<INotificationRepository>()
+            .GetByUserIdAndStatusAsync(userId.GetValueOrDefault(Guid.NewGuid()), Arg.Any<ClientType>(), statusFilter,
+                pageOptions)
+            .Returns(new PagedResult<NotificationStatusDetails>
+            {
+                Data = notificationsStatusDetails,
+                ContinuationToken = continuationToken
+            });
     }
 
     [Theory]
     [BitAutoData]
     public async Task GetByUserIdStatusFilterAsync_NotLoggedIn_NotFoundException(
         SutProvider<GetNotificationStatusDetailsForUserQuery> sutProvider,
-        List<NotificationStatusDetails> notificationsStatusDetails, NotificationStatusFilter notificationStatusFilter)
+        List<NotificationStatusDetails> notificationsStatusDetails, NotificationStatusFilter notificationStatusFilter,
+        PageOptions pageOptions, string? continuationToken)
     {
-        Setup(sutProvider, notificationsStatusDetails, notificationStatusFilter, userId: null);
+        Setup(sutProvider, notificationsStatusDetails, notificationStatusFilter, userId: null, pageOptions,
+            continuationToken);
 
         await Assert.ThrowsAsync<NotFoundException>(() =>
-            sutProvider.Sut.GetByUserIdStatusFilterAsync(notificationStatusFilter));
+            sutProvider.Sut.GetByUserIdStatusFilterAsync(notificationStatusFilter, pageOptions));
     }
 
     [Theory]
     [BitAutoData]
     public async Task GetByUserIdStatusFilterAsync_NotificationsFound_Returned(
         SutProvider<GetNotificationStatusDetailsForUserQuery> sutProvider,
-        List<NotificationStatusDetails> notificationsStatusDetails, NotificationStatusFilter notificationStatusFilter)
+        List<NotificationStatusDetails> notificationsStatusDetails, NotificationStatusFilter notificationStatusFilter,
+        PageOptions pageOptions, string? continuationToken)
     {
-        Setup(sutProvider, notificationsStatusDetails, notificationStatusFilter, Guid.NewGuid());
+        Setup(sutProvider, notificationsStatusDetails, notificationStatusFilter, Guid.NewGuid(), pageOptions,
+            continuationToken);
 
-        var actualNotificationsStatusDetails =
-            await sutProvider.Sut.GetByUserIdStatusFilterAsync(notificationStatusFilter);
+        var actualNotificationsStatusDetailsPagedResult =
+            await sutProvider.Sut.GetByUserIdStatusFilterAsync(notificationStatusFilter, pageOptions);
 
-        Assert.Equal(notificationsStatusDetails, actualNotificationsStatusDetails);
+        Assert.NotNull(actualNotificationsStatusDetailsPagedResult);
+        Assert.Equal(notificationsStatusDetails, actualNotificationsStatusDetailsPagedResult.Data);
+        Assert.Equal(continuationToken, actualNotificationsStatusDetailsPagedResult.ContinuationToken);
     }
 }
diff --git a/util/Migrator/DbScripts/2024-12-18_00_AddPagingToNotificationRead.sql b/util/Migrator/DbScripts/2024-12-18_00_AddPagingToNotificationRead.sql
new file mode 100644
index 0000000000..21e19c193c
--- /dev/null
+++ b/util/Migrator/DbScripts/2024-12-18_00_AddPagingToNotificationRead.sql
@@ -0,0 +1,39 @@
+-- Stored Procedure Notification_ReadByUserIdAndStatus
+
+CREATE OR ALTER PROCEDURE [dbo].[Notification_ReadByUserIdAndStatus]
+    @UserId UNIQUEIDENTIFIER,
+    @ClientType TINYINT,
+    @Read BIT,
+    @Deleted BIT,
+    @PageNumber INT = 1,
+    @PageSize INT = 10
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT n.*
+    FROM [dbo].[NotificationStatusDetailsView] n
+             LEFT JOIN [dbo].[OrganizationUserView] ou ON n.[OrganizationId] = ou.[OrganizationId]
+        AND ou.[UserId] = @UserId
+    WHERE (n.[NotificationStatusUserId] IS NULL OR n.[NotificationStatusUserId] = @UserId)
+      AND [ClientType] IN (0, CASE WHEN @ClientType != 0 THEN @ClientType END)
+      AND ([Global] = 1
+        OR (n.[UserId] = @UserId
+            AND (n.[OrganizationId] IS NULL
+                OR ou.[OrganizationId] IS NOT NULL))
+        OR (n.[UserId] IS NULL
+            AND ou.[OrganizationId] IS NOT NULL))
+      AND ((@Read IS NULL AND @Deleted IS NULL)
+        OR (n.[NotificationStatusUserId] IS NOT NULL
+            AND (@Read IS NULL
+                OR IIF((@Read = 1 AND n.[ReadDate] IS NOT NULL) OR
+                       (@Read = 0 AND n.[ReadDate] IS NULL),
+                       1, 0) = 1)
+            AND (@Deleted IS NULL
+                OR IIF((@Deleted = 1 AND n.[DeletedDate] IS NOT NULL) OR
+                       (@Deleted = 0 AND n.[DeletedDate] IS NULL),
+                       1, 0) = 1)))
+    ORDER BY [Priority] DESC, n.[CreationDate] DESC
+    OFFSET @PageSize * (@PageNumber - 1) ROWS FETCH NEXT @PageSize ROWS ONLY
+END
+GO

From 322a07477a27c759e5b637662cde0a8001ffef80 Mon Sep 17 00:00:00 2001
From: cyprain-okeke <108260115+cyprain-okeke@users.noreply.github.com>
Date: Wed, 18 Dec 2024 16:31:07 +0100
Subject: [PATCH 083/384] organization status changed code changes (#5113)

* organization status changed code changes

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

* Add the push notification to subscriptionUpdated

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

* send notification using the SendPayloadToUser

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

* Change the implementation to send userId

* Added new implementation for orgstatus sync

* refactor the code and remove private methods

---------

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>
---
 .../Implementations/PaymentSucceededHandler.cs     |  6 +++++-
 .../Implementations/SubscriptionUpdatedHandler.cs  | 11 ++++++++++-
 src/Core/Enums/PushType.cs                         |  1 +
 src/Core/Models/PushNotification.cs                |  6 ++++++
 .../NotificationHubPushNotificationService.cs      | 12 ++++++++++++
 src/Core/Services/IPushNotificationService.cs      |  4 +++-
 .../AzureQueuePushNotificationService.cs           | 12 ++++++++++++
 .../MultiServicePushNotificationService.cs         |  9 ++++++++-
 .../NotificationsApiPushNotificationService.cs     | 14 +++++++++++++-
 .../RelayPushNotificationService.cs                | 14 +++++++++++++-
 .../NoopPushNotificationService.cs                 |  8 +++++++-
 src/Notifications/HubHelpers.cs                    |  7 +++++++
 12 files changed, 97 insertions(+), 7 deletions(-)

diff --git a/src/Billing/Services/Implementations/PaymentSucceededHandler.cs b/src/Billing/Services/Implementations/PaymentSucceededHandler.cs
index 6aa8aa2b9f..49578187f9 100644
--- a/src/Billing/Services/Implementations/PaymentSucceededHandler.cs
+++ b/src/Billing/Services/Implementations/PaymentSucceededHandler.cs
@@ -25,6 +25,7 @@ public class PaymentSucceededHandler : IPaymentSucceededHandler
     private readonly ICurrentContext _currentContext;
     private readonly IUserRepository _userRepository;
     private readonly IStripeEventUtilityService _stripeEventUtilityService;
+    private readonly IPushNotificationService _pushNotificationService;
 
     public PaymentSucceededHandler(
         ILogger<PaymentSucceededHandler> logger,
@@ -37,7 +38,8 @@ public class PaymentSucceededHandler : IPaymentSucceededHandler
         IUserRepository userRepository,
         IStripeEventUtilityService stripeEventUtilityService,
         IUserService userService,
-        IOrganizationService organizationService)
+        IOrganizationService organizationService,
+        IPushNotificationService pushNotificationService)
     {
         _logger = logger;
         _stripeEventService = stripeEventService;
@@ -50,6 +52,7 @@ public class PaymentSucceededHandler : IPaymentSucceededHandler
         _stripeEventUtilityService = stripeEventUtilityService;
         _userService = userService;
         _organizationService = organizationService;
+        _pushNotificationService = pushNotificationService;
     }
 
     /// <summary>
@@ -140,6 +143,7 @@ public class PaymentSucceededHandler : IPaymentSucceededHandler
 
             await _organizationService.EnableAsync(organizationId.Value, subscription.CurrentPeriodEnd);
             var organization = await _organizationRepository.GetByIdAsync(organizationId.Value);
+            await _pushNotificationService.PushSyncOrganizationStatusAsync(organization);
 
             await _referenceEventService.RaiseEventAsync(
                 new ReferenceEvent(ReferenceEventType.Rebilled, organization, _currentContext)
diff --git a/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs b/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs
index 4b4c9dcf4a..d49b22b7fb 100644
--- a/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs
+++ b/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs
@@ -1,5 +1,6 @@
 using Bit.Billing.Constants;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
+using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
 using Stripe;
@@ -15,6 +16,8 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
     private readonly IStripeFacade _stripeFacade;
     private readonly IOrganizationSponsorshipRenewCommand _organizationSponsorshipRenewCommand;
     private readonly IUserService _userService;
+    private readonly IPushNotificationService _pushNotificationService;
+    private readonly IOrganizationRepository _organizationRepository;
 
     public SubscriptionUpdatedHandler(
         IStripeEventService stripeEventService,
@@ -22,7 +25,9 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
         IOrganizationService organizationService,
         IStripeFacade stripeFacade,
         IOrganizationSponsorshipRenewCommand organizationSponsorshipRenewCommand,
-        IUserService userService)
+        IUserService userService,
+        IPushNotificationService pushNotificationService,
+        IOrganizationRepository organizationRepository)
     {
         _stripeEventService = stripeEventService;
         _stripeEventUtilityService = stripeEventUtilityService;
@@ -30,6 +35,8 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
         _stripeFacade = stripeFacade;
         _organizationSponsorshipRenewCommand = organizationSponsorshipRenewCommand;
         _userService = userService;
+        _pushNotificationService = pushNotificationService;
+        _organizationRepository = organizationRepository;
     }
 
     /// <summary>
@@ -70,6 +77,8 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
             case StripeSubscriptionStatus.Active when organizationId.HasValue:
                 {
                     await _organizationService.EnableAsync(organizationId.Value);
+                    var organization = await _organizationRepository.GetByIdAsync(organizationId.Value);
+                    await _pushNotificationService.PushSyncOrganizationStatusAsync(organization);
                     break;
                 }
             case StripeSubscriptionStatus.Active:
diff --git a/src/Core/Enums/PushType.cs b/src/Core/Enums/PushType.cs
index 9dbef7b8e2..2030b855e2 100644
--- a/src/Core/Enums/PushType.cs
+++ b/src/Core/Enums/PushType.cs
@@ -25,4 +25,5 @@ public enum PushType : byte
     AuthRequestResponse = 16,
 
     SyncOrganizations = 17,
+    SyncOrganizationStatusChanged = 18,
 }
diff --git a/src/Core/Models/PushNotification.cs b/src/Core/Models/PushNotification.cs
index 37b3b25c0d..667080580e 100644
--- a/src/Core/Models/PushNotification.cs
+++ b/src/Core/Models/PushNotification.cs
@@ -50,3 +50,9 @@ public class AuthRequestPushNotification
     public Guid UserId { get; set; }
     public Guid Id { get; set; }
 }
+
+public class OrganizationStatusPushNotification
+{
+    public Guid OrganizationId { get; set; }
+    public bool Enabled { get; set; }
+}
diff --git a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
index 6143676def..7438e812e0 100644
--- a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
+++ b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
@@ -1,5 +1,6 @@
 using System.Text.Json;
 using System.Text.RegularExpressions;
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Context;
 using Bit.Core.Enums;
@@ -226,6 +227,17 @@ public class NotificationHubPushNotificationService : IPushNotificationService
         }
     }
 
+    public async Task PushSyncOrganizationStatusAsync(Organization organization)
+    {
+        var message = new OrganizationStatusPushNotification
+        {
+            OrganizationId = organization.Id,
+            Enabled = organization.Enabled
+        };
+
+        await SendPayloadToOrganizationAsync(organization.Id, PushType.SyncOrganizationStatusChanged, message, false);
+    }
+
     private string GetContextIdentifier(bool excludeCurrentContext)
     {
         if (!excludeCurrentContext)
diff --git a/src/Core/Services/IPushNotificationService.cs b/src/Core/Services/IPushNotificationService.cs
index 29a20239d1..6e2e47e27f 100644
--- a/src/Core/Services/IPushNotificationService.cs
+++ b/src/Core/Services/IPushNotificationService.cs
@@ -1,4 +1,5 @@
-using Bit.Core.Auth.Entities;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Auth.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Tools.Entities;
 using Bit.Core.Vault.Entities;
@@ -27,4 +28,5 @@ public interface IPushNotificationService
     Task SendPayloadToUserAsync(string userId, PushType type, object payload, string identifier, string deviceId = null);
     Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier,
         string deviceId = null);
+    Task PushSyncOrganizationStatusAsync(Organization organization);
 }
diff --git a/src/Core/Services/Implementations/AzureQueuePushNotificationService.cs b/src/Core/Services/Implementations/AzureQueuePushNotificationService.cs
index 1e4a7314c4..3daadebf3a 100644
--- a/src/Core/Services/Implementations/AzureQueuePushNotificationService.cs
+++ b/src/Core/Services/Implementations/AzureQueuePushNotificationService.cs
@@ -1,5 +1,6 @@
 using System.Text.Json;
 using Azure.Storage.Queues;
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Context;
 using Bit.Core.Enums;
@@ -221,4 +222,15 @@ public class AzureQueuePushNotificationService : IPushNotificationService
         // Noop
         return Task.FromResult(0);
     }
+
+    public async Task PushSyncOrganizationStatusAsync(Organization organization)
+    {
+        var message = new OrganizationStatusPushNotification
+        {
+            OrganizationId = organization.Id,
+            Enabled = organization.Enabled
+        };
+        await SendMessageAsync(PushType.SyncOrganizationStatusChanged, message, false);
+    }
+
 }
diff --git a/src/Core/Services/Implementations/MultiServicePushNotificationService.cs b/src/Core/Services/Implementations/MultiServicePushNotificationService.cs
index 00be72c980..185a11adbb 100644
--- a/src/Core/Services/Implementations/MultiServicePushNotificationService.cs
+++ b/src/Core/Services/Implementations/MultiServicePushNotificationService.cs
@@ -1,4 +1,5 @@
-using Bit.Core.Auth.Entities;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Auth.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Settings;
 using Bit.Core.Tools.Entities;
@@ -144,6 +145,12 @@ public class MultiServicePushNotificationService : IPushNotificationService
         return Task.FromResult(0);
     }
 
+    public Task PushSyncOrganizationStatusAsync(Organization organization)
+    {
+        PushToServices((s) => s.PushSyncOrganizationStatusAsync(organization));
+        return Task.FromResult(0);
+    }
+
     private void PushToServices(Func<IPushNotificationService, Task> pushFunc)
     {
         if (_services != null)
diff --git a/src/Core/Services/Implementations/NotificationsApiPushNotificationService.cs b/src/Core/Services/Implementations/NotificationsApiPushNotificationService.cs
index 9ec1eb31d4..feec75fbe0 100644
--- a/src/Core/Services/Implementations/NotificationsApiPushNotificationService.cs
+++ b/src/Core/Services/Implementations/NotificationsApiPushNotificationService.cs
@@ -1,4 +1,5 @@
-using Bit.Core.Auth.Entities;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Auth.Entities;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Models;
@@ -227,4 +228,15 @@ public class NotificationsApiPushNotificationService : BaseIdentityClientService
         // Noop
         return Task.FromResult(0);
     }
+
+    public async Task PushSyncOrganizationStatusAsync(Organization organization)
+    {
+        var message = new OrganizationStatusPushNotification
+        {
+            OrganizationId = organization.Id,
+            Enabled = organization.Enabled
+        };
+
+        await SendMessageAsync(PushType.SyncOrganizationStatusChanged, message, false);
+    }
 }
diff --git a/src/Core/Services/Implementations/RelayPushNotificationService.cs b/src/Core/Services/Implementations/RelayPushNotificationService.cs
index 6cfc0c0a61..d725296779 100644
--- a/src/Core/Services/Implementations/RelayPushNotificationService.cs
+++ b/src/Core/Services/Implementations/RelayPushNotificationService.cs
@@ -1,4 +1,5 @@
-using Bit.Core.Auth.Entities;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Auth.Entities;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.IdentityServer;
@@ -251,4 +252,15 @@ public class RelayPushNotificationService : BaseIdentityClientService, IPushNoti
     {
         throw new NotImplementedException();
     }
+
+    public async Task PushSyncOrganizationStatusAsync(Organization organization)
+    {
+        var message = new OrganizationStatusPushNotification
+        {
+            OrganizationId = organization.Id,
+            Enabled = organization.Enabled
+        };
+
+        await SendPayloadToOrganizationAsync(organization.Id, PushType.SyncOrganizationStatusChanged, message, false);
+    }
 }
diff --git a/src/Core/Services/NoopImplementations/NoopPushNotificationService.cs b/src/Core/Services/NoopImplementations/NoopPushNotificationService.cs
index d4eff93ef6..b5e2616220 100644
--- a/src/Core/Services/NoopImplementations/NoopPushNotificationService.cs
+++ b/src/Core/Services/NoopImplementations/NoopPushNotificationService.cs
@@ -1,4 +1,5 @@
-using Bit.Core.Auth.Entities;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Auth.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Tools.Entities;
 using Bit.Core.Vault.Entities;
@@ -88,6 +89,11 @@ public class NoopPushNotificationService : IPushNotificationService
         return Task.FromResult(0);
     }
 
+    public Task PushSyncOrganizationStatusAsync(Organization organization)
+    {
+        return Task.FromResult(0);
+    }
+
     public Task PushAuthRequestAsync(AuthRequest authRequest)
     {
         return Task.FromResult(0);
diff --git a/src/Notifications/HubHelpers.cs b/src/Notifications/HubHelpers.cs
index 53edb76389..ce2e6b24ad 100644
--- a/src/Notifications/HubHelpers.cs
+++ b/src/Notifications/HubHelpers.cs
@@ -85,6 +85,13 @@ public static class HubHelpers
                 await hubContext.Clients.User(authRequestNotification.Payload.UserId.ToString())
                     .SendAsync("ReceiveMessage", authRequestNotification, cancellationToken);
                 break;
+            case PushType.SyncOrganizationStatusChanged:
+                var orgStatusNotification =
+                    JsonSerializer.Deserialize<PushNotificationData<OrganizationStatusPushNotification>>(
+                        notificationJson, _deserializerOptions);
+                await hubContext.Clients.Group($"Organization_{orgStatusNotification.Payload.OrganizationId}")
+                    .SendAsync("ReceiveMessage", orgStatusNotification, cancellationToken);
+                break;
             default:
                 break;
         }

From 4f50461521b329d97986b5b18bebbe20c0bd4a2b Mon Sep 17 00:00:00 2001
From: Matt Bishop <mbishop@bitwarden.com>
Date: Wed, 18 Dec 2024 16:00:43 -0500
Subject: [PATCH 084/384] Remove link to missing file (#5166)

---
 bitwarden-server.sln | 1 -
 1 file changed, 1 deletion(-)

diff --git a/bitwarden-server.sln b/bitwarden-server.sln
index ad643c43c3..75e7d7fade 100644
--- a/bitwarden-server.sln
+++ b/bitwarden-server.sln
@@ -18,7 +18,6 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution
 		.editorconfig = .editorconfig
 		TRADEMARK_GUIDELINES.md = TRADEMARK_GUIDELINES.md
 		SECURITY.md = SECURITY.md
-		NuGet.Config = NuGet.Config
 		LICENSE_FAQ.md = LICENSE_FAQ.md
 		LICENSE_BITWARDEN.txt = LICENSE_BITWARDEN.txt
 		LICENSE_AGPL.txt = LICENSE_AGPL.txt

From 2504f36bdc6c8fe7e78f3a5b2e4f402688b7a4cb Mon Sep 17 00:00:00 2001
From: Vijay Oommen <voommen@livefront.com>
Date: Wed, 18 Dec 2024 15:36:50 -0600
Subject: [PATCH 085/384] PM-13227 Rename access insights to access
 intelligence (#5160)

---
 src/Admin/AdminConsole/Views/Shared/_OrganizationForm.cshtml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Admin/AdminConsole/Views/Shared/_OrganizationForm.cshtml b/src/Admin/AdminConsole/Views/Shared/_OrganizationForm.cshtml
index 23d2057d07..cdc7608675 100644
--- a/src/Admin/AdminConsole/Views/Shared/_OrganizationForm.cshtml
+++ b/src/Admin/AdminConsole/Views/Shared/_OrganizationForm.cshtml
@@ -165,7 +165,7 @@
                 </div>
             </div>
             <div class="col-2">
-                <h3>Access Insights</h3>
+                <h3>Access Intelligence</h3>
                 <div class="form-check">
                     <input type="checkbox" class="form-check-input" asp-for="UseRiskInsights" disabled='@(canEditPlan ? null : "disabled")'>
                     <label class="form-check-label" asp-for="UseRiskInsights"></label>

From 0b026404db70c8d43dcc80d0c071daa47060a0c8 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 19 Dec 2024 13:43:44 +0100
Subject: [PATCH 086/384] [deps] Tools: Update
 Microsoft.Extensions.DependencyInjection to v9 (#5073)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Daniel James Smith <2670567+djsmith85@users.noreply.github.com>
---
 .../Infrastructure.IntegrationTest.csproj                     | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/Infrastructure.IntegrationTest/Infrastructure.IntegrationTest.csproj b/test/Infrastructure.IntegrationTest/Infrastructure.IntegrationTest.csproj
index 159572f387..724627cd29 100644
--- a/test/Infrastructure.IntegrationTest/Infrastructure.IntegrationTest.csproj
+++ b/test/Infrastructure.IntegrationTest/Infrastructure.IntegrationTest.csproj
@@ -8,8 +8,8 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
-    <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="8.0.1" />
-    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="8.0.2" />
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="9.0.0" />
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="9.0.0" />
     <PackageReference Include="Microsoft.Extensions.Logging" Version="8.0.1" />
     <PackageReference Include="Microsoft.Extensions.TimeProvider.Testing" Version="8.10.0" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNetTestSdkVersion)" />

From cb7cbb630aba46050ef9c235a2a0e4608dda4d83 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 19 Dec 2024 12:57:03 +0000
Subject: [PATCH 087/384] [deps] Tools: Update
 Microsoft.Extensions.Configuration to v9 (#5072)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 src/Core/Core.csproj                                          | 4 ++--
 .../Infrastructure.IntegrationTest.csproj                     | 2 +-
 test/IntegrationTestCommon/IntegrationTestCommon.csproj       | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index 43068a4ac0..317d74f536 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -41,8 +41,8 @@
     <PackageReference Include="Microsoft.Data.SqlClient" Version="5.2.2" />
     <PackageReference Include="Microsoft.Extensions.Caching.Cosmos" Version="1.6.1" />
     <PackageReference Include="Microsoft.Extensions.Caching.SqlServer" Version="8.0.10" />
-    <PackageReference Include="Microsoft.Extensions.Configuration.EnvironmentVariables" Version="8.0.0" />
-    <PackageReference Include="Microsoft.Extensions.Configuration.UserSecrets" Version="8.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Configuration.EnvironmentVariables" Version="9.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Configuration.UserSecrets" Version="9.0.0" />
     <PackageReference Include="Microsoft.Extensions.Identity.Stores" Version="8.0.10" />
     <PackageReference Include="Quartz" Version="3.13.1" />
     <PackageReference Include="SendGrid" Version="9.29.3" />
diff --git a/test/Infrastructure.IntegrationTest/Infrastructure.IntegrationTest.csproj b/test/Infrastructure.IntegrationTest/Infrastructure.IntegrationTest.csproj
index 724627cd29..417525f064 100644
--- a/test/Infrastructure.IntegrationTest/Infrastructure.IntegrationTest.csproj
+++ b/test/Infrastructure.IntegrationTest/Infrastructure.IntegrationTest.csproj
@@ -7,7 +7,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Configuration" Version="9.0.0" />
     <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="9.0.0" />
     <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="9.0.0" />
     <PackageReference Include="Microsoft.Extensions.Logging" Version="8.0.1" />
diff --git a/test/IntegrationTestCommon/IntegrationTestCommon.csproj b/test/IntegrationTestCommon/IntegrationTestCommon.csproj
index 3e8e55524b..2a65c4c364 100644
--- a/test/IntegrationTestCommon/IntegrationTestCommon.csproj
+++ b/test/IntegrationTestCommon/IntegrationTestCommon.csproj
@@ -6,7 +6,7 @@
   
   <ItemGroup>
     <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="8.0.10" />
-    <PackageReference Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Configuration" Version="9.0.0" />
   </ItemGroup>
     
   <ItemGroup>

From a3da5b2f0a0f0dfd7f636de3a2d56eb32c30ea13 Mon Sep 17 00:00:00 2001
From: Tom <144813356+ttalty@users.noreply.github.com>
Date: Thu, 19 Dec 2024 11:00:47 -0500
Subject: [PATCH 088/384] Removing access intelligence server side feature flag
 (#5158)

---
 src/Core/Constants.cs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 9b51b12d62..cc94cf3dee 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -141,7 +141,6 @@ public static class FeatureFlagKeys
     public const string TrialPayment = "PM-8163-trial-payment";
     public const string RemoveServerVersionHeader = "remove-server-version-header";
     public const string SecureOrgGroupDetails = "pm-3479-secure-org-group-details";
-    public const string AccessIntelligence = "pm-13227-access-intelligence";
     public const string VerifiedSsoDomainEndpoint = "pm-12337-refactor-sso-details-endpoint";
     public const string PM12275_MultiOrganizationEnterprises = "pm-12275-multi-organization-enterprises";
     public const string GeneratorToolsModernization = "generator-tools-modernization";

From eb7454bb8651c099b00a3dcc5dcad76a5402d194 Mon Sep 17 00:00:00 2001
From: Matt Bishop <mbishop@bitwarden.com>
Date: Thu, 19 Dec 2024 14:22:13 -0500
Subject: [PATCH 089/384] Update Duende license from renewal (#5169)

---
 src/Core/Settings/GlobalSettings.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Core/Settings/GlobalSettings.cs b/src/Core/Settings/GlobalSettings.cs
index 2ececb9658..cdbfc7cf3a 100644
--- a/src/Core/Settings/GlobalSettings.cs
+++ b/src/Core/Settings/GlobalSettings.cs
@@ -341,7 +341,7 @@ public class GlobalSettings : IGlobalSettings
         public string CertificatePassword { get; set; }
         public string RedisConnectionString { get; set; }
         public string CosmosConnectionString { get; set; }
-        public string LicenseKey { get; set; } = "eyJhbGciOiJQUzI1NiIsImtpZCI6IklkZW50aXR5U2VydmVyTGljZW5zZWtleS83Y2VhZGJiNzgxMzA0NjllODgwNjg5MTAyNTQxNGYxNiIsInR5cCI6ImxpY2Vuc2Urand0In0.eyJpc3MiOiJodHRwczovL2R1ZW5kZXNvZnR3YXJlLmNvbSIsImF1ZCI6IklkZW50aXR5U2VydmVyIiwiaWF0IjoxNzAxODIwODAwLCJleHAiOjE3MzM0NDMyMDAsImNvbXBhbnlfbmFtZSI6IkJpdHdhcmRlbiBJbmMuIiwiY29udGFjdF9pbmZvIjoiY29udGFjdEBkdWVuZGVzb2Z0d2FyZS5jb20iLCJlZGl0aW9uIjoiU3RhcnRlciIsImlkIjoiNDMxOSIsImZlYXR1cmUiOlsiaXN2IiwidW5saW1pdGVkX2NsaWVudHMiXSwicHJvZHVjdCI6IkJpdHdhcmRlbiJ9.iLA771PffgIh0ClRS8OWHbg2cAgjhgOkUjRRkLNr9dpQXhYZkVKdpUn-Gw9T7grsGcAx0f4p-TQmtcCpbN9EJCF5jlF0-NfsRTp_gmCgQ5eXyiE4DzJp2OCrz_3STf07N1dILwhD3nk9rzcA6SRQ4_kja8wAMHKnD5LisW98r5DfRDBecRs16KS5HUhg99DRMR5fd9ntfydVMTC_E23eEOHVLsR4YhiSXaEINPjFDG1czyOBClJItDW8g9X8qlClZegr630UjnKKg06A4usoL25VFHHn8Ew3v-_-XdlWoWsIpMMVvacwZT8rwkxjIesFNsXG6yzuROIhaxAvB1297A";
+        public string LicenseKey { get; set; } = "eyJhbGciOiJQUzI1NiIsImtpZCI6IklkZW50aXR5U2VydmVyTGljZW5zZWtleS83Y2VhZGJiNzgxMzA0NjllODgwNjg5MTAyNTQxNGYxNiIsInR5cCI6ImxpY2Vuc2Urand0In0.eyJpc3MiOiJodHRwczovL2R1ZW5kZXNvZnR3YXJlLmNvbSIsImF1ZCI6IklkZW50aXR5U2VydmVyIiwiaWF0IjoxNzM0NTY2NDAwLCJleHAiOjE3NjQ5NzkyMDAsImNvbXBhbnlfbmFtZSI6IkJpdHdhcmRlbiBJbmMuIiwiY29udGFjdF9pbmZvIjoiY29udGFjdEBkdWVuZGVzb2Z0d2FyZS5jb20iLCJlZGl0aW9uIjoiU3RhcnRlciIsImlkIjoiNjg3OCIsImZlYXR1cmUiOlsiaXN2IiwidW5saW1pdGVkX2NsaWVudHMiXSwicHJvZHVjdCI6IkJpdHdhcmRlbiJ9.TYc88W_t2t0F2AJV3rdyKwGyQKrKFriSAzm1tWFNHNR9QizfC-8bliGdT4Wgeie-ynCXs9wWaF-sKC5emg--qS7oe2iIt67Qd88WS53AwgTvAddQRA4NhGB1R7VM8GAikLieSos-DzzwLYRgjZdmcsprItYGSJuY73r-7-F97ta915majBytVxGF966tT9zF1aYk0bA8FS6DcDYkr5f7Nsy8daS_uIUAgNa_agKXtmQPqKujqtUb6rgWEpSp4OcQcG-8Dpd5jHqoIjouGvY-5LTgk5WmLxi_m-1QISjxUJrUm-UGao3_VwV5KFGqYrz8csdTl-HS40ihWcsWnrV0ug";
     }
 
     public class DataProtectionSettings

From 11325c4d3f4035130ca0b6c980e3338bd53de27b Mon Sep 17 00:00:00 2001
From: Daniel James Smith <2670567+djsmith85@users.noreply.github.com>
Date: Fri, 20 Dec 2024 15:17:38 +0100
Subject: [PATCH 090/384] Renovate: Assign DbOps to
 Microsoft.Extensions.Caching.Cosmos (#5171)

Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
---
 .github/renovate.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/renovate.json b/.github/renovate.json
index 4ae3cc19d8..536ca306f8 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -105,6 +105,7 @@
         "Microsoft.EntityFrameworkCore.Relational",
         "Microsoft.EntityFrameworkCore.Sqlite",
         "Microsoft.EntityFrameworkCore.SqlServer",
+        "Microsoft.Extensions.Caching.Cosmos",
         "Microsoft.Extensions.Caching.SqlServer",
         "Microsoft.Extensions.Caching.StackExchangeRedis",
         "Npgsql.EntityFrameworkCore.PostgreSQL",

From adfe365db92eee1f080261ffdf500627bb04bb2d Mon Sep 17 00:00:00 2001
From: Conner Turnbull <133619638+cturnbull-bitwarden@users.noreply.github.com>
Date: Mon, 23 Dec 2024 11:56:05 -0500
Subject: [PATCH 091/384] Added quartz support to the Billing project (#5186)

---
 src/Billing/Jobs/AliveJob.cs          | 13 ++++++++++
 src/Billing/Jobs/JobsHostedService.cs | 36 +++++++++++++++++++++++++++
 src/Billing/Startup.cs                |  4 +++
 3 files changed, 53 insertions(+)
 create mode 100644 src/Billing/Jobs/AliveJob.cs
 create mode 100644 src/Billing/Jobs/JobsHostedService.cs

diff --git a/src/Billing/Jobs/AliveJob.cs b/src/Billing/Jobs/AliveJob.cs
new file mode 100644
index 0000000000..42f64099ac
--- /dev/null
+++ b/src/Billing/Jobs/AliveJob.cs
@@ -0,0 +1,13 @@
+using Bit.Core.Jobs;
+using Quartz;
+
+namespace Bit.Billing.Jobs;
+
+public class AliveJob(ILogger<AliveJob> logger) : BaseJob(logger)
+{
+    protected override Task ExecuteJobAsync(IJobExecutionContext context)
+    {
+        _logger.LogInformation(Core.Constants.BypassFiltersEventId, null, "Billing service is alive!");
+        return Task.FromResult(0);
+    }
+}
diff --git a/src/Billing/Jobs/JobsHostedService.cs b/src/Billing/Jobs/JobsHostedService.cs
new file mode 100644
index 0000000000..d91ca21520
--- /dev/null
+++ b/src/Billing/Jobs/JobsHostedService.cs
@@ -0,0 +1,36 @@
+using Bit.Core.Jobs;
+using Bit.Core.Settings;
+using Quartz;
+
+namespace Bit.Billing.Jobs;
+
+public class JobsHostedService : BaseJobsHostedService
+{
+    public JobsHostedService(
+        GlobalSettings globalSettings,
+        IServiceProvider serviceProvider,
+        ILogger<JobsHostedService> logger,
+        ILogger<JobListener> listenerLogger)
+        : base(globalSettings, serviceProvider, logger, listenerLogger) { }
+
+    public override async Task StartAsync(CancellationToken cancellationToken)
+    {
+        var everyTopOfTheHourTrigger = TriggerBuilder.Create()
+            .WithIdentity("EveryTopOfTheHourTrigger")
+            .StartNow()
+            .WithCronSchedule("0 0 * * * ?")
+            .Build();
+
+        Jobs = new List<Tuple<Type, ITrigger>>
+        {
+            new Tuple<Type, ITrigger>(typeof(AliveJob), everyTopOfTheHourTrigger)
+        };
+
+        await base.StartAsync(cancellationToken);
+    }
+
+    public static void AddJobsServices(IServiceCollection services)
+    {
+        services.AddTransient<AliveJob>();
+    }
+}
diff --git a/src/Billing/Startup.cs b/src/Billing/Startup.cs
index 7965cbe50f..e3547d943b 100644
--- a/src/Billing/Startup.cs
+++ b/src/Billing/Startup.cs
@@ -100,6 +100,10 @@ public class Startup
         services.AddScoped<IStripeFacade, StripeFacade>();
         services.AddScoped<IStripeEventService, StripeEventService>();
         services.AddScoped<IProviderEventService, ProviderEventService>();
+
+        // Jobs service
+        Jobs.JobsHostedService.AddJobsServices(services);
+        services.AddHostedService<Jobs.JobsHostedService>();
     }
 
     public void Configure(

From c5da5da517038e7a7c27f600bbde52e8f6eaad5c Mon Sep 17 00:00:00 2001
From: Conner Turnbull <133619638+cturnbull-bitwarden@users.noreply.github.com>
Date: Mon, 23 Dec 2024 14:01:53 -0500
Subject: [PATCH 092/384] Added nodejs to the dev container to support building
 Admin (#5187)

* Added nodejs to the dev container to support building Admin

* Updated to use the existing devcontainer node feature

* Moved features up to root
---
 .devcontainer/community_dev/devcontainer.json |  6 +++-
 .devcontainer/internal_dev/devcontainer.json  | 28 +++++++++++++++++--
 2 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/.devcontainer/community_dev/devcontainer.json b/.devcontainer/community_dev/devcontainer.json
index 78a652a84f..ce3b8a21c6 100644
--- a/.devcontainer/community_dev/devcontainer.json
+++ b/.devcontainer/community_dev/devcontainer.json
@@ -3,6 +3,11 @@
   "dockerComposeFile": "../../.devcontainer/bitwarden_common/docker-compose.yml",
   "service": "bitwarden_server",
   "workspaceFolder": "/workspace",
+  "features": {
+    "ghcr.io/devcontainers/features/node:1": {
+      "version": "16"
+    }
+  },
   "mounts": [
     {
       "source": "../../dev/.data/keys",
@@ -13,7 +18,6 @@
   "customizations": {
     "vscode": {
       "settings": {},
-      "features": {},
       "extensions": ["ms-dotnettools.csdevkit"]
     }
   },
diff --git a/.devcontainer/internal_dev/devcontainer.json b/.devcontainer/internal_dev/devcontainer.json
index 78a79180ee..862b9297c4 100644
--- a/.devcontainer/internal_dev/devcontainer.json
+++ b/.devcontainer/internal_dev/devcontainer.json
@@ -6,6 +6,11 @@
   ],
   "service": "bitwarden_server",
   "workspaceFolder": "/workspace",
+  "features": {
+    "ghcr.io/devcontainers/features/node:1": {
+      "version": "16"
+    }
+  },
   "mounts": [
     {
       "source": "../../dev/.data/keys",
@@ -16,12 +21,11 @@
   "customizations": {
     "vscode": {
       "settings": {},
-      "features": {},
       "extensions": ["ms-dotnettools.csdevkit"]
     }
   },
   "postCreateCommand": "bash .devcontainer/internal_dev/postCreateCommand.sh",
-  "forwardPorts": [1080, 1433],
+  "forwardPorts": [1080, 1433, 3306, 5432, 10000, 10001, 10002],
   "portsAttributes": {
     "1080": {
       "label": "Mail Catcher",
@@ -30,6 +34,26 @@
     "1433": {
       "label": "SQL Server",
       "onAutoForward": "notify"
+    },
+    "3306": {
+      "label": "MySQL",
+      "onAutoForward": "notify"
+    },
+    "5432": {
+      "label": "PostgreSQL",
+      "onAutoForward": "notify"
+    },
+    "10000": {
+      "label": "Azurite Storage Blob",
+      "onAutoForward": "notify"
+    },
+    "10001": {
+      "label": "Azurite Storage Queue ",
+      "onAutoForward": "notify"
+    },
+    "10002": {
+      "label": "Azurite Storage Table",
+      "onAutoForward": "notify"
     }
   }
 }

From 0989e7fd5b401278e86549609e2a1f7c8ba0c535 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 23 Dec 2024 15:39:40 -0500
Subject: [PATCH 093/384] [deps] DbOps: Update
 Microsoft.Extensions.Caching.Cosmos to 1.7.0 (#4721)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 src/Core/Core.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index 317d74f536..e9349c4787 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -39,7 +39,7 @@
     <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.46.0" />
     <PackageReference Include="Microsoft.Azure.NotificationHubs" Version="4.2.0" />
     <PackageReference Include="Microsoft.Data.SqlClient" Version="5.2.2" />
-    <PackageReference Include="Microsoft.Extensions.Caching.Cosmos" Version="1.6.1" />
+    <PackageReference Include="Microsoft.Extensions.Caching.Cosmos" Version="1.7.0" />
     <PackageReference Include="Microsoft.Extensions.Caching.SqlServer" Version="8.0.10" />
     <PackageReference Include="Microsoft.Extensions.Configuration.EnvironmentVariables" Version="9.0.0" />
     <PackageReference Include="Microsoft.Extensions.Configuration.UserSecrets" Version="9.0.0" />

From 854119b58c475732fee5b09acab8ca605efd777c Mon Sep 17 00:00:00 2001
From: Robyn MacCallum <robyntmaccallum@gmail.com>
Date: Thu, 26 Dec 2024 14:50:23 -0500
Subject: [PATCH 094/384] Add app review prompt flag (#5190)

---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index cc94cf3dee..54ff734dc9 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -162,6 +162,7 @@ public static class FeatureFlagKeys
     public const string PrivateKeyRegeneration = "pm-12241-private-key-regeneration";
     public const string AuthenticatorSynciOS = "enable-authenticator-sync-ios";
     public const string AuthenticatorSyncAndroid = "enable-authenticator-sync-android";
+    public const string AppReviewPrompt = "app-review-prompt";
 
     public static List<string> GetAllKeys()
     {

From 235261bf150273e953a9407c57ed1651e64e8574 Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Mon, 30 Dec 2024 14:12:55 +0000
Subject: [PATCH 095/384] Bumped version to 2024.12.2

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 05598bbbe1..d7997e3ee7 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2024.12.1</Version>
+    <Version>2024.12.2</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

From 83404efebd14dd20ef66d634540353715e456df0 Mon Sep 17 00:00:00 2001
From: Addison Beck <addison@bitwarden.com>
Date: Mon, 30 Dec 2024 10:34:30 -0500
Subject: [PATCH 096/384] Bump version to 2025.1.0 (#5198)

---
 Directory.Build.props | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index d7997e3ee7..a27c4874f8 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2024.12.2</Version>
+    <Version>2025.1.0</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>
@@ -64,4 +64,4 @@
     </ItemGroup>
   </Target>
 
-</Project>
\ No newline at end of file
+</Project>

From d924c6721a9a824e57eb244a07583a924e4d26e3 Mon Sep 17 00:00:00 2001
From: cyprain-okeke <108260115+cyprain-okeke@users.noreply.github.com>
Date: Tue, 31 Dec 2024 18:06:29 +0100
Subject: [PATCH 097/384] [PM-15814]Alert owners of reseller-managed orgs to
 renewal events (#5193)

* Changes for the admin console alert

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

* Fix the failing test

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

* Add the feature flag

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

---------

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>
---
 .../Responses/OrganizationMetadataResponse.cs | 12 ++++++++--
 .../Billing/Models/OrganizationMetadata.cs    |  6 ++++-
 .../OrganizationBillingService.cs             | 22 +++++++++++++++++--
 src/Core/Constants.cs                         |  1 +
 .../OrganizationBillingControllerTests.cs     |  2 +-
 5 files changed, 37 insertions(+), 6 deletions(-)

diff --git a/src/Api/Billing/Models/Responses/OrganizationMetadataResponse.cs b/src/Api/Billing/Models/Responses/OrganizationMetadataResponse.cs
index 86cbdb92c3..28f156fa39 100644
--- a/src/Api/Billing/Models/Responses/OrganizationMetadataResponse.cs
+++ b/src/Api/Billing/Models/Responses/OrganizationMetadataResponse.cs
@@ -7,7 +7,11 @@ public record OrganizationMetadataResponse(
     bool IsManaged,
     bool IsOnSecretsManagerStandalone,
     bool IsSubscriptionUnpaid,
-    bool HasSubscription)
+    bool HasSubscription,
+    bool HasOpenInvoice,
+    DateTime? InvoiceDueDate,
+    DateTime? InvoiceCreatedDate,
+    DateTime? SubPeriodEndDate)
 {
     public static OrganizationMetadataResponse From(OrganizationMetadata metadata)
         => new(
@@ -15,5 +19,9 @@ public record OrganizationMetadataResponse(
             metadata.IsManaged,
             metadata.IsOnSecretsManagerStandalone,
             metadata.IsSubscriptionUnpaid,
-            metadata.HasSubscription);
+            metadata.HasSubscription,
+            metadata.HasOpenInvoice,
+            metadata.InvoiceDueDate,
+            metadata.InvoiceCreatedDate,
+            metadata.SubPeriodEndDate);
 }
diff --git a/src/Core/Billing/Models/OrganizationMetadata.cs b/src/Core/Billing/Models/OrganizationMetadata.cs
index 5bdb450dc6..b6442e4c19 100644
--- a/src/Core/Billing/Models/OrganizationMetadata.cs
+++ b/src/Core/Billing/Models/OrganizationMetadata.cs
@@ -5,4 +5,8 @@ public record OrganizationMetadata(
     bool IsManaged,
     bool IsOnSecretsManagerStandalone,
     bool IsSubscriptionUnpaid,
-    bool HasSubscription);
+    bool HasSubscription,
+    bool HasOpenInvoice,
+    DateTime? InvoiceDueDate,
+    DateTime? InvoiceCreatedDate,
+    DateTime? SubPeriodEndDate);
diff --git a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
index eadc589625..6d9c275444 100644
--- a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
@@ -68,19 +68,25 @@ public class OrganizationBillingService(
         if (string.IsNullOrWhiteSpace(organization.GatewaySubscriptionId))
         {
             return new OrganizationMetadata(isEligibleForSelfHost, isManaged, false,
-                false, false);
+                false, false, false, null, null, null);
         }
 
         var customer = await subscriberService.GetCustomer(organization,
             new CustomerGetOptions { Expand = ["discount.coupon.applies_to"] });
 
         var subscription = await subscriberService.GetSubscription(organization);
+
         var isOnSecretsManagerStandalone = IsOnSecretsManagerStandalone(organization, customer, subscription);
         var isSubscriptionUnpaid = IsSubscriptionUnpaid(subscription);
         var hasSubscription = true;
+        var openInvoice = await HasOpenInvoiceAsync(subscription);
+        var hasOpenInvoice = openInvoice.HasOpenInvoice;
+        var invoiceDueDate = openInvoice.DueDate;
+        var invoiceCreatedDate = openInvoice.CreatedDate;
+        var subPeriodEndDate = subscription?.CurrentPeriodEnd;
 
         return new OrganizationMetadata(isEligibleForSelfHost, isManaged, isOnSecretsManagerStandalone,
-            isSubscriptionUnpaid, hasSubscription);
+            isSubscriptionUnpaid, hasSubscription, hasOpenInvoice, invoiceDueDate, invoiceCreatedDate, subPeriodEndDate);
     }
 
     public async Task UpdatePaymentMethod(
@@ -393,6 +399,18 @@ public class OrganizationBillingService(
         return subscription.Status == "unpaid";
     }
 
+    private async Task<(bool HasOpenInvoice, DateTime? CreatedDate, DateTime? DueDate)> HasOpenInvoiceAsync(Subscription subscription)
+    {
+        if (subscription?.LatestInvoiceId == null)
+        {
+            return (false, null, null);
+        }
 
+        var invoice = await stripeAdapter.InvoiceGetAsync(subscription.LatestInvoiceId, new InvoiceGetOptions());
+
+        return invoice?.Status == "open"
+            ? (true, invoice.Created, invoice.DueDate)
+            : (false, null, null);
+    }
     #endregion
 }
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 54ff734dc9..e0c5564ede 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -163,6 +163,7 @@ public static class FeatureFlagKeys
     public const string AuthenticatorSynciOS = "enable-authenticator-sync-ios";
     public const string AuthenticatorSyncAndroid = "enable-authenticator-sync-android";
     public const string AppReviewPrompt = "app-review-prompt";
+    public const string ResellerManagedOrgAlert = "PM-15814-alert-owners-of-reseller-managed-orgs";
 
     public static List<string> GetAllKeys()
     {
diff --git a/test/Api.Test/Billing/Controllers/OrganizationBillingControllerTests.cs b/test/Api.Test/Billing/Controllers/OrganizationBillingControllerTests.cs
index 703475fc57..d500fb354a 100644
--- a/test/Api.Test/Billing/Controllers/OrganizationBillingControllerTests.cs
+++ b/test/Api.Test/Billing/Controllers/OrganizationBillingControllerTests.cs
@@ -52,7 +52,7 @@ public class OrganizationBillingControllerTests
     {
         sutProvider.GetDependency<ICurrentContext>().OrganizationUser(organizationId).Returns(true);
         sutProvider.GetDependency<IOrganizationBillingService>().GetMetadata(organizationId)
-            .Returns(new OrganizationMetadata(true, true, true, true, true));
+            .Returns(new OrganizationMetadata(true, true, true, true, true, true, null, null, null));
 
         var result = await sutProvider.Sut.GetMetadataAsync(organizationId);
 

From 144c0a2fee5517a6e607f87205b3030f153f6a3a Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Tue, 31 Dec 2024 13:49:52 -0500
Subject: [PATCH 098/384] Add missing curly brace (#5203)

---
 .github/workflows/repository-management.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/repository-management.yml b/.github/workflows/repository-management.yml
index 5cf7a91b01..d41ce91ec9 100644
--- a/.github/workflows/repository-management.yml
+++ b/.github/workflows/repository-management.yml
@@ -241,6 +241,7 @@ jobs:
               git cherry-pick --strategy-option=theirs -x $SOURCE_COMMIT
               git push -u origin $destination_branch
             fi
+          }
 
           # If we are cutting 'hotfix-rc':
           if [[ "$CUT_BRANCH" == "hotfix-rc" ]]; then

From bc40884db0121b72de6faa82e1c2e7a7caa86ca6 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Tue, 31 Dec 2024 16:10:22 -0500
Subject: [PATCH 099/384] Remove old unused scripts (#5202)

---
 scripts/bitwarden.ps1 |  3 --
 scripts/bitwarden.sh  | 31 ---------------
 scripts/build         | 47 -----------------------
 scripts/build-docker  | 88 -------------------------------------------
 scripts/deploy-qa     | 42 ---------------------
 scripts/run.ps1       | 16 --------
 scripts/run.sh        | 45 ----------------------
 7 files changed, 272 deletions(-)
 delete mode 100644 scripts/bitwarden.ps1
 delete mode 100755 scripts/bitwarden.sh
 delete mode 100755 scripts/build
 delete mode 100755 scripts/build-docker
 delete mode 100755 scripts/deploy-qa
 delete mode 100644 scripts/run.ps1
 delete mode 100755 scripts/run.sh

diff --git a/scripts/bitwarden.ps1 b/scripts/bitwarden.ps1
deleted file mode 100644
index 3d4f70ac48..0000000000
--- a/scripts/bitwarden.ps1
+++ /dev/null
@@ -1,3 +0,0 @@
-$scriptPath = $MyInvocation.MyCommand.Path
-Invoke-RestMethod -OutFile $scriptPath -Uri "https://go.btwrdn.co/bw-ps"
-Write-Output "We have moved our self-hosted scripts to their own repository (https://github.com/bitwarden/self-host).  Your 'bitwarden.ps1' script has been automatically upgraded. Please run it again."
diff --git a/scripts/bitwarden.sh b/scripts/bitwarden.sh
deleted file mode 100755
index 4f9da295dc..0000000000
--- a/scripts/bitwarden.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-cat << "EOF"
- _     _ _                         _            
-| |__ (_) |___      ____ _ _ __ __| | ___ _ __  
-| '_ \| | __\ \ /\ / / _` | '__/ _` |/ _ \ '_ \ 
-| |_) | | |_ \ V  V / (_| | | | (_| |  __/ | | |
-|_.__/|_|\__| \_/\_/ \__,_|_|  \__,_|\___|_| |_|
-EOF
-
-cat << EOF
-Open source password management solutions
-Copyright 2015-$(date +'%Y'), 8bit Solutions LLC
-https://bitwarden.com, https://github.com/bitwarden
-===================================================
-EOF
-
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-SCRIPT_NAME=$(basename "$0")
-SCRIPT_PATH="$DIR/$SCRIPT_NAME"
-BITWARDEN_SCRIPT_URL="https://go.btwrdn.co/bw-sh"
-
-if curl -L -s -w "http_code %{http_code}" -o $SCRIPT_PATH.1 $BITWARDEN_SCRIPT_URL | grep -q "^http_code 20[0-9]"
-then
-    mv $SCRIPT_PATH.1 $SCRIPT_PATH
-    chmod u+x $SCRIPT_PATH
-    echo "We have moved our self-hosted scripts to their own repository (https://github.com/bitwarden/self-host).  Your 'bitwarden.sh' script has been automatically upgraded. Please run it again."
-else
-    rm -f $SCRIPT_PATH.1
-fi
diff --git a/scripts/build b/scripts/build
deleted file mode 100755
index 38b457f853..0000000000
--- a/scripts/build
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/bash
-
-##############################
-# Builds a specified service
-# Arguments: 
-#   1: Project to build
-#   2: Project path
-##############################
-build() {
-  local project=$1
-  local project_dir=$2
-
-  echo "Building $project"
-  echo "Build Path: $project_dir"
-  echo "=================="
-
-  chmod u+x "$project_dir/build.sh"
-  "$project_dir/build.sh"
-}
-
-# Get Project
-PROJECT=$1; shift
-
-case "$PROJECT" in
-  "admin" | "Admin") build Admin $PWD/src/Admin ;;
-  "api" | "Api") build Api $PWD/src/Api ;;
-  "billing" | "Billing") build Billing $PWD/src/Billing ;;
-  "events" | "Events") build Events $PWD/src/Events ;;
-  "eventsprocessor" | "EventsProcessor") build EventsProcessor $PWD/src/EventsProcessor ;;
-  "icons" | "Icons") build Icons $PWD/src/Icons ;;
-  "identity" | "Identity") build Identity $PWD/src/Identity ;;
-  "notifications" | "Notifications") build Notifications $PWD/src/Notifications ;;
-  "server" | "Server") build Server $PWD/util/Server ;;
-  "sso" | "Sso") build Sso $PWD/bitwarden_license/src/Sso ;;
-  "")
-    build Admin $PWD/src/Admin
-    build Api $PWD/src/Api
-    build Billing $PWD/src/Billing
-    build Events $PWD/src/Events
-    build EventsProcessor $PWD/src/EventsProcessor
-    build Icons $PWD/src/Icons
-    build Identity $PWD/src/Identity
-    build Notifications $PWD/src/Notifications
-    build Server $PWD/util/Server
-    build Sso $PWD/bitwarden_license/src/Sso
-  ;;
-esac
diff --git a/scripts/build-docker b/scripts/build-docker
deleted file mode 100755
index da8a82e864..0000000000
--- a/scripts/build-docker
+++ /dev/null
@@ -1,88 +0,0 @@
-#!/bin/bash
-
-##############################
-# Builds the docker image from a pre-built build directory
-# Arguments: 
-#   1: Project Name
-#   2: Project Directory
-#   3: Docker Tag
-#   4: Docker push
-# Outputs: 
-#   Output to STDOUT or STDERR.
-# Returns: 
-#   Returned values other than the default exit status of the last command run.
-##############################
-docker_build() {
-  local project_name=$1
-  local project_dir=$2
-  local docker_tag=$3
-  local docker_push=$4
-
-  local project_name_lower=$(echo "$project_name" | awk '{print tolower($0)}')
-
-  echo "Building docker image: bitwarden/$project_name_lower:$docker_tag"
-  echo "=============================="
-  docker build -t bitwarden/$project_name_lower:$docker_tag $project_dir
-
-  if [ "$docker_push" == "1" ]; then
-    docker push bitwarden/$project_name_lower:$docker_tag
-  fi
-}
-
-# Get Project
-PROJECT=$1; shift
-
-# Get Params
-TAG="latest"
-PUSH=0
-
-while [ ! $# -eq 0 ]; do
-  case "$1" in
-    -t | --tag)
-      if [[ $2 ]]; then
-        TAG="$2"
-        shift
-      else
-        exp "--tag requires a value"
-      fi
-      ;;
-    --push) PUSH=1 ;;
-    -h | --help ) usage && exit ;;
-    *) usage && exit ;;
-  esac
-  shift
-done
-
-
-case "$PROJECT" in
-  "admin" | "Admin") docker_build Admin $PWD/src/Admin $TAG $PUSH ;;
-  "api" | "Api") docker_build Api $PWD/src/Api $TAG $PUSH ;;
-  "attachments" | "Attachments") docker_build Attachments $PWD/util/Attachments $TAG $PUSH ;;
-  #"billing" | "Billing") docker_build Billing $PWD/src/Billing $TAG $PUSH ;;
-  "events" | "Events") docker_build Events $PWD/src/Events $TAG $PUSH ;;
-  "eventsprocessor" | "EventsProcessor") docker_build EventsProcessor $PWD/src/EventsProcessor $TAG $PUSH ;;
-  "icons" | "Icons") docker_build Icons $PWD/src/Icons $TAG $PUSH ;;
-  "identity" | "Identity") docker_build Identity $PWD/src/Identity $TAG $PUSH ;;
-  "mssql" | "MsSql" | "Mssql") docker_build MsSql $PWD/util/MsSql $TAG $PUSH ;;
-  "nginx" | "Nginx") docker_build Nginx $PWD/util/Nginx $TAG $PUSH ;;
-  "notifications" | "Notifications") docker_build Notifications $PWD/src/Notifications $TAG $PUSH ;;
-  "server" | "Server") docker_build Server $PWD/util/Server $TAG $PUSH ;;
-  "setup" | "Setup") docker_build Setup $PWD/util/Setup $TAG $PUSH ;;
-  "sso" | "Sso") docker_build Sso $PWD/bitwarden_license/src/Sso $TAG $PUSH ;;
-  "")
-    docker_build Admin $PWD/src/Admin $TAG $PUSH
-    docker_build Api $PWD/src/Api $TAG $PUSH
-    docker_build Attachments $PWD/util/Attachments $TAG $PUSH
-    #docker_build Billing $PWD/src/Billing $TAG $PUSH
-    docker_build Events $PWD/src/Events $TAG $PUSH
-    docker_build EventsProcessor $PWD/src/EventsProcessor $TAG $PUSH
-    docker_build Icons $PWD/src/Icons $TAG $PUSH
-    docker_build Identity $PWD/src/Identity $TAG $PUSH
-    docker_build MsSql $PWD/util/MsSql $TAG $PUSH
-    docker_build Nginx $PWD/util/Nginx $TAG $PUSH
-    docker_build Notifications $PWD/src/Notifications $TAG $PUSH
-    docker_build Server $PWD/util/Server $TAG $PUSH
-    docker_build Setup $PWD/util/Setup $TAG $PUSH
-    docker_build Sso $PWD/bitwarden_license/src/Sso $TAG $PUSH
-  ;;
-esac
diff --git a/scripts/deploy-qa b/scripts/deploy-qa
deleted file mode 100755
index 08c124d995..0000000000
--- a/scripts/deploy-qa
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/bash
-
-##############################
-# Builds the docker image from a pre-built build directory
-# Arguments: 
-#   1: Project Name
-#   2: Project Directory
-#   3: Docker Tag
-#   4: Docker push
-##############################
-deploy_app_service() {
-  local project_name=$1
-  local project_dir=$2
-
-  local project_name_lower=$(echo "$project_name" | awk '{print tolower($0)}')
-  local webapp_name=$(az keyvault secret show --vault-name bitwarden-qa-kv --name appservices-$project_name_lower-webapp-name --query value --output tsv)
-
-  cd $project_dir/obj/build-output/publish
-  zip -r $project_name.zip .
-  mv $project_name.zip ../../../
-  #az webapp deploy --resource-group bw-qa-env --name $webapp_name \
-  #  --src-path $project_name.zip --verbose --type zip --restart true --subscription "Bitwarden Test"
-}
-
-PROJECT=$1; shift
-
-case "$PROJECT" in
-  "api" | "Api") deploy_app_service Api $PWD/src/Api ;;
-  "admin" | "Admin") deploy_app_service Admin $PWD/src/Admin ;;
-  "identity" | "Identity") deploy_app_service Identity $PWD/src/Identity ;;
-  "events" | "Events") deploy_app_service Events $PWD/src/Events ;;
-  "billing" | "Billing") deploy_app_service Billing $PWD/src/Billing ;;
-  "sso" | "Sso") deploy_app_service Sso $PWD/bitwarden_license/src/Sso ;;
-  "")
-    deploy_app_service Api $PWD/src/Api 
-    deploy_app_service Admin $PWD/src/Admin 
-    deploy_app_service Identity $PWD/src/Identity 
-    deploy_app_service Events $PWD/src/Events 
-    deploy_app_service Billing $PWD/src/Billing 
-    deploy_app_service Sso $PWD/bitwarden_license/src/Sso 
-  ;;
-esac
diff --git a/scripts/run.ps1 b/scripts/run.ps1
deleted file mode 100644
index a2b5b438ab..0000000000
--- a/scripts/run.ps1
+++ /dev/null
@@ -1,16 +0,0 @@
-$scriptPath = $MyInvocation.MyCommand.Path
-$bitwardenPath = Split-Path $scriptPath | Split-Path | Split-Path
-$files = Get-ChildItem $bitwardenPath
-$scriptFound = $false
-foreach ($file in $files) {
-    if ($file.Name -eq "bitwarden.ps1") {
-        $scriptFound = $true
-        Invoke-RestMethod -OutFile "$($bitwardenPath)/bitwarden.ps1" -Uri "https://go.btwrdn.co/bw-ps"
-        Write-Output "We have moved our self-hosted scripts to their own repository (https://github.com/bitwarden/self-host).  Your 'bitwarden.ps1' script has been automatically upgraded. Please run it again."
-        break
-    }
-}
-
-if (-not $scriptFound) {
-    Write-Output "We have moved our self-hosted scripts to their own repository (https://github.com/bitwarden/self-host).  Please run 'bitwarden.ps1 -updateself' before updating."
-}
diff --git a/scripts/run.sh b/scripts/run.sh
deleted file mode 100755
index 65828bd2f2..0000000000
--- a/scripts/run.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-cat << "EOF"
- _     _ _                         _            
-| |__ (_) |___      ____ _ _ __ __| | ___ _ __  
-| '_ \| | __\ \ /\ / / _` | '__/ _` |/ _ \ '_ \ 
-| |_) | | |_ \ V  V / (_| | | | (_| |  __/ | | |
-|_.__/|_|\__| \_/\_/ \__,_|_|  \__,_|\___|_| |_|
-EOF
-
-cat << EOF
-Open source password management solutions
-Copyright 2015-$(date +'%Y'), 8bit Solutions LLC
-https://bitwarden.com, https://github.com/bitwarden
-===================================================
-EOF
-
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-BITWARDEN_SCRIPT_URL="https://go.btwrdn.co/bw-sh"
-
-cd $DIR
-cd ../../
-
-FOUND=false
-
-for i in *.sh; do
-  if [ $i = "bitwarden.sh" ]
-  then
-    FOUND=true
-    if curl -L -s -w "http_code %{http_code}" -o bitwarden.sh.1 $BITWARDEN_SCRIPT_URL | grep -q "^http_code 20[0-9]"
-    then
-      mv bitwarden.sh.1 bitwarden.sh
-      chmod u+x bitwarden.sh
-      echo "We have moved our self-hosted scripts to their own repository (https://github.com/bitwarden/self-host).  Your 'bitwarden.sh' script has been automatically upgraded. Please run it again."
-    else
-      rm -f bitwarden.sh.1
-    fi
-  fi
-done
-
-if [ $FOUND = false ]
-then
-  echo "We have moved our self-hosted scripts to their own repository (https://github.com/bitwarden/self-host). Please run 'bitwarden.sh updateself' before updating."
-fi

From bad533af8e309aa79dc84bf67872cd3497bde4a4 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Thu, 2 Jan 2025 16:07:34 +0100
Subject: [PATCH 100/384] =?UTF-8?q?[PM-16611]=20Failing=20unit=20tests=20d?=
 =?UTF-8?q?ue=20to=20previous=20month=20being=20incorrectly=E2=80=A6=20(#5?=
 =?UTF-8?q?207)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../Controllers/ProviderBillingControllerTests.cs | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/test/Api.Test/Billing/Controllers/ProviderBillingControllerTests.cs b/test/Api.Test/Billing/Controllers/ProviderBillingControllerTests.cs
index d46038ae90..644303c873 100644
--- a/test/Api.Test/Billing/Controllers/ProviderBillingControllerTests.cs
+++ b/test/Api.Test/Billing/Controllers/ProviderBillingControllerTests.cs
@@ -260,13 +260,15 @@ public class ProviderBillingControllerTests
 
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
 
-        var (thisYear, thisMonth, _) = DateTime.UtcNow;
-        var daysInThisMonth = DateTime.DaysInMonth(thisYear, thisMonth);
+        var now = DateTime.UtcNow;
+        var oneMonthAgo = now.AddMonths(-1);
+
+        var daysInThisMonth = DateTime.DaysInMonth(now.Year, now.Month);
 
         var subscription = new Subscription
         {
             CollectionMethod = StripeConstants.CollectionMethod.ChargeAutomatically,
-            CurrentPeriodEnd = new DateTime(thisYear, thisMonth, daysInThisMonth),
+            CurrentPeriodEnd = new DateTime(now.Year, now.Month, daysInThisMonth),
             Customer = new Customer
             {
                 Address = new Address
@@ -290,15 +292,14 @@ public class ProviderBillingControllerTests
                 options.Expand.Contains("customer.tax_ids") &&
                 options.Expand.Contains("test_clock"))).Returns(subscription);
 
-        var lastMonth = thisMonth - 1;
-        var daysInLastMonth = DateTime.DaysInMonth(thisYear, lastMonth);
+        var daysInLastMonth = DateTime.DaysInMonth(oneMonthAgo.Year, oneMonthAgo.Month);
 
         var overdueInvoice = new Invoice
         {
             Id = "invoice_id",
             Status = "open",
-            Created = new DateTime(thisYear, lastMonth, 1),
-            PeriodEnd = new DateTime(thisYear, lastMonth, daysInLastMonth),
+            Created = new DateTime(oneMonthAgo.Year, oneMonthAgo.Month, 1),
+            PeriodEnd = new DateTime(oneMonthAgo.Year, oneMonthAgo.Month, daysInLastMonth),
             Attempted = true
         };
 

From 1062c6d52279eadf760843bc3ce3935f9b471aa9 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 2 Jan 2025 16:13:16 +0100
Subject: [PATCH 101/384] [deps] Billing: Update Sentry.Serilog to v5 (#5182)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 src/Core/Core.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index e9349c4787..c5cb31d9c5 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -49,7 +49,7 @@
     <PackageReference Include="Serilog.AspNetCore" Version="8.0.3" />
     <PackageReference Include="Serilog.Extensions.Logging" Version="8.0.0" />
     <PackageReference Include="Serilog.Extensions.Logging.File" Version="3.0.0" />
-    <PackageReference Include="Sentry.Serilog" Version="3.41.4" />
+    <PackageReference Include="Sentry.Serilog" Version="5.0.0" />
     <PackageReference Include="Duende.IdentityServer" Version="7.0.8" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
     <PackageReference Include="Serilog.Sinks.SyslogMessages" Version="4.0.0" />

From 97e11774e3960786c991dc72ca7460b5ee3327b2 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Thu, 2 Jan 2025 20:27:53 +0100
Subject: [PATCH 102/384] [PM-13999] show estimated tax for taxable countries
 (#5110)

---
 .../Billing/TaxServiceTests.cs                | 151 +++
 .../Auth/Controllers/AccountsController.cs    |   7 +-
 .../Controllers/AccountsBillingController.cs  |  15 +
 .../Billing/Controllers/InvoicesController.cs |  42 +
 .../Controllers/ProviderBillingController.cs  |   1 +
 .../Billing/Controllers/StripeController.cs   |  14 +-
 .../Requests/TaxInformationRequestBody.cs     |   2 +
 .../Billing/Extensions/CurrencyExtensions.cs  |  33 +
 .../Extensions/ServiceCollectionExtensions.cs |   1 +
 .../PreviewIndividualInvoiceRequestModel.cs   |  18 +
 .../PreviewOrganizationInvoiceRequestModel.cs |  37 +
 .../Requests/TaxInformationRequestModel.cs    |  14 +
 .../Responses/PreviewInvoiceResponseModel.cs  |   7 +
 src/Core/Billing/Models/PreviewInvoiceInfo.cs |   7 +
 .../Billing/Models/Sales/OrganizationSale.cs  |   1 +
 src/Core/Billing/Models/TaxIdType.cs          |  22 +
 src/Core/Billing/Models/TaxInformation.cs     | 160 +---
 src/Core/Billing/Services/ITaxService.cs      |  22 +
 .../OrganizationBillingService.cs             |  35 +-
 .../PremiumUserBillingService.cs              |  15 +-
 .../Implementations/SubscriberService.cs      |  62 +-
 src/Core/Billing/Services/TaxService.cs       | 901 ++++++++++++++++++
 src/Core/Billing/Utilities.cs                 |   1 +
 src/Core/Models/Business/TaxInfo.cs           | 208 +---
 src/Core/Services/IPaymentService.cs          |   6 +
 src/Core/Services/IStripeAdapter.cs           |   2 +
 .../Services/Implementations/StripeAdapter.cs |  12 +
 .../Implementations/StripePaymentService.cs   | 420 +++++++-
 .../Services/Implementations/UserService.cs   |   3 +
 .../Services/SubscriberServiceTests.cs        |   3 +-
 .../Core.Test/Models/Business/TaxInfoTests.cs | 114 ---
 .../Services/StripePaymentServiceTests.cs     |  18 +-
 32 files changed, 1806 insertions(+), 548 deletions(-)
 create mode 100644 bitwarden_license/test/Commercial.Core.Test/Billing/TaxServiceTests.cs
 create mode 100644 src/Api/Billing/Controllers/InvoicesController.cs
 create mode 100644 src/Core/Billing/Extensions/CurrencyExtensions.cs
 create mode 100644 src/Core/Billing/Models/Api/Requests/Accounts/PreviewIndividualInvoiceRequestModel.cs
 create mode 100644 src/Core/Billing/Models/Api/Requests/Organizations/PreviewOrganizationInvoiceRequestModel.cs
 create mode 100644 src/Core/Billing/Models/Api/Requests/TaxInformationRequestModel.cs
 create mode 100644 src/Core/Billing/Models/Api/Responses/PreviewInvoiceResponseModel.cs
 create mode 100644 src/Core/Billing/Models/PreviewInvoiceInfo.cs
 create mode 100644 src/Core/Billing/Models/TaxIdType.cs
 create mode 100644 src/Core/Billing/Services/ITaxService.cs
 create mode 100644 src/Core/Billing/Services/TaxService.cs
 delete mode 100644 test/Core.Test/Models/Business/TaxInfoTests.cs

diff --git a/bitwarden_license/test/Commercial.Core.Test/Billing/TaxServiceTests.cs b/bitwarden_license/test/Commercial.Core.Test/Billing/TaxServiceTests.cs
new file mode 100644
index 0000000000..3995fb9de6
--- /dev/null
+++ b/bitwarden_license/test/Commercial.Core.Test/Billing/TaxServiceTests.cs
@@ -0,0 +1,151 @@
+using Bit.Core.Billing.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Xunit;
+
+namespace Bit.Commercial.Core.Test.Billing;
+
+[SutProviderCustomize]
+public class TaxServiceTests
+{
+    [Theory]
+    [BitAutoData("AD", "A-123456-Z", "ad_nrt")]
+    [BitAutoData("AD", "A123456Z", "ad_nrt")]
+    [BitAutoData("AR", "20-12345678-9", "ar_cuit")]
+    [BitAutoData("AR", "20123456789", "ar_cuit")]
+    [BitAutoData("AU", "01259983598", "au_abn")]
+    [BitAutoData("AU", "123456789123", "au_arn")]
+    [BitAutoData("AT", "ATU12345678", "eu_vat")]
+    [BitAutoData("BH", "123456789012345", "bh_vat")]
+    [BitAutoData("BY", "123456789", "by_tin")]
+    [BitAutoData("BE", "BE0123456789", "eu_vat")]
+    [BitAutoData("BO", "123456789", "bo_tin")]
+    [BitAutoData("BR", "01.234.456/5432-10", "br_cnpj")]
+    [BitAutoData("BR", "01234456543210", "br_cnpj")]
+    [BitAutoData("BR", "123.456.789-87", "br_cpf")]
+    [BitAutoData("BR", "12345678987", "br_cpf")]
+    [BitAutoData("BG", "123456789", "bg_uic")]
+    [BitAutoData("BG", "BG012100705", "eu_vat")]
+    [BitAutoData("CA", "100728494", "ca_bn")]
+    [BitAutoData("CA", "123456789RT0001", "ca_gst_hst")]
+    [BitAutoData("CA", "PST-1234-1234", "ca_pst_bc")]
+    [BitAutoData("CA", "123456-7", "ca_pst_mb")]
+    [BitAutoData("CA", "1234567", "ca_pst_sk")]
+    [BitAutoData("CA", "1234567890TQ1234", "ca_qst")]
+    [BitAutoData("CL", "11.121.326-1", "cl_tin")]
+    [BitAutoData("CL", "11121326-1", "cl_tin")]
+    [BitAutoData("CL", "23.121.326-K", "cl_tin")]
+    [BitAutoData("CL", "43651326-K", "cl_tin")]
+    [BitAutoData("CN", "123456789012345678", "cn_tin")]
+    [BitAutoData("CN", "123456789012345", "cn_tin")]
+    [BitAutoData("CO", "123.456.789-0", "co_nit")]
+    [BitAutoData("CO", "1234567890", "co_nit")]
+    [BitAutoData("CR", "1-234-567890", "cr_tin")]
+    [BitAutoData("CR", "1234567890", "cr_tin")]
+    [BitAutoData("HR", "HR12345678912", "eu_vat")]
+    [BitAutoData("HR", "12345678901", "hr_oib")]
+    [BitAutoData("CY", "CY12345678X", "eu_vat")]
+    [BitAutoData("CZ", "CZ12345678", "eu_vat")]
+    [BitAutoData("DK", "DK12345678", "eu_vat")]
+    [BitAutoData("DO", "123-4567890-1", "do_rcn")]
+    [BitAutoData("DO", "12345678901", "do_rcn")]
+    [BitAutoData("EC", "1234567890001", "ec_ruc")]
+    [BitAutoData("EG", "123456789", "eg_tin")]
+    [BitAutoData("SV", "1234-567890-123-4", "sv_nit")]
+    [BitAutoData("SV", "12345678901234", "sv_nit")]
+    [BitAutoData("EE", "EE123456789", "eu_vat")]
+    [BitAutoData("EU", "EU123456789", "eu_oss_vat")]
+    [BitAutoData("FI", "FI12345678", "eu_vat")]
+    [BitAutoData("FR", "FR12345678901", "eu_vat")]
+    [BitAutoData("GE", "123456789", "ge_vat")]
+    [BitAutoData("DE", "1234567890", "de_stn")]
+    [BitAutoData("DE", "DE123456789", "eu_vat")]
+    [BitAutoData("GR", "EL123456789", "eu_vat")]
+    [BitAutoData("HK", "12345678", "hk_br")]
+    [BitAutoData("HU", "HU12345678", "eu_vat")]
+    [BitAutoData("HU", "12345678-1-23", "hu_tin")]
+    [BitAutoData("HU", "12345678123", "hu_tin")]
+    [BitAutoData("IS", "123456", "is_vat")]
+    [BitAutoData("IN", "12ABCDE1234F1Z5", "in_gst")]
+    [BitAutoData("IN", "12ABCDE3456FGZH", "in_gst")]
+    [BitAutoData("ID", "012.345.678.9-012.345", "id_npwp")]
+    [BitAutoData("ID", "0123456789012345", "id_npwp")]
+    [BitAutoData("IE", "IE1234567A", "eu_vat")]
+    [BitAutoData("IE", "IE1234567AB", "eu_vat")]
+    [BitAutoData("IL", "000012345", "il_vat")]
+    [BitAutoData("IL", "123456789", "il_vat")]
+    [BitAutoData("IT", "IT12345678901", "eu_vat")]
+    [BitAutoData("JP", "1234567890123", "jp_cn")]
+    [BitAutoData("JP", "12345", "jp_rn")]
+    [BitAutoData("KZ", "123456789012", "kz_bin")]
+    [BitAutoData("KE", "P000111111A", "ke_pin")]
+    [BitAutoData("LV", "LV12345678912", "eu_vat")]
+    [BitAutoData("LI", "CHE123456789", "li_uid")]
+    [BitAutoData("LI", "12345", "li_vat")]
+    [BitAutoData("LT", "LT123456789123", "eu_vat")]
+    [BitAutoData("LU", "LU12345678", "eu_vat")]
+    [BitAutoData("MY", "12345678", "my_frp")]
+    [BitAutoData("MY", "C 1234567890", "my_itn")]
+    [BitAutoData("MY", "C1234567890", "my_itn")]
+    [BitAutoData("MY", "A12-3456-78912345", "my_sst")]
+    [BitAutoData("MY", "A12345678912345", "my_sst")]
+    [BitAutoData("MT", "MT12345678", "eu_vat")]
+    [BitAutoData("MX", "ABC010203AB9", "mx_rfc")]
+    [BitAutoData("MD", "1003600", "md_vat")]
+    [BitAutoData("MA", "12345678", "ma_vat")]
+    [BitAutoData("NL", "NL123456789B12", "eu_vat")]
+    [BitAutoData("NZ", "123456789", "nz_gst")]
+    [BitAutoData("NG", "12345678-0001", "ng_tin")]
+    [BitAutoData("NO", "123456789MVA", "no_vat")]
+    [BitAutoData("NO", "1234567", "no_voec")]
+    [BitAutoData("OM", "OM1234567890", "om_vat")]
+    [BitAutoData("PE", "12345678901", "pe_ruc")]
+    [BitAutoData("PH", "123456789012", "ph_tin")]
+    [BitAutoData("PL", "PL1234567890", "eu_vat")]
+    [BitAutoData("PT", "PT123456789", "eu_vat")]
+    [BitAutoData("RO", "RO1234567891", "eu_vat")]
+    [BitAutoData("RO", "1234567890123", "ro_tin")]
+    [BitAutoData("RU", "1234567891", "ru_inn")]
+    [BitAutoData("RU", "123456789", "ru_kpp")]
+    [BitAutoData("SA", "123456789012345", "sa_vat")]
+    [BitAutoData("RS", "123456789", "rs_pib")]
+    [BitAutoData("SG", "M12345678X", "sg_gst")]
+    [BitAutoData("SG", "123456789F", "sg_uen")]
+    [BitAutoData("SK", "SK1234567891", "eu_vat")]
+    [BitAutoData("SI", "SI12345678", "eu_vat")]
+    [BitAutoData("SI", "12345678", "si_tin")]
+    [BitAutoData("ZA", "4123456789", "za_vat")]
+    [BitAutoData("KR", "123-45-67890", "kr_brn")]
+    [BitAutoData("KR", "1234567890", "kr_brn")]
+    [BitAutoData("ES", "A12345678", "es_cif")]
+    [BitAutoData("ES", "ESX1234567X", "eu_vat")]
+    [BitAutoData("SE", "SE123456789012", "eu_vat")]
+    [BitAutoData("CH", "CHE-123.456.789 HR", "ch_uid")]
+    [BitAutoData("CH", "CHE123456789HR", "ch_uid")]
+    [BitAutoData("CH", "CHE-123.456.789 MWST", "ch_vat")]
+    [BitAutoData("CH", "CHE123456789MWST", "ch_vat")]
+    [BitAutoData("TW", "12345678", "tw_vat")]
+    [BitAutoData("TH", "1234567890123", "th_vat")]
+    [BitAutoData("TR", "0123456789", "tr_tin")]
+    [BitAutoData("UA", "123456789", "ua_vat")]
+    [BitAutoData("AE", "123456789012345", "ae_trn")]
+    [BitAutoData("GB", "XI123456789", "eu_vat")]
+    [BitAutoData("GB", "GB123456789", "gb_vat")]
+    [BitAutoData("US", "12-3456789", "us_ein")]
+    [BitAutoData("UY", "123456789012", "uy_ruc")]
+    [BitAutoData("UZ", "123456789", "uz_tin")]
+    [BitAutoData("UZ", "123456789012", "uz_vat")]
+    [BitAutoData("VE", "A-12345678-9", "ve_rif")]
+    [BitAutoData("VE", "A123456789", "ve_rif")]
+    [BitAutoData("VN", "1234567890", "vn_tin")]
+    public void GetStripeTaxCode_WithValidCountryAndTaxId_ReturnsExpectedTaxIdType(
+        string country,
+        string taxId,
+        string expected,
+        SutProvider<TaxService> sutProvider)
+    {
+        var result = sutProvider.Sut.GetStripeTaxCode(country, taxId);
+
+        Assert.Equal(expected, result);
+    }
+}
diff --git a/src/Api/Auth/Controllers/AccountsController.cs b/src/Api/Auth/Controllers/AccountsController.cs
index 1c08ce4f73..a0092357d6 100644
--- a/src/Api/Auth/Controllers/AccountsController.cs
+++ b/src/Api/Auth/Controllers/AccountsController.cs
@@ -666,7 +666,7 @@ public class AccountsController : Controller
             new TaxInfo
             {
                 BillingAddressCountry = model.Country,
-                BillingAddressPostalCode = model.PostalCode,
+                BillingAddressPostalCode = model.PostalCode
             });
 
         var userTwoFactorEnabled = await _userService.TwoFactorIsEnabledAsync(user);
@@ -721,8 +721,13 @@ public class AccountsController : Controller
         await _userService.ReplacePaymentMethodAsync(user, model.PaymentToken, model.PaymentMethodType.Value,
             new TaxInfo
             {
+                BillingAddressLine1 = model.Line1,
+                BillingAddressLine2 = model.Line2,
+                BillingAddressCity = model.City,
+                BillingAddressState = model.State,
                 BillingAddressCountry = model.Country,
                 BillingAddressPostalCode = model.PostalCode,
+                TaxIdNumber = model.TaxId
             });
     }
 
diff --git a/src/Api/Billing/Controllers/AccountsBillingController.cs b/src/Api/Billing/Controllers/AccountsBillingController.cs
index 574ac3e65e..fcb89226e7 100644
--- a/src/Api/Billing/Controllers/AccountsBillingController.cs
+++ b/src/Api/Billing/Controllers/AccountsBillingController.cs
@@ -1,5 +1,6 @@
 #nullable enable
 using Bit.Api.Billing.Models.Responses;
+using Bit.Core.Billing.Models.Api.Requests.Accounts;
 using Bit.Core.Billing.Services;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
@@ -77,4 +78,18 @@ public class AccountsBillingController(
 
         return TypedResults.Ok(transactions);
     }
+
+    [HttpPost("preview-invoice")]
+    public async Task<IResult> PreviewInvoiceAsync([FromBody] PreviewIndividualInvoiceRequestBody model)
+    {
+        var user = await userService.GetUserByPrincipalAsync(User);
+        if (user == null)
+        {
+            throw new UnauthorizedAccessException();
+        }
+
+        var invoice = await paymentService.PreviewInvoiceAsync(model, user.GatewayCustomerId, user.GatewaySubscriptionId);
+
+        return TypedResults.Ok(invoice);
+    }
 }
diff --git a/src/Api/Billing/Controllers/InvoicesController.cs b/src/Api/Billing/Controllers/InvoicesController.cs
new file mode 100644
index 0000000000..686d9b9643
--- /dev/null
+++ b/src/Api/Billing/Controllers/InvoicesController.cs
@@ -0,0 +1,42 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Billing.Models.Api.Requests.Organizations;
+using Bit.Core.Context;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.Billing.Controllers;
+
+[Route("invoices")]
+[Authorize("Application")]
+public class InvoicesController : BaseBillingController
+{
+    [HttpPost("preview-organization")]
+    public async Task<IResult> PreviewInvoiceAsync(
+        [FromBody] PreviewOrganizationInvoiceRequestBody model,
+        [FromServices] ICurrentContext currentContext,
+        [FromServices] IOrganizationRepository organizationRepository,
+        [FromServices] IPaymentService paymentService)
+    {
+        Organization organization = null;
+        if (model.OrganizationId != default)
+        {
+            if (!await currentContext.EditPaymentMethods(model.OrganizationId))
+            {
+                return Error.Unauthorized();
+            }
+
+            organization = await organizationRepository.GetByIdAsync(model.OrganizationId);
+            if (organization == null)
+            {
+                return Error.NotFound();
+            }
+        }
+
+        var invoice = await paymentService.PreviewInvoiceAsync(model, organization?.GatewayCustomerId,
+            organization?.GatewaySubscriptionId);
+
+        return TypedResults.Ok(invoice);
+    }
+}
diff --git a/src/Api/Billing/Controllers/ProviderBillingController.cs b/src/Api/Billing/Controllers/ProviderBillingController.cs
index f7ddf0853e..c5de63c69b 100644
--- a/src/Api/Billing/Controllers/ProviderBillingController.cs
+++ b/src/Api/Billing/Controllers/ProviderBillingController.cs
@@ -119,6 +119,7 @@ public class ProviderBillingController(
             requestBody.Country,
             requestBody.PostalCode,
             requestBody.TaxId,
+            requestBody.TaxIdType,
             requestBody.Line1,
             requestBody.Line2,
             requestBody.City,
diff --git a/src/Api/Billing/Controllers/StripeController.cs b/src/Api/Billing/Controllers/StripeController.cs
index a4a974bb99..f5e8253bfa 100644
--- a/src/Api/Billing/Controllers/StripeController.cs
+++ b/src/Api/Billing/Controllers/StripeController.cs
@@ -1,4 +1,5 @@
-using Bit.Core.Services;
+using Bit.Core.Billing.Services;
+using Bit.Core.Services;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http.HttpResults;
 using Microsoft.AspNetCore.Mvc;
@@ -46,4 +47,15 @@ public class StripeController(
 
         return TypedResults.Ok(setupIntent.ClientSecret);
     }
+
+    [HttpGet]
+    [Route("~/tax/is-country-supported")]
+    public IResult IsCountrySupported(
+        [FromQuery] string country,
+        [FromServices] ITaxService taxService)
+    {
+        var isSupported = taxService.IsSupported(country);
+
+        return TypedResults.Ok(isSupported);
+    }
 }
diff --git a/src/Api/Billing/Models/Requests/TaxInformationRequestBody.cs b/src/Api/Billing/Models/Requests/TaxInformationRequestBody.cs
index c5c0fde00b..32ba2effb2 100644
--- a/src/Api/Billing/Models/Requests/TaxInformationRequestBody.cs
+++ b/src/Api/Billing/Models/Requests/TaxInformationRequestBody.cs
@@ -10,6 +10,7 @@ public class TaxInformationRequestBody
     [Required]
     public string PostalCode { get; set; }
     public string TaxId { get; set; }
+    public string TaxIdType { get; set; }
     public string Line1 { get; set; }
     public string Line2 { get; set; }
     public string City { get; set; }
@@ -19,6 +20,7 @@ public class TaxInformationRequestBody
         Country,
         PostalCode,
         TaxId,
+        TaxIdType,
         Line1,
         Line2,
         City,
diff --git a/src/Core/Billing/Extensions/CurrencyExtensions.cs b/src/Core/Billing/Extensions/CurrencyExtensions.cs
new file mode 100644
index 0000000000..cde1a7bea8
--- /dev/null
+++ b/src/Core/Billing/Extensions/CurrencyExtensions.cs
@@ -0,0 +1,33 @@
+namespace Bit.Core.Billing.Extensions;
+
+public static class CurrencyExtensions
+{
+    /// <summary>
+    /// Converts a currency amount in major units to minor units.
+    /// </summary>
+    /// <example>123.99 USD returns 12399 in minor units.</example>
+    public static long ToMinor(this decimal amount)
+    {
+        return Convert.ToInt64(amount * 100);
+    }
+
+    /// <summary>
+    /// Converts a currency amount in minor units to major units.
+    /// </summary>
+    /// <param name="amount"></param>
+    /// <example>12399 in minor units returns 123.99 USD.</example>
+    public static decimal? ToMajor(this long? amount)
+    {
+        return amount?.ToMajor();
+    }
+
+    /// <summary>
+    /// Converts a currency amount in minor units to major units.
+    /// </summary>
+    /// <param name="amount"></param>
+    /// <example>12399 in minor units returns 123.99 USD.</example>
+    public static decimal ToMajor(this long amount)
+    {
+        return Convert.ToDecimal(amount) / 100;
+    }
+}
diff --git a/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs b/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
index 78253f7399..e9a5d3f736 100644
--- a/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
+++ b/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
@@ -12,6 +12,7 @@ public static class ServiceCollectionExtensions
 {
     public static void AddBillingOperations(this IServiceCollection services)
     {
+        services.AddSingleton<ITaxService, TaxService>();
         services.AddTransient<IOrganizationBillingService, OrganizationBillingService>();
         services.AddTransient<IPremiumUserBillingService, PremiumUserBillingService>();
         services.AddTransient<ISetupIntentCache, SetupIntentDistributedCache>();
diff --git a/src/Core/Billing/Models/Api/Requests/Accounts/PreviewIndividualInvoiceRequestModel.cs b/src/Core/Billing/Models/Api/Requests/Accounts/PreviewIndividualInvoiceRequestModel.cs
new file mode 100644
index 0000000000..6dfb9894d5
--- /dev/null
+++ b/src/Core/Billing/Models/Api/Requests/Accounts/PreviewIndividualInvoiceRequestModel.cs
@@ -0,0 +1,18 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Core.Billing.Models.Api.Requests.Accounts;
+
+public class PreviewIndividualInvoiceRequestBody
+{
+    [Required]
+    public PasswordManagerRequestModel PasswordManager { get; set; }
+
+    [Required]
+    public TaxInformationRequestModel TaxInformation { get; set; }
+}
+
+public class PasswordManagerRequestModel
+{
+    [Range(0, int.MaxValue)]
+    public int AdditionalStorage { get; set; }
+}
diff --git a/src/Core/Billing/Models/Api/Requests/Organizations/PreviewOrganizationInvoiceRequestModel.cs b/src/Core/Billing/Models/Api/Requests/Organizations/PreviewOrganizationInvoiceRequestModel.cs
new file mode 100644
index 0000000000..18d9c352d7
--- /dev/null
+++ b/src/Core/Billing/Models/Api/Requests/Organizations/PreviewOrganizationInvoiceRequestModel.cs
@@ -0,0 +1,37 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Billing.Enums;
+
+namespace Bit.Core.Billing.Models.Api.Requests.Organizations;
+
+public class PreviewOrganizationInvoiceRequestBody
+{
+    public Guid OrganizationId { get; set; }
+
+    [Required]
+    public PasswordManagerRequestModel PasswordManager { get; set; }
+
+    public SecretsManagerRequestModel SecretsManager { get; set; }
+
+    [Required]
+    public TaxInformationRequestModel TaxInformation { get; set; }
+}
+
+public class PasswordManagerRequestModel
+{
+    public PlanType Plan { get; set; }
+
+    [Range(0, int.MaxValue)]
+    public int Seats { get; set; }
+
+    [Range(0, int.MaxValue)]
+    public int AdditionalStorage { get; set; }
+}
+
+public class SecretsManagerRequestModel
+{
+    [Range(0, int.MaxValue)]
+    public int Seats { get; set; }
+
+    [Range(0, int.MaxValue)]
+    public int AdditionalMachineAccounts { get; set; }
+}
diff --git a/src/Core/Billing/Models/Api/Requests/TaxInformationRequestModel.cs b/src/Core/Billing/Models/Api/Requests/TaxInformationRequestModel.cs
new file mode 100644
index 0000000000..9cb43645c6
--- /dev/null
+++ b/src/Core/Billing/Models/Api/Requests/TaxInformationRequestModel.cs
@@ -0,0 +1,14 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Core.Billing.Models.Api.Requests;
+
+public class TaxInformationRequestModel
+{
+    [Length(2, 2), Required]
+    public string Country { get; set; }
+
+    [Required]
+    public string PostalCode { get; set; }
+
+    public string TaxId { get; set; }
+}
diff --git a/src/Core/Billing/Models/Api/Responses/PreviewInvoiceResponseModel.cs b/src/Core/Billing/Models/Api/Responses/PreviewInvoiceResponseModel.cs
new file mode 100644
index 0000000000..fdde7dae1e
--- /dev/null
+++ b/src/Core/Billing/Models/Api/Responses/PreviewInvoiceResponseModel.cs
@@ -0,0 +1,7 @@
+namespace Bit.Core.Billing.Models.Api.Responses;
+
+public record PreviewInvoiceResponseModel(
+    decimal EffectiveTaxRate,
+    decimal TaxableBaseAmount,
+    decimal TaxAmount,
+    decimal TotalAmount);
diff --git a/src/Core/Billing/Models/PreviewInvoiceInfo.cs b/src/Core/Billing/Models/PreviewInvoiceInfo.cs
new file mode 100644
index 0000000000..16a2019c20
--- /dev/null
+++ b/src/Core/Billing/Models/PreviewInvoiceInfo.cs
@@ -0,0 +1,7 @@
+namespace Bit.Core.Billing.Models;
+
+public record PreviewInvoiceInfo(
+    decimal EffectiveTaxRate,
+    decimal TaxableBaseAmount,
+    decimal TaxAmount,
+    decimal TotalAmount);
diff --git a/src/Core/Billing/Models/Sales/OrganizationSale.cs b/src/Core/Billing/Models/Sales/OrganizationSale.cs
index a19c278c68..43852bb320 100644
--- a/src/Core/Billing/Models/Sales/OrganizationSale.cs
+++ b/src/Core/Billing/Models/Sales/OrganizationSale.cs
@@ -65,6 +65,7 @@ public class OrganizationSale
             signup.TaxInfo.BillingAddressCountry,
             signup.TaxInfo.BillingAddressPostalCode,
             signup.TaxInfo.TaxIdNumber,
+            signup.TaxInfo.TaxIdType,
             signup.TaxInfo.BillingAddressLine1,
             signup.TaxInfo.BillingAddressLine2,
             signup.TaxInfo.BillingAddressCity,
diff --git a/src/Core/Billing/Models/TaxIdType.cs b/src/Core/Billing/Models/TaxIdType.cs
new file mode 100644
index 0000000000..3fc246d68b
--- /dev/null
+++ b/src/Core/Billing/Models/TaxIdType.cs
@@ -0,0 +1,22 @@
+using System.Text.RegularExpressions;
+
+namespace Bit.Core.Billing.Models;
+
+public class TaxIdType
+{
+    /// <summary>
+    /// ISO-3166-2 code for the country.
+    /// </summary>
+    public string Country { get; set; }
+
+    /// <summary>
+    /// The identifier in Stripe for the tax ID type.
+    /// </summary>
+    public string Code { get; set; }
+
+    public Regex ValidationExpression { get; set; }
+
+    public string Description { get; set; }
+
+    public string Example { get; set; }
+}
diff --git a/src/Core/Billing/Models/TaxInformation.cs b/src/Core/Billing/Models/TaxInformation.cs
index 5403f94690..23ed3e5faa 100644
--- a/src/Core/Billing/Models/TaxInformation.cs
+++ b/src/Core/Billing/Models/TaxInformation.cs
@@ -1,5 +1,4 @@
 using Bit.Core.Models.Business;
-using Stripe;
 
 namespace Bit.Core.Billing.Models;
 
@@ -7,6 +6,7 @@ public record TaxInformation(
     string Country,
     string PostalCode,
     string TaxId,
+    string TaxIdType,
     string Line1,
     string Line2,
     string City,
@@ -16,165 +16,9 @@ public record TaxInformation(
         taxInfo.BillingAddressCountry,
         taxInfo.BillingAddressPostalCode,
         taxInfo.TaxIdNumber,
+        taxInfo.TaxIdType,
         taxInfo.BillingAddressLine1,
         taxInfo.BillingAddressLine2,
         taxInfo.BillingAddressCity,
         taxInfo.BillingAddressState);
-
-    public (AddressOptions, List<CustomerTaxIdDataOptions>) GetStripeOptions()
-    {
-        var address = new AddressOptions
-        {
-            Country = Country,
-            PostalCode = PostalCode,
-            Line1 = Line1,
-            Line2 = Line2,
-            City = City,
-            State = State
-        };
-
-        var customerTaxIdDataOptionsList = !string.IsNullOrEmpty(TaxId)
-            ? new List<CustomerTaxIdDataOptions> { new() { Type = GetTaxIdType(), Value = TaxId } }
-            : null;
-
-        return (address, customerTaxIdDataOptionsList);
-    }
-
-    public string GetTaxIdType()
-    {
-        if (string.IsNullOrEmpty(Country) || string.IsNullOrEmpty(TaxId))
-        {
-            return null;
-        }
-
-        switch (Country.ToUpper())
-        {
-            case "AD":
-                return "ad_nrt";
-            case "AE":
-                return "ae_trn";
-            case "AR":
-                return "ar_cuit";
-            case "AU":
-                return "au_abn";
-            case "BO":
-                return "bo_tin";
-            case "BR":
-                return "br_cnpj";
-            case "CA":
-                // May break for those in Québec given the assumption of QST
-                if (State?.Contains("bec") ?? false)
-                {
-                    return "ca_qst";
-                }
-                return "ca_bn";
-            case "CH":
-                return "ch_vat";
-            case "CL":
-                return "cl_tin";
-            case "CN":
-                return "cn_tin";
-            case "CO":
-                return "co_nit";
-            case "CR":
-                return "cr_tin";
-            case "DO":
-                return "do_rcn";
-            case "EC":
-                return "ec_ruc";
-            case "EG":
-                return "eg_tin";
-            case "GE":
-                return "ge_vat";
-            case "ID":
-                return "id_npwp";
-            case "IL":
-                return "il_vat";
-            case "IS":
-                return "is_vat";
-            case "KE":
-                return "ke_pin";
-            case "AT":
-            case "BE":
-            case "BG":
-            case "CY":
-            case "CZ":
-            case "DE":
-            case "DK":
-            case "EE":
-            case "ES":
-            case "FI":
-            case "FR":
-            case "GB":
-            case "GR":
-            case "HR":
-            case "HU":
-            case "IE":
-            case "IT":
-            case "LT":
-            case "LU":
-            case "LV":
-            case "MT":
-            case "NL":
-            case "PL":
-            case "PT":
-            case "RO":
-            case "SE":
-            case "SI":
-            case "SK":
-                return "eu_vat";
-            case "HK":
-                return "hk_br";
-            case "IN":
-                return "in_gst";
-            case "JP":
-                return "jp_cn";
-            case "KR":
-                return "kr_brn";
-            case "LI":
-                return "li_uid";
-            case "MX":
-                return "mx_rfc";
-            case "MY":
-                return "my_sst";
-            case "NO":
-                return "no_vat";
-            case "NZ":
-                return "nz_gst";
-            case "PE":
-                return "pe_ruc";
-            case "PH":
-                return "ph_tin";
-            case "RS":
-                return "rs_pib";
-            case "RU":
-                return "ru_inn";
-            case "SA":
-                return "sa_vat";
-            case "SG":
-                return "sg_gst";
-            case "SV":
-                return "sv_nit";
-            case "TH":
-                return "th_vat";
-            case "TR":
-                return "tr_tin";
-            case "TW":
-                return "tw_vat";
-            case "UA":
-                return "ua_vat";
-            case "US":
-                return "us_ein";
-            case "UY":
-                return "uy_ruc";
-            case "VE":
-                return "ve_rif";
-            case "VN":
-                return "vn_tin";
-            case "ZA":
-                return "za_vat";
-            default:
-                return null;
-        }
-    }
 }
diff --git a/src/Core/Billing/Services/ITaxService.cs b/src/Core/Billing/Services/ITaxService.cs
new file mode 100644
index 0000000000..beee113d17
--- /dev/null
+++ b/src/Core/Billing/Services/ITaxService.cs
@@ -0,0 +1,22 @@
+namespace Bit.Core.Billing.Services;
+
+public interface ITaxService
+{
+    /// <summary>
+    /// Retrieves the Stripe tax code for a given country and tax ID.
+    /// </summary>
+    /// <param name="country"></param>
+    /// <param name="taxId"></param>
+    /// <returns>
+    /// Returns the Stripe tax code if the tax ID is valid for the country.
+    /// Returns null if the tax ID is invalid or the country is not supported.
+    /// </returns>
+    string GetStripeTaxCode(string country, string taxId);
+
+    /// <summary>
+    /// Returns true or false whether charging or storing tax is supported for the given country.
+    /// </summary>
+    /// <param name="country"></param>
+    /// <returns></returns>
+    bool IsSupported(string country);
+}
diff --git a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
index 6d9c275444..8114d5ba65 100644
--- a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
@@ -28,7 +28,8 @@ public class OrganizationBillingService(
     IOrganizationRepository organizationRepository,
     ISetupIntentCache setupIntentCache,
     IStripeAdapter stripeAdapter,
-    ISubscriberService subscriberService) : IOrganizationBillingService
+    ISubscriberService subscriberService,
+    ITaxService taxService) : IOrganizationBillingService
 {
     public async Task Finalize(OrganizationSale sale)
     {
@@ -173,14 +174,38 @@ public class OrganizationBillingService(
                 throw new BillingException();
             }
 
-            var (address, taxIdData) = customerSetup.TaxInformation.GetStripeOptions();
-
-            customerCreateOptions.Address = address;
+            customerCreateOptions.Address = new AddressOptions
+            {
+                Line1 = customerSetup.TaxInformation.Line1,
+                Line2 = customerSetup.TaxInformation.Line2,
+                City = customerSetup.TaxInformation.City,
+                PostalCode = customerSetup.TaxInformation.PostalCode,
+                State = customerSetup.TaxInformation.State,
+                Country = customerSetup.TaxInformation.Country,
+            };
             customerCreateOptions.Tax = new CustomerTaxOptions
             {
                 ValidateLocation = StripeConstants.ValidateTaxLocationTiming.Immediately
             };
-            customerCreateOptions.TaxIdData = taxIdData;
+
+            if (!string.IsNullOrEmpty(customerSetup.TaxInformation.TaxId))
+            {
+                var taxIdType = taxService.GetStripeTaxCode(customerSetup.TaxInformation.Country,
+                    customerSetup.TaxInformation.TaxId);
+
+                if (taxIdType == null)
+                {
+                    logger.LogWarning("Could not determine tax ID type for organization '{OrganizationID}' in country '{Country}' with tax ID '{TaxID}'.",
+                        organization.Id,
+                        customerSetup.TaxInformation.Country,
+                        customerSetup.TaxInformation.TaxId);
+                }
+
+                customerCreateOptions.TaxIdData =
+                [
+                    new() { Type = taxIdType, Value = customerSetup.TaxInformation.TaxId }
+                ];
+            }
 
             var (paymentMethodType, paymentMethodToken) = customerSetup.TokenizedPaymentSource;
 
diff --git a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
index 92c81dae1c..306ee88eaf 100644
--- a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
@@ -82,13 +82,19 @@ public class PremiumUserBillingService(
             throw new BillingException();
         }
 
-        var (address, taxIdData) = customerSetup.TaxInformation.GetStripeOptions();
-
         var subscriberName = user.SubscriberName();
 
         var customerCreateOptions = new CustomerCreateOptions
         {
-            Address = address,
+            Address = new AddressOptions
+            {
+                Line1 = customerSetup.TaxInformation.Line1,
+                Line2 = customerSetup.TaxInformation.Line2,
+                City = customerSetup.TaxInformation.City,
+                PostalCode = customerSetup.TaxInformation.PostalCode,
+                State = customerSetup.TaxInformation.State,
+                Country = customerSetup.TaxInformation.Country,
+            },
             Description = user.Name,
             Email = user.Email,
             Expand = ["tax"],
@@ -113,8 +119,7 @@ public class PremiumUserBillingService(
             Tax = new CustomerTaxOptions
             {
                 ValidateLocation = StripeConstants.ValidateTaxLocationTiming.Immediately
-            },
-            TaxIdData = taxIdData
+            }
         };
 
         var (paymentMethodType, paymentMethodToken) = customerSetup.TokenizedPaymentSource;
diff --git a/src/Core/Billing/Services/Implementations/SubscriberService.cs b/src/Core/Billing/Services/Implementations/SubscriberService.cs
index 9b8f64be82..b2dca19e80 100644
--- a/src/Core/Billing/Services/Implementations/SubscriberService.cs
+++ b/src/Core/Billing/Services/Implementations/SubscriberService.cs
@@ -23,7 +23,8 @@ public class SubscriberService(
     IGlobalSettings globalSettings,
     ILogger<SubscriberService> logger,
     ISetupIntentCache setupIntentCache,
-    IStripeAdapter stripeAdapter) : ISubscriberService
+    IStripeAdapter stripeAdapter,
+    ITaxService taxService) : ISubscriberService
 {
     public async Task CancelSubscription(
         ISubscriber subscriber,
@@ -609,25 +610,54 @@ public class SubscriberService(
             }
         });
 
-        if (!subscriber.IsUser())
+        var taxId = customer.TaxIds?.FirstOrDefault();
+
+        if (taxId != null)
         {
-            var taxId = customer.TaxIds?.FirstOrDefault();
+            await stripeAdapter.TaxIdDeleteAsync(customer.Id, taxId.Id);
+        }
 
-            if (taxId != null)
+        if (string.IsNullOrWhiteSpace(taxInformation.TaxId))
+        {
+            return;
+        }
+
+        var taxIdType = taxInformation.TaxIdType;
+        if (string.IsNullOrWhiteSpace(taxIdType))
+        {
+            taxIdType = taxService.GetStripeTaxCode(taxInformation.Country,
+                taxInformation.TaxId);
+
+            if (taxIdType == null)
             {
-                await stripeAdapter.TaxIdDeleteAsync(customer.Id, taxId.Id);
+                logger.LogWarning("Could not infer tax ID type in country '{Country}' with tax ID '{TaxID}'.",
+                    taxInformation.Country,
+                    taxInformation.TaxId);
+                throw new Exceptions.BadRequestException("billingTaxIdTypeInferenceError");
             }
+        }
 
-            var taxIdType = taxInformation.GetTaxIdType();
-
-            if (!string.IsNullOrWhiteSpace(taxInformation.TaxId) &&
-                !string.IsNullOrWhiteSpace(taxIdType))
+        try
+        {
+            await stripeAdapter.TaxIdCreateAsync(customer.Id,
+                new TaxIdCreateOptions { Type = taxIdType, Value = taxInformation.TaxId });
+        }
+        catch (StripeException e)
+        {
+            switch (e.StripeError.Code)
             {
-                await stripeAdapter.TaxIdCreateAsync(customer.Id, new TaxIdCreateOptions
-                {
-                    Type = taxIdType,
-                    Value = taxInformation.TaxId,
-                });
+                case StripeConstants.ErrorCodes.TaxIdInvalid:
+                    logger.LogWarning("Invalid tax ID '{TaxID}' for country '{Country}'.",
+                        taxInformation.TaxId,
+                        taxInformation.Country);
+                    throw new Exceptions.BadRequestException("billingInvalidTaxIdError");
+                default:
+                    logger.LogError(e,
+                        "Error creating tax ID '{TaxId}' in country '{Country}' for customer '{CustomerID}'.",
+                        taxInformation.TaxId,
+                        taxInformation.Country,
+                        customer.Id);
+                    throw new Exceptions.BadRequestException("billingTaxIdCreationError");
             }
         }
 
@@ -636,8 +666,7 @@ public class SubscriberService(
             await stripeAdapter.SubscriptionUpdateAsync(subscriber.GatewaySubscriptionId,
                 new SubscriptionUpdateOptions
                 {
-                    AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true },
-                    DefaultTaxRates = []
+                    AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
                 });
         }
 
@@ -770,6 +799,7 @@ public class SubscriberService(
             customer.Address.Country,
             customer.Address.PostalCode,
             customer.TaxIds?.FirstOrDefault()?.Value,
+            customer.TaxIds?.FirstOrDefault()?.Type,
             customer.Address.Line1,
             customer.Address.Line2,
             customer.Address.City,
diff --git a/src/Core/Billing/Services/TaxService.cs b/src/Core/Billing/Services/TaxService.cs
new file mode 100644
index 0000000000..3066be92d1
--- /dev/null
+++ b/src/Core/Billing/Services/TaxService.cs
@@ -0,0 +1,901 @@
+using System.Text.RegularExpressions;
+using Bit.Core.Billing.Models;
+
+namespace Bit.Core.Billing.Services;
+
+public class TaxService : ITaxService
+{
+    /// <summary>
+    /// Retrieves a list of supported tax ID types for customers.
+    /// </summary>
+    /// <remarks>Compiled list from <see href="https://docs.stripe.com/billing/customer/tax-ids">Stripe</see></remarks>
+    private static readonly IEnumerable<TaxIdType> _taxIdTypes =
+    [
+        new()
+        {
+            Country = "AD",
+            Code = "ad_nrt",
+            Description = "Andorran NRT number",
+            Example = "A-123456-Z",
+            ValidationExpression = new Regex("^([A-Z]{1})-?([0-9]{6})-?([A-Z]{1})$")
+        },
+        new()
+        {
+            Country = "AR",
+            Code = "ar_cuit",
+            Description = "Argentinian tax ID number",
+            Example = "12-34567890-1",
+            ValidationExpression = new Regex("^([0-9]{2})-?([0-9]{8})-?([0-9]{1})$")
+        },
+        new()
+        {
+            Country = "AU",
+            Code = "au_abn",
+            Description = "Australian Business Number (AU ABN)",
+            Example = "123456789012",
+            ValidationExpression = new Regex("^[0-9]{11}$")
+        },
+        new()
+        {
+            Country = "AU",
+            Code = "au_arn",
+            Description = "Australian Taxation Office Reference Number",
+            Example = "123456789123",
+            ValidationExpression = new Regex("^[0-9]{12}$")
+        },
+        new()
+        {
+            Country = "AT",
+            Code = "eu_vat",
+            Description = "European VAT number (Austria)",
+            Example = "ATU12345678",
+            ValidationExpression = new Regex("^ATU[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "BH",
+            Code = "bh_vat",
+            Description = "Bahraini VAT Number",
+            Example = "123456789012345",
+            ValidationExpression = new Regex("^[0-9]{15}$")
+        },
+        new()
+        {
+            Country = "BY",
+            Code = "by_tin",
+            Description = "Belarus TIN Number",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "BE",
+            Code = "eu_vat",
+            Description = "European VAT number (Belgium)",
+            Example = "BE0123456789",
+            ValidationExpression = new Regex("^BE[0-9]{10}$")
+        },
+        new()
+        {
+            Country = "BO",
+            Code = "bo_tin",
+            Description = "Bolivian tax ID",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "BR",
+            Code = "br_cnpj",
+            Description = "Brazilian CNPJ number",
+            Example = "01.234.456/5432-10",
+            ValidationExpression = new Regex("^[0-9]{2}.?[0-9]{3}.?[0-9]{3}/?[0-9]{4}-?[0-9]{2}$")
+        },
+        new()
+        {
+            Country = "BR",
+            Code = "br_cpf",
+            Description = "Brazilian CPF number",
+            Example = "123.456.789-87",
+            ValidationExpression = new Regex("^[0-9]{3}.?[0-9]{3}.?[0-9]{3}-?[0-9]{2}$")
+        },
+        new()
+        {
+            Country = "BG",
+            Code = "bg_uic",
+            Description = "Bulgaria Unified Identification Code",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "BG",
+            Code = "eu_vat",
+            Description = "European VAT number (Bulgaria)",
+            Example = "BG0123456789",
+            ValidationExpression = new Regex("^BG[0-9]{9,10}$")
+        },
+        new()
+        {
+            Country = "CA",
+            Code = "ca_bn",
+            Description = "Canadian BN",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "CA",
+            Code = "ca_gst_hst",
+            Description = "Canadian GST/HST number",
+            Example = "123456789RT0002",
+            ValidationExpression = new Regex("^[0-9]{9}RT[0-9]{4}$")
+        },
+        new()
+        {
+            Country = "CA",
+            Code = "ca_pst_bc",
+            Description = "Canadian PST number (British Columbia)",
+            Example = "PST-1234-5678",
+            ValidationExpression = new Regex("^PST-[0-9]{4}-[0-9]{4}$")
+        },
+        new()
+        {
+            Country = "CA",
+            Code = "ca_pst_mb",
+            Description = "Canadian PST number (Manitoba)",
+            Example = "123456-7",
+            ValidationExpression = new Regex("^[0-9]{6}-[0-9]{1}$")
+        },
+        new()
+        {
+            Country = "CA",
+            Code = "ca_pst_sk",
+            Description = "Canadian PST number (Saskatchewan)",
+            Example = "1234567",
+            ValidationExpression = new Regex("^[0-9]{7}$")
+        },
+        new()
+        {
+            Country = "CA",
+            Code = "ca_qst",
+            Description = "Canadian QST number (Québec)",
+            Example = "1234567890TQ1234",
+            ValidationExpression = new Regex("^[0-9]{10}TQ[0-9]{4}$")
+        },
+        new()
+        {
+            Country = "CL",
+            Code = "cl_tin",
+            Description = "Chilean TIN",
+            Example = "12.345.678-K",
+            ValidationExpression = new Regex("^[0-9]{2}.?[0-9]{3}.?[0-9]{3}-?[0-9A-Z]{1}$")
+        },
+        new()
+        {
+            Country = "CN",
+            Code = "cn_tin",
+            Description = "Chinese tax ID",
+            Example = "123456789012345678",
+            ValidationExpression = new Regex("^[0-9]{15,18}$")
+        },
+        new()
+        {
+            Country = "CO",
+            Code = "co_nit",
+            Description = "Colombian NIT number",
+            Example = "123.456.789-0",
+            ValidationExpression = new Regex("^[0-9]{3}.?[0-9]{3}.?[0-9]{3}-?[0-9]{1}$")
+        },
+        new()
+        {
+            Country = "CR",
+            Code = "cr_tin",
+            Description = "Costa Rican tax ID",
+            Example = "1-234-567890",
+            ValidationExpression = new Regex("^[0-9]{1}-?[0-9]{3}-?[0-9]{6}$")
+        },
+        new()
+        {
+            Country = "HR",
+            Code = "eu_vat",
+            Description = "European VAT number (Croatia)",
+            Example = "HR12345678912",
+            ValidationExpression = new Regex("^HR[0-9]{11}$")
+        },
+        new()
+        {
+            Country = "HR",
+            Code = "hr_oib",
+            Description = "Croatian Personal Identification Number",
+            Example = "12345678901",
+            ValidationExpression = new Regex("^[0-9]{11}$")
+        },
+        new()
+        {
+            Country = "CY",
+            Code = "eu_vat",
+            Description = "European VAT number (Cyprus)",
+            Example = "CY12345678X",
+            ValidationExpression = new Regex("^CY[0-9]{8}[A-Z]{1}$")
+        },
+        new()
+        {
+            Country = "CZ",
+            Code = "eu_vat",
+            Description = "European VAT number (Czech Republic)",
+            Example = "CZ12345678",
+            ValidationExpression = new Regex("^CZ[0-9]{8,10}$")
+        },
+        new()
+        {
+            Country = "DK",
+            Code = "eu_vat",
+            Description = "European VAT number (Denmark)",
+            Example = "DK12345678",
+            ValidationExpression = new Regex("^DK[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "DO",
+            Code = "do_rcn",
+            Description = "Dominican RCN number",
+            Example = "123-4567890-1",
+            ValidationExpression = new Regex("^[0-9]{3}-?[0-9]{7}-?[0-9]{1}$")
+        },
+        new()
+        {
+            Country = "EC",
+            Code = "ec_ruc",
+            Description = "Ecuadorian RUC number",
+            Example = "1234567890001",
+            ValidationExpression = new Regex("^[0-9]{13}$")
+        },
+        new()
+        {
+            Country = "EG",
+            Code = "eg_tin",
+            Description = "Egyptian Tax Identification Number",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+
+        new()
+        {
+            Country = "SV",
+            Code = "sv_nit",
+            Description = "El Salvadorian NIT number",
+            Example = "1234-567890-123-4",
+            ValidationExpression = new Regex("^[0-9]{4}-?[0-9]{6}-?[0-9]{3}-?[0-9]{1}$")
+        },
+
+        new()
+        {
+            Country = "EE",
+            Code = "eu_vat",
+            Description = "European VAT number (Estonia)",
+            Example = "EE123456789",
+            ValidationExpression = new Regex("^EE[0-9]{9}$")
+        },
+
+        new()
+        {
+            Country = "EU",
+            Code = "eu_oss_vat",
+            Description = "European One Stop Shop VAT number for non-Union scheme",
+            Example = "EU123456789",
+            ValidationExpression = new Regex("^EU[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "FI",
+            Code = "eu_vat",
+            Description = "European VAT number (Finland)",
+            Example = "FI12345678",
+            ValidationExpression = new Regex("^FI[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "FR",
+            Code = "eu_vat",
+            Description = "European VAT number (France)",
+            Example = "FR12345678901",
+            ValidationExpression = new Regex("^FR[0-9A-Z]{2}[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "GE",
+            Code = "ge_vat",
+            Description = "Georgian VAT",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "DE",
+            Code = "de_stn",
+            Description = "German Tax Number (Steuernummer)",
+            Example = "1234567890",
+            ValidationExpression = new Regex("^[0-9]{10}$")
+        },
+        new()
+        {
+            Country = "DE",
+            Code = "eu_vat",
+            Description = "European VAT number (Germany)",
+            Example = "DE123456789",
+            ValidationExpression = new Regex("^DE[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "GR",
+            Code = "eu_vat",
+            Description = "European VAT number (Greece)",
+            Example = "EL123456789",
+            ValidationExpression = new Regex("^EL[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "HK",
+            Code = "hk_br",
+            Description = "Hong Kong BR number",
+            Example = "12345678",
+            ValidationExpression = new Regex("^[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "HU",
+            Code = "eu_vat",
+            Description = "European VAT number (Hungaria)",
+            Example = "HU12345678",
+            ValidationExpression = new Regex("^HU[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "HU",
+            Code = "hu_tin",
+            Description = "Hungary tax number (adószám)",
+            Example = "12345678-1-23",
+            ValidationExpression = new Regex("^[0-9]{8}-?[0-9]-?[0-9]{2}$")
+        },
+        new()
+        {
+            Country = "IS",
+            Code = "is_vat",
+            Description = "Icelandic VAT",
+            Example = "123456",
+            ValidationExpression = new Regex("^[0-9]{6}$")
+        },
+        new()
+        {
+            Country = "IN",
+            Code = "in_gst",
+            Description = "Indian GST number",
+            Example = "12ABCDE3456FGZH",
+            ValidationExpression = new Regex("^[0-9]{2}[A-Z]{5}[0-9]{4}[A-Z]{1}[1-9A-Z]{1}Z[0-9A-Z]{1}$")
+        },
+        new()
+        {
+            Country = "ID",
+            Code = "id_npwp",
+            Description = "Indonesian NPWP number",
+            Example = "012.345.678.9-012.345",
+            ValidationExpression = new Regex("^[0-9]{3}.?[0-9]{3}.?[0-9]{3}.?[0-9]{1}-?[0-9]{3}.?[0-9]{3}$")
+        },
+        new()
+        {
+            Country = "IE",
+            Code = "eu_vat",
+            Description = "European VAT number (Ireland)",
+            Example = "IE1234567AB",
+            ValidationExpression = new Regex("^IE[0-9]{7}[A-Z]{1,2}$")
+        },
+        new()
+        {
+            Country = "IL",
+            Code = "il_vat",
+            Description = "Israel VAT",
+            Example = "000012345",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "IT",
+            Code = "eu_vat",
+            Description = "European VAT number (Italy)",
+            Example = "IT12345678912",
+            ValidationExpression = new Regex("^IT[0-9]{11}$")
+        },
+        new()
+        {
+            Country = "JP",
+            Code = "jp_cn",
+            Description = "Japanese Corporate Number (*Hōjin Bangō*)",
+            Example = "1234567891234",
+            ValidationExpression = new Regex("^[0-9]{13}$")
+        },
+        new()
+        {
+            Country = "JP",
+            Code = "jp_rn",
+            Description =
+                "Japanese Registered Foreign Businesses' Registration Number (*Tōroku Kokugai Jigyōsha no Tōroku Bangō*)",
+            Example = "12345",
+            ValidationExpression = new Regex("^[0-9]{5}$")
+        },
+        new()
+        {
+            Country = "JP",
+            Code = "jp_trn",
+            Description = "Japanese Tax Registration Number (*Tōroku Bangō*)",
+            Example = "T1234567891234",
+            ValidationExpression = new Regex("^T[0-9]{13}$")
+        },
+        new()
+        {
+            Country = "KZ",
+            Code = "kz_bin",
+            Description = "Kazakhstani Business Identification Number",
+            Example = "123456789012",
+            ValidationExpression = new Regex("^[0-9]{12}$")
+        },
+        new()
+        {
+            Country = "KE",
+            Code = "ke_pin",
+            Description = "Kenya Revenue Authority Personal Identification Number",
+            Example = "P000111111A",
+            ValidationExpression = new Regex("^[A-Z]{1}[0-9]{9}[A-Z]{1}$")
+        },
+        new()
+        {
+            Country = "LV",
+            Code = "eu_vat",
+            Description = "European VAT number",
+            Example = "LV12345678912",
+            ValidationExpression = new Regex("^LV[0-9]{11}$")
+        },
+        new()
+        {
+            Country = "LI",
+            Code = "li_uid",
+            Description = "Liechtensteinian UID number",
+            Example = "CHE123456789",
+            ValidationExpression = new Regex("^CHE[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "LI",
+            Code = "li_vat",
+            Description = "Liechtensteinian VAT number",
+            Example = "12345",
+            ValidationExpression = new Regex("^[0-9]{5}$")
+        },
+        new()
+        {
+            Country = "LT",
+            Code = "eu_vat",
+            Description = "European VAT number (Lithuania)",
+            Example = "LT123456789123",
+            ValidationExpression = new Regex("^LT[0-9]{9,12}$")
+        },
+        new()
+        {
+            Country = "LU",
+            Code = "eu_vat",
+            Description = "European VAT number (Luxembourg)",
+            Example = "LU12345678",
+            ValidationExpression = new Regex("^LU[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "MY",
+            Code = "my_frp",
+            Description = "Malaysian FRP number",
+            Example = "12345678",
+            ValidationExpression = new Regex("^[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "MY",
+            Code = "my_itn",
+            Description = "Malaysian ITN",
+            Example = "C 1234567890",
+            ValidationExpression = new Regex("^[A-Z]{1} ?[0-9]{10}$")
+        },
+        new()
+        {
+            Country = "MY",
+            Code = "my_sst",
+            Description = "Malaysian SST number",
+            Example = "A12-3456-78912345",
+            ValidationExpression = new Regex("^[A-Z]{1}[0-9]{2}-?[0-9]{4}-?[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "MT",
+            Code = "eu_vat",
+            Description = "European VAT number (Malta)",
+            Example = "MT12345678",
+            ValidationExpression = new Regex("^MT[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "MX",
+            Code = "mx_rfc",
+            Description = "Mexican RFC number",
+            Example = "ABC010203AB9",
+            ValidationExpression = new Regex("^[A-Z]{3}[0-9]{6}[A-Z0-9]{3}$")
+        },
+        new()
+        {
+            Country = "MD",
+            Code = "md_vat",
+            Description = "Moldova VAT Number",
+            Example = "1234567",
+            ValidationExpression = new Regex("^[0-9]{7}$")
+        },
+        new()
+        {
+            Country = "MA",
+            Code = "ma_vat",
+            Description = "Morocco VAT Number",
+            Example = "12345678",
+            ValidationExpression = new Regex("^[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "NL",
+            Code = "eu_vat",
+            Description = "European VAT number (Netherlands)",
+            Example = "NL123456789B12",
+            ValidationExpression = new Regex("^NL[0-9]{9}B[0-9]{2}$")
+        },
+        new()
+        {
+            Country = "NZ",
+            Code = "nz_gst",
+            Description = "New Zealand GST number",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "NG",
+            Code = "ng_tin",
+            Description = "Nigerian TIN Number",
+            Example = "12345678-0001",
+            ValidationExpression = new Regex("^[0-9]{8}-[0-9]{4}$")
+        },
+        new()
+        {
+            Country = "NO",
+            Code = "no_vat",
+            Description = "Norwegian VAT number",
+            Example = "123456789MVA",
+            ValidationExpression = new Regex("^[0-9]{9}MVA$")
+        },
+        new()
+        {
+            Country = "NO",
+            Code = "no_voec",
+            Description = "Norwegian VAT on e-commerce number",
+            Example = "1234567",
+            ValidationExpression = new Regex("^[0-9]{7}$")
+        },
+        new()
+        {
+            Country = "OM",
+            Code = "om_vat",
+            Description = "Omani VAT Number",
+            Example = "OM1234567890",
+            ValidationExpression = new Regex("^OM[0-9]{10}$")
+        },
+        new()
+        {
+            Country = "PE",
+            Code = "pe_ruc",
+            Description = "Peruvian RUC number",
+            Example = "12345678901",
+            ValidationExpression = new Regex("^[0-9]{11}$")
+        },
+        new()
+        {
+            Country = "PH",
+            Code = "ph_tin",
+            Description = "Philippines Tax Identification Number",
+            Example = "123456789012",
+            ValidationExpression = new Regex("^[0-9]{12}$")
+        },
+        new()
+        {
+            Country = "PL",
+            Code = "eu_vat",
+            Description = "European VAT number (Poland)",
+            Example = "PL1234567890",
+            ValidationExpression = new Regex("^PL[0-9]{10}$")
+        },
+        new()
+        {
+            Country = "PT",
+            Code = "eu_vat",
+            Description = "European VAT number (Portugal)",
+            Example = "PT123456789",
+            ValidationExpression = new Regex("^PT[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "RO",
+            Code = "eu_vat",
+            Description = "European VAT number (Romania)",
+            Example = "RO1234567891",
+            ValidationExpression = new Regex("^RO[0-9]{2,10}$")
+        },
+        new()
+        {
+            Country = "RO",
+            Code = "ro_tin",
+            Description = "Romanian tax ID number",
+            Example = "1234567890123",
+            ValidationExpression = new Regex("^[0-9]{13}$")
+        },
+        new()
+        {
+            Country = "RU",
+            Code = "ru_inn",
+            Description = "Russian INN",
+            Example = "1234567891",
+            ValidationExpression = new Regex("^[0-9]{10,12}$")
+        },
+        new()
+        {
+            Country = "RU",
+            Code = "ru_kpp",
+            Description = "Russian KPP",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "SA",
+            Code = "sa_vat",
+            Description = "Saudi Arabia VAT",
+            Example = "123456789012345",
+            ValidationExpression = new Regex("^[0-9]{15}$")
+        },
+        new()
+        {
+            Country = "RS",
+            Code = "rs_pib",
+            Description = "Serbian PIB number",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "SG",
+            Code = "sg_gst",
+            Description = "Singaporean GST",
+            Example = "M12345678X",
+            ValidationExpression = new Regex("^[A-Z]{1}[0-9]{8}[A-Z]{1}$")
+        },
+        new()
+        {
+            Country = "SG",
+            Code = "sg_uen",
+            Description = "Singaporean UEN",
+            Example = "123456789F",
+            ValidationExpression = new Regex("^[0-9]{9}[A-Z]{1}$")
+        },
+        new()
+        {
+            Country = "SK",
+            Code = "eu_vat",
+            Description = "European VAT number (Slovakia)",
+            Example = "SK1234567891",
+            ValidationExpression = new Regex("^SK[0-9]{10}$")
+        },
+        new()
+        {
+            Country = "SI",
+            Code = "eu_vat",
+            Description = "European VAT number (Slovenia)",
+            Example = "SI12345678",
+            ValidationExpression = new Regex("^SI[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "SI",
+            Code = "si_tin",
+            Description = "Slovenia tax number (davčna številka)",
+            Example = "12345678",
+            ValidationExpression = new Regex("^[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "ZA",
+            Code = "za_vat",
+            Description = "South African VAT number",
+            Example = "4123456789",
+            ValidationExpression = new Regex("^[0-9]{10}$")
+        },
+        new()
+        {
+            Country = "KR",
+            Code = "kr_brn",
+            Description = "Korean BRN",
+            Example = "123-45-67890",
+            ValidationExpression = new Regex("^[0-9]{3}-?[0-9]{2}-?[0-9]{5}$")
+        },
+        new()
+        {
+            Country = "ES",
+            Code = "es_cif",
+            Description = "Spanish NIF/CIF number",
+            Example = "A12345678",
+            ValidationExpression = new Regex("^[A-Z]{1}[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "ES",
+            Code = "eu_vat",
+            Description = "European VAT number (Spain)",
+            Example = "ESA1234567Z",
+            ValidationExpression = new Regex("^ES[A-Z]{1}[0-9]{7}[A-Z]{1}$")
+        },
+        new()
+        {
+            Country = "SE",
+            Code = "eu_vat",
+            Description = "European VAT number (Sweden)",
+            Example = "SE123456789123",
+            ValidationExpression = new Regex("^SE[0-9]{12}$")
+        },
+        new()
+        {
+            Country = "CH",
+            Code = "ch_uid",
+            Description = "Switzerland UID number",
+            Example = "CHE-123.456.789 HR",
+            ValidationExpression = new Regex("^CHE-?[0-9]{3}.?[0-9]{3}.?[0-9]{3} ?HR$")
+        },
+        new()
+        {
+            Country = "CH",
+            Code = "ch_vat",
+            Description = "Switzerland VAT number",
+            Example = "CHE-123.456.789 MWST",
+            ValidationExpression = new Regex("^CHE-?[0-9]{3}.?[0-9]{3}.?[0-9]{3} ?MWST$")
+        },
+        new()
+        {
+            Country = "TW",
+            Code = "tw_vat",
+            Description = "Taiwanese VAT",
+            Example = "12345678",
+            ValidationExpression = new Regex("^[0-9]{8}$")
+        },
+        new()
+        {
+            Country = "TZ",
+            Code = "tz_vat",
+            Description = "Tanzania VAT Number",
+            Example = "12345678A",
+            ValidationExpression = new Regex("^[0-9]{8}[A-Z]{1}$")
+        },
+        new()
+        {
+            Country = "TH",
+            Code = "th_vat",
+            Description = "Thai VAT",
+            Example = "1234567891234",
+            ValidationExpression = new Regex("^[0-9]{13}$")
+        },
+        new()
+        {
+            Country = "TR",
+            Code = "tr_tin",
+            Description = "Turkish TIN Number",
+            Example = "0123456789",
+            ValidationExpression = new Regex("^[0-9]{10}$")
+        },
+        new()
+        {
+            Country = "UA",
+            Code = "ua_vat",
+            Description = "Ukrainian VAT",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "AE",
+            Code = "ae_trn",
+            Description = "United Arab Emirates TRN",
+            Example = "123456789012345",
+            ValidationExpression = new Regex("^[0-9]{15}$")
+        },
+        new()
+        {
+            Country = "GB",
+            Code = "eu_vat",
+            Description = "Northern Ireland VAT number",
+            Example = "XI123456789",
+            ValidationExpression = new Regex("^XI[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "GB",
+            Code = "gb_vat",
+            Description = "United Kingdom VAT number",
+            Example = "GB123456789",
+            ValidationExpression = new Regex("^GB[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "US",
+            Code = "us_ein",
+            Description = "United States EIN",
+            Example = "12-3456789",
+            ValidationExpression = new Regex("^[0-9]{2}-?[0-9]{7}$")
+        },
+        new()
+        {
+            Country = "UY",
+            Code = "uy_ruc",
+            Description = "Uruguayan RUC number",
+            Example = "123456789012",
+            ValidationExpression = new Regex("^[0-9]{12}$")
+        },
+        new()
+        {
+            Country = "UZ",
+            Code = "uz_tin",
+            Description = "Uzbekistan TIN Number",
+            Example = "123456789",
+            ValidationExpression = new Regex("^[0-9]{9}$")
+        },
+        new()
+        {
+            Country = "UZ",
+            Code = "uz_vat",
+            Description = "Uzbekistan VAT Number",
+            Example = "123456789012",
+            ValidationExpression = new Regex("^[0-9]{12}$")
+        },
+        new()
+        {
+            Country = "VE",
+            Code = "ve_rif",
+            Description = "Venezuelan RIF number",
+            Example = "A-12345678-9",
+            ValidationExpression = new Regex("^[A-Z]{1}-?[0-9]{8}-?[0-9]{1}$")
+        },
+        new()
+        {
+            Country = "VN",
+            Code = "vn_tin",
+            Description = "Vietnamese tax ID number",
+            Example = "1234567890",
+            ValidationExpression = new Regex("^[0-9]{10}$")
+        }
+    ];
+
+    public string GetStripeTaxCode(string country, string taxId)
+    {
+        foreach (var taxIdType in _taxIdTypes.Where(x => x.Country == country))
+        {
+            if (taxIdType.ValidationExpression.IsMatch(taxId))
+            {
+                return taxIdType.Code;
+            }
+        }
+
+        return null;
+    }
+
+    public bool IsSupported(string country)
+    {
+        return _taxIdTypes.Any(x => x.Country == country);
+    }
+}
diff --git a/src/Core/Billing/Utilities.cs b/src/Core/Billing/Utilities.cs
index 28527af0c0..695a3b1bb4 100644
--- a/src/Core/Billing/Utilities.cs
+++ b/src/Core/Billing/Utilities.cs
@@ -83,6 +83,7 @@ public static class Utilities
             customer.Address.Country,
             customer.Address.PostalCode,
             customer.TaxIds?.FirstOrDefault()?.Value,
+            customer.TaxIds?.FirstOrDefault()?.Type,
             customer.Address.Line1,
             customer.Address.Line2,
             customer.Address.City,
diff --git a/src/Core/Models/Business/TaxInfo.cs b/src/Core/Models/Business/TaxInfo.cs
index 4424576ec9..b12c5229b3 100644
--- a/src/Core/Models/Business/TaxInfo.cs
+++ b/src/Core/Models/Business/TaxInfo.cs
@@ -2,18 +2,9 @@
 
 public class TaxInfo
 {
-    private string _taxIdNumber = null;
-    private string _taxIdType = null;
+    public string TaxIdNumber { get; set; }
+    public string TaxIdType { get; set; }
 
-    public string TaxIdNumber
-    {
-        get => _taxIdNumber;
-        set
-        {
-            _taxIdNumber = value;
-            _taxIdType = null;
-        }
-    }
     public string StripeTaxRateId { get; set; }
     public string BillingAddressLine1 { get; set; }
     public string BillingAddressLine2 { get; set; }
@@ -21,201 +12,6 @@ public class TaxInfo
     public string BillingAddressState { get; set; }
     public string BillingAddressPostalCode { get; set; }
     public string BillingAddressCountry { get; set; } = "US";
-    public string TaxIdType
-    {
-        get
-        {
-            if (string.IsNullOrWhiteSpace(BillingAddressCountry) ||
-                string.IsNullOrWhiteSpace(TaxIdNumber))
-            {
-                return null;
-            }
-            if (!string.IsNullOrWhiteSpace(_taxIdType))
-            {
-                return _taxIdType;
-            }
-
-            switch (BillingAddressCountry.ToUpper())
-            {
-                case "AD":
-                    _taxIdType = "ad_nrt";
-                    break;
-                case "AE":
-                    _taxIdType = "ae_trn";
-                    break;
-                case "AR":
-                    _taxIdType = "ar_cuit";
-                    break;
-                case "AU":
-                    _taxIdType = "au_abn";
-                    break;
-                case "BO":
-                    _taxIdType = "bo_tin";
-                    break;
-                case "BR":
-                    _taxIdType = "br_cnpj";
-                    break;
-                case "CA":
-                    // May break for those in Québec given the assumption of QST
-                    if (BillingAddressState?.Contains("bec") ?? false)
-                    {
-                        _taxIdType = "ca_qst";
-                        break;
-                    }
-                    _taxIdType = "ca_bn";
-                    break;
-                case "CH":
-                    _taxIdType = "ch_vat";
-                    break;
-                case "CL":
-                    _taxIdType = "cl_tin";
-                    break;
-                case "CN":
-                    _taxIdType = "cn_tin";
-                    break;
-                case "CO":
-                    _taxIdType = "co_nit";
-                    break;
-                case "CR":
-                    _taxIdType = "cr_tin";
-                    break;
-                case "DO":
-                    _taxIdType = "do_rcn";
-                    break;
-                case "EC":
-                    _taxIdType = "ec_ruc";
-                    break;
-                case "EG":
-                    _taxIdType = "eg_tin";
-                    break;
-                case "GE":
-                    _taxIdType = "ge_vat";
-                    break;
-                case "ID":
-                    _taxIdType = "id_npwp";
-                    break;
-                case "IL":
-                    _taxIdType = "il_vat";
-                    break;
-                case "IS":
-                    _taxIdType = "is_vat";
-                    break;
-                case "KE":
-                    _taxIdType = "ke_pin";
-                    break;
-                case "AT":
-                case "BE":
-                case "BG":
-                case "CY":
-                case "CZ":
-                case "DE":
-                case "DK":
-                case "EE":
-                case "ES":
-                case "FI":
-                case "FR":
-                case "GB":
-                case "GR":
-                case "HR":
-                case "HU":
-                case "IE":
-                case "IT":
-                case "LT":
-                case "LU":
-                case "LV":
-                case "MT":
-                case "NL":
-                case "PL":
-                case "PT":
-                case "RO":
-                case "SE":
-                case "SI":
-                case "SK":
-                    _taxIdType = "eu_vat";
-                    break;
-                case "HK":
-                    _taxIdType = "hk_br";
-                    break;
-                case "IN":
-                    _taxIdType = "in_gst";
-                    break;
-                case "JP":
-                    _taxIdType = "jp_cn";
-                    break;
-                case "KR":
-                    _taxIdType = "kr_brn";
-                    break;
-                case "LI":
-                    _taxIdType = "li_uid";
-                    break;
-                case "MX":
-                    _taxIdType = "mx_rfc";
-                    break;
-                case "MY":
-                    _taxIdType = "my_sst";
-                    break;
-                case "NO":
-                    _taxIdType = "no_vat";
-                    break;
-                case "NZ":
-                    _taxIdType = "nz_gst";
-                    break;
-                case "PE":
-                    _taxIdType = "pe_ruc";
-                    break;
-                case "PH":
-                    _taxIdType = "ph_tin";
-                    break;
-                case "RS":
-                    _taxIdType = "rs_pib";
-                    break;
-                case "RU":
-                    _taxIdType = "ru_inn";
-                    break;
-                case "SA":
-                    _taxIdType = "sa_vat";
-                    break;
-                case "SG":
-                    _taxIdType = "sg_gst";
-                    break;
-                case "SV":
-                    _taxIdType = "sv_nit";
-                    break;
-                case "TH":
-                    _taxIdType = "th_vat";
-                    break;
-                case "TR":
-                    _taxIdType = "tr_tin";
-                    break;
-                case "TW":
-                    _taxIdType = "tw_vat";
-                    break;
-                case "UA":
-                    _taxIdType = "ua_vat";
-                    break;
-                case "US":
-                    _taxIdType = "us_ein";
-                    break;
-                case "UY":
-                    _taxIdType = "uy_ruc";
-                    break;
-                case "VE":
-                    _taxIdType = "ve_rif";
-                    break;
-                case "VN":
-                    _taxIdType = "vn_tin";
-                    break;
-                case "ZA":
-                    _taxIdType = "za_vat";
-                    break;
-                default:
-                    _taxIdType = null;
-                    break;
-            }
-
-            return _taxIdType;
-        }
-    }
 
     public bool HasTaxId
     {
diff --git a/src/Core/Services/IPaymentService.cs b/src/Core/Services/IPaymentService.cs
index bf9d047029..7d0f9d3c63 100644
--- a/src/Core/Services/IPaymentService.cs
+++ b/src/Core/Services/IPaymentService.cs
@@ -1,6 +1,9 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.Billing.Models;
+using Bit.Core.Billing.Models.Api.Requests.Accounts;
+using Bit.Core.Billing.Models.Api.Requests.Organizations;
+using Bit.Core.Billing.Models.Api.Responses;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Business;
@@ -59,4 +62,7 @@ public interface IPaymentService
     Task<bool> RisksSubscriptionFailure(Organization organization);
     Task<bool> HasSecretsManagerStandalone(Organization organization);
     Task<(DateTime?, DateTime?)> GetSuspensionDateAsync(Stripe.Subscription subscription);
+    Task<PreviewInvoiceResponseModel> PreviewInvoiceAsync(PreviewIndividualInvoiceRequestBody parameters, string gatewayCustomerId, string gatewaySubscriptionId);
+    Task<PreviewInvoiceResponseModel> PreviewInvoiceAsync(PreviewOrganizationInvoiceRequestBody parameters, string gatewayCustomerId, string gatewaySubscriptionId);
+
 }
diff --git a/src/Core/Services/IStripeAdapter.cs b/src/Core/Services/IStripeAdapter.cs
index 30583ef0b3..ef2e3ab766 100644
--- a/src/Core/Services/IStripeAdapter.cs
+++ b/src/Core/Services/IStripeAdapter.cs
@@ -31,6 +31,7 @@ public interface IStripeAdapter
     Task<Stripe.Invoice> InvoiceUpcomingAsync(Stripe.UpcomingInvoiceOptions options);
     Task<Stripe.Invoice> InvoiceGetAsync(string id, Stripe.InvoiceGetOptions options);
     Task<List<Stripe.Invoice>> InvoiceListAsync(StripeInvoiceListOptions options);
+    Task<Stripe.Invoice> InvoiceCreatePreviewAsync(InvoiceCreatePreviewOptions options);
     Task<List<Stripe.Invoice>> InvoiceSearchAsync(InvoiceSearchOptions options);
     Task<Stripe.Invoice> InvoiceUpdateAsync(string id, Stripe.InvoiceUpdateOptions options);
     Task<Stripe.Invoice> InvoiceFinalizeInvoiceAsync(string id, Stripe.InvoiceFinalizeOptions options);
@@ -42,6 +43,7 @@ public interface IStripeAdapter
     IAsyncEnumerable<Stripe.PaymentMethod> PaymentMethodListAutoPagingAsync(Stripe.PaymentMethodListOptions options);
     Task<Stripe.PaymentMethod> PaymentMethodAttachAsync(string id, Stripe.PaymentMethodAttachOptions options = null);
     Task<Stripe.PaymentMethod> PaymentMethodDetachAsync(string id, Stripe.PaymentMethodDetachOptions options = null);
+    Task<Stripe.Plan> PlanGetAsync(string id, Stripe.PlanGetOptions options = null);
     Task<Stripe.TaxRate> TaxRateCreateAsync(Stripe.TaxRateCreateOptions options);
     Task<Stripe.TaxRate> TaxRateUpdateAsync(string id, Stripe.TaxRateUpdateOptions options);
     Task<Stripe.TaxId> TaxIdCreateAsync(string id, Stripe.TaxIdCreateOptions options);
diff --git a/src/Core/Services/Implementations/StripeAdapter.cs b/src/Core/Services/Implementations/StripeAdapter.cs
index 8d18331456..f4f8efe75f 100644
--- a/src/Core/Services/Implementations/StripeAdapter.cs
+++ b/src/Core/Services/Implementations/StripeAdapter.cs
@@ -15,6 +15,7 @@ public class StripeAdapter : IStripeAdapter
     private readonly Stripe.RefundService _refundService;
     private readonly Stripe.CardService _cardService;
     private readonly Stripe.BankAccountService _bankAccountService;
+    private readonly Stripe.PlanService _planService;
     private readonly Stripe.PriceService _priceService;
     private readonly Stripe.SetupIntentService _setupIntentService;
     private readonly Stripe.TestHelpers.TestClockService _testClockService;
@@ -33,6 +34,7 @@ public class StripeAdapter : IStripeAdapter
         _cardService = new Stripe.CardService();
         _bankAccountService = new Stripe.BankAccountService();
         _priceService = new Stripe.PriceService();
+        _planService = new Stripe.PlanService();
         _setupIntentService = new SetupIntentService();
         _testClockService = new Stripe.TestHelpers.TestClockService();
         _customerBalanceTransactionService = new CustomerBalanceTransactionService();
@@ -133,6 +135,11 @@ public class StripeAdapter : IStripeAdapter
         return invoices;
     }
 
+    public Task<Invoice> InvoiceCreatePreviewAsync(InvoiceCreatePreviewOptions options)
+    {
+        return _invoiceService.CreatePreviewAsync(options);
+    }
+
     public async Task<List<Stripe.Invoice>> InvoiceSearchAsync(InvoiceSearchOptions options)
         => (await _invoiceService.SearchAsync(options)).Data;
 
@@ -184,6 +191,11 @@ public class StripeAdapter : IStripeAdapter
         return _paymentMethodService.DetachAsync(id, options);
     }
 
+    public Task<Stripe.Plan> PlanGetAsync(string id, Stripe.PlanGetOptions options = null)
+    {
+        return _planService.GetAsync(id, options);
+    }
+
     public Task<Stripe.TaxRate> TaxRateCreateAsync(Stripe.TaxRateCreateOptions options)
     {
         return _taxRateService.CreateAsync(options);
diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
index 259a4eb757..ad8c7a599d 100644
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -1,8 +1,13 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.Billing.Constants;
+using Bit.Core.Billing.Extensions;
 using Bit.Core.Billing.Models;
+using Bit.Core.Billing.Models.Api.Requests.Accounts;
+using Bit.Core.Billing.Models.Api.Requests.Organizations;
+using Bit.Core.Billing.Models.Api.Responses;
 using Bit.Core.Billing.Models.Business;
+using Bit.Core.Billing.Services;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -32,6 +37,8 @@ public class StripePaymentService : IPaymentService
     private readonly IStripeAdapter _stripeAdapter;
     private readonly IGlobalSettings _globalSettings;
     private readonly IFeatureService _featureService;
+    private readonly ITaxService _taxService;
+    private readonly ISubscriberService _subscriberService;
 
     public StripePaymentService(
         ITransactionRepository transactionRepository,
@@ -40,7 +47,9 @@ public class StripePaymentService : IPaymentService
         IStripeAdapter stripeAdapter,
         Braintree.IBraintreeGateway braintreeGateway,
         IGlobalSettings globalSettings,
-        IFeatureService featureService)
+        IFeatureService featureService,
+        ITaxService taxService,
+        ISubscriberService subscriberService)
     {
         _transactionRepository = transactionRepository;
         _logger = logger;
@@ -49,6 +58,8 @@ public class StripePaymentService : IPaymentService
         _btGateway = braintreeGateway;
         _globalSettings = globalSettings;
         _featureService = featureService;
+        _taxService = taxService;
+        _subscriberService = subscriberService;
     }
 
     public async Task<string> PurchaseOrganizationAsync(Organization org, PaymentMethodType paymentMethodType,
@@ -112,6 +123,20 @@ public class StripePaymentService : IPaymentService
         Subscription subscription;
         try
         {
+            if (taxInfo.TaxIdNumber != null && taxInfo.TaxIdType == null)
+            {
+                taxInfo.TaxIdType = _taxService.GetStripeTaxCode(taxInfo.BillingAddressCountry,
+                    taxInfo.TaxIdNumber);
+
+                if (taxInfo.TaxIdType == null)
+                {
+                    _logger.LogWarning("Could not infer tax ID type in country '{Country}' with tax ID '{TaxID}'.",
+                        taxInfo.BillingAddressCountry,
+                        taxInfo.TaxIdNumber);
+                    throw new BadRequestException("billingTaxIdTypeInferenceError");
+                }
+            }
+
             var customerCreateOptions = new CustomerCreateOptions
             {
                 Description = org.DisplayBusinessName(),
@@ -146,12 +171,9 @@ public class StripePaymentService : IPaymentService
                     City = taxInfo?.BillingAddressCity,
                     State = taxInfo?.BillingAddressState,
                 },
-                TaxIdData = taxInfo?.HasTaxId != true
-                    ? null
-                    :
-                    [
-                        new CustomerTaxIdDataOptions { Type = taxInfo.TaxIdType, Value = taxInfo.TaxIdNumber, }
-                    ],
+                TaxIdData = taxInfo.HasTaxId
+                    ? [new CustomerTaxIdDataOptions { Type = taxInfo.TaxIdType, Value = taxInfo.TaxIdNumber }]
+                    : null
             };
 
             customerCreateOptions.AddExpand("tax");
@@ -1372,6 +1394,12 @@ public class StripePaymentService : IPaymentService
 
         try
         {
+            if (!string.IsNullOrWhiteSpace(taxInfo.TaxIdNumber))
+            {
+                taxInfo.TaxIdType = taxInfo.TaxIdType ??
+                                    _taxService.GetStripeTaxCode(taxInfo.BillingAddressCountry, taxInfo.TaxIdNumber);
+            }
+
             if (customer == null)
             {
                 customer = await _stripeAdapter.CustomerCreateAsync(new CustomerCreateOptions
@@ -1401,8 +1429,17 @@ public class StripePaymentService : IPaymentService
                         Line1 = taxInfo.BillingAddressLine1 ?? string.Empty,
                         Line2 = taxInfo.BillingAddressLine2,
                         City = taxInfo.BillingAddressCity,
-                        State = taxInfo.BillingAddressState,
+                        State = taxInfo.BillingAddressState
                     },
+                    TaxIdData = string.IsNullOrWhiteSpace(taxInfo.TaxIdNumber)
+                    ? []
+                    : [
+                        new CustomerTaxIdDataOptions
+                        {
+                            Type = taxInfo.TaxIdType,
+                            Value = taxInfo.TaxIdNumber
+                        }
+                    ],
                     Expand = ["sources", "tax", "subscriptions"],
                 });
 
@@ -1458,6 +1495,8 @@ public class StripePaymentService : IPaymentService
                     await _stripeAdapter.PaymentMethodDetachAsync(cardMethod.Id, new PaymentMethodDetachOptions());
                 }
 
+                await _subscriberService.UpdateTaxInformation(subscriber, TaxInformation.From(taxInfo));
+
                 customer = await _stripeAdapter.CustomerUpdateAsync(customer.Id, new CustomerUpdateOptions
                 {
                     Metadata = stripeCustomerMetadata,
@@ -1474,15 +1513,6 @@ public class StripePaymentService : IPaymentService
                             }
                         ]
                     },
-                    Address = taxInfo == null ? null : new AddressOptions
-                    {
-                        Country = taxInfo.BillingAddressCountry,
-                        PostalCode = taxInfo.BillingAddressPostalCode,
-                        Line1 = taxInfo.BillingAddressLine1 ?? string.Empty,
-                        Line2 = taxInfo.BillingAddressLine2,
-                        City = taxInfo.BillingAddressCity,
-                        State = taxInfo.BillingAddressState,
-                    },
                     Expand = ["tax", "subscriptions"]
                 });
             }
@@ -1659,6 +1689,7 @@ public class StripePaymentService : IPaymentService
         return new TaxInfo
         {
             TaxIdNumber = taxId?.Value,
+            TaxIdType = taxId?.Type,
             BillingAddressLine1 = address?.Line1,
             BillingAddressLine2 = address?.Line2,
             BillingAddressCity = address?.City,
@@ -1670,9 +1701,13 @@ public class StripePaymentService : IPaymentService
 
     public async Task SaveTaxInfoAsync(ISubscriber subscriber, TaxInfo taxInfo)
     {
-        if (subscriber != null && !string.IsNullOrWhiteSpace(subscriber.GatewayCustomerId))
+        if (string.IsNullOrWhiteSpace(subscriber?.GatewayCustomerId) || subscriber.IsUser())
         {
-            var customer = await _stripeAdapter.CustomerUpdateAsync(subscriber.GatewayCustomerId, new CustomerUpdateOptions
+            return;
+        }
+
+        var customer = await _stripeAdapter.CustomerUpdateAsync(subscriber.GatewayCustomerId,
+            new CustomerUpdateOptions
             {
                 Address = new AddressOptions
                 {
@@ -1686,23 +1721,59 @@ public class StripePaymentService : IPaymentService
                 Expand = ["tax_ids"]
             });
 
-            if (!subscriber.IsUser() && customer != null)
-            {
-                var taxId = customer.TaxIds?.FirstOrDefault();
+        if (customer == null)
+        {
+            return;
+        }
 
-                if (taxId != null)
-                {
-                    await _stripeAdapter.TaxIdDeleteAsync(customer.Id, taxId.Id);
-                }
-                if (!string.IsNullOrWhiteSpace(taxInfo.TaxIdNumber) &&
-                    !string.IsNullOrWhiteSpace(taxInfo.TaxIdType))
-                {
-                    await _stripeAdapter.TaxIdCreateAsync(customer.Id, new TaxIdCreateOptions
-                    {
-                        Type = taxInfo.TaxIdType,
-                        Value = taxInfo.TaxIdNumber,
-                    });
-                }
+        var taxId = customer.TaxIds?.FirstOrDefault();
+
+        if (taxId != null)
+        {
+            await _stripeAdapter.TaxIdDeleteAsync(customer.Id, taxId.Id);
+        }
+
+        if (string.IsNullOrWhiteSpace(taxInfo.TaxIdNumber))
+        {
+            return;
+        }
+
+        var taxIdType = taxInfo.TaxIdType;
+
+        if (string.IsNullOrWhiteSpace(taxIdType))
+        {
+            taxIdType = _taxService.GetStripeTaxCode(taxInfo.BillingAddressCountry, taxInfo.TaxIdNumber);
+
+            if (taxIdType == null)
+            {
+                _logger.LogWarning("Could not infer tax ID type in country '{Country}' with tax ID '{TaxID}'.",
+                    taxInfo.BillingAddressCountry,
+                    taxInfo.TaxIdNumber);
+                throw new BadRequestException("billingTaxIdTypeInferenceError");
+            }
+        }
+
+        try
+        {
+            await _stripeAdapter.TaxIdCreateAsync(customer.Id,
+                new TaxIdCreateOptions { Type = taxInfo.TaxIdType, Value = taxInfo.TaxIdNumber, });
+        }
+        catch (StripeException e)
+        {
+            switch (e.StripeError.Code)
+            {
+                case StripeConstants.ErrorCodes.TaxIdInvalid:
+                    _logger.LogWarning("Invalid tax ID '{TaxID}' for country '{Country}'.",
+                        taxInfo.TaxIdNumber,
+                        taxInfo.BillingAddressCountry);
+                    throw new BadRequestException("billingInvalidTaxIdError");
+                default:
+                    _logger.LogError(e,
+                        "Error creating tax ID '{TaxId}' in country '{Country}' for customer '{CustomerID}'.",
+                        taxInfo.TaxIdNumber,
+                        taxInfo.BillingAddressCountry,
+                        customer.Id);
+                    throw new BadRequestException("billingTaxIdCreationError");
             }
         }
     }
@@ -1835,6 +1906,285 @@ public class StripePaymentService : IPaymentService
         }
     }
 
+    public async Task<PreviewInvoiceResponseModel> PreviewInvoiceAsync(
+        PreviewIndividualInvoiceRequestBody parameters,
+        string gatewayCustomerId,
+        string gatewaySubscriptionId)
+    {
+        var options = new InvoiceCreatePreviewOptions
+        {
+            AutomaticTax = new InvoiceAutomaticTaxOptions
+            {
+                Enabled = true,
+            },
+            Currency = "usd",
+            Discounts = new List<InvoiceDiscountOptions>(),
+            SubscriptionDetails = new InvoiceSubscriptionDetailsOptions
+            {
+                Items =
+                [
+                    new()
+                    {
+                        Quantity = 1,
+                        Plan = "premium-annually"
+                    },
+
+                    new()
+                    {
+                        Quantity = parameters.PasswordManager.AdditionalStorage,
+                        Plan = "storage-gb-annually"
+                    }
+                ]
+            },
+            CustomerDetails = new InvoiceCustomerDetailsOptions
+            {
+                Address = new AddressOptions
+                {
+                    PostalCode = parameters.TaxInformation.PostalCode,
+                    Country = parameters.TaxInformation.Country,
+                }
+            },
+        };
+
+        if (!string.IsNullOrEmpty(parameters.TaxInformation.TaxId))
+        {
+            var taxIdType = _taxService.GetStripeTaxCode(
+                options.CustomerDetails.Address.Country,
+                parameters.TaxInformation.TaxId);
+
+            if (taxIdType == null)
+            {
+                _logger.LogWarning("Invalid tax ID '{TaxID}' for country '{Country}'.",
+                    parameters.TaxInformation.TaxId,
+                    parameters.TaxInformation.Country);
+                throw new BadRequestException("billingPreviewInvalidTaxIdError");
+            }
+
+            options.CustomerDetails.TaxIds = [
+                new InvoiceCustomerDetailsTaxIdOptions
+                {
+                    Type = taxIdType,
+                    Value = parameters.TaxInformation.TaxId
+                }
+            ];
+        }
+
+        if (gatewayCustomerId != null)
+        {
+            var gatewayCustomer = await _stripeAdapter.CustomerGetAsync(gatewayCustomerId);
+
+            if (gatewayCustomer.Discount != null)
+            {
+                options.Discounts.Add(new InvoiceDiscountOptions
+                {
+                    Discount = gatewayCustomer.Discount.Id
+                });
+            }
+
+            if (gatewaySubscriptionId != null)
+            {
+                var gatewaySubscription = await _stripeAdapter.SubscriptionGetAsync(gatewaySubscriptionId);
+
+                if (gatewaySubscription?.Discount != null)
+                {
+                    options.Discounts.Add(new InvoiceDiscountOptions
+                    {
+                        Discount = gatewaySubscription.Discount.Id
+                    });
+                }
+            }
+        }
+
+        try
+        {
+            var invoice = await _stripeAdapter.InvoiceCreatePreviewAsync(options);
+
+            var effectiveTaxRate = invoice.Tax != null && invoice.TotalExcludingTax != null
+                ? invoice.Tax.Value.ToMajor() / invoice.TotalExcludingTax.Value.ToMajor()
+                : 0M;
+
+            var result = new PreviewInvoiceResponseModel(
+                effectiveTaxRate,
+                invoice.TotalExcludingTax.ToMajor() ?? 0,
+                invoice.Tax.ToMajor() ?? 0,
+                invoice.Total.ToMajor());
+            return result;
+        }
+        catch (StripeException e)
+        {
+            switch (e.StripeError.Code)
+            {
+                case StripeConstants.ErrorCodes.TaxIdInvalid:
+                    _logger.LogWarning("Invalid tax ID '{TaxID}' for country '{Country}'.",
+                        parameters.TaxInformation.TaxId,
+                        parameters.TaxInformation.Country);
+                    throw new BadRequestException("billingPreviewInvalidTaxIdError");
+                default:
+                    _logger.LogError(e, "Unexpected error previewing invoice with tax ID '{TaxId}' in country '{Country}'.",
+                        parameters.TaxInformation.TaxId,
+                        parameters.TaxInformation.Country);
+                    throw new BadRequestException("billingPreviewInvoiceError");
+            }
+        }
+    }
+
+    public async Task<PreviewInvoiceResponseModel> PreviewInvoiceAsync(
+        PreviewOrganizationInvoiceRequestBody parameters,
+        string gatewayCustomerId,
+        string gatewaySubscriptionId)
+    {
+        var plan = Utilities.StaticStore.GetPlan(parameters.PasswordManager.Plan);
+
+        var options = new InvoiceCreatePreviewOptions
+        {
+            AutomaticTax = new InvoiceAutomaticTaxOptions
+            {
+                Enabled = true,
+            },
+            Currency = "usd",
+            Discounts = new List<InvoiceDiscountOptions>(),
+            SubscriptionDetails = new InvoiceSubscriptionDetailsOptions
+            {
+                Items =
+                [
+                    new()
+                    {
+                        Quantity = parameters.PasswordManager.AdditionalStorage,
+                        Plan = plan.PasswordManager.StripeStoragePlanId
+                    }
+                ]
+            },
+            CustomerDetails = new InvoiceCustomerDetailsOptions
+            {
+                Address = new AddressOptions
+                {
+                    PostalCode = parameters.TaxInformation.PostalCode,
+                    Country = parameters.TaxInformation.Country,
+                }
+            },
+        };
+
+        if (plan.PasswordManager.HasAdditionalSeatsOption)
+        {
+            options.SubscriptionDetails.Items.Add(
+                new()
+                {
+                    Quantity = parameters.PasswordManager.Seats,
+                    Plan = plan.PasswordManager.StripeSeatPlanId
+                }
+            );
+        }
+        else
+        {
+            options.SubscriptionDetails.Items.Add(
+                new()
+                {
+                    Quantity = 1,
+                    Plan = plan.PasswordManager.StripePlanId
+                }
+            );
+        }
+
+        if (plan.SupportsSecretsManager)
+        {
+            if (plan.SecretsManager.HasAdditionalSeatsOption)
+            {
+                options.SubscriptionDetails.Items.Add(new()
+                {
+                    Quantity = parameters.SecretsManager?.Seats ?? 0,
+                    Plan = plan.SecretsManager.StripeSeatPlanId
+                });
+            }
+
+            if (plan.SecretsManager.HasAdditionalServiceAccountOption)
+            {
+                options.SubscriptionDetails.Items.Add(new()
+                {
+                    Quantity = parameters.SecretsManager?.AdditionalMachineAccounts ?? 0,
+                    Plan = plan.SecretsManager.StripeServiceAccountPlanId
+                });
+            }
+        }
+
+        if (!string.IsNullOrEmpty(parameters.TaxInformation.TaxId))
+        {
+            var taxIdType = _taxService.GetStripeTaxCode(
+                options.CustomerDetails.Address.Country,
+                parameters.TaxInformation.TaxId);
+
+            if (taxIdType == null)
+            {
+                _logger.LogWarning("Invalid tax ID '{TaxID}' for country '{Country}'.",
+                    parameters.TaxInformation.TaxId,
+                    parameters.TaxInformation.Country);
+                throw new BadRequestException("billingTaxIdTypeInferenceError");
+            }
+
+            options.CustomerDetails.TaxIds = [
+                new InvoiceCustomerDetailsTaxIdOptions
+                {
+                    Type = taxIdType,
+                    Value = parameters.TaxInformation.TaxId
+                }
+            ];
+        }
+
+        if (gatewayCustomerId != null)
+        {
+            var gatewayCustomer = await _stripeAdapter.CustomerGetAsync(gatewayCustomerId);
+
+            if (gatewayCustomer.Discount != null)
+            {
+                options.Discounts.Add(new InvoiceDiscountOptions
+                {
+                    Discount = gatewayCustomer.Discount.Id
+                });
+            }
+
+            var gatewaySubscription = await _stripeAdapter.SubscriptionGetAsync(gatewaySubscriptionId);
+
+            if (gatewaySubscription?.Discount != null)
+            {
+                options.Discounts.Add(new InvoiceDiscountOptions
+                {
+                    Discount = gatewaySubscription.Discount.Id
+                });
+            }
+        }
+
+        try
+        {
+            var invoice = await _stripeAdapter.InvoiceCreatePreviewAsync(options);
+
+            var effectiveTaxRate = invoice.Tax != null && invoice.TotalExcludingTax != null
+                ? invoice.Tax.Value.ToMajor() / invoice.TotalExcludingTax.Value.ToMajor()
+                : 0M;
+
+            var result = new PreviewInvoiceResponseModel(
+                effectiveTaxRate,
+                invoice.TotalExcludingTax.ToMajor() ?? 0,
+                invoice.Tax.ToMajor() ?? 0,
+                invoice.Total.ToMajor());
+            return result;
+        }
+        catch (StripeException e)
+        {
+            switch (e.StripeError.Code)
+            {
+                case StripeConstants.ErrorCodes.TaxIdInvalid:
+                    _logger.LogWarning("Invalid tax ID '{TaxID}' for country '{Country}'.",
+                        parameters.TaxInformation.TaxId,
+                        parameters.TaxInformation.Country);
+                    throw new BadRequestException("billingPreviewInvalidTaxIdError");
+                default:
+                    _logger.LogError(e, "Unexpected error previewing invoice with tax ID '{TaxId}' in country '{Country}'.",
+                        parameters.TaxInformation.TaxId,
+                        parameters.TaxInformation.Country);
+                    throw new BadRequestException("billingPreviewInvoiceError");
+            }
+        }
+    }
+
     private PaymentMethod GetLatestCardPaymentMethod(string customerId)
     {
         var cardPaymentMethods = _stripeAdapter.PaymentMethodListAutoPaging(
diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index cb17d6e26b..a83375271e 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -973,6 +973,9 @@ public class UserService : UserManager<User>, IUserService, IDisposable
             await paymentService.CancelAndRecoverChargesAsync(user);
             throw;
         }
+
+
+
         return new Tuple<bool, string>(string.IsNullOrWhiteSpace(paymentIntentClientSecret),
             paymentIntentClientSecret);
     }
diff --git a/test/Core.Test/Billing/Services/SubscriberServiceTests.cs b/test/Core.Test/Billing/Services/SubscriberServiceTests.cs
index 385b185ffe..9c25ffdc55 100644
--- a/test/Core.Test/Billing/Services/SubscriberServiceTests.cs
+++ b/test/Core.Test/Billing/Services/SubscriberServiceTests.cs
@@ -1545,7 +1545,7 @@ public class SubscriberServiceTests
     {
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
 
-        var customer = new Customer { Id = provider.GatewayCustomerId, TaxIds = new StripeList<TaxId> { Data = [new TaxId { Id = "tax_id_1" }] } };
+        var customer = new Customer { Id = provider.GatewayCustomerId, TaxIds = new StripeList<TaxId> { Data = [new TaxId { Id = "tax_id_1", Type = "us_ein" }] } };
 
         stripeAdapter.CustomerGetAsync(provider.GatewayCustomerId, Arg.Is<CustomerGetOptions>(
             options => options.Expand.Contains("tax_ids"))).Returns(customer);
@@ -1554,6 +1554,7 @@ public class SubscriberServiceTests
             "US",
             "12345",
             "123456789",
+            "us_ein",
             "123 Example St.",
             null,
             "Example Town",
diff --git a/test/Core.Test/Models/Business/TaxInfoTests.cs b/test/Core.Test/Models/Business/TaxInfoTests.cs
deleted file mode 100644
index 197948006e..0000000000
--- a/test/Core.Test/Models/Business/TaxInfoTests.cs
+++ /dev/null
@@ -1,114 +0,0 @@
-using Bit.Core.Models.Business;
-using Xunit;
-
-namespace Bit.Core.Test.Models.Business;
-
-public class TaxInfoTests
-{
-    // PH = Placeholder
-    [Theory]
-    [InlineData(null, null, null, null)]
-    [InlineData("", "", null, null)]
-    [InlineData("PH", "", null, null)]
-    [InlineData("", "PH", null, null)]
-    [InlineData("AE", "PH", null, "ae_trn")]
-    [InlineData("AU", "PH", null, "au_abn")]
-    [InlineData("BR", "PH", null, "br_cnpj")]
-    [InlineData("CA", "PH", "bec", "ca_qst")]
-    [InlineData("CA", "PH", null, "ca_bn")]
-    [InlineData("CL", "PH", null, "cl_tin")]
-    [InlineData("AT", "PH", null, "eu_vat")]
-    [InlineData("BE", "PH", null, "eu_vat")]
-    [InlineData("BG", "PH", null, "eu_vat")]
-    [InlineData("CY", "PH", null, "eu_vat")]
-    [InlineData("CZ", "PH", null, "eu_vat")]
-    [InlineData("DE", "PH", null, "eu_vat")]
-    [InlineData("DK", "PH", null, "eu_vat")]
-    [InlineData("EE", "PH", null, "eu_vat")]
-    [InlineData("ES", "PH", null, "eu_vat")]
-    [InlineData("FI", "PH", null, "eu_vat")]
-    [InlineData("FR", "PH", null, "eu_vat")]
-    [InlineData("GB", "PH", null, "eu_vat")]
-    [InlineData("GR", "PH", null, "eu_vat")]
-    [InlineData("HR", "PH", null, "eu_vat")]
-    [InlineData("HU", "PH", null, "eu_vat")]
-    [InlineData("IE", "PH", null, "eu_vat")]
-    [InlineData("IT", "PH", null, "eu_vat")]
-    [InlineData("LT", "PH", null, "eu_vat")]
-    [InlineData("LU", "PH", null, "eu_vat")]
-    [InlineData("LV", "PH", null, "eu_vat")]
-    [InlineData("MT", "PH", null, "eu_vat")]
-    [InlineData("NL", "PH", null, "eu_vat")]
-    [InlineData("PL", "PH", null, "eu_vat")]
-    [InlineData("PT", "PH", null, "eu_vat")]
-    [InlineData("RO", "PH", null, "eu_vat")]
-    [InlineData("SE", "PH", null, "eu_vat")]
-    [InlineData("SI", "PH", null, "eu_vat")]
-    [InlineData("SK", "PH", null, "eu_vat")]
-    [InlineData("HK", "PH", null, "hk_br")]
-    [InlineData("IN", "PH", null, "in_gst")]
-    [InlineData("JP", "PH", null, "jp_cn")]
-    [InlineData("KR", "PH", null, "kr_brn")]
-    [InlineData("LI", "PH", null, "li_uid")]
-    [InlineData("MX", "PH", null, "mx_rfc")]
-    [InlineData("MY", "PH", null, "my_sst")]
-    [InlineData("NO", "PH", null, "no_vat")]
-    [InlineData("NZ", "PH", null, "nz_gst")]
-    [InlineData("RU", "PH", null, "ru_inn")]
-    [InlineData("SA", "PH", null, "sa_vat")]
-    [InlineData("SG", "PH", null, "sg_gst")]
-    [InlineData("TH", "PH", null, "th_vat")]
-    [InlineData("TW", "PH", null, "tw_vat")]
-    [InlineData("US", "PH", null, "us_ein")]
-    [InlineData("ZA", "PH", null, "za_vat")]
-    [InlineData("ABCDEF", "PH", null, null)]
-    public void GetTaxIdType_Success(string billingAddressCountry,
-        string taxIdNumber,
-        string billingAddressState,
-        string expectedTaxIdType)
-    {
-        var taxInfo = new TaxInfo
-        {
-            BillingAddressCountry = billingAddressCountry,
-            TaxIdNumber = taxIdNumber,
-            BillingAddressState = billingAddressState,
-        };
-
-        Assert.Equal(expectedTaxIdType, taxInfo.TaxIdType);
-    }
-
-    [Fact]
-    public void GetTaxIdType_CreateOnce_ReturnCacheSecondTime()
-    {
-        var taxInfo = new TaxInfo
-        {
-            BillingAddressCountry = "US",
-            TaxIdNumber = "PH",
-            BillingAddressState = null,
-        };
-
-        Assert.Equal("us_ein", taxInfo.TaxIdType);
-
-        // Per the current spec even if the values change to something other than null it
-        // will return the cached version of TaxIdType.
-        taxInfo.BillingAddressCountry = "ZA";
-
-        Assert.Equal("us_ein", taxInfo.TaxIdType);
-    }
-
-    [Theory]
-    [InlineData(null, null, false)]
-    [InlineData("123", "US", true)]
-    [InlineData("123", "ZQ12", false)]
-    [InlineData("    ", "US", false)]
-    public void HasTaxId_ReturnsExpected(string taxIdNumber, string billingAddressCountry, bool expected)
-    {
-        var taxInfo = new TaxInfo
-        {
-            TaxIdNumber = taxIdNumber,
-            BillingAddressCountry = billingAddressCountry,
-        };
-
-        Assert.Equal(expected, taxInfo.HasTaxId);
-    }
-}
diff --git a/test/Core.Test/Services/StripePaymentServiceTests.cs b/test/Core.Test/Services/StripePaymentServiceTests.cs
index e15f07b113..35e1901a2f 100644
--- a/test/Core.Test/Services/StripePaymentServiceTests.cs
+++ b/test/Core.Test/Services/StripePaymentServiceTests.cs
@@ -77,7 +77,8 @@ public class StripePaymentServiceTests
             c.Address.Line2 == taxInfo.BillingAddressLine2 &&
             c.Address.City == taxInfo.BillingAddressCity &&
             c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData == null
+            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
+            c.TaxIdData.First().Type == taxInfo.TaxIdType
         ));
 
         await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>
@@ -134,7 +135,8 @@ public class StripePaymentServiceTests
             c.Address.Line2 == taxInfo.BillingAddressLine2 &&
             c.Address.City == taxInfo.BillingAddressCity &&
             c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData == null
+            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
+            c.TaxIdData.First().Type == taxInfo.TaxIdType
         ));
 
         await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>
@@ -190,7 +192,8 @@ public class StripePaymentServiceTests
             c.Address.Line2 == taxInfo.BillingAddressLine2 &&
             c.Address.City == taxInfo.BillingAddressCity &&
             c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData == null
+            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
+            c.TaxIdData.First().Type == taxInfo.TaxIdType
         ));
 
         await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>
@@ -247,7 +250,8 @@ public class StripePaymentServiceTests
             c.Address.Line2 == taxInfo.BillingAddressLine2 &&
             c.Address.City == taxInfo.BillingAddressCity &&
             c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData == null
+            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
+            c.TaxIdData.First().Type == taxInfo.TaxIdType
         ));
 
         await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>
@@ -441,7 +445,8 @@ public class StripePaymentServiceTests
             c.Address.Line2 == taxInfo.BillingAddressLine2 &&
             c.Address.City == taxInfo.BillingAddressCity &&
             c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData == null
+            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
+            c.TaxIdData.First().Type == taxInfo.TaxIdType
         ));
 
         await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>
@@ -510,7 +515,8 @@ public class StripePaymentServiceTests
             c.Address.Line2 == taxInfo.BillingAddressLine2 &&
             c.Address.City == taxInfo.BillingAddressCity &&
             c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData == null
+            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
+            c.TaxIdData.First().Type == taxInfo.TaxIdType
         ));
 
         await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>

From bf2bf3c13f3971e626431c9a1c2d5d324293d2db Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Thu, 2 Jan 2025 14:37:12 -0600
Subject: [PATCH 103/384] [PM-14461] Return ProfileOrganizationResponse from
 subscription update (#5103)

* Return ProviderOrganizationResponse from subscription update

* QA: Fix SM trial seat adjustment
---
 .../Controllers/OrganizationsController.cs    | 36 ++++++++++++++-----
 1 file changed, 27 insertions(+), 9 deletions(-)

diff --git a/src/Api/Billing/Controllers/OrganizationsController.cs b/src/Api/Billing/Controllers/OrganizationsController.cs
index ccb30c6a77..7b25114a44 100644
--- a/src/Api/Billing/Controllers/OrganizationsController.cs
+++ b/src/Api/Billing/Controllers/OrganizationsController.cs
@@ -150,7 +150,7 @@ public class OrganizationsController(
 
     [HttpPost("{id}/sm-subscription")]
     [SelfHosted(NotSelfHostedOnly = true)]
-    public async Task PostSmSubscription(Guid id, [FromBody] SecretsManagerSubscriptionUpdateRequestModel model)
+    public async Task<ProfileOrganizationResponseModel> PostSmSubscription(Guid id, [FromBody] SecretsManagerSubscriptionUpdateRequestModel model)
     {
         if (!await currentContext.EditSubscription(id))
         {
@@ -168,17 +168,26 @@ public class OrganizationsController(
         var organizationUpdate = model.ToSecretsManagerSubscriptionUpdate(organization);
 
         await updateSecretsManagerSubscriptionCommand.UpdateSubscriptionAsync(organizationUpdate);
+
+        var userId = userService.GetProperUserId(User)!.Value;
+
+        return await GetProfileOrganizationResponseModelAsync(id, userId);
     }
 
     [HttpPost("{id:guid}/subscription")]
     [SelfHosted(NotSelfHostedOnly = true)]
-    public async Task PostSubscription(Guid id, [FromBody] OrganizationSubscriptionUpdateRequestModel model)
+    public async Task<ProfileOrganizationResponseModel> PostSubscription(Guid id, [FromBody] OrganizationSubscriptionUpdateRequestModel model)
     {
         if (!await currentContext.EditSubscription(id))
         {
             throw new NotFoundException();
         }
+
         await organizationService.UpdateSubscription(id, model.SeatAdjustment, model.MaxAutoscaleSeats);
+
+        var userId = userService.GetProperUserId(User)!.Value;
+
+        return await GetProfileOrganizationResponseModelAsync(id, userId);
     }
 
     [HttpPost("{id:guid}/subscribe-secrets-manager")]
@@ -203,13 +212,7 @@ public class OrganizationsController(
 
         await TryGrantOwnerAccessToSecretsManagerAsync(organization.Id, userId);
 
-        var organizationDetails = await organizationUserRepository.GetDetailsByUserAsync(userId, organization.Id,
-            OrganizationUserStatusType.Confirmed);
-
-        var organizationManagingActiveUser = await userService.GetOrganizationsManagingUserAsync(userId);
-        var organizationIdsManagingActiveUser = organizationManagingActiveUser.Select(o => o.Id);
-
-        return new ProfileOrganizationResponseModel(organizationDetails, organizationIdsManagingActiveUser);
+        return await GetProfileOrganizationResponseModelAsync(organization.Id, userId);
     }
 
     [HttpPost("{id:guid}/seat")]
@@ -391,4 +394,19 @@ public class OrganizationsController(
             await organizationInstallationRepository.ReplaceAsync(organizationInstallation);
         }
     }
+
+    private async Task<ProfileOrganizationResponseModel> GetProfileOrganizationResponseModelAsync(
+        Guid organizationId,
+        Guid userId)
+    {
+        var organizationUserDetails = await organizationUserRepository.GetDetailsByUserAsync(
+            userId,
+            organizationId,
+            OrganizationUserStatusType.Confirmed);
+
+        var organizationIdsManagingActiveUser = (await userService.GetOrganizationsManagingUserAsync(userId))
+            .Select(o => o.Id);
+
+        return new ProfileOrganizationResponseModel(organizationUserDetails, organizationIdsManagingActiveUser);
+    }
 }

From 840ff00189a8b8fd28716964eb65daa123d98009 Mon Sep 17 00:00:00 2001
From: MtnBurrit0 <77340197+mimartin12@users.noreply.github.com>
Date: Thu, 2 Jan 2025 13:58:32 -0700
Subject: [PATCH 104/384] BRE-292: Sync ephemeral environment with GH workflow
 (#5174)

* Add sync_environment call

* Put callable workflow in it's own job

* Switch to context for GitHub input

* Set requirements and inherit secrets

* Add the condition to the job

* Update .github/workflows/build.yml

Co-authored-by: Vince Grassia <593223+vgrassia@users.noreply.github.com>

---------

Co-authored-by: Vince Grassia <593223+vgrassia@users.noreply.github.com>
---
 .github/workflows/build.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 420b9b6375..c0b598ea56 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -654,6 +654,21 @@ jobs:
               }
             })
 
+  trigger-ephemeral-environment-sync:
+    name: Trigger Ephemeral Environment Sync
+    needs: trigger-ee-updates
+    if: |
+      github.event_name == 'pull_request_target'
+      && contains(github.event.pull_request.labels.*.name, 'ephemeral-environment')
+    uses: bitwarden/gh-actions/.github/workflows/_ephemeral_environment_manager.yml@main
+    with:
+      ephemeral_env_branch: process.env.GITHUB_HEAD_REF
+      project: server
+      sync_environment: true
+      pull_request_number: ${{ github.event.number }}
+    secrets: inherit
+
+
   check-failures:
     name: Check for failures
     if: always()

From c14b192e0c863334f2cf7184b91fa95957e75300 Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Fri, 3 Jan 2025 09:14:07 -0600
Subject: [PATCH 105/384] [PM-16684] Add a Pricing Client and mapping layer
 back to StaticStore.Plan (#5213)

* Add a Pricing Client and mapping layer back to StaticStore.Plan

* Run dotnet format

* Temporarily remove service registration to forego any unforseen side effects

* Run dotnet format
---
 .../Extensions/ServiceCollectionExtensions.cs |   1 +
 src/Core/Billing/Models/StaticStore/Plan.cs   |  12 +
 src/Core/Billing/Pricing/IPricingClient.cs    |  12 +
 src/Core/Billing/Pricing/PlanAdapter.cs       | 232 ++++++++++++++++++
 src/Core/Billing/Pricing/PricingClient.cs     |  92 +++++++
 .../Pricing/Protos/password-manager.proto     |  92 +++++++
 src/Core/Constants.cs                         |   1 +
 src/Core/Core.csproj                          |  11 +
 src/Core/Settings/GlobalSettings.cs           |   2 +-
 9 files changed, 454 insertions(+), 1 deletion(-)
 create mode 100644 src/Core/Billing/Pricing/IPricingClient.cs
 create mode 100644 src/Core/Billing/Pricing/PlanAdapter.cs
 create mode 100644 src/Core/Billing/Pricing/PricingClient.cs
 create mode 100644 src/Core/Billing/Pricing/Protos/password-manager.proto

diff --git a/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs b/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
index e9a5d3f736..9a7a4107ae 100644
--- a/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
+++ b/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
@@ -17,6 +17,7 @@ public static class ServiceCollectionExtensions
         services.AddTransient<IPremiumUserBillingService, PremiumUserBillingService>();
         services.AddTransient<ISetupIntentCache, SetupIntentDistributedCache>();
         services.AddTransient<ISubscriberService, SubscriberService>();
+        // services.AddSingleton<IPricingClient, PricingClient>();
         services.AddLicenseServices();
     }
 }
diff --git a/src/Core/Billing/Models/StaticStore/Plan.cs b/src/Core/Billing/Models/StaticStore/Plan.cs
index 15a618cca0..5dbcd7ddc4 100644
--- a/src/Core/Billing/Models/StaticStore/Plan.cs
+++ b/src/Core/Billing/Models/StaticStore/Plan.cs
@@ -8,8 +8,11 @@ public abstract record Plan
     public ProductTierType ProductTier { get; protected init; }
     public string Name { get; protected init; }
     public bool IsAnnual { get; protected init; }
+    // TODO: Move to the client
     public string NameLocalizationKey { get; protected init; }
+    // TODO: Move to the client
     public string DescriptionLocalizationKey { get; protected init; }
+    // TODO: Remove
     public bool CanBeUsedByBusiness { get; protected init; }
     public int? TrialPeriodDays { get; protected init; }
     public bool HasSelfHost { get; protected init; }
@@ -27,7 +30,9 @@ public abstract record Plan
     public bool UsersGetPremium { get; protected init; }
     public bool HasCustomPermissions { get; protected init; }
     public int UpgradeSortOrder { get; protected init; }
+    // TODO: Move to the client
     public int DisplaySortOrder { get; protected init; }
+    // TODO: Remove
     public int? LegacyYear { get; protected init; }
     public bool Disabled { get; protected init; }
     public PasswordManagerPlanFeatures PasswordManager { get; protected init; }
@@ -45,15 +50,19 @@ public abstract record Plan
         public string StripeServiceAccountPlanId { get; init; }
         public decimal? AdditionalPricePerServiceAccount { get; init; }
         public short BaseServiceAccount { get; init; }
+        // TODO: Unused, remove
         public short? MaxAdditionalServiceAccount { get; init; }
         public bool HasAdditionalServiceAccountOption { get; init; }
         // Seats
         public string StripeSeatPlanId { get; init; }
         public bool HasAdditionalSeatsOption { get; init; }
+        // TODO: Remove, SM is never packaged
         public decimal BasePrice { get; init; }
         public decimal SeatPrice { get; init; }
+        // TODO: Remove, SM is never packaged
         public int BaseSeats { get; init; }
         public short? MaxSeats { get; init; }
+        // TODO: Unused, remove
         public int? MaxAdditionalSeats { get; init; }
         public bool AllowSeatAutoscale { get; init; }
 
@@ -72,8 +81,10 @@ public abstract record Plan
         public decimal ProviderPortalSeatPrice { get; init; }
         public bool AllowSeatAutoscale { get; init; }
         public bool HasAdditionalSeatsOption { get; init; }
+        // TODO: Remove, never set.
         public int? MaxAdditionalSeats { get; init; }
         public int BaseSeats { get; init; }
+        // TODO: Remove premium access as it's deprecated
         public bool HasPremiumAccessOption { get; init; }
         public string StripePremiumAccessPlanId { get; init; }
         public decimal PremiumAccessOptionPrice { get; init; }
@@ -83,6 +94,7 @@ public abstract record Plan
         public bool HasAdditionalStorageOption { get; init; }
         public decimal AdditionalStoragePricePerGb { get; init; }
         public string StripeStoragePlanId { get; init; }
+        // TODO: Remove
         public short? MaxAdditionalStorage { get; init; }
         // Feature
         public short? MaxCollections { get; init; }
diff --git a/src/Core/Billing/Pricing/IPricingClient.cs b/src/Core/Billing/Pricing/IPricingClient.cs
new file mode 100644
index 0000000000..68577f1db3
--- /dev/null
+++ b/src/Core/Billing/Pricing/IPricingClient.cs
@@ -0,0 +1,12 @@
+using Bit.Core.Billing.Enums;
+using Bit.Core.Models.StaticStore;
+
+#nullable enable
+
+namespace Bit.Core.Billing.Pricing;
+
+public interface IPricingClient
+{
+    Task<Plan?> GetPlan(PlanType planType);
+    Task<List<Plan>> ListPlans();
+}
diff --git a/src/Core/Billing/Pricing/PlanAdapter.cs b/src/Core/Billing/Pricing/PlanAdapter.cs
new file mode 100644
index 0000000000..b2b24d4cf9
--- /dev/null
+++ b/src/Core/Billing/Pricing/PlanAdapter.cs
@@ -0,0 +1,232 @@
+using Bit.Core.Billing.Enums;
+using Bit.Core.Models.StaticStore;
+using Proto.Billing.Pricing;
+
+#nullable enable
+
+namespace Bit.Core.Billing.Pricing;
+
+public record PlanAdapter : Plan
+{
+    public PlanAdapter(PlanResponse planResponse)
+    {
+        Type = ToPlanType(planResponse.LookupKey);
+        ProductTier = ToProductTierType(Type);
+        Name = planResponse.Name;
+        IsAnnual = !string.IsNullOrEmpty(planResponse.Cadence) && planResponse.Cadence == "annually";
+        NameLocalizationKey = planResponse.AdditionalData?["nameLocalizationKey"];
+        DescriptionLocalizationKey = planResponse.AdditionalData?["descriptionLocalizationKey"];
+        TrialPeriodDays = planResponse.TrialPeriodDays;
+        HasSelfHost = HasFeature("selfHost");
+        HasPolicies = HasFeature("policies");
+        HasGroups = HasFeature("groups");
+        HasDirectory = HasFeature("directory");
+        HasEvents = HasFeature("events");
+        HasTotp = HasFeature("totp");
+        Has2fa = HasFeature("2fa");
+        HasApi = HasFeature("api");
+        HasSso = HasFeature("sso");
+        HasKeyConnector = HasFeature("keyConnector");
+        HasScim = HasFeature("scim");
+        HasResetPassword = HasFeature("resetPassword");
+        UsersGetPremium = HasFeature("usersGetPremium");
+        UpgradeSortOrder = planResponse.AdditionalData != null
+            ? int.Parse(planResponse.AdditionalData["upgradeSortOrder"])
+            : 0;
+        DisplaySortOrder = planResponse.AdditionalData != null
+            ? int.Parse(planResponse.AdditionalData["displaySortOrder"])
+            : 0;
+        HasCustomPermissions = HasFeature("customPermissions");
+        Disabled = !planResponse.Available;
+        PasswordManager = ToPasswordManagerPlanFeatures(planResponse);
+        SecretsManager = planResponse.SecretsManager != null ? ToSecretsManagerPlanFeatures(planResponse) : null;
+
+        return;
+
+        bool HasFeature(string lookupKey) => planResponse.Features.Any(feature => feature.LookupKey == lookupKey);
+    }
+
+    #region Mappings
+
+    private static PlanType ToPlanType(string lookupKey)
+        => lookupKey switch
+        {
+            "enterprise-annually" => PlanType.EnterpriseAnnually,
+            "enterprise-annually-2019" => PlanType.EnterpriseAnnually2019,
+            "enterprise-annually-2020" => PlanType.EnterpriseAnnually2020,
+            "enterprise-annually-2023" => PlanType.EnterpriseAnnually2023,
+            "enterprise-monthly" => PlanType.EnterpriseMonthly,
+            "enterprise-monthly-2019" => PlanType.EnterpriseMonthly2019,
+            "enterprise-monthly-2020" => PlanType.EnterpriseMonthly2020,
+            "enterprise-monthly-2023" => PlanType.EnterpriseMonthly2023,
+            "families" => PlanType.FamiliesAnnually,
+            "families-2019" => PlanType.FamiliesAnnually2019,
+            "free" => PlanType.Free,
+            "teams-annually" => PlanType.TeamsAnnually,
+            "teams-annually-2019" => PlanType.TeamsAnnually2019,
+            "teams-annually-2020" => PlanType.TeamsAnnually2020,
+            "teams-annually-2023" => PlanType.TeamsAnnually2023,
+            "teams-monthly" => PlanType.TeamsMonthly,
+            "teams-monthly-2019" => PlanType.TeamsMonthly2019,
+            "teams-monthly-2020" => PlanType.TeamsMonthly2020,
+            "teams-monthly-2023" => PlanType.TeamsMonthly2023,
+            "teams-starter" => PlanType.TeamsStarter,
+            "teams-starter-2023" => PlanType.TeamsStarter2023,
+            _ => throw new BillingException() // TODO: Flesh out
+        };
+
+    private static ProductTierType ToProductTierType(PlanType planType)
+        => planType switch
+        {
+            PlanType.Free => ProductTierType.Free,
+            PlanType.FamiliesAnnually or PlanType.FamiliesAnnually2019 => ProductTierType.Families,
+            PlanType.TeamsStarter or PlanType.TeamsStarter2023 => ProductTierType.TeamsStarter,
+            _ when planType.ToString().Contains("Teams") => ProductTierType.Teams,
+            _ when planType.ToString().Contains("Enterprise") => ProductTierType.Enterprise,
+            _ => throw new BillingException() // TODO: Flesh out
+        };
+
+    private static PasswordManagerPlanFeatures ToPasswordManagerPlanFeatures(PlanResponse planResponse)
+    {
+        var stripePlanId = GetStripePlanId(planResponse.Seats);
+        var stripeSeatPlanId = GetStripeSeatPlanId(planResponse.Seats);
+        var stripeProviderPortalSeatPlanId = planResponse.ManagedSeats?.StripePriceId;
+        var basePrice = GetBasePrice(planResponse.Seats);
+        var seatPrice = GetSeatPrice(planResponse.Seats);
+        var providerPortalSeatPrice =
+            planResponse.ManagedSeats != null ? decimal.Parse(planResponse.ManagedSeats.Price) : 0;
+        var scales = planResponse.Seats.KindCase switch
+        {
+            PurchasableDTO.KindOneofCase.Scalable => true,
+            PurchasableDTO.KindOneofCase.Packaged => planResponse.Seats.Packaged.Additional != null,
+            _ => false
+        };
+        var baseSeats = GetBaseSeats(planResponse.Seats);
+        var maxSeats = GetMaxSeats(planResponse.Seats);
+        var baseStorageGb = (short?)planResponse.Storage?.Provided;
+        var hasAdditionalStorageOption = planResponse.Storage != null;
+        var stripeStoragePlanId = planResponse.Storage?.StripePriceId;
+        short? maxCollections =
+            planResponse.AdditionalData != null &&
+            planResponse.AdditionalData.TryGetValue("passwordManager.maxCollections", out var value) ? short.Parse(value) : null;
+
+        return new PasswordManagerPlanFeatures
+        {
+            StripePlanId = stripePlanId,
+            StripeSeatPlanId = stripeSeatPlanId,
+            StripeProviderPortalSeatPlanId = stripeProviderPortalSeatPlanId,
+            BasePrice = basePrice,
+            SeatPrice = seatPrice,
+            ProviderPortalSeatPrice = providerPortalSeatPrice,
+            AllowSeatAutoscale = scales,
+            HasAdditionalSeatsOption = scales,
+            BaseSeats = baseSeats,
+            MaxSeats = maxSeats,
+            BaseStorageGb = baseStorageGb,
+            HasAdditionalStorageOption = hasAdditionalStorageOption,
+            StripeStoragePlanId = stripeStoragePlanId,
+            MaxCollections = maxCollections
+        };
+    }
+
+    private static SecretsManagerPlanFeatures ToSecretsManagerPlanFeatures(PlanResponse planResponse)
+    {
+        var seats = planResponse.SecretsManager.Seats;
+        var serviceAccounts = planResponse.SecretsManager.ServiceAccounts;
+
+        var maxServiceAccounts = GetMaxServiceAccounts(serviceAccounts);
+        var allowServiceAccountsAutoscale = serviceAccounts.KindCase == FreeOrScalableDTO.KindOneofCase.Scalable;
+        var stripeServiceAccountPlanId = GetStripeServiceAccountPlanId(serviceAccounts);
+        var additionalPricePerServiceAccount = GetAdditionalPricePerServiceAccount(serviceAccounts);
+        var baseServiceAccount = GetBaseServiceAccount(serviceAccounts);
+        var hasAdditionalServiceAccountOption = serviceAccounts.KindCase == FreeOrScalableDTO.KindOneofCase.Scalable;
+        var stripeSeatPlanId = GetStripeSeatPlanId(seats);
+        var hasAdditionalSeatsOption = seats.KindCase == FreeOrScalableDTO.KindOneofCase.Scalable;
+        var seatPrice = GetSeatPrice(seats);
+        var maxSeats = GetMaxSeats(seats);
+        var allowSeatAutoscale = seats.KindCase == FreeOrScalableDTO.KindOneofCase.Scalable;
+        var maxProjects =
+            planResponse.AdditionalData != null &&
+            planResponse.AdditionalData.TryGetValue("secretsManager.maxProjects", out var value) ? short.Parse(value) : 0;
+
+        return new SecretsManagerPlanFeatures
+        {
+            MaxServiceAccounts = maxServiceAccounts,
+            AllowServiceAccountsAutoscale = allowServiceAccountsAutoscale,
+            StripeServiceAccountPlanId = stripeServiceAccountPlanId,
+            AdditionalPricePerServiceAccount = additionalPricePerServiceAccount,
+            BaseServiceAccount = baseServiceAccount,
+            HasAdditionalServiceAccountOption = hasAdditionalServiceAccountOption,
+            StripeSeatPlanId = stripeSeatPlanId,
+            HasAdditionalSeatsOption = hasAdditionalSeatsOption,
+            SeatPrice = seatPrice,
+            MaxSeats = maxSeats,
+            AllowSeatAutoscale = allowSeatAutoscale,
+            MaxProjects = maxProjects
+        };
+    }
+
+    private static decimal? GetAdditionalPricePerServiceAccount(FreeOrScalableDTO freeOrScalable)
+        => freeOrScalable.KindCase != FreeOrScalableDTO.KindOneofCase.Scalable
+            ? null
+            : decimal.Parse(freeOrScalable.Scalable.Price);
+
+    private static decimal GetBasePrice(PurchasableDTO purchasable)
+        => purchasable.KindCase != PurchasableDTO.KindOneofCase.Packaged ? 0 : decimal.Parse(purchasable.Packaged.Price);
+
+    private static int GetBaseSeats(PurchasableDTO purchasable)
+        => purchasable.KindCase != PurchasableDTO.KindOneofCase.Packaged ? 0 : purchasable.Packaged.Quantity;
+
+    private static short GetBaseServiceAccount(FreeOrScalableDTO freeOrScalable)
+        => freeOrScalable.KindCase switch
+        {
+            FreeOrScalableDTO.KindOneofCase.Free => (short)freeOrScalable.Free.Quantity,
+            FreeOrScalableDTO.KindOneofCase.Scalable => (short)freeOrScalable.Scalable.Provided,
+            _ => 0
+        };
+
+    private static short? GetMaxSeats(PurchasableDTO purchasable)
+        => purchasable.KindCase != PurchasableDTO.KindOneofCase.Free ? null : (short)purchasable.Free.Quantity;
+
+    private static short? GetMaxSeats(FreeOrScalableDTO freeOrScalable)
+        => freeOrScalable.KindCase != FreeOrScalableDTO.KindOneofCase.Free ? null : (short)freeOrScalable.Free.Quantity;
+
+    private static short? GetMaxServiceAccounts(FreeOrScalableDTO freeOrScalable)
+        => freeOrScalable.KindCase != FreeOrScalableDTO.KindOneofCase.Free ? null : (short)freeOrScalable.Free.Quantity;
+
+    private static decimal GetSeatPrice(PurchasableDTO purchasable)
+        => purchasable.KindCase switch
+        {
+            PurchasableDTO.KindOneofCase.Packaged => purchasable.Packaged.Additional != null ? decimal.Parse(purchasable.Packaged.Additional.Price) : 0,
+            PurchasableDTO.KindOneofCase.Scalable => decimal.Parse(purchasable.Scalable.Price),
+            _ => 0
+        };
+
+    private static decimal GetSeatPrice(FreeOrScalableDTO freeOrScalable)
+        => freeOrScalable.KindCase != FreeOrScalableDTO.KindOneofCase.Scalable
+            ? 0
+            : decimal.Parse(freeOrScalable.Scalable.Price);
+
+    private static string? GetStripePlanId(PurchasableDTO purchasable)
+        => purchasable.KindCase != PurchasableDTO.KindOneofCase.Packaged ? null : purchasable.Packaged.StripePriceId;
+
+    private static string? GetStripeSeatPlanId(PurchasableDTO purchasable)
+        => purchasable.KindCase switch
+        {
+            PurchasableDTO.KindOneofCase.Packaged => purchasable.Packaged.Additional?.StripePriceId,
+            PurchasableDTO.KindOneofCase.Scalable => purchasable.Scalable.StripePriceId,
+            _ => null
+        };
+
+    private static string? GetStripeSeatPlanId(FreeOrScalableDTO freeOrScalable)
+        => freeOrScalable.KindCase != FreeOrScalableDTO.KindOneofCase.Scalable
+            ? null
+            : freeOrScalable.Scalable.StripePriceId;
+
+    private static string? GetStripeServiceAccountPlanId(FreeOrScalableDTO freeOrScalable)
+        => freeOrScalable.KindCase != FreeOrScalableDTO.KindOneofCase.Scalable
+            ? null
+            : freeOrScalable.Scalable.StripePriceId;
+
+    #endregion
+}
diff --git a/src/Core/Billing/Pricing/PricingClient.cs b/src/Core/Billing/Pricing/PricingClient.cs
new file mode 100644
index 0000000000..65fc1761ad
--- /dev/null
+++ b/src/Core/Billing/Pricing/PricingClient.cs
@@ -0,0 +1,92 @@
+using Bit.Core.Billing.Enums;
+using Bit.Core.Models.StaticStore;
+using Bit.Core.Services;
+using Bit.Core.Settings;
+using Bit.Core.Utilities;
+using Google.Protobuf.WellKnownTypes;
+using Grpc.Core;
+using Grpc.Net.Client;
+using Proto.Billing.Pricing;
+
+#nullable enable
+
+namespace Bit.Core.Billing.Pricing;
+
+public class PricingClient(
+    IFeatureService featureService,
+    GlobalSettings globalSettings) : IPricingClient
+{
+    public async Task<Plan?> GetPlan(PlanType planType)
+    {
+        var usePricingService = featureService.IsEnabled(FeatureFlagKeys.UsePricingService);
+
+        if (!usePricingService)
+        {
+            return StaticStore.GetPlan(planType);
+        }
+
+        using var channel = GrpcChannel.ForAddress(globalSettings.PricingUri);
+        var client = new PasswordManager.PasswordManagerClient(channel);
+
+        var lookupKey = ToLookupKey(planType);
+        if (string.IsNullOrEmpty(lookupKey))
+        {
+            return null;
+        }
+
+        try
+        {
+            var response =
+                await client.GetPlanByLookupKeyAsync(new GetPlanByLookupKeyRequest { LookupKey = lookupKey });
+
+            return new PlanAdapter(response);
+        }
+        catch (RpcException rpcException) when (rpcException.StatusCode == StatusCode.NotFound)
+        {
+            return null;
+        }
+    }
+
+    public async Task<List<Plan>> ListPlans()
+    {
+        var usePricingService = featureService.IsEnabled(FeatureFlagKeys.UsePricingService);
+
+        if (!usePricingService)
+        {
+            return StaticStore.Plans.ToList();
+        }
+
+        using var channel = GrpcChannel.ForAddress(globalSettings.PricingUri);
+        var client = new PasswordManager.PasswordManagerClient(channel);
+
+        var response = await client.ListPlansAsync(new Empty());
+        return response.Plans.Select(Plan (plan) => new PlanAdapter(plan)).ToList();
+    }
+
+    private static string? ToLookupKey(PlanType planType)
+        => planType switch
+        {
+            PlanType.EnterpriseAnnually => "enterprise-annually",
+            PlanType.EnterpriseAnnually2019 => "enterprise-annually-2019",
+            PlanType.EnterpriseAnnually2020 => "enterprise-annually-2020",
+            PlanType.EnterpriseAnnually2023 => "enterprise-annually-2023",
+            PlanType.EnterpriseMonthly => "enterprise-monthly",
+            PlanType.EnterpriseMonthly2019 => "enterprise-monthly-2019",
+            PlanType.EnterpriseMonthly2020 => "enterprise-monthly-2020",
+            PlanType.EnterpriseMonthly2023 => "enterprise-monthly-2023",
+            PlanType.FamiliesAnnually => "families",
+            PlanType.FamiliesAnnually2019 => "families-2019",
+            PlanType.Free => "free",
+            PlanType.TeamsAnnually => "teams-annually",
+            PlanType.TeamsAnnually2019 => "teams-annually-2019",
+            PlanType.TeamsAnnually2020 => "teams-annually-2020",
+            PlanType.TeamsAnnually2023 => "teams-annually-2023",
+            PlanType.TeamsMonthly => "teams-monthly",
+            PlanType.TeamsMonthly2019 => "teams-monthly-2019",
+            PlanType.TeamsMonthly2020 => "teams-monthly-2020",
+            PlanType.TeamsMonthly2023 => "teams-monthly-2023",
+            PlanType.TeamsStarter => "teams-starter",
+            PlanType.TeamsStarter2023 => "teams-starter-2023",
+            _ => null
+        };
+}
diff --git a/src/Core/Billing/Pricing/Protos/password-manager.proto b/src/Core/Billing/Pricing/Protos/password-manager.proto
new file mode 100644
index 0000000000..69a4c51bd1
--- /dev/null
+++ b/src/Core/Billing/Pricing/Protos/password-manager.proto
@@ -0,0 +1,92 @@
+syntax = "proto3";
+
+option csharp_namespace = "Proto.Billing.Pricing";
+
+package plans;
+
+import "google/protobuf/empty.proto";
+import "google/protobuf/struct.proto";
+import "google/protobuf/wrappers.proto";
+
+service PasswordManager {
+  rpc GetPlanByLookupKey (GetPlanByLookupKeyRequest) returns (PlanResponse);
+  rpc ListPlans (google.protobuf.Empty) returns (ListPlansResponse);
+}
+
+// Requests
+message GetPlanByLookupKeyRequest {
+  string lookupKey = 1;
+}
+
+// Responses
+message PlanResponse {
+  string name = 1;
+  string lookupKey = 2;
+  string tier = 4;
+  optional string cadence = 6;
+  optional google.protobuf.Int32Value legacyYear = 8;
+  bool available = 9;
+  repeated FeatureDTO features = 10;
+  PurchasableDTO seats = 11;
+  optional ScalableDTO managedSeats = 12;
+  optional ScalableDTO storage = 13;
+  optional SecretsManagerPurchasablesDTO secretsManager = 14;
+  optional google.protobuf.Int32Value trialPeriodDays = 15;
+  repeated string canUpgradeTo = 16;
+  map<string, string> additionalData = 17;
+}
+
+message ListPlansResponse {
+  repeated PlanResponse plans = 1;
+}
+
+// DTOs
+message FeatureDTO {
+  string name = 1;
+  string lookupKey = 2;
+}
+
+message FreeDTO {
+  int32 quantity = 2;
+  string type = 4;
+}
+
+message PackagedDTO {
+  message AdditionalSeats {
+    string stripePriceId = 1;
+    string price = 2;
+  }
+
+  int32 quantity = 2;
+  string stripePriceId = 3;
+  string price = 4;
+  optional AdditionalSeats additional = 5;
+  string type = 6;
+}
+
+message ScalableDTO {
+  int32 provided = 2;
+  string stripePriceId = 6;
+  string price = 7;
+  string type = 9;
+}
+
+message PurchasableDTO {
+  oneof kind {
+    FreeDTO free = 1;
+    PackagedDTO packaged = 2;
+    ScalableDTO scalable = 3;
+  }
+}
+
+message FreeOrScalableDTO {
+  oneof kind {
+    FreeDTO free = 1;
+    ScalableDTO scalable = 2;
+  }
+}
+
+message SecretsManagerPurchasablesDTO {
+  FreeOrScalableDTO seats = 1;
+  FreeOrScalableDTO serviceAccounts = 2;
+}
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index e0c5564ede..0b7435cf8f 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -164,6 +164,7 @@ public static class FeatureFlagKeys
     public const string AuthenticatorSyncAndroid = "enable-authenticator-sync-android";
     public const string AppReviewPrompt = "app-review-prompt";
     public const string ResellerManagedOrgAlert = "PM-15814-alert-owners-of-reseller-managed-orgs";
+    public const string UsePricingService = "use-pricing-service";
 
     public static List<string> GetAllKeys()
     {
diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index c5cb31d9c5..83ac307671 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -25,6 +25,12 @@
     <PackageReference Include="AWSSDK.SQS" Version="3.7.400.64" />
     <PackageReference Include="Azure.Data.Tables" Version="12.9.0" />
     <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Blobs" Version="1.3.4" />
+    <PackageReference Include="Google.Protobuf" Version="3.29.2" />
+    <PackageReference Include="Grpc.Net.Client" Version="2.67.0" />
+    <PackageReference Include="Grpc.Tools" Version="2.68.1">
+      <PrivateAssets>all</PrivateAssets>
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+    </PackageReference>
     <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="8.0.10" />
     <PackageReference Include="Azure.Messaging.ServiceBus" Version="7.18.1" />
     <PackageReference Include="Azure.Storage.Blobs" Version="12.21.2" />
@@ -44,6 +50,7 @@
     <PackageReference Include="Microsoft.Extensions.Configuration.EnvironmentVariables" Version="9.0.0" />
     <PackageReference Include="Microsoft.Extensions.Configuration.UserSecrets" Version="9.0.0" />
     <PackageReference Include="Microsoft.Extensions.Identity.Stores" Version="8.0.10" />
+    <PackageReference Include="OneOf" Version="3.0.271" />
     <PackageReference Include="Quartz" Version="3.13.1" />
     <PackageReference Include="SendGrid" Version="9.29.3" />
     <PackageReference Include="Serilog.AspNetCore" Version="8.0.3" />
@@ -62,6 +69,10 @@
     <PackageReference Include="LaunchDarkly.ServerSdk" Version="8.6.0" />
   </ItemGroup>
 
+  <ItemGroup>
+    <Protobuf Include="Billing\Pricing\Protos\password-manager.proto" GrpcServices="Client" />
+  </ItemGroup>
+  
   <ItemGroup>
     <Folder Include="Resources\" />
     <Folder Include="Properties\" />
diff --git a/src/Core/Settings/GlobalSettings.cs b/src/Core/Settings/GlobalSettings.cs
index cdbfc7cf3a..420151a34f 100644
--- a/src/Core/Settings/GlobalSettings.cs
+++ b/src/Core/Settings/GlobalSettings.cs
@@ -81,8 +81,8 @@ public class GlobalSettings : IGlobalSettings
     public virtual IDomainVerificationSettings DomainVerification { get; set; } = new DomainVerificationSettings();
     public virtual ILaunchDarklySettings LaunchDarkly { get; set; } = new LaunchDarklySettings();
     public virtual string DevelopmentDirectory { get; set; }
-
     public virtual bool EnableEmailVerification { get; set; }
+    public virtual string PricingUri { get; set; }
 
     public string BuildExternalUri(string explicitValue, string name)
     {

From 3a8d10234bd1fbdc54799fa2ba3d37909fa0a373 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Fri, 3 Jan 2025 16:19:37 +0100
Subject: [PATCH 106/384] [PM-16689] Fix swagger build (#5214)

---
 src/Api/Utilities/ServiceCollectionExtensions.cs | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/Api/Utilities/ServiceCollectionExtensions.cs b/src/Api/Utilities/ServiceCollectionExtensions.cs
index 3d206fd887..270055be8f 100644
--- a/src/Api/Utilities/ServiceCollectionExtensions.cs
+++ b/src/Api/Utilities/ServiceCollectionExtensions.cs
@@ -34,6 +34,9 @@ public static class ServiceCollectionExtensions
                     Url = new Uri("https://github.com/bitwarden/server/blob/master/LICENSE.txt")
                 }
             });
+
+            config.CustomSchemaIds(type => type.FullName);
+
             config.SwaggerDoc("internal", new OpenApiInfo { Title = "Bitwarden Internal API", Version = "latest" });
 
             config.AddSecurityDefinition("oauth2-client-credentials", new OpenApiSecurityScheme

From 4b2030de7715418d6e6ed3ddc9fe9db59e9ddbb1 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 3 Jan 2025 11:35:28 -0500
Subject: [PATCH 107/384] [deps] BRE: Update anchore/scan-action action to v6
 (#5180)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c0b598ea56..899ca25f4d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -307,7 +307,7 @@ jobs:
 
       - name: Scan Docker image
         id: container-scan
-        uses: anchore/scan-action@5ed195cc06065322983cae4bb31e2a751feb86fd # v5.2.0
+        uses: anchore/scan-action@abae793926ec39a78ab18002bc7fc45bbbd94342 # v6.0.0
         with:
           image: ${{ steps.image-tags.outputs.primary_tag }}
           fail-build: false

From f74b94b5f71262b52ff18f875416cd661db2f8d2 Mon Sep 17 00:00:00 2001
From: Conner Turnbull <133619638+cturnbull-bitwarden@users.noreply.github.com>
Date: Fri, 3 Jan 2025 15:34:29 -0500
Subject: [PATCH 108/384] [PM-16700] Handling nulls in UserLicenseClaimsFactory
 (#5217)

* Handling nulls in UserLicenseClaimsFactory

* Only setting Token if the flag is enabled
---
 .../UserLicenseClaimsFactory.cs               | 30 ++++++++++++++-----
 .../Services/Implementations/UserService.cs   |  3 ++
 2 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/src/Core/Billing/Licenses/Services/Implementations/UserLicenseClaimsFactory.cs b/src/Core/Billing/Licenses/Services/Implementations/UserLicenseClaimsFactory.cs
index 28c779c3d6..3b7b275469 100644
--- a/src/Core/Billing/Licenses/Services/Implementations/UserLicenseClaimsFactory.cs
+++ b/src/Core/Billing/Licenses/Services/Implementations/UserLicenseClaimsFactory.cs
@@ -12,26 +12,42 @@ public class UserLicenseClaimsFactory : ILicenseClaimsFactory<User>
     {
         var subscriptionInfo = licenseContext.SubscriptionInfo;
 
-        var expires = subscriptionInfo.UpcomingInvoice?.Date?.AddDays(7) ?? entity.PremiumExpirationDate?.AddDays(7);
-        var refresh = subscriptionInfo.UpcomingInvoice?.Date ?? entity.PremiumExpirationDate;
-        var trial = (subscriptionInfo.Subscription?.TrialEndDate.HasValue ?? false) &&
+        var expires = subscriptionInfo?.UpcomingInvoice?.Date?.AddDays(7) ?? entity.PremiumExpirationDate?.AddDays(7);
+        var refresh = subscriptionInfo?.UpcomingInvoice?.Date ?? entity.PremiumExpirationDate;
+        var trial = (subscriptionInfo?.Subscription?.TrialEndDate.HasValue ?? false) &&
                     subscriptionInfo.Subscription.TrialEndDate.Value > DateTime.UtcNow;
 
         var claims = new List<Claim>
         {
             new(nameof(UserLicenseConstants.LicenseType), LicenseType.User.ToString()),
-            new(nameof(UserLicenseConstants.LicenseKey), entity.LicenseKey),
             new(nameof(UserLicenseConstants.Id), entity.Id.ToString()),
             new(nameof(UserLicenseConstants.Name), entity.Name),
             new(nameof(UserLicenseConstants.Email), entity.Email),
             new(nameof(UserLicenseConstants.Premium), entity.Premium.ToString()),
-            new(nameof(UserLicenseConstants.MaxStorageGb), entity.MaxStorageGb.ToString()),
             new(nameof(UserLicenseConstants.Issued), DateTime.UtcNow.ToString(CultureInfo.InvariantCulture)),
-            new(nameof(UserLicenseConstants.Expires), expires.ToString()),
-            new(nameof(UserLicenseConstants.Refresh), refresh.ToString()),
             new(nameof(UserLicenseConstants.Trial), trial.ToString()),
         };
 
+        if (entity.LicenseKey is not null)
+        {
+            claims.Add(new(nameof(UserLicenseConstants.LicenseKey), entity.LicenseKey));
+        }
+
+        if (entity.MaxStorageGb is not null)
+        {
+            claims.Add(new(nameof(UserLicenseConstants.MaxStorageGb), entity.MaxStorageGb.ToString()));
+        }
+
+        if (expires is not null)
+        {
+            claims.Add(new(nameof(UserLicenseConstants.Expires), expires.ToString()));
+        }
+
+        if (refresh is not null)
+        {
+            claims.Add(new(nameof(UserLicenseConstants.Refresh), refresh.ToString()));
+        }
+
         return Task.FromResult(claims);
     }
 }
diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index a83375271e..281a14bc36 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -1143,7 +1143,10 @@ public class UserService : UserManager<User>, IUserService, IDisposable
             ? new UserLicense(user, _licenseService)
             : new UserLicense(user, subscriptionInfo, _licenseService);
 
+        if (_featureService.IsEnabled(FeatureFlagKeys.SelfHostLicenseRefactor))
+        {
         userLicense.Token = await _licenseService.CreateUserTokenAsync(user, subscriptionInfo);
+        }
 
         return userLicense;
     }

From 4871f0b9562f63a741a5024f5c1d2565b68a5bb5 Mon Sep 17 00:00:00 2001
From: Conner Turnbull <133619638+cturnbull-bitwarden@users.noreply.github.com>
Date: Fri, 3 Jan 2025 16:00:52 -0500
Subject: [PATCH 109/384] Ran `dotnet format` (#5218)

* Ran `dotnet format`

* Re-added usings
---
 src/Core/Services/Implementations/UserService.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index 281a14bc36..346d77aad4 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -1145,7 +1145,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
 
         if (_featureService.IsEnabled(FeatureFlagKeys.SelfHostLicenseRefactor))
         {
-        userLicense.Token = await _licenseService.CreateUserTokenAsync(user, subscriptionInfo);
+            userLicense.Token = await _licenseService.CreateUserTokenAsync(user, subscriptionInfo);
         }
 
         return userLicense;

From 066cd4655d204f06c0b47e5183f8f7e5b0e4c237 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 3 Jan 2025 17:33:57 -0500
Subject: [PATCH 110/384] [deps] BRE: Update codecov/codecov-action action to
 v5 (#5071)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 .github/workflows/test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5f3b9871bc..bc04137f9c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -77,7 +77,7 @@ jobs:
           fail-on-error: true
 
       - name: Upload to codecov.io
-        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
+        uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
         if: ${{ needs.check-test-secrets.outputs.available == 'true' }}
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

From ff846280e507ca75899142f35048aec54e8f206e Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Sun, 5 Jan 2025 11:14:38 +0100
Subject: [PATCH 111/384] [PM-16682] Provider setup tax information is not
 saved (#5211)

---
 .../Billing/ProviderBillingService.cs         | 31 ++++++++++++++-----
 .../Billing/ProviderBillingServiceTests.cs    | 29 +++++++++++++++++
 2 files changed, 53 insertions(+), 7 deletions(-)

diff --git a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
index a6bf62871f..57349042d1 100644
--- a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
+++ b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
@@ -32,7 +32,8 @@ public class ProviderBillingService(
     IProviderOrganizationRepository providerOrganizationRepository,
     IProviderPlanRepository providerPlanRepository,
     IStripeAdapter stripeAdapter,
-    ISubscriberService subscriberService) : IProviderBillingService
+    ISubscriberService subscriberService,
+    ITaxService taxService) : IProviderBillingService
 {
     public async Task ChangePlan(ChangeProviderPlanCommand command)
     {
@@ -335,14 +336,30 @@ public class ProviderBillingService(
             Metadata = new Dictionary<string, string>
             {
                 { "region", globalSettings.BaseServiceUri.CloudRegion }
-            },
-            TaxIdData = taxInfo.HasTaxId ?
-                [
-                    new CustomerTaxIdDataOptions { Type = taxInfo.TaxIdType, Value = taxInfo.TaxIdNumber }
-                ]
-                : null
+            }
         };
 
+        if (!string.IsNullOrEmpty(taxInfo.TaxIdNumber))
+        {
+            var taxIdType = taxService.GetStripeTaxCode(taxInfo.BillingAddressCountry,
+                taxInfo.TaxIdNumber);
+
+            if (taxIdType == null)
+            {
+                logger.LogWarning("Could not infer tax ID type in country '{Country}' with tax ID '{TaxID}'.",
+                    taxInfo.BillingAddressCountry,
+                    taxInfo.TaxIdNumber);
+                throw new BadRequestException("billingTaxIdTypeInferenceError");
+            }
+
+            customerCreateOptions.TaxIdData = taxInfo.HasTaxId
+                ?
+                [
+                    new CustomerTaxIdDataOptions { Type = taxIdType, Value = taxInfo.TaxIdNumber }
+                ]
+                : null;
+        }
+
         try
         {
             return await stripeAdapter.CustomerCreateAsync(customerCreateOptions);
diff --git a/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderBillingServiceTests.cs b/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderBillingServiceTests.cs
index 881a984554..3739603a2d 100644
--- a/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderBillingServiceTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderBillingServiceTests.cs
@@ -746,6 +746,12 @@ public class ProviderBillingServiceTests
     {
         provider.Name = "MSP";
 
+        sutProvider.GetDependency<ITaxService>()
+            .GetStripeTaxCode(Arg.Is<string>(
+                p => p == taxInfo.BillingAddressCountry),
+                Arg.Is<string>(p => p == taxInfo.TaxIdNumber))
+            .Returns(taxInfo.TaxIdType);
+
         taxInfo.BillingAddressCountry = "AD";
 
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
@@ -777,6 +783,29 @@ public class ProviderBillingServiceTests
         Assert.Equivalent(expected, actual);
     }
 
+    [Theory, BitAutoData]
+    public async Task SetupCustomer_Throws_BadRequestException_WhenTaxIdIsInvalid(
+        SutProvider<ProviderBillingService> sutProvider,
+        Provider provider,
+        TaxInfo taxInfo)
+    {
+        provider.Name = "MSP";
+
+        taxInfo.BillingAddressCountry = "AD";
+
+        sutProvider.GetDependency<ITaxService>()
+            .GetStripeTaxCode(Arg.Is<string>(
+                    p => p == taxInfo.BillingAddressCountry),
+                Arg.Is<string>(p => p == taxInfo.TaxIdNumber))
+            .Returns((string)null);
+
+        var actual = await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sutProvider.Sut.SetupCustomer(provider, taxInfo));
+
+        Assert.IsType<BadRequestException>(actual);
+        Assert.Equal("billingTaxIdTypeInferenceError", actual.Message);
+    }
+
     #endregion
 
     #region SetupSubscription

From 03feb038b795be0f1a26f174689b094d1f968d49 Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Mon, 6 Jan 2025 08:06:09 -0600
Subject: [PATCH 112/384] Changing the name of the menu item. (#5216)

---
 src/Admin/Views/Shared/_Layout.cshtml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Admin/Views/Shared/_Layout.cshtml b/src/Admin/Views/Shared/_Layout.cshtml
index b1f0a24420..939eb86b86 100644
--- a/src/Admin/Views/Shared/_Layout.cshtml
+++ b/src/Admin/Views/Shared/_Layout.cshtml
@@ -92,7 +92,7 @@
                                         @if (canPromoteAdmin)
                                         {
                                             <a class="dropdown-item" asp-controller="Tools" asp-action="PromoteAdmin">
-                                                Promote Admin
+                                                Promote Organization Admin
                                             </a>
                                         }
                                         @if (canPromoteProviderServiceUser)

From 217b86ba9e81e5e2f3f68f39fffa871bedccd890 Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Mon, 6 Jan 2025 10:34:52 -0600
Subject: [PATCH 113/384] Modified view and models to pull Provider Type from
 the provider table for The ProviderUserOrganizationDetailsViewQuery (#5215)

---
 ...rofileProviderOrganizationResponseModel.cs |  1 +
 .../ProviderUserOrganizationDetails.cs        |  1 +
 ...roviderUserOrganizationDetailsViewQuery.cs |  1 +
 ...derUserProviderOrganizationDetailsView.sql |  3 +-
 ...ProviderOrgDetailsView_AddProviderType.sql | 49 +++++++++++++++++++
 5 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 util/Migrator/DbScripts/2025-01-03_00_ProviderUserProviderOrgDetailsView_AddProviderType.sql

diff --git a/src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs b/src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs
index 7227d7a11a..211476dca1 100644
--- a/src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs
+++ b/src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs
@@ -43,6 +43,7 @@ public class ProfileProviderOrganizationResponseModel : ProfileOrganizationRespo
         UserId = organization.UserId;
         ProviderId = organization.ProviderId;
         ProviderName = organization.ProviderName;
+        ProviderType = organization.ProviderType;
         ProductTierType = StaticStore.GetPlan(organization.PlanType).ProductTier;
         LimitCollectionCreation = organization.LimitCollectionCreation;
         LimitCollectionDeletion = organization.LimitCollectionDeletion;
diff --git a/src/Core/AdminConsole/Models/Data/Provider/ProviderUserOrganizationDetails.cs b/src/Core/AdminConsole/Models/Data/Provider/ProviderUserOrganizationDetails.cs
index f37cc644d4..bd5592edfc 100644
--- a/src/Core/AdminConsole/Models/Data/Provider/ProviderUserOrganizationDetails.cs
+++ b/src/Core/AdminConsole/Models/Data/Provider/ProviderUserOrganizationDetails.cs
@@ -44,4 +44,5 @@ public class ProviderUserOrganizationDetails
     public bool LimitCollectionDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
     public bool UseRiskInsights { get; set; }
+    public ProviderType ProviderType { get; set; }
 }
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/ProviderUserOrganizationDetailsViewQuery.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/ProviderUserOrganizationDetailsViewQuery.cs
index 7d9974d117..3f3d3d389e 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/ProviderUserOrganizationDetailsViewQuery.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/ProviderUserOrganizationDetailsViewQuery.cs
@@ -48,6 +48,7 @@ public class ProviderUserOrganizationDetailsViewQuery : IQuery<ProviderUserOrgan
             LimitCollectionDeletion = x.o.LimitCollectionDeletion,
             AllowAdminAccessToAllCollectionItems = x.o.AllowAdminAccessToAllCollectionItems,
             UseRiskInsights = x.o.UseRiskInsights,
+            ProviderType = x.p.Type
         });
     }
 }
diff --git a/src/Sql/dbo/Views/ProviderUserProviderOrganizationDetailsView.sql b/src/Sql/dbo/Views/ProviderUserProviderOrganizationDetailsView.sql
index a6c96299c2..20b896b6ad 100644
--- a/src/Sql/dbo/Views/ProviderUserProviderOrganizationDetailsView.sql
+++ b/src/Sql/dbo/Views/ProviderUserProviderOrganizationDetailsView.sql
@@ -36,7 +36,8 @@ SELECT
     O.[LimitCollectionCreation],
     O.[LimitCollectionDeletion],
     O.[AllowAdminAccessToAllCollectionItems],
-    O.[UseRiskInsights]
+    O.[UseRiskInsights],
+    P.[Type] ProviderType
 FROM
     [dbo].[ProviderUser] PU
 INNER JOIN
diff --git a/util/Migrator/DbScripts/2025-01-03_00_ProviderUserProviderOrgDetailsView_AddProviderType.sql b/util/Migrator/DbScripts/2025-01-03_00_ProviderUserProviderOrgDetailsView_AddProviderType.sql
new file mode 100644
index 0000000000..aafef5a5b7
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-01-03_00_ProviderUserProviderOrgDetailsView_AddProviderType.sql
@@ -0,0 +1,49 @@
+CREATE OR ALTER VIEW [dbo].[ProviderUserProviderOrganizationDetailsView]
+AS
+SELECT
+    PU.[UserId],
+    PO.[OrganizationId],
+    O.[Name],
+    O.[Enabled],
+    O.[UsePolicies],
+    O.[UseSso],
+    O.[UseKeyConnector],
+    O.[UseScim],
+    O.[UseGroups],
+    O.[UseDirectory],
+    O.[UseEvents],
+    O.[UseTotp],
+    O.[Use2fa],
+    O.[UseApi],
+    O.[UseResetPassword],
+    O.[SelfHost],
+    O.[UsersGetPremium],
+    O.[UseCustomPermissions],
+    O.[Seats],
+    O.[MaxCollections],
+    O.[MaxStorageGb],
+    O.[Identifier],
+    PO.[Key],
+    O.[PublicKey],
+    O.[PrivateKey],
+    PU.[Status],
+    PU.[Type],
+    PO.[ProviderId],
+    PU.[Id] ProviderUserId,
+    P.[Name] ProviderName,
+    O.[PlanType],
+    O.[LimitCollectionCreationDeletion], -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863
+    O.[LimitCollectionCreation],
+    O.[LimitCollectionDeletion],
+    O.[AllowAdminAccessToAllCollectionItems],
+    O.[UseRiskInsights],
+    P.[Type] ProviderType
+FROM
+    [dbo].[ProviderUser] PU
+        INNER JOIN
+    [dbo].[ProviderOrganization] PO ON PO.[ProviderId] = PU.[ProviderId]
+        INNER JOIN
+    [dbo].[Organization] O ON O.[Id] = PO.[OrganizationId]
+        INNER JOIN
+    [dbo].[Provider] P ON P.[Id] = PU.[ProviderId]
+GO

From cd7c4bf6ce080cfe05ab89c2e6e14721065c2728 Mon Sep 17 00:00:00 2001
From: Addison Beck <addison@bitwarden.com>
Date: Mon, 6 Jan 2025 12:10:53 -0500
Subject: [PATCH 114/384] chore: move `Installation` and `Push` to platform's
 domain folders (#5085)

* chore: set up a `CODEOWNERS` space for platform

* chore: move sql objects for `Installation` to platform's domain

* chore: move `Installation` and `PushRelay` code to platform's domain
---
 .github/CODEOWNERS                            |  1 +
 src/Admin/Controllers/ToolsController.cs      |  1 +
 .../Controllers/InstallationsController.cs    |  8 +++-----
 .../Models}/InstallationRequestModel.cs       |  4 ++--
 .../Models}/InstallationResponseModel.cs      |  6 +++---
 .../Push}/Controllers/PushController.cs       |  8 ++++++--
 .../PaymentSucceededHandler.cs                |  1 +
 .../SubscriptionUpdatedHandler.cs             |  1 +
 .../UpdateOrganizationAuthRequestCommand.cs   |  1 +
 ...teManagedOrganizationUserAccountCommand.cs |  1 +
 .../RemoveOrganizationUserCommand.cs          |  1 +
 .../CloudOrganizationSignUpCommand.cs         |  1 +
 .../Implementations/OrganizationService.cs    |  1 +
 .../Implementations/AuthRequestService.cs     |  1 +
 .../TdeOffboardingPasswordCommand.cs          |  1 +
 .../RegenerateUserAsymmetricKeysCommand.cs    |  2 +-
 .../Implementations/RotateUserKeyCommand.cs   |  1 +
 .../NotificationHubPushNotificationService.cs |  2 +-
 .../NotificationHubPushRegistrationService.cs |  2 +-
 .../Cloud/CloudGetOrganizationLicenseQuery.cs |  2 +-
 .../Installations}/Entities/Installation.cs   |  7 ++++++-
 .../Repositories/IInstallationRepository.cs   | 19 +++++++++++++++++++
 .../AzureQueuePushNotificationService.cs      |  2 +-
 .../Services/IPushNotificationService.cs      |  2 +-
 .../Services/IPushRegistrationService.cs      |  2 +-
 .../MultiServicePushNotificationService.cs    |  2 +-
 .../Services}/NoopPushNotificationService.cs  |  2 +-
 .../Services}/NoopPushRegistrationService.cs  |  2 +-
 ...NotificationsApiPushNotificationService.cs |  4 +++-
 .../Services}/RelayPushNotificationService.cs |  3 ++-
 .../Services}/RelayPushRegistrationService.cs |  3 ++-
 .../Repositories/IInstallationRepository.cs   |  9 ---------
 .../Services/Implementations/DeviceService.cs |  1 +
 .../Services/Implementations/UserService.cs   |  1 +
 .../Services/Implementations/SendService.cs   |  1 +
 .../Services/Implementations/CipherService.cs |  1 +
 src/Identity/IdentityServer/ClientStore.cs    |  1 +
 .../DapperServiceCollectionExtensions.cs      |  2 ++
 .../Repositories/InstallationRepository.cs    | 14 +++++++++++---
 .../Models/OrganizationInstallation.cs        |  2 +-
 ...ityFrameworkServiceCollectionExtensions.cs |  2 ++
 .../Installations}/Models/Installation.cs     |  9 +++++----
 .../Repositories/InstallationRepository.cs    | 16 ++++++++++++++++
 .../Repositories/DatabaseContext.cs           |  1 +
 .../Repositories/InstallationRepository.cs    | 15 ---------------
 .../Utilities/ServiceCollectionExtensions.cs  |  2 ++
 .../Stored Procedures/Installation_Create.sql |  0
 .../Installation_DeleteById.sql               |  0
 .../Installation_ReadById.sql                 |  0
 .../Stored Procedures/Installation_Update.sql |  0
 .../dbo/Tables/Installation.sql               |  0
 .../dbo/Views/InstallationView.sql            |  0
 ...dateOrganizationAuthRequestCommandTests.cs |  1 +
 .../Auth/Services/AuthRequestServiceTests.cs  |  1 +
 ...egenerateUserAsymmetricKeysCommandTests.cs |  2 +-
 .../UserKey/RotateUserKeyCommandTests.cs      |  1 +
 ...ficationHubPushNotificationServiceTests.cs |  2 +-
 .../CloudGetOrganizationLicenseQueryTests.cs  |  3 +--
 .../AzureQueuePushNotificationServiceTests.cs |  5 ++---
 ...ultiServicePushNotificationServiceTests.cs |  3 +--
 ...icationsApiPushNotificationServiceTests.cs |  5 ++---
 .../RelayPushNotificationServiceTests.cs      |  3 +--
 .../RelayPushRegistrationServiceTests.cs      |  5 ++---
 test/Core.Test/Services/DeviceServiceTests.cs |  1 +
 test/Core.Test/Services/UserServiceTests.cs   |  1 +
 .../Tools/Services/SendServiceTests.cs        |  1 +
 .../Vault/Services/CipherServiceTests.cs      |  1 +
 .../Endpoints/IdentityServerTests.cs          |  3 ++-
 .../EntityFrameworkRepositoryFixtures.cs      |  1 +
 .../AutoFixture/InstallationFixtures.cs       | 10 +++++-----
 .../Repositories}/InstallationCompare.cs      |  4 ++--
 .../InstallationRepositoryTests.cs            | 19 +++++++++----------
 .../Factories/WebApplicationFactoryBase.cs    |  2 ++
 73 files changed, 152 insertions(+), 93 deletions(-)
 rename src/Api/{ => Platform/Installations}/Controllers/InstallationsController.cs (88%)
 rename src/Api/{Models/Request => Platform/Installations/Models}/InstallationRequestModel.cs (84%)
 rename src/Api/{Models/Response => Platform/Installations/Models}/InstallationResponseModel.cs (78%)
 rename src/Api/{ => Platform/Push}/Controllers/PushController.cs (94%)
 rename src/Core/{ => Platform/Installations}/Entities/Installation.cs (68%)
 create mode 100644 src/Core/Platform/Installations/Repositories/IInstallationRepository.cs
 rename src/Core/{Services/Implementations => Platform/Push/Services}/AzureQueuePushNotificationService.cs (99%)
 rename src/Core/{ => Platform/Push}/Services/IPushNotificationService.cs (97%)
 rename src/Core/{ => Platform/Push}/Services/IPushRegistrationService.cs (93%)
 rename src/Core/{Services/Implementations => Platform/Push/Services}/MultiServicePushNotificationService.cs (99%)
 rename src/Core/{Services/NoopImplementations => Platform/Push/Services}/NoopPushNotificationService.cs (98%)
 rename src/Core/{Services/NoopImplementations => Platform/Push/Services}/NoopPushRegistrationService.cs (94%)
 rename src/Core/{Services/Implementations => Platform/Push/Services}/NotificationsApiPushNotificationService.cs (97%)
 rename src/Core/{Services/Implementations => Platform/Push/Services}/RelayPushNotificationService.cs (99%)
 rename src/Core/{Services/Implementations => Platform/Push/Services}/RelayPushRegistrationService.cs (96%)
 delete mode 100644 src/Core/Repositories/IInstallationRepository.cs
 rename src/Infrastructure.Dapper/{ => Platform/Installations}/Repositories/InstallationRepository.cs (53%)
 rename src/Infrastructure.EntityFramework/{ => Platform/Installations}/Models/Installation.cs (70%)
 create mode 100644 src/Infrastructure.EntityFramework/Platform/Installations/Repositories/InstallationRepository.cs
 delete mode 100644 src/Infrastructure.EntityFramework/Repositories/InstallationRepository.cs
 rename src/Sql/{ => Platform}/dbo/Stored Procedures/Installation_Create.sql (100%)
 rename src/Sql/{ => Platform}/dbo/Stored Procedures/Installation_DeleteById.sql (100%)
 rename src/Sql/{ => Platform}/dbo/Stored Procedures/Installation_ReadById.sql (100%)
 rename src/Sql/{ => Platform}/dbo/Stored Procedures/Installation_Update.sql (100%)
 rename src/Sql/{ => Platform}/dbo/Tables/Installation.sql (100%)
 rename src/Sql/{ => Platform}/dbo/Views/InstallationView.sql (100%)
 rename test/Core.Test/{ => Platform/Push}/Services/AzureQueuePushNotificationServiceTests.cs (90%)
 rename test/Core.Test/{ => Platform/Push}/Services/MultiServicePushNotificationServiceTests.cs (96%)
 rename test/Core.Test/{ => Platform/Push}/Services/NotificationsApiPushNotificationServiceTests.cs (93%)
 rename test/Core.Test/{ => Platform/Push}/Services/RelayPushNotificationServiceTests.cs (95%)
 rename test/Core.Test/{ => Platform/Push}/Services/RelayPushRegistrationServiceTests.cs (91%)
 rename test/Infrastructure.EFIntegration.Test/{Repositories/EqualityComparers => Platform/Installations/Repositories}/InstallationCompare.cs (78%)
 rename test/Infrastructure.EFIntegration.Test/{ => Platform/Installations}/Repositories/InstallationRepositoryTests.cs (64%)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 9784e1f9ab..11e79590f2 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -71,6 +71,7 @@ src/Admin/Views/Tools @bitwarden/team-billing-dev
 .github/workflows/repository-management.yml @bitwarden/team-platform-dev
 .github/workflows/test-database.yml @bitwarden/team-platform-dev
 .github/workflows/test.yml @bitwarden/team-platform-dev
+**/*Platform* @bitwarden/team-platform-dev
 
 # Multiple owners - DO NOT REMOVE (BRE)
 **/packages.lock.json
diff --git a/src/Admin/Controllers/ToolsController.cs b/src/Admin/Controllers/ToolsController.cs
index ea91d01cb8..45319cf79c 100644
--- a/src/Admin/Controllers/ToolsController.cs
+++ b/src/Admin/Controllers/ToolsController.cs
@@ -9,6 +9,7 @@ using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Entities;
 using Bit.Core.Models.BitStripe;
 using Bit.Core.OrganizationFeatures.OrganizationLicenses.Interfaces;
+using Bit.Core.Platform.Installations;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
diff --git a/src/Api/Controllers/InstallationsController.cs b/src/Api/Platform/Installations/Controllers/InstallationsController.cs
similarity index 88%
rename from src/Api/Controllers/InstallationsController.cs
rename to src/Api/Platform/Installations/Controllers/InstallationsController.cs
index a2eeebab37..a9ba4e6c02 100644
--- a/src/Api/Controllers/InstallationsController.cs
+++ b/src/Api/Platform/Installations/Controllers/InstallationsController.cs
@@ -1,12 +1,10 @@
-using Bit.Api.Models.Request;
-using Bit.Api.Models.Response;
-using Bit.Core.Exceptions;
-using Bit.Core.Repositories;
+using Bit.Core.Exceptions;
+using Bit.Core.Platform.Installations;
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
-namespace Bit.Api.Controllers;
+namespace Bit.Api.Platform.Installations;
 
 [Route("installations")]
 [SelfHosted(NotSelfHostedOnly = true)]
diff --git a/src/Api/Models/Request/InstallationRequestModel.cs b/src/Api/Platform/Installations/Models/InstallationRequestModel.cs
similarity index 84%
rename from src/Api/Models/Request/InstallationRequestModel.cs
rename to src/Api/Platform/Installations/Models/InstallationRequestModel.cs
index 65b542e62e..242701a66f 100644
--- a/src/Api/Models/Request/InstallationRequestModel.cs
+++ b/src/Api/Platform/Installations/Models/InstallationRequestModel.cs
@@ -1,8 +1,8 @@
 using System.ComponentModel.DataAnnotations;
-using Bit.Core.Entities;
+using Bit.Core.Platform.Installations;
 using Bit.Core.Utilities;
 
-namespace Bit.Api.Models.Request;
+namespace Bit.Api.Platform.Installations;
 
 public class InstallationRequestModel
 {
diff --git a/src/Api/Models/Response/InstallationResponseModel.cs b/src/Api/Platform/Installations/Models/InstallationResponseModel.cs
similarity index 78%
rename from src/Api/Models/Response/InstallationResponseModel.cs
rename to src/Api/Platform/Installations/Models/InstallationResponseModel.cs
index 2fdc55d847..0be5795275 100644
--- a/src/Api/Models/Response/InstallationResponseModel.cs
+++ b/src/Api/Platform/Installations/Models/InstallationResponseModel.cs
@@ -1,7 +1,7 @@
-using Bit.Core.Entities;
-using Bit.Core.Models.Api;
+using Bit.Core.Models.Api;
+using Bit.Core.Platform.Installations;
 
-namespace Bit.Api.Models.Response;
+namespace Bit.Api.Platform.Installations;
 
 public class InstallationResponseModel : ResponseModel
 {
diff --git a/src/Api/Controllers/PushController.cs b/src/Api/Platform/Push/Controllers/PushController.cs
similarity index 94%
rename from src/Api/Controllers/PushController.cs
rename to src/Api/Platform/Push/Controllers/PushController.cs
index 3839805106..4b9f1c3e11 100644
--- a/src/Api/Controllers/PushController.cs
+++ b/src/Api/Platform/Push/Controllers/PushController.cs
@@ -1,14 +1,18 @@
 using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Api;
-using Bit.Core.Services;
+using Bit.Core.Platform.Push;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
-namespace Bit.Api.Controllers;
+namespace Bit.Api.Platform.Push;
 
+/// <summary>
+/// Routes for push relay: functionality that facilitates communication
+/// between self hosted organizations and Bitwarden cloud.
+/// </summary>
 [Route("push")]
 [Authorize("Push")]
 [SelfHosted(NotSelfHostedOnly = true)]
diff --git a/src/Billing/Services/Implementations/PaymentSucceededHandler.cs b/src/Billing/Services/Implementations/PaymentSucceededHandler.cs
index 49578187f9..b16baea52e 100644
--- a/src/Billing/Services/Implementations/PaymentSucceededHandler.cs
+++ b/src/Billing/Services/Implementations/PaymentSucceededHandler.cs
@@ -2,6 +2,7 @@
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Context;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Tools.Enums;
diff --git a/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs b/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs
index d49b22b7fb..6b4fef43d1 100644
--- a/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs
+++ b/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs
@@ -1,5 +1,6 @@
 using Bit.Billing.Constants;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
diff --git a/src/Core/AdminConsole/OrganizationAuth/UpdateOrganizationAuthRequestCommand.cs b/src/Core/AdminConsole/OrganizationAuth/UpdateOrganizationAuthRequestCommand.cs
index 407ca61c4d..af966a6e16 100644
--- a/src/Core/AdminConsole/OrganizationAuth/UpdateOrganizationAuthRequestCommand.cs
+++ b/src/Core/AdminConsole/OrganizationAuth/UpdateOrganizationAuthRequestCommand.cs
@@ -7,6 +7,7 @@ using Bit.Core.Auth.Models.Api.Request.AuthRequest;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Services;
 using Bit.Core.Enums;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommand.cs
index cb7e2a6250..010f5de9bf 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommand.cs
@@ -4,6 +4,7 @@ using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Tools.Enums;
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs
index e45f109df1..9375a231ec 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs
@@ -3,6 +3,7 @@ using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Organizations/CloudOrganizationSignUpCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/Organizations/CloudOrganizationSignUpCommand.cs
index 3eb4d35ef1..df841adf42 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Organizations/CloudOrganizationSignUpCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Organizations/CloudOrganizationSignUpCommand.cs
@@ -11,6 +11,7 @@ using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.Models.Data;
 using Bit.Core.Models.StaticStore;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Tools.Enums;
diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index 1cf22b23ad..9d178697ac 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -27,6 +27,7 @@ using Bit.Core.Models.Data;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Models.Mail;
 using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
 using Bit.Core.Tokens;
diff --git a/src/Core/Auth/Services/Implementations/AuthRequestService.cs b/src/Core/Auth/Services/Implementations/AuthRequestService.cs
index a27112425b..f83c5de1f6 100644
--- a/src/Core/Auth/Services/Implementations/AuthRequestService.cs
+++ b/src/Core/Auth/Services/Implementations/AuthRequestService.cs
@@ -7,6 +7,7 @@ using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
diff --git a/src/Core/Auth/UserFeatures/TdeOffboardingPassword/TdeOffboardingPasswordCommand.cs b/src/Core/Auth/UserFeatures/TdeOffboardingPassword/TdeOffboardingPasswordCommand.cs
index d33db18e44..8ef586ab51 100644
--- a/src/Core/Auth/UserFeatures/TdeOffboardingPassword/TdeOffboardingPasswordCommand.cs
+++ b/src/Core/Auth/UserFeatures/TdeOffboardingPassword/TdeOffboardingPasswordCommand.cs
@@ -3,6 +3,7 @@ using Bit.Core.Auth.UserFeatures.TdeOffboardingPassword.Interfaces;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Microsoft.AspNetCore.Identity;
diff --git a/src/Core/KeyManagement/Commands/RegenerateUserAsymmetricKeysCommand.cs b/src/Core/KeyManagement/Commands/RegenerateUserAsymmetricKeysCommand.cs
index a54223f685..9b93d44182 100644
--- a/src/Core/KeyManagement/Commands/RegenerateUserAsymmetricKeysCommand.cs
+++ b/src/Core/KeyManagement/Commands/RegenerateUserAsymmetricKeysCommand.cs
@@ -8,7 +8,7 @@ using Bit.Core.Exceptions;
 using Bit.Core.KeyManagement.Commands.Interfaces;
 using Bit.Core.KeyManagement.Models.Data;
 using Bit.Core.KeyManagement.Repositories;
-using Bit.Core.Services;
+using Bit.Core.Platform.Push;
 using Microsoft.Extensions.Logging;
 
 namespace Bit.Core.KeyManagement.Commands;
diff --git a/src/Core/KeyManagement/UserKey/Implementations/RotateUserKeyCommand.cs b/src/Core/KeyManagement/UserKey/Implementations/RotateUserKeyCommand.cs
index 68b2c60293..8cece5f762 100644
--- a/src/Core/KeyManagement/UserKey/Implementations/RotateUserKeyCommand.cs
+++ b/src/Core/KeyManagement/UserKey/Implementations/RotateUserKeyCommand.cs
@@ -1,6 +1,7 @@
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Entities;
 using Bit.Core.KeyManagement.Models.Data;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Tools.Repositories;
diff --git a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
index 7438e812e0..67faff619d 100644
--- a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
+++ b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
@@ -6,8 +6,8 @@ using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Models;
 using Bit.Core.Models.Data;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.Core.Tools.Entities;
 using Bit.Core.Vault.Entities;
 using Microsoft.AspNetCore.Http;
diff --git a/src/Core/NotificationHub/NotificationHubPushRegistrationService.cs b/src/Core/NotificationHub/NotificationHubPushRegistrationService.cs
index 123152c01c..180b2b641b 100644
--- a/src/Core/NotificationHub/NotificationHubPushRegistrationService.cs
+++ b/src/Core/NotificationHub/NotificationHubPushRegistrationService.cs
@@ -1,7 +1,7 @@
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.Core.Settings;
 using Microsoft.Azure.NotificationHubs;
 using Microsoft.Extensions.Logging;
diff --git a/src/Core/OrganizationFeatures/OrganizationLicenses/Cloud/CloudGetOrganizationLicenseQuery.cs b/src/Core/OrganizationFeatures/OrganizationLicenses/Cloud/CloudGetOrganizationLicenseQuery.cs
index d7782fcd98..53050c7824 100644
--- a/src/Core/OrganizationFeatures/OrganizationLicenses/Cloud/CloudGetOrganizationLicenseQuery.cs
+++ b/src/Core/OrganizationFeatures/OrganizationLicenses/Cloud/CloudGetOrganizationLicenseQuery.cs
@@ -4,7 +4,7 @@ using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.OrganizationFeatures.OrganizationLicenses.Interfaces;
-using Bit.Core.Repositories;
+using Bit.Core.Platform.Installations;
 using Bit.Core.Services;
 
 namespace Bit.Core.OrganizationFeatures.OrganizationLicenses;
diff --git a/src/Core/Entities/Installation.cs b/src/Core/Platform/Installations/Entities/Installation.cs
similarity index 68%
rename from src/Core/Entities/Installation.cs
rename to src/Core/Platform/Installations/Entities/Installation.cs
index ff30236d3d..63aa5d1e24 100644
--- a/src/Core/Entities/Installation.cs
+++ b/src/Core/Platform/Installations/Entities/Installation.cs
@@ -1,10 +1,15 @@
 using System.ComponentModel.DataAnnotations;
+using Bit.Core.Entities;
 using Bit.Core.Utilities;
 
 #nullable enable
 
-namespace Bit.Core.Entities;
+namespace Bit.Core.Platform.Installations;
 
+/// <summary>
+/// The base entity for the SQL table `dbo.Installation`. Used to store
+/// information pertinent to self hosted Bitwarden installations.
+/// </summary>
 public class Installation : ITableObject<Guid>
 {
     public Guid Id { get; set; }
diff --git a/src/Core/Platform/Installations/Repositories/IInstallationRepository.cs b/src/Core/Platform/Installations/Repositories/IInstallationRepository.cs
new file mode 100644
index 0000000000..5303eb04e6
--- /dev/null
+++ b/src/Core/Platform/Installations/Repositories/IInstallationRepository.cs
@@ -0,0 +1,19 @@
+using Bit.Core.Repositories;
+
+#nullable enable
+
+namespace Bit.Core.Platform.Installations;
+
+/// <summary>
+/// The CRUD repository interface for communicating with `dbo.Installation`,
+/// which is used to store information pertinent to self-hosted
+/// installations.
+/// </summary>
+/// <remarks>
+/// This interface is implemented by `InstallationRepository` in the Dapper
+/// and Entity Framework projects.
+/// </remarks>
+/// <seealso cref="T:Bit.Infrastructure.Dapper.Platform.Installations.Repositories.InstallationRepository"/>
+public interface IInstallationRepository : IRepository<Installation, Guid>
+{
+}
diff --git a/src/Core/Services/Implementations/AzureQueuePushNotificationService.cs b/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
similarity index 99%
rename from src/Core/Services/Implementations/AzureQueuePushNotificationService.cs
rename to src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
index 3daadebf3a..332b322be6 100644
--- a/src/Core/Services/Implementations/AzureQueuePushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
@@ -11,7 +11,7 @@ using Bit.Core.Utilities;
 using Bit.Core.Vault.Entities;
 using Microsoft.AspNetCore.Http;
 
-namespace Bit.Core.Services;
+namespace Bit.Core.Platform.Push.Internal;
 
 public class AzureQueuePushNotificationService : IPushNotificationService
 {
diff --git a/src/Core/Services/IPushNotificationService.cs b/src/Core/Platform/Push/Services/IPushNotificationService.cs
similarity index 97%
rename from src/Core/Services/IPushNotificationService.cs
rename to src/Core/Platform/Push/Services/IPushNotificationService.cs
index 6e2e47e27f..986b54b6d9 100644
--- a/src/Core/Services/IPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/IPushNotificationService.cs
@@ -4,7 +4,7 @@ using Bit.Core.Enums;
 using Bit.Core.Tools.Entities;
 using Bit.Core.Vault.Entities;
 
-namespace Bit.Core.Services;
+namespace Bit.Core.Platform.Push;
 
 public interface IPushNotificationService
 {
diff --git a/src/Core/Services/IPushRegistrationService.cs b/src/Core/Platform/Push/Services/IPushRegistrationService.cs
similarity index 93%
rename from src/Core/Services/IPushRegistrationService.cs
rename to src/Core/Platform/Push/Services/IPushRegistrationService.cs
index 985246de0c..482e7ae1c4 100644
--- a/src/Core/Services/IPushRegistrationService.cs
+++ b/src/Core/Platform/Push/Services/IPushRegistrationService.cs
@@ -1,6 +1,6 @@
 using Bit.Core.Enums;
 
-namespace Bit.Core.Services;
+namespace Bit.Core.Platform.Push;
 
 public interface IPushRegistrationService
 {
diff --git a/src/Core/Services/Implementations/MultiServicePushNotificationService.cs b/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
similarity index 99%
rename from src/Core/Services/Implementations/MultiServicePushNotificationService.cs
rename to src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
index 185a11adbb..a291aa037f 100644
--- a/src/Core/Services/Implementations/MultiServicePushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
@@ -7,7 +7,7 @@ using Bit.Core.Vault.Entities;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 
-namespace Bit.Core.Services;
+namespace Bit.Core.Platform.Push.Internal;
 
 public class MultiServicePushNotificationService : IPushNotificationService
 {
diff --git a/src/Core/Services/NoopImplementations/NoopPushNotificationService.cs b/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
similarity index 98%
rename from src/Core/Services/NoopImplementations/NoopPushNotificationService.cs
rename to src/Core/Platform/Push/Services/NoopPushNotificationService.cs
index b5e2616220..6d5fbfd9a4 100644
--- a/src/Core/Services/NoopImplementations/NoopPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
@@ -4,7 +4,7 @@ using Bit.Core.Enums;
 using Bit.Core.Tools.Entities;
 using Bit.Core.Vault.Entities;
 
-namespace Bit.Core.Services;
+namespace Bit.Core.Platform.Push.Internal;
 
 public class NoopPushNotificationService : IPushNotificationService
 {
diff --git a/src/Core/Services/NoopImplementations/NoopPushRegistrationService.cs b/src/Core/Platform/Push/Services/NoopPushRegistrationService.cs
similarity index 94%
rename from src/Core/Services/NoopImplementations/NoopPushRegistrationService.cs
rename to src/Core/Platform/Push/Services/NoopPushRegistrationService.cs
index f6279c9467..6d1716a6ce 100644
--- a/src/Core/Services/NoopImplementations/NoopPushRegistrationService.cs
+++ b/src/Core/Platform/Push/Services/NoopPushRegistrationService.cs
@@ -1,6 +1,6 @@
 using Bit.Core.Enums;
 
-namespace Bit.Core.Services;
+namespace Bit.Core.Platform.Push.Internal;
 
 public class NoopPushRegistrationService : IPushRegistrationService
 {
diff --git a/src/Core/Services/Implementations/NotificationsApiPushNotificationService.cs b/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
similarity index 97%
rename from src/Core/Services/Implementations/NotificationsApiPushNotificationService.cs
rename to src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
index feec75fbe0..adf6d829e7 100644
--- a/src/Core/Services/Implementations/NotificationsApiPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
@@ -3,13 +3,15 @@ using Bit.Core.Auth.Entities;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Models;
+using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Tools.Entities;
 using Bit.Core.Vault.Entities;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Logging;
 
-namespace Bit.Core.Services;
+// This service is not in the `Internal` namespace because it has direct external references.
+namespace Bit.Core.Platform.Push;
 
 public class NotificationsApiPushNotificationService : BaseIdentityClientService, IPushNotificationService
 {
diff --git a/src/Core/Services/Implementations/RelayPushNotificationService.cs b/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
similarity index 99%
rename from src/Core/Services/Implementations/RelayPushNotificationService.cs
rename to src/Core/Platform/Push/Services/RelayPushNotificationService.cs
index d725296779..93db0c0c5b 100644
--- a/src/Core/Services/Implementations/RelayPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
@@ -6,13 +6,14 @@ using Bit.Core.IdentityServer;
 using Bit.Core.Models;
 using Bit.Core.Models.Api;
 using Bit.Core.Repositories;
+using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Tools.Entities;
 using Bit.Core.Vault.Entities;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Logging;
 
-namespace Bit.Core.Services;
+namespace Bit.Core.Platform.Push.Internal;
 
 public class RelayPushNotificationService : BaseIdentityClientService, IPushNotificationService
 {
diff --git a/src/Core/Services/Implementations/RelayPushRegistrationService.cs b/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs
similarity index 96%
rename from src/Core/Services/Implementations/RelayPushRegistrationService.cs
rename to src/Core/Platform/Push/Services/RelayPushRegistrationService.cs
index d0f7736e98..a42a831266 100644
--- a/src/Core/Services/Implementations/RelayPushRegistrationService.cs
+++ b/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs
@@ -1,10 +1,11 @@
 using Bit.Core.Enums;
 using Bit.Core.IdentityServer;
 using Bit.Core.Models.Api;
+using Bit.Core.Services;
 using Bit.Core.Settings;
 using Microsoft.Extensions.Logging;
 
-namespace Bit.Core.Services;
+namespace Bit.Core.Platform.Push.Internal;
 
 public class RelayPushRegistrationService : BaseIdentityClientService, IPushRegistrationService
 {
diff --git a/src/Core/Repositories/IInstallationRepository.cs b/src/Core/Repositories/IInstallationRepository.cs
deleted file mode 100644
index f9c7d85edf..0000000000
--- a/src/Core/Repositories/IInstallationRepository.cs
+++ /dev/null
@@ -1,9 +0,0 @@
-using Bit.Core.Entities;
-
-#nullable enable
-
-namespace Bit.Core.Repositories;
-
-public interface IInstallationRepository : IRepository<Installation, Guid>
-{
-}
diff --git a/src/Core/Services/Implementations/DeviceService.cs b/src/Core/Services/Implementations/DeviceService.cs
index 638e4c5e07..afbc574417 100644
--- a/src/Core/Services/Implementations/DeviceService.cs
+++ b/src/Core/Services/Implementations/DeviceService.cs
@@ -2,6 +2,7 @@
 using Bit.Core.Auth.Utilities;
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 
 namespace Bit.Core.Services;
diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index 346d77aad4..4d2cb45d93 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -18,6 +18,7 @@ using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
 using Bit.Core.Tokens;
diff --git a/src/Core/Tools/Services/Implementations/SendService.cs b/src/Core/Tools/Services/Implementations/SendService.cs
index fad941362b..918379d7a5 100644
--- a/src/Core/Tools/Services/Implementations/SendService.cs
+++ b/src/Core/Tools/Services/Implementations/SendService.cs
@@ -6,6 +6,7 @@ using Bit.Core.AdminConsole.Services;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
diff --git a/src/Core/Vault/Services/Implementations/CipherService.cs b/src/Core/Vault/Services/Implementations/CipherService.cs
index d6947b5412..d6806bd115 100644
--- a/src/Core/Vault/Services/Implementations/CipherService.cs
+++ b/src/Core/Vault/Services/Implementations/CipherService.cs
@@ -5,6 +5,7 @@ using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
diff --git a/src/Identity/IdentityServer/ClientStore.cs b/src/Identity/IdentityServer/ClientStore.cs
index 3f1c1c2fd4..c204e364ce 100644
--- a/src/Identity/IdentityServer/ClientStore.cs
+++ b/src/Identity/IdentityServer/ClientStore.cs
@@ -5,6 +5,7 @@ using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Identity;
 using Bit.Core.IdentityServer;
+using Bit.Core.Platform.Installations;
 using Bit.Core.Repositories;
 using Bit.Core.SecretsManager.Models.Data;
 using Bit.Core.SecretsManager.Repositories;
diff --git a/src/Infrastructure.Dapper/DapperServiceCollectionExtensions.cs b/src/Infrastructure.Dapper/DapperServiceCollectionExtensions.cs
index 834f681d28..93814a6d7f 100644
--- a/src/Infrastructure.Dapper/DapperServiceCollectionExtensions.cs
+++ b/src/Infrastructure.Dapper/DapperServiceCollectionExtensions.cs
@@ -3,6 +3,7 @@ using Bit.Core.Auth.Repositories;
 using Bit.Core.Billing.Repositories;
 using Bit.Core.KeyManagement.Repositories;
 using Bit.Core.NotificationCenter.Repositories;
+using Bit.Core.Platform.Installations;
 using Bit.Core.Repositories;
 using Bit.Core.SecretsManager.Repositories;
 using Bit.Core.Tools.Repositories;
@@ -12,6 +13,7 @@ using Bit.Infrastructure.Dapper.Auth.Repositories;
 using Bit.Infrastructure.Dapper.Billing.Repositories;
 using Bit.Infrastructure.Dapper.KeyManagement.Repositories;
 using Bit.Infrastructure.Dapper.NotificationCenter.Repositories;
+using Bit.Infrastructure.Dapper.Platform;
 using Bit.Infrastructure.Dapper.Repositories;
 using Bit.Infrastructure.Dapper.SecretsManager.Repositories;
 using Bit.Infrastructure.Dapper.Tools.Repositories;
diff --git a/src/Infrastructure.Dapper/Repositories/InstallationRepository.cs b/src/Infrastructure.Dapper/Platform/Installations/Repositories/InstallationRepository.cs
similarity index 53%
rename from src/Infrastructure.Dapper/Repositories/InstallationRepository.cs
rename to src/Infrastructure.Dapper/Platform/Installations/Repositories/InstallationRepository.cs
index ae10932699..41ca18950a 100644
--- a/src/Infrastructure.Dapper/Repositories/InstallationRepository.cs
+++ b/src/Infrastructure.Dapper/Platform/Installations/Repositories/InstallationRepository.cs
@@ -1,11 +1,19 @@
-using Bit.Core.Entities;
-using Bit.Core.Repositories;
+using Bit.Core.Platform.Installations;
 using Bit.Core.Settings;
+using Bit.Infrastructure.Dapper.Repositories;
 
 #nullable enable
 
-namespace Bit.Infrastructure.Dapper.Repositories;
+namespace Bit.Infrastructure.Dapper.Platform;
 
+/// <summary>
+/// The CRUD repository for communicating with `dbo.Installation`.
+/// </summary>
+/// <remarks>
+/// If referencing: you probably want the interface `IInstallationRepository`
+/// instead of directly calling this class.
+/// </remarks>
+/// <seealso cref="IInstallationRepository"/>
 public class InstallationRepository : Repository<Installation, Guid>, IInstallationRepository
 {
     public InstallationRepository(GlobalSettings globalSettings)
diff --git a/src/Infrastructure.EntityFramework/Billing/Models/OrganizationInstallation.cs b/src/Infrastructure.EntityFramework/Billing/Models/OrganizationInstallation.cs
index 2f00768206..c59a2accba 100644
--- a/src/Infrastructure.EntityFramework/Billing/Models/OrganizationInstallation.cs
+++ b/src/Infrastructure.EntityFramework/Billing/Models/OrganizationInstallation.cs
@@ -1,6 +1,6 @@
 using AutoMapper;
 using Bit.Infrastructure.EntityFramework.AdminConsole.Models;
-using Bit.Infrastructure.EntityFramework.Models;
+using Bit.Infrastructure.EntityFramework.Platform;
 
 namespace Bit.Infrastructure.EntityFramework.Billing.Models;
 
diff --git a/src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs b/src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs
index b2eefe4523..f3b96c201b 100644
--- a/src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs
+++ b/src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs
@@ -4,6 +4,7 @@ using Bit.Core.Billing.Repositories;
 using Bit.Core.Enums;
 using Bit.Core.KeyManagement.Repositories;
 using Bit.Core.NotificationCenter.Repositories;
+using Bit.Core.Platform.Installations;
 using Bit.Core.Repositories;
 using Bit.Core.SecretsManager.Repositories;
 using Bit.Core.Tools.Repositories;
@@ -13,6 +14,7 @@ using Bit.Infrastructure.EntityFramework.Auth.Repositories;
 using Bit.Infrastructure.EntityFramework.Billing.Repositories;
 using Bit.Infrastructure.EntityFramework.KeyManagement.Repositories;
 using Bit.Infrastructure.EntityFramework.NotificationCenter.Repositories;
+using Bit.Infrastructure.EntityFramework.Platform;
 using Bit.Infrastructure.EntityFramework.Repositories;
 using Bit.Infrastructure.EntityFramework.SecretsManager.Repositories;
 using Bit.Infrastructure.EntityFramework.Tools.Repositories;
diff --git a/src/Infrastructure.EntityFramework/Models/Installation.cs b/src/Infrastructure.EntityFramework/Platform/Installations/Models/Installation.cs
similarity index 70%
rename from src/Infrastructure.EntityFramework/Models/Installation.cs
rename to src/Infrastructure.EntityFramework/Platform/Installations/Models/Installation.cs
index c38680a23c..96b60a39ed 100644
--- a/src/Infrastructure.EntityFramework/Models/Installation.cs
+++ b/src/Infrastructure.EntityFramework/Platform/Installations/Models/Installation.cs
@@ -1,8 +1,9 @@
 using AutoMapper;
+using C = Bit.Core.Platform.Installations;
 
-namespace Bit.Infrastructure.EntityFramework.Models;
+namespace Bit.Infrastructure.EntityFramework.Platform;
 
-public class Installation : Core.Entities.Installation
+public class Installation : C.Installation
 {
     // Shadow property - to be introduced by https://bitwarden.atlassian.net/browse/PM-11129
     // This isn't a value or entity used by self hosted servers, but it's
@@ -14,10 +15,10 @@ public class InstallationMapperProfile : Profile
 {
     public InstallationMapperProfile()
     {
-        CreateMap<Core.Entities.Installation, Installation>()
+        CreateMap<C.Installation, Installation>()
             // Shadow property - to be introduced by https://bitwarden.atlassian.net/browse/PM-11129
             .ForMember(i => i.LastActivityDate, opt => opt.Ignore())
             .ReverseMap();
-        CreateMap<Core.Entities.Installation, Installation>().ReverseMap();
+        CreateMap<C.Installation, Installation>().ReverseMap();
     }
 }
diff --git a/src/Infrastructure.EntityFramework/Platform/Installations/Repositories/InstallationRepository.cs b/src/Infrastructure.EntityFramework/Platform/Installations/Repositories/InstallationRepository.cs
new file mode 100644
index 0000000000..255cc76cf2
--- /dev/null
+++ b/src/Infrastructure.EntityFramework/Platform/Installations/Repositories/InstallationRepository.cs
@@ -0,0 +1,16 @@
+using AutoMapper;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.Extensions.DependencyInjection;
+using C = Bit.Core.Platform.Installations;
+using Ef = Bit.Infrastructure.EntityFramework.Platform;
+
+#nullable enable
+
+namespace Bit.Infrastructure.EntityFramework.Platform;
+
+public class InstallationRepository : Repository<C.Installation, Ef.Installation, Guid>, C.IInstallationRepository
+{
+    public InstallationRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper)
+        : base(serviceScopeFactory, mapper, (DatabaseContext context) => context.Installations)
+    { }
+}
diff --git a/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs b/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
index 24ef2ab269..dd1b97b4f2 100644
--- a/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
+++ b/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
@@ -6,6 +6,7 @@ using Bit.Infrastructure.EntityFramework.Billing.Models;
 using Bit.Infrastructure.EntityFramework.Converters;
 using Bit.Infrastructure.EntityFramework.Models;
 using Bit.Infrastructure.EntityFramework.NotificationCenter.Models;
+using Bit.Infrastructure.EntityFramework.Platform;
 using Bit.Infrastructure.EntityFramework.SecretsManager.Models;
 using Bit.Infrastructure.EntityFramework.Tools.Models;
 using Bit.Infrastructure.EntityFramework.Vault.Models;
diff --git a/src/Infrastructure.EntityFramework/Repositories/InstallationRepository.cs b/src/Infrastructure.EntityFramework/Repositories/InstallationRepository.cs
deleted file mode 100644
index 64777a384b..0000000000
--- a/src/Infrastructure.EntityFramework/Repositories/InstallationRepository.cs
+++ /dev/null
@@ -1,15 +0,0 @@
-using AutoMapper;
-using Bit.Core.Repositories;
-using Bit.Infrastructure.EntityFramework.Models;
-using Microsoft.Extensions.DependencyInjection;
-
-#nullable enable
-
-namespace Bit.Infrastructure.EntityFramework.Repositories;
-
-public class InstallationRepository : Repository<Core.Entities.Installation, Installation, Guid>, IInstallationRepository
-{
-    public InstallationRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper)
-        : base(serviceScopeFactory, mapper, (DatabaseContext context) => context.Installations)
-    { }
-}
diff --git a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
index 85bd0301c3..46f8293d3e 100644
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@@ -30,6 +30,8 @@ using Bit.Core.KeyManagement;
 using Bit.Core.NotificationCenter;
 using Bit.Core.NotificationHub;
 using Bit.Core.OrganizationFeatures;
+using Bit.Core.Platform.Push;
+using Bit.Core.Platform.Push.Internal;
 using Bit.Core.Repositories;
 using Bit.Core.Resources;
 using Bit.Core.SecretsManager.Repositories;
diff --git a/src/Sql/dbo/Stored Procedures/Installation_Create.sql b/src/Sql/Platform/dbo/Stored Procedures/Installation_Create.sql
similarity index 100%
rename from src/Sql/dbo/Stored Procedures/Installation_Create.sql
rename to src/Sql/Platform/dbo/Stored Procedures/Installation_Create.sql
diff --git a/src/Sql/dbo/Stored Procedures/Installation_DeleteById.sql b/src/Sql/Platform/dbo/Stored Procedures/Installation_DeleteById.sql
similarity index 100%
rename from src/Sql/dbo/Stored Procedures/Installation_DeleteById.sql
rename to src/Sql/Platform/dbo/Stored Procedures/Installation_DeleteById.sql
diff --git a/src/Sql/dbo/Stored Procedures/Installation_ReadById.sql b/src/Sql/Platform/dbo/Stored Procedures/Installation_ReadById.sql
similarity index 100%
rename from src/Sql/dbo/Stored Procedures/Installation_ReadById.sql
rename to src/Sql/Platform/dbo/Stored Procedures/Installation_ReadById.sql
diff --git a/src/Sql/dbo/Stored Procedures/Installation_Update.sql b/src/Sql/Platform/dbo/Stored Procedures/Installation_Update.sql
similarity index 100%
rename from src/Sql/dbo/Stored Procedures/Installation_Update.sql
rename to src/Sql/Platform/dbo/Stored Procedures/Installation_Update.sql
diff --git a/src/Sql/dbo/Tables/Installation.sql b/src/Sql/Platform/dbo/Tables/Installation.sql
similarity index 100%
rename from src/Sql/dbo/Tables/Installation.sql
rename to src/Sql/Platform/dbo/Tables/Installation.sql
diff --git a/src/Sql/dbo/Views/InstallationView.sql b/src/Sql/Platform/dbo/Views/InstallationView.sql
similarity index 100%
rename from src/Sql/dbo/Views/InstallationView.sql
rename to src/Sql/Platform/dbo/Views/InstallationView.sql
diff --git a/test/Core.Test/AdminConsole/OrganizationAuth/UpdateOrganizationAuthRequestCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationAuth/UpdateOrganizationAuthRequestCommandTests.cs
index 9dcfee78af..0103650777 100644
--- a/test/Core.Test/AdminConsole/OrganizationAuth/UpdateOrganizationAuthRequestCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationAuth/UpdateOrganizationAuthRequestCommandTests.cs
@@ -6,6 +6,7 @@ using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Services;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
diff --git a/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs b/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
index cd7f85ae8b..4e42125dce 100644
--- a/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
+++ b/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
@@ -7,6 +7,7 @@ using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
diff --git a/test/Core.Test/KeyManagement/Commands/RegenerateUserAsymmetricKeysCommandTests.cs b/test/Core.Test/KeyManagement/Commands/RegenerateUserAsymmetricKeysCommandTests.cs
index 3388956156..ba40198ef6 100644
--- a/test/Core.Test/KeyManagement/Commands/RegenerateUserAsymmetricKeysCommandTests.cs
+++ b/test/Core.Test/KeyManagement/Commands/RegenerateUserAsymmetricKeysCommandTests.cs
@@ -8,7 +8,7 @@ using Bit.Core.Exceptions;
 using Bit.Core.KeyManagement.Commands;
 using Bit.Core.KeyManagement.Models.Data;
 using Bit.Core.KeyManagement.Repositories;
-using Bit.Core.Services;
+using Bit.Core.Platform.Push;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
diff --git a/test/Core.Test/KeyManagement/UserKey/RotateUserKeyCommandTests.cs b/test/Core.Test/KeyManagement/UserKey/RotateUserKeyCommandTests.cs
index b650d17240..53263d8805 100644
--- a/test/Core.Test/KeyManagement/UserKey/RotateUserKeyCommandTests.cs
+++ b/test/Core.Test/KeyManagement/UserKey/RotateUserKeyCommandTests.cs
@@ -3,6 +3,7 @@ using Bit.Core.Auth.Repositories;
 using Bit.Core.Entities;
 using Bit.Core.KeyManagement.Models.Data;
 using Bit.Core.KeyManagement.UserKey.Implementations;
+using Bit.Core.Platform.Push;
 using Bit.Core.Services;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
diff --git a/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs b/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs
index ea9ce54131..c26fc23460 100644
--- a/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs
+++ b/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs
@@ -1,6 +1,6 @@
 using Bit.Core.NotificationHub;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Logging;
 using NSubstitute;
diff --git a/test/Core.Test/OrganizationFeatures/OrganizationLicenses/CloudGetOrganizationLicenseQueryTests.cs b/test/Core.Test/OrganizationFeatures/OrganizationLicenses/CloudGetOrganizationLicenseQueryTests.cs
index 52bee7068f..44c87f7182 100644
--- a/test/Core.Test/OrganizationFeatures/OrganizationLicenses/CloudGetOrganizationLicenseQueryTests.cs
+++ b/test/Core.Test/OrganizationFeatures/OrganizationLicenses/CloudGetOrganizationLicenseQueryTests.cs
@@ -1,12 +1,11 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.AdminConsole.Repositories;
-using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.OrganizationFeatures.OrganizationLicenses;
-using Bit.Core.Repositories;
+using Bit.Core.Platform.Installations;
 using Bit.Core.Services;
 using Bit.Core.Test.AutoFixture;
 using Bit.Test.Common.AutoFixture;
diff --git a/test/Core.Test/Services/AzureQueuePushNotificationServiceTests.cs b/test/Core.Test/Platform/Push/Services/AzureQueuePushNotificationServiceTests.cs
similarity index 90%
rename from test/Core.Test/Services/AzureQueuePushNotificationServiceTests.cs
rename to test/Core.Test/Platform/Push/Services/AzureQueuePushNotificationServiceTests.cs
index 7f9cb750aa..85ce5a79ac 100644
--- a/test/Core.Test/Services/AzureQueuePushNotificationServiceTests.cs
+++ b/test/Core.Test/Platform/Push/Services/AzureQueuePushNotificationServiceTests.cs
@@ -1,10 +1,9 @@
-using Bit.Core.Services;
-using Bit.Core.Settings;
+using Bit.Core.Settings;
 using Microsoft.AspNetCore.Http;
 using NSubstitute;
 using Xunit;
 
-namespace Bit.Core.Test.Services;
+namespace Bit.Core.Platform.Push.Internal.Test;
 
 public class AzureQueuePushNotificationServiceTests
 {
diff --git a/test/Core.Test/Services/MultiServicePushNotificationServiceTests.cs b/test/Core.Test/Platform/Push/Services/MultiServicePushNotificationServiceTests.cs
similarity index 96%
rename from test/Core.Test/Services/MultiServicePushNotificationServiceTests.cs
rename to test/Core.Test/Platform/Push/Services/MultiServicePushNotificationServiceTests.cs
index 68d6c50a7e..021aa7f2cc 100644
--- a/test/Core.Test/Services/MultiServicePushNotificationServiceTests.cs
+++ b/test/Core.Test/Platform/Push/Services/MultiServicePushNotificationServiceTests.cs
@@ -1,12 +1,11 @@
 using AutoFixture;
-using Bit.Core.Services;
 using Bit.Test.Common.AutoFixture;
 using Microsoft.Extensions.Logging;
 using NSubstitute;
 using Xunit;
 using GlobalSettingsCustomization = Bit.Test.Common.AutoFixture.GlobalSettings;
 
-namespace Bit.Core.Test.Services;
+namespace Bit.Core.Platform.Push.Internal.Test;
 
 public class MultiServicePushNotificationServiceTests
 {
diff --git a/test/Core.Test/Services/NotificationsApiPushNotificationServiceTests.cs b/test/Core.Test/Platform/Push/Services/NotificationsApiPushNotificationServiceTests.cs
similarity index 93%
rename from test/Core.Test/Services/NotificationsApiPushNotificationServiceTests.cs
rename to test/Core.Test/Platform/Push/Services/NotificationsApiPushNotificationServiceTests.cs
index d1ba15d6a5..78f60da359 100644
--- a/test/Core.Test/Services/NotificationsApiPushNotificationServiceTests.cs
+++ b/test/Core.Test/Platform/Push/Services/NotificationsApiPushNotificationServiceTests.cs
@@ -1,11 +1,10 @@
-using Bit.Core.Services;
-using Bit.Core.Settings;
+using Bit.Core.Settings;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Logging;
 using NSubstitute;
 using Xunit;
 
-namespace Bit.Core.Test.Services;
+namespace Bit.Core.Platform.Push.Internal.Test;
 
 public class NotificationsApiPushNotificationServiceTests
 {
diff --git a/test/Core.Test/Services/RelayPushNotificationServiceTests.cs b/test/Core.Test/Platform/Push/Services/RelayPushNotificationServiceTests.cs
similarity index 95%
rename from test/Core.Test/Services/RelayPushNotificationServiceTests.cs
rename to test/Core.Test/Platform/Push/Services/RelayPushNotificationServiceTests.cs
index ccf5e3d4bb..61d7f0a788 100644
--- a/test/Core.Test/Services/RelayPushNotificationServiceTests.cs
+++ b/test/Core.Test/Platform/Push/Services/RelayPushNotificationServiceTests.cs
@@ -1,12 +1,11 @@
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.Core.Settings;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Logging;
 using NSubstitute;
 using Xunit;
 
-namespace Bit.Core.Test.Services;
+namespace Bit.Core.Platform.Push.Internal.Test;
 
 public class RelayPushNotificationServiceTests
 {
diff --git a/test/Core.Test/Services/RelayPushRegistrationServiceTests.cs b/test/Core.Test/Platform/Push/Services/RelayPushRegistrationServiceTests.cs
similarity index 91%
rename from test/Core.Test/Services/RelayPushRegistrationServiceTests.cs
rename to test/Core.Test/Platform/Push/Services/RelayPushRegistrationServiceTests.cs
index 926a19bc00..cfd843d2eb 100644
--- a/test/Core.Test/Services/RelayPushRegistrationServiceTests.cs
+++ b/test/Core.Test/Platform/Push/Services/RelayPushRegistrationServiceTests.cs
@@ -1,10 +1,9 @@
-using Bit.Core.Services;
-using Bit.Core.Settings;
+using Bit.Core.Settings;
 using Microsoft.Extensions.Logging;
 using NSubstitute;
 using Xunit;
 
-namespace Bit.Core.Test.Services;
+namespace Bit.Core.Platform.Push.Internal.Test;
 
 public class RelayPushRegistrationServiceTests
 {
diff --git a/test/Core.Test/Services/DeviceServiceTests.cs b/test/Core.Test/Services/DeviceServiceTests.cs
index cb2aebc992..41ef0b4d74 100644
--- a/test/Core.Test/Services/DeviceServiceTests.cs
+++ b/test/Core.Test/Services/DeviceServiceTests.cs
@@ -3,6 +3,7 @@ using Bit.Core.Auth.Models.Api.Request;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Test.Common.AutoFixture;
diff --git a/test/Core.Test/Services/UserServiceTests.cs b/test/Core.Test/Services/UserServiceTests.cs
index e44609c6d6..74bebf328f 100644
--- a/test/Core.Test/Services/UserServiceTests.cs
+++ b/test/Core.Test/Services/UserServiceTests.cs
@@ -18,6 +18,7 @@ using Bit.Core.Models.Business;
 using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
diff --git a/test/Core.Test/Tools/Services/SendServiceTests.cs b/test/Core.Test/Tools/Services/SendServiceTests.cs
index 0174efa67e..7ef6f915dd 100644
--- a/test/Core.Test/Tools/Services/SendServiceTests.cs
+++ b/test/Core.Test/Tools/Services/SendServiceTests.cs
@@ -7,6 +7,7 @@ using Bit.Core.AdminConsole.Services;
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Test.AutoFixture.CurrentContextFixtures;
diff --git a/test/Core.Test/Vault/Services/CipherServiceTests.cs b/test/Core.Test/Vault/Services/CipherServiceTests.cs
index 0df8f67490..dd34127efe 100644
--- a/test/Core.Test/Vault/Services/CipherServiceTests.cs
+++ b/test/Core.Test/Vault/Services/CipherServiceTests.cs
@@ -3,6 +3,7 @@ using Bit.Core.Billing.Enums;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Test.AutoFixture.CipherFixtures;
diff --git a/test/Identity.IntegrationTest/Endpoints/IdentityServerTests.cs b/test/Identity.IntegrationTest/Endpoints/IdentityServerTests.cs
index ae64b832fe..38a1518d14 100644
--- a/test/Identity.IntegrationTest/Endpoints/IdentityServerTests.cs
+++ b/test/Identity.IntegrationTest/Endpoints/IdentityServerTests.cs
@@ -4,6 +4,7 @@ using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Enums;
+using Bit.Core.Platform.Installations;
 using Bit.Core.Repositories;
 using Bit.Identity.IdentityServer;
 using Bit.Identity.Models.Request.Accounts;
@@ -462,7 +463,7 @@ public class IdentityServerTests : IClassFixture<IdentityApplicationFactory>
     }
 
     [Theory, BitAutoData]
-    public async Task TokenEndpoint_GrantTypeClientCredentials_AsInstallation_InstallationExists_Succeeds(Bit.Core.Entities.Installation installation)
+    public async Task TokenEndpoint_GrantTypeClientCredentials_AsInstallation_InstallationExists_Succeeds(Installation installation)
     {
         var installationRepo = _factory.Services.GetRequiredService<IInstallationRepository>();
         installation = await installationRepo.CreateAsync(installation);
diff --git a/test/Infrastructure.EFIntegration.Test/AutoFixture/EntityFrameworkRepositoryFixtures.cs b/test/Infrastructure.EFIntegration.Test/AutoFixture/EntityFrameworkRepositoryFixtures.cs
index 3775c9953d..0ebcf8903d 100644
--- a/test/Infrastructure.EFIntegration.Test/AutoFixture/EntityFrameworkRepositoryFixtures.cs
+++ b/test/Infrastructure.EFIntegration.Test/AutoFixture/EntityFrameworkRepositoryFixtures.cs
@@ -8,6 +8,7 @@ using Bit.Infrastructure.EntityFramework.AdminConsole.Models;
 using Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider;
 using Bit.Infrastructure.EntityFramework.Auth.Models;
 using Bit.Infrastructure.EntityFramework.Models;
+using Bit.Infrastructure.EntityFramework.Platform;
 using Bit.Infrastructure.EntityFramework.Repositories;
 using Bit.Infrastructure.EntityFramework.Tools.Models;
 using Bit.Infrastructure.EntityFramework.Vault.Models;
diff --git a/test/Infrastructure.EFIntegration.Test/AutoFixture/InstallationFixtures.cs b/test/Infrastructure.EFIntegration.Test/AutoFixture/InstallationFixtures.cs
index c090a2e38e..7b57824442 100644
--- a/test/Infrastructure.EFIntegration.Test/AutoFixture/InstallationFixtures.cs
+++ b/test/Infrastructure.EFIntegration.Test/AutoFixture/InstallationFixtures.cs
@@ -1,9 +1,9 @@
 using AutoFixture;
 using AutoFixture.Kernel;
-using Bit.Core.Entities;
-using Bit.Infrastructure.EntityFramework.Repositories;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
+using C = Bit.Core.Platform.Installations;
+using Ef = Bit.Infrastructure.EntityFramework.Platform;
 
 namespace Bit.Infrastructure.EFIntegration.Test.AutoFixture;
 
@@ -17,13 +17,13 @@ internal class InstallationBuilder : ISpecimenBuilder
         }
 
         var type = request as Type;
-        if (type == null || type != typeof(Installation))
+        if (type == null || type != typeof(C.Installation))
         {
             return new NoSpecimen();
         }
 
         var fixture = new Fixture();
-        var obj = fixture.WithAutoNSubstitutions().Create<Installation>();
+        var obj = fixture.WithAutoNSubstitutions().Create<C.Installation>();
         return obj;
     }
 }
@@ -35,7 +35,7 @@ internal class EfInstallation : ICustomization
         fixture.Customizations.Add(new IgnoreVirtualMembersCustomization());
         fixture.Customizations.Add(new GlobalSettingsBuilder());
         fixture.Customizations.Add(new InstallationBuilder());
-        fixture.Customizations.Add(new EfRepositoryListBuilder<InstallationRepository>());
+        fixture.Customizations.Add(new EfRepositoryListBuilder<Ef.InstallationRepository>());
     }
 }
 
diff --git a/test/Infrastructure.EFIntegration.Test/Repositories/EqualityComparers/InstallationCompare.cs b/test/Infrastructure.EFIntegration.Test/Platform/Installations/Repositories/InstallationCompare.cs
similarity index 78%
rename from test/Infrastructure.EFIntegration.Test/Repositories/EqualityComparers/InstallationCompare.cs
rename to test/Infrastructure.EFIntegration.Test/Platform/Installations/Repositories/InstallationCompare.cs
index 7794785b31..9b685f8095 100644
--- a/test/Infrastructure.EFIntegration.Test/Repositories/EqualityComparers/InstallationCompare.cs
+++ b/test/Infrastructure.EFIntegration.Test/Platform/Installations/Repositories/InstallationCompare.cs
@@ -1,7 +1,7 @@
 using System.Diagnostics.CodeAnalysis;
-using Bit.Core.Entities;
+using Bit.Core.Platform.Installations;
 
-namespace Bit.Infrastructure.EFIntegration.Test.Repositories.EqualityComparers;
+namespace Bit.Infrastructure.EFIntegration.Test.Platform;
 
 public class InstallationCompare : IEqualityComparer<Installation>
 {
diff --git a/test/Infrastructure.EFIntegration.Test/Repositories/InstallationRepositoryTests.cs b/test/Infrastructure.EFIntegration.Test/Platform/Installations/Repositories/InstallationRepositoryTests.cs
similarity index 64%
rename from test/Infrastructure.EFIntegration.Test/Repositories/InstallationRepositoryTests.cs
rename to test/Infrastructure.EFIntegration.Test/Platform/Installations/Repositories/InstallationRepositoryTests.cs
index 3e4f7eb5df..e57b2311ef 100644
--- a/test/Infrastructure.EFIntegration.Test/Repositories/InstallationRepositoryTests.cs
+++ b/test/Infrastructure.EFIntegration.Test/Platform/Installations/Repositories/InstallationRepositoryTests.cs
@@ -1,24 +1,23 @@
-using Bit.Core.Entities;
-using Bit.Core.Test.AutoFixture.Attributes;
+using Bit.Core.Test.AutoFixture.Attributes;
 using Bit.Infrastructure.EFIntegration.Test.AutoFixture;
-using Bit.Infrastructure.EFIntegration.Test.Repositories.EqualityComparers;
 using Xunit;
-using EfRepo = Bit.Infrastructure.EntityFramework.Repositories;
-using SqlRepo = Bit.Infrastructure.Dapper.Repositories;
+using C = Bit.Core.Platform.Installations;
+using D = Bit.Infrastructure.Dapper.Platform;
+using Ef = Bit.Infrastructure.EntityFramework.Platform;
 
-namespace Bit.Infrastructure.EFIntegration.Test.Repositories;
+namespace Bit.Infrastructure.EFIntegration.Test.Platform;
 
 public class InstallationRepositoryTests
 {
     [CiSkippedTheory, EfInstallationAutoData]
     public async Task CreateAsync_Works_DataMatches(
-        Installation installation,
+        C.Installation installation,
         InstallationCompare equalityComparer,
-        List<EfRepo.InstallationRepository> suts,
-        SqlRepo.InstallationRepository sqlInstallationRepo
+        List<Ef.InstallationRepository> suts,
+        D.InstallationRepository sqlInstallationRepo
         )
     {
-        var savedInstallations = new List<Installation>();
+        var savedInstallations = new List<C.Installation>();
         foreach (var sut in suts)
         {
             var postEfInstallation = await sut.CreateAsync(installation);
diff --git a/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs b/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs
index 3ce2599705..9474ffb862 100644
--- a/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs
+++ b/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs
@@ -1,5 +1,7 @@
 using AspNetCoreRateLimit;
 using Bit.Core.Auth.Services;
+using Bit.Core.Platform.Push;
+using Bit.Core.Platform.Push.Internal;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Tools.Services;

From 90f7bfe63d39abb32b04206b72e4ebeab8dae458 Mon Sep 17 00:00:00 2001
From: Addison Beck <addison@bitwarden.com>
Date: Mon, 6 Jan 2025 16:22:03 -0500
Subject: [PATCH 115/384] chore: update `LastActivityDate` on installation
 token refresh (#5081)

---
 .../Controllers/InstallationsController.cs    |  9 ++++
 src/Core/Constants.cs                         |  1 +
 .../IUpdateInstallationCommand.cs             | 14 +++++
 .../UpdateInstallationCommand.cs              | 53 +++++++++++++++++++
 .../Installations/Entities/Installation.cs    |  1 +
 .../GetInstallationQuery.cs                   | 30 +++++++++++
 .../IGetInstallationQuery.cs                  | 20 +++++++
 .../PlatformServiceCollectionExtensions.cs    | 19 +++++++
 .../Services/RelayPushRegistrationService.cs  |  1 -
 .../CustomTokenRequestValidator.cs            | 43 +++++++++++++--
 .../WebAuthnGrantValidator.cs                 |  3 +-
 .../Utilities/ServiceCollectionExtensions.cs  |  2 +
 .../UpdateInstallationCommandTests.cs         | 40 ++++++++++++++
 13 files changed, 229 insertions(+), 7 deletions(-)
 create mode 100644 src/Core/Platform/Installations/Commands/UpdateInstallationActivityDateCommand/IUpdateInstallationCommand.cs
 create mode 100644 src/Core/Platform/Installations/Commands/UpdateInstallationActivityDateCommand/UpdateInstallationCommand.cs
 create mode 100644 src/Core/Platform/Installations/Queries/GetInstallationQuery/GetInstallationQuery.cs
 create mode 100644 src/Core/Platform/Installations/Queries/GetInstallationQuery/IGetInstallationQuery.cs
 create mode 100644 src/Core/Platform/PlatformServiceCollectionExtensions.cs
 create mode 100644 test/Core.Test/Platform/Installations/Commands/UpdateInstallationCommandTests.cs

diff --git a/src/Api/Platform/Installations/Controllers/InstallationsController.cs b/src/Api/Platform/Installations/Controllers/InstallationsController.cs
index a9ba4e6c02..96cdc9d95c 100644
--- a/src/Api/Platform/Installations/Controllers/InstallationsController.cs
+++ b/src/Api/Platform/Installations/Controllers/InstallationsController.cs
@@ -6,6 +6,15 @@ using Microsoft.AspNetCore.Mvc;
 
 namespace Bit.Api.Platform.Installations;
 
+/// <summary>
+/// Routes used to manipulate `Installation` objects: a type used to manage
+/// a record of a self hosted installation.
+/// </summary>
+/// <remarks>
+/// This controller is not called from any clients. It's primarily referenced
+/// in the `Setup` project for creating a new self hosted installation.
+/// </remarks>
+/// <seealso>Bit.Setup.Program</seealso>
 [Route("installations")]
 [SelfHosted(NotSelfHostedOnly = true)]
 public class InstallationsController : Controller
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 0b7435cf8f..830e3f65b2 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -165,6 +165,7 @@ public static class FeatureFlagKeys
     public const string AppReviewPrompt = "app-review-prompt";
     public const string ResellerManagedOrgAlert = "PM-15814-alert-owners-of-reseller-managed-orgs";
     public const string UsePricingService = "use-pricing-service";
+    public const string RecordInstallationLastActivityDate = "installation-last-activity-date";
 
     public static List<string> GetAllKeys()
     {
diff --git a/src/Core/Platform/Installations/Commands/UpdateInstallationActivityDateCommand/IUpdateInstallationCommand.cs b/src/Core/Platform/Installations/Commands/UpdateInstallationActivityDateCommand/IUpdateInstallationCommand.cs
new file mode 100644
index 0000000000..d0c25b96a4
--- /dev/null
+++ b/src/Core/Platform/Installations/Commands/UpdateInstallationActivityDateCommand/IUpdateInstallationCommand.cs
@@ -0,0 +1,14 @@
+namespace Bit.Core.Platform.Installations;
+
+/// <summary>
+/// Command interface responsible for updating data on an `Installation`
+/// record.
+/// </summary>
+/// <remarks>
+/// This interface is implemented by `UpdateInstallationCommand`
+/// </remarks>
+/// <seealso cref="Bit.Core.Platform.Installations.UpdateInstallationCommand"/>
+public interface IUpdateInstallationCommand
+{
+    Task UpdateLastActivityDateAsync(Guid installationId);
+}
diff --git a/src/Core/Platform/Installations/Commands/UpdateInstallationActivityDateCommand/UpdateInstallationCommand.cs b/src/Core/Platform/Installations/Commands/UpdateInstallationActivityDateCommand/UpdateInstallationCommand.cs
new file mode 100644
index 0000000000..4b0bc3bbe8
--- /dev/null
+++ b/src/Core/Platform/Installations/Commands/UpdateInstallationActivityDateCommand/UpdateInstallationCommand.cs
@@ -0,0 +1,53 @@
+namespace Bit.Core.Platform.Installations;
+
+/// <summary>
+/// Commands responsible for updating an installation from
+/// `InstallationRepository`.
+/// </summary>
+/// <remarks>
+/// If referencing: you probably want the interface
+/// `IUpdateInstallationCommand` instead of directly calling this class.
+/// </remarks>
+/// <seealso cref="IUpdateInstallationCommand"/>
+public class UpdateInstallationCommand : IUpdateInstallationCommand
+{
+    private readonly IGetInstallationQuery _getInstallationQuery;
+    private readonly IInstallationRepository _installationRepository;
+    private readonly TimeProvider _timeProvider;
+
+    public UpdateInstallationCommand(
+        IGetInstallationQuery getInstallationQuery,
+        IInstallationRepository installationRepository,
+        TimeProvider timeProvider
+    )
+    {
+        _getInstallationQuery = getInstallationQuery;
+        _installationRepository = installationRepository;
+        _timeProvider = timeProvider;
+    }
+
+    public async Task UpdateLastActivityDateAsync(Guid installationId)
+    {
+        if (installationId == default)
+        {
+            throw new Exception
+            (
+              "Tried to update the last activity date for " +
+              "an installation, but an invalid installation id was " +
+              "provided."
+            );
+        }
+        var installation = await _getInstallationQuery.GetByIdAsync(installationId);
+        if (installation == null)
+        {
+            throw new Exception
+            (
+              "Tried to update the last activity date for " +
+              $"installation {installationId.ToString()}, but no " +
+              "installation was found for that id."
+            );
+        }
+        installation.LastActivityDate = _timeProvider.GetUtcNow().UtcDateTime;
+        await _installationRepository.UpsertAsync(installation);
+    }
+}
diff --git a/src/Core/Platform/Installations/Entities/Installation.cs b/src/Core/Platform/Installations/Entities/Installation.cs
index 63aa5d1e24..acd53db0fb 100644
--- a/src/Core/Platform/Installations/Entities/Installation.cs
+++ b/src/Core/Platform/Installations/Entities/Installation.cs
@@ -19,6 +19,7 @@ public class Installation : ITableObject<Guid>
     public string Key { get; set; } = null!;
     public bool Enabled { get; set; }
     public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
+    public DateTime? LastActivityDate { get; internal set; }
 
     public void SetNewId()
     {
diff --git a/src/Core/Platform/Installations/Queries/GetInstallationQuery/GetInstallationQuery.cs b/src/Core/Platform/Installations/Queries/GetInstallationQuery/GetInstallationQuery.cs
new file mode 100644
index 0000000000..b0d8745800
--- /dev/null
+++ b/src/Core/Platform/Installations/Queries/GetInstallationQuery/GetInstallationQuery.cs
@@ -0,0 +1,30 @@
+namespace Bit.Core.Platform.Installations;
+
+/// <summary>
+/// Queries responsible for fetching an installation from
+/// `InstallationRepository`.
+/// </summary>
+/// <remarks>
+/// If referencing: you probably want the interface `IGetInstallationQuery`
+/// instead of directly calling this class.
+/// </remarks>
+/// <seealso cref="IGetInstallationQuery"/>
+public class GetInstallationQuery : IGetInstallationQuery
+{
+    private readonly IInstallationRepository _installationRepository;
+
+    public GetInstallationQuery(IInstallationRepository installationRepository)
+    {
+        _installationRepository = installationRepository;
+    }
+
+    /// <inheritdoc cref="IGetInstallationQuery.GetByIdAsync"/>
+    public async Task<Installation> GetByIdAsync(Guid installationId)
+    {
+        if (installationId == default(Guid))
+        {
+            return null;
+        }
+        return await _installationRepository.GetByIdAsync(installationId);
+    }
+}
diff --git a/src/Core/Platform/Installations/Queries/GetInstallationQuery/IGetInstallationQuery.cs b/src/Core/Platform/Installations/Queries/GetInstallationQuery/IGetInstallationQuery.cs
new file mode 100644
index 0000000000..9615cf986d
--- /dev/null
+++ b/src/Core/Platform/Installations/Queries/GetInstallationQuery/IGetInstallationQuery.cs
@@ -0,0 +1,20 @@
+namespace Bit.Core.Platform.Installations;
+
+/// <summary>
+/// Query interface responsible for fetching an installation from
+/// `InstallationRepository`.
+/// </summary>
+/// <remarks>
+/// This interface is implemented by `GetInstallationQuery`
+/// </remarks>
+/// <seealso cref="GetInstallationQuery"/>
+public interface IGetInstallationQuery
+{
+    /// <summary>
+    /// Retrieves an installation from the `InstallationRepository` by its id.
+    /// </summary>
+    /// <param name="installationId">The GUID id of the installation.</param>
+    /// <returns>A task containing an `Installation`.</returns>
+    /// <seealso cref="T:Bit.Core.Platform.Installations.Repositories.IInstallationRepository"/>
+    Task<Installation> GetByIdAsync(Guid installationId);
+}
diff --git a/src/Core/Platform/PlatformServiceCollectionExtensions.cs b/src/Core/Platform/PlatformServiceCollectionExtensions.cs
new file mode 100644
index 0000000000..bba0b0aedd
--- /dev/null
+++ b/src/Core/Platform/PlatformServiceCollectionExtensions.cs
@@ -0,0 +1,19 @@
+using Bit.Core.Platform.Installations;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Core.Platform;
+
+public static class PlatformServiceCollectionExtensions
+{
+    /// <summary>
+    /// Extend DI to include commands and queries exported from the Platform
+    /// domain.
+    /// </summary>
+    public static IServiceCollection AddPlatformServices(this IServiceCollection services)
+    {
+        services.AddScoped<IGetInstallationQuery, GetInstallationQuery>();
+        services.AddScoped<IUpdateInstallationCommand, UpdateInstallationCommand>();
+
+        return services;
+    }
+}
diff --git a/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs b/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs
index a42a831266..79b033e877 100644
--- a/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs
+++ b/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs
@@ -9,7 +9,6 @@ namespace Bit.Core.Platform.Push.Internal;
 
 public class RelayPushRegistrationService : BaseIdentityClientService, IPushRegistrationService
 {
-
     public RelayPushRegistrationService(
         IHttpClientFactory httpFactory,
         GlobalSettings globalSettings,
diff --git a/src/Identity/IdentityServer/RequestValidators/CustomTokenRequestValidator.cs b/src/Identity/IdentityServer/RequestValidators/CustomTokenRequestValidator.cs
index fb7b129b09..597d5257e2 100644
--- a/src/Identity/IdentityServer/RequestValidators/CustomTokenRequestValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/CustomTokenRequestValidator.cs
@@ -1,11 +1,13 @@
 using System.Diagnostics;
 using System.Security.Claims;
+using Bit.Core;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Models.Api.Response;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.IdentityServer;
+using Bit.Core.Platform.Installations;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
@@ -23,6 +25,7 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
     ICustomTokenRequestValidator
 {
     private readonly UserManager<User> _userManager;
+    private readonly IUpdateInstallationCommand _updateInstallationCommand;
 
     public CustomTokenRequestValidator(
         UserManager<User> userManager,
@@ -39,7 +42,8 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
         IPolicyService policyService,
         IFeatureService featureService,
         ISsoConfigRepository ssoConfigRepository,
-        IUserDecryptionOptionsBuilder userDecryptionOptionsBuilder
+        IUserDecryptionOptionsBuilder userDecryptionOptionsBuilder,
+        IUpdateInstallationCommand updateInstallationCommand
         )
         : base(
             userManager,
@@ -59,6 +63,7 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
             userDecryptionOptionsBuilder)
     {
         _userManager = userManager;
+        _updateInstallationCommand = updateInstallationCommand;
     }
 
     public async Task ValidateAsync(CustomTokenRequestValidationContext context)
@@ -76,16 +81,24 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
         }
 
         string[] allowedGrantTypes = ["authorization_code", "client_credentials"];
+        string clientId = context.Result.ValidatedRequest.ClientId;
         if (!allowedGrantTypes.Contains(context.Result.ValidatedRequest.GrantType)
-            || context.Result.ValidatedRequest.ClientId.StartsWith("organization")
-            || context.Result.ValidatedRequest.ClientId.StartsWith("installation")
-            || context.Result.ValidatedRequest.ClientId.StartsWith("internal")
+            || clientId.StartsWith("organization")
+            || clientId.StartsWith("installation")
+            || clientId.StartsWith("internal")
             || context.Result.ValidatedRequest.Client.AllowedScopes.Contains(ApiScopes.ApiSecrets))
         {
             if (context.Result.ValidatedRequest.Client.Properties.TryGetValue("encryptedPayload", out var payload) &&
                 !string.IsNullOrWhiteSpace(payload))
             {
                 context.Result.CustomResponse = new Dictionary<string, object> { { "encrypted_payload", payload } };
+
+            }
+            if (FeatureService.IsEnabled(FeatureFlagKeys.RecordInstallationLastActivityDate)
+                && context.Result.ValidatedRequest.ClientId.StartsWith("installation"))
+            {
+                var installationIdPart = clientId.Split(".")[1];
+                await RecordActivityForInstallation(clientId.Split(".")[1]);
             }
             return;
         }
@@ -152,6 +165,7 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
             context.Result.CustomResponse["KeyConnectorUrl"] = userDecryptionOptions.KeyConnectorOption.KeyConnectorUrl;
             context.Result.CustomResponse["ResetMasterPassword"] = false;
         }
+
         return Task.CompletedTask;
     }
 
@@ -202,4 +216,25 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
         context.Result.ErrorDescription = requestContext.ValidationErrorResult.ErrorDescription;
         context.Result.CustomResponse = requestContext.CustomResponse;
     }
+
+    /// <summary>
+    /// To help mentally separate organizations that self host from abandoned
+    /// organizations we hook in to the token refresh event for installations
+    /// to write a simple `DateTime.Now` to the database.
+    /// </summary>
+    /// <remarks>
+    /// This works well because installations don't phone home very often.
+    /// Currently self hosted installations only refresh tokens every 24
+    /// hours or so for the sake of hooking in to cloud's push relay service.
+    /// If installations ever start refreshing tokens more frequently we may need to
+    /// adjust this to avoid making a bunch of unnecessary database calls!
+    /// </remarks>
+    private async Task RecordActivityForInstallation(string? installationIdString)
+    {
+        if (!Guid.TryParse(installationIdString, out var installationId))
+        {
+            return;
+        }
+        await _updateInstallationCommand.UpdateLastActivityDateAsync(installationId);
+    }
 }
diff --git a/src/Identity/IdentityServer/RequestValidators/WebAuthnGrantValidator.cs b/src/Identity/IdentityServer/RequestValidators/WebAuthnGrantValidator.cs
index 499c22ad89..085ed15efd 100644
--- a/src/Identity/IdentityServer/RequestValidators/WebAuthnGrantValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/WebAuthnGrantValidator.cs
@@ -44,8 +44,7 @@ public class WebAuthnGrantValidator : BaseRequestValidator<ExtensionGrantValidat
         IDataProtectorTokenFactory<WebAuthnLoginAssertionOptionsTokenable> assertionOptionsDataProtector,
         IFeatureService featureService,
         IUserDecryptionOptionsBuilder userDecryptionOptionsBuilder,
-        IAssertWebAuthnLoginCredentialCommand assertWebAuthnLoginCredentialCommand
-        )
+        IAssertWebAuthnLoginCredentialCommand assertWebAuthnLoginCredentialCommand)
         : base(
             userManager,
             userService,
diff --git a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
index 46f8293d3e..891b8d6664 100644
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@@ -30,6 +30,7 @@ using Bit.Core.KeyManagement;
 using Bit.Core.NotificationCenter;
 using Bit.Core.NotificationHub;
 using Bit.Core.OrganizationFeatures;
+using Bit.Core.Platform;
 using Bit.Core.Platform.Push;
 using Bit.Core.Platform.Push.Internal;
 using Bit.Core.Repositories;
@@ -126,6 +127,7 @@ public static class ServiceCollectionExtensions
         services.AddReportingServices();
         services.AddKeyManagementServices();
         services.AddNotificationCenterServices();
+        services.AddPlatformServices();
     }
 
     public static void AddTokenizers(this IServiceCollection services)
diff --git a/test/Core.Test/Platform/Installations/Commands/UpdateInstallationCommandTests.cs b/test/Core.Test/Platform/Installations/Commands/UpdateInstallationCommandTests.cs
new file mode 100644
index 0000000000..daa8e1b89c
--- /dev/null
+++ b/test/Core.Test/Platform/Installations/Commands/UpdateInstallationCommandTests.cs
@@ -0,0 +1,40 @@
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.Extensions.Time.Testing;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Platform.Installations.Tests;
+
+[SutProviderCustomize]
+public class UpdateInstallationCommandTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task UpdateLastActivityDateAsync_ShouldUpdateLastActivityDate(
+        Installation installation
+    )
+    {
+        // Arrange
+        var sutProvider = new SutProvider<UpdateInstallationCommand>()
+            .WithFakeTimeProvider()
+            .Create();
+
+        var someDate = new DateTime(2014, 11, 3, 18, 27, 0, DateTimeKind.Utc);
+        sutProvider.GetDependency<FakeTimeProvider>().SetUtcNow(someDate);
+
+        sutProvider
+            .GetDependency<IGetInstallationQuery>()
+            .GetByIdAsync(installation.Id)
+            .Returns(installation);
+
+        // Act
+        await sutProvider.Sut.UpdateLastActivityDateAsync(installation.Id);
+
+        // Assert
+        await sutProvider
+            .GetDependency<IInstallationRepository>()
+            .Received(1)
+            .UpsertAsync(Arg.Is<Installation>(inst => inst.LastActivityDate == someDate));
+    }
+}

From 2a6abb928d70e3b28ff3df8709101819705a8cf4 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Tue, 7 Jan 2025 12:45:55 +0100
Subject: [PATCH 116/384] [PM-16483] Change description for creating providers
 (#5206)

---
 src/Core/AdminConsole/Enums/Provider/ProviderType.cs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/Core/AdminConsole/Enums/Provider/ProviderType.cs b/src/Core/AdminConsole/Enums/Provider/ProviderType.cs
index 50c344ec95..e244b9391e 100644
--- a/src/Core/AdminConsole/Enums/Provider/ProviderType.cs
+++ b/src/Core/AdminConsole/Enums/Provider/ProviderType.cs
@@ -4,10 +4,10 @@ namespace Bit.Core.AdminConsole.Enums.Provider;
 
 public enum ProviderType : byte
 {
-    [Display(ShortName = "MSP", Name = "Managed Service Provider", Description = "Access to clients organization", Order = 0)]
+    [Display(ShortName = "MSP", Name = "Managed Service Provider", Description = "Creates provider portal for client organization management", Order = 0)]
     Msp = 0,
-    [Display(ShortName = "Reseller", Name = "Reseller", Description = "Access to clients billing", Order = 1000)]
+    [Display(ShortName = "Reseller", Name = "Reseller", Description = "Creates Bitwarden Portal page for client organization billing management", Order = 1000)]
     Reseller = 1,
-    [Display(ShortName = "MOE", Name = "Multi-organization Enterprise", Description = "Access to multiple organizations", Order = 1)]
+    [Display(ShortName = "MOE", Name = "Multi-organization Enterprises", Description = "Creates provider portal for multi-organization management", Order = 1)]
     MultiOrganizationEnterprise = 2,
 }

From 0e801ca622f31fa1c82105aabed31f85997c22a2 Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Tue, 7 Jan 2025 10:01:23 -0500
Subject: [PATCH 117/384] [pm-5966] Fix Entity Framework query for MySQL
 (#5170)

Problem: The Entity Framework query was causing a compile-time error.

Changes:
1. Fixed the query.
2. Renamed the variable to replace the comment.
---
 .../OrganizationDomainRepository.cs           |   9 +-
 .../OrganizationDomainRepositoryTests.cs      | 191 ++++++++++++++++++
 2 files changed, 195 insertions(+), 5 deletions(-)
 create mode 100644 test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationDomainRepositoryTests.cs

diff --git a/src/Infrastructure.EntityFramework/Repositories/OrganizationDomainRepository.cs b/src/Infrastructure.EntityFramework/Repositories/OrganizationDomainRepository.cs
index 3e2d6e44a4..e339c13351 100644
--- a/src/Infrastructure.EntityFramework/Repositories/OrganizationDomainRepository.cs
+++ b/src/Infrastructure.EntityFramework/Repositories/OrganizationDomainRepository.cs
@@ -147,14 +147,13 @@ public class OrganizationDomainRepository : Repository<Core.Entities.Organizatio
         using var scope = ServiceScopeFactory.CreateScope();
         var dbContext = GetDatabaseContext(scope);
 
-        //Get domains that have not been verified after 72 hours
-        var domains = await dbContext.OrganizationDomains
-            .Where(x => (DateTime.UtcNow - x.CreationDate).Days == 4
-                        && x.VerifiedDate == null)
+        var threeDaysOldUnverifiedDomains = await dbContext.OrganizationDomains
+            .Where(x => x.CreationDate.Date == DateTime.UtcNow.AddDays(-4).Date
+                      && x.VerifiedDate == null)
             .AsNoTracking()
             .ToListAsync();
 
-        return Mapper.Map<List<Core.Entities.OrganizationDomain>>(domains);
+        return Mapper.Map<List<Core.Entities.OrganizationDomain>>(threeDaysOldUnverifiedDomains);
     }
 
     public async Task<bool> DeleteExpiredAsync(int expirationPeriod)
diff --git a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationDomainRepositoryTests.cs b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationDomainRepositoryTests.cs
new file mode 100644
index 0000000000..8e0b502a47
--- /dev/null
+++ b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationDomainRepositoryTests.cs
@@ -0,0 +1,191 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Entities;
+using Bit.Core.Repositories;
+using Xunit;
+
+namespace Bit.Infrastructure.IntegrationTest.Repositories;
+
+public class OrganizationDomainRepositoryTests
+{
+    [DatabaseTheory, DatabaseData]
+    public async Task GetExpiredOrganizationDomainsAsync_ShouldReturn3DaysOldUnverifiedDomains(
+     IUserRepository userRepository,
+     IOrganizationRepository organizationRepository,
+     IOrganizationDomainRepository organizationDomainRepository)
+    {
+        // Arrange
+        var id = Guid.NewGuid();
+
+        var user1 = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User 1",
+            Email = $"test+{id}@example.com",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+        });
+
+        var organization1 = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = $"Test Org {id}",
+            BillingEmail = user1.Email,
+            Plan = "Test",
+            PrivateKey = "privatekey",
+
+        });
+
+        var organizationDomain1 = new OrganizationDomain
+        {
+            OrganizationId = organization1.Id,
+            DomainName = $"domain2+{id}@example.com",
+            Txt = "btw+12345"
+        };
+        var dummyInterval = 1;
+        organizationDomain1.SetNextRunDate(dummyInterval);
+
+        var beforeValidationDate = DateTime.UtcNow.AddDays(-4).Date;
+
+        await organizationDomainRepository.CreateAsync(organizationDomain1);
+        var organization2 = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = $"Test Org {id}",
+            BillingEmail = user1.Email,
+            Plan = "Test",
+            PrivateKey = "privatekey",
+            CreationDate = beforeValidationDate
+        });
+        var organizationDomain2 = new OrganizationDomain
+        {
+            OrganizationId = organization2.Id,
+            DomainName = $"domain2+{id}@example.com",
+            Txt = "btw+12345",
+            CreationDate = beforeValidationDate
+        };
+        organizationDomain2.SetNextRunDate(dummyInterval);
+        await organizationDomainRepository.CreateAsync(organizationDomain2);
+
+        // Act
+        var domains = await organizationDomainRepository.GetExpiredOrganizationDomainsAsync();
+
+        // Assert
+        var expectedDomain1 = domains.FirstOrDefault(domain => domain.DomainName == organizationDomain1.DomainName);
+        Assert.NotNull(expectedDomain1);
+
+        var expectedDomain2 = domains.FirstOrDefault(domain => domain.DomainName == organizationDomain2.DomainName);
+        Assert.NotNull(expectedDomain2);
+    }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetExpiredOrganizationDomainsAsync_ShouldNotReturnDomainsUnder3DaysOld(
+     IUserRepository userRepository,
+     IOrganizationRepository organizationRepository,
+     IOrganizationDomainRepository organizationDomainRepository)
+    {
+        // Arrange
+        var id = Guid.NewGuid();
+
+        var user = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User",
+            Email = $"test+{id}@example.com",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+        });
+
+        var organization = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = $"Test Org {id}",
+            BillingEmail = user.Email,
+            Plan = "Test",
+            PrivateKey = "privatekey",
+
+        });
+
+        var beforeValidationDate = DateTime.UtcNow.AddDays(-1).Date;
+        var organizationDomain = new OrganizationDomain
+        {
+            OrganizationId = organization.Id,
+            DomainName = $"domain{id}@example.com",
+            Txt = "btw+12345",
+            CreationDate = beforeValidationDate
+        };
+        var dummyInterval = 1;
+        organizationDomain.SetNextRunDate(dummyInterval);
+        await organizationDomainRepository.CreateAsync(organizationDomain);
+
+        // Act
+        var domains = await organizationDomainRepository.GetExpiredOrganizationDomainsAsync();
+
+        // Assert
+        var expectedDomain2 = domains.FirstOrDefault(domain => domain.DomainName == organizationDomain.DomainName);
+        Assert.Null(expectedDomain2);
+    }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetExpiredOrganizationDomainsAsync_ShouldNotReturnVerifiedDomains(
+     IUserRepository userRepository,
+     IOrganizationRepository organizationRepository,
+     IOrganizationDomainRepository organizationDomainRepository)
+    {
+        // Arrange
+        var id = Guid.NewGuid();
+
+        var user = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User 1",
+            Email = $"test+{id}@example.com",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+        });
+
+        var organization1 = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = $"Test Org {id}",
+            BillingEmail = user.Email,
+            Plan = "Test",
+            PrivateKey = "privatekey",
+
+        });
+
+        var organizationDomain1 = new OrganizationDomain
+        {
+            OrganizationId = organization1.Id,
+            DomainName = $"domain2+{id}@example.com",
+            Txt = "btw+12345"
+        };
+        organizationDomain1.SetVerifiedDate();
+        var dummyInterval = 1;
+
+        organizationDomain1.SetNextRunDate(dummyInterval);
+
+        await organizationDomainRepository.CreateAsync(organizationDomain1);
+
+        var organization2 = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = $"Test Org {id}",
+            BillingEmail = user.Email,
+            Plan = "Test",
+            PrivateKey = "privatekey",
+        });
+
+        var organizationDomain2 = new OrganizationDomain
+        {
+            OrganizationId = organization2.Id,
+            DomainName = $"domain2+{id}@example.com",
+            Txt = "btw+12345"
+        };
+        organizationDomain2.SetNextRunDate(dummyInterval);
+        organizationDomain2.SetVerifiedDate();
+
+        await organizationDomainRepository.CreateAsync(organizationDomain2);
+
+        // Act
+        var domains = await organizationDomainRepository.GetExpiredOrganizationDomainsAsync();
+
+        // Assert
+        var expectedDomain1 = domains.FirstOrDefault(domain => domain.DomainName == organizationDomain1.DomainName);
+        Assert.Null(expectedDomain1);
+
+        var expectedDomain2 = domains.FirstOrDefault(domain => domain.DomainName == organizationDomain2.DomainName);
+        Assert.Null(expectedDomain2);
+    }
+}

From 61a8726492ef614c83c61fd0a4cc2a9437a818d5 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 7 Jan 2025 11:15:22 -0500
Subject: [PATCH 118/384] [deps] Auth: Lock file maintenance (#5185)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 bitwarden_license/src/Sso/package-lock.json | 120 ++++++--------------
 src/Admin/package-lock.json                 | 120 ++++++--------------
 2 files changed, 70 insertions(+), 170 deletions(-)

diff --git a/bitwarden_license/src/Sso/package-lock.json b/bitwarden_license/src/Sso/package-lock.json
index 67fc4d71f1..f1e23abd60 100644
--- a/bitwarden_license/src/Sso/package-lock.json
+++ b/bitwarden_license/src/Sso/package-lock.json
@@ -779,9 +779,9 @@
       }
     },
     "node_modules/browserslist": {
-      "version": "4.24.2",
-      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.24.2.tgz",
-      "integrity": "sha512-ZIc+Q62revdMcqC6aChtW4jz3My3klmCO1fEmINZY/8J3EpBg5/A/D0AKmBveUh6pgoeycoMkVMko84tuYS+Gg==",
+      "version": "4.24.3",
+      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.24.3.tgz",
+      "integrity": "sha512-1CPmv8iobE2fyRMV97dAcMVegvvWKxmq94hkLiAkUGwKVTyDLw33K+ZxiFrREKmmps4rIw6grcCFCnTMSZ/YiA==",
       "dev": true,
       "funding": [
         {
@@ -799,9 +799,9 @@
       ],
       "license": "MIT",
       "dependencies": {
-        "caniuse-lite": "^1.0.30001669",
-        "electron-to-chromium": "^1.5.41",
-        "node-releases": "^2.0.18",
+        "caniuse-lite": "^1.0.30001688",
+        "electron-to-chromium": "^1.5.73",
+        "node-releases": "^2.0.19",
         "update-browserslist-db": "^1.1.1"
       },
       "bin": {
@@ -819,9 +819,9 @@
       "license": "MIT"
     },
     "node_modules/caniuse-lite": {
-      "version": "1.0.30001688",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001688.tgz",
-      "integrity": "sha512-Nmqpru91cuABu/DTCXbM2NSRHzM2uVHfPnhJ/1zEAJx/ILBRVmz3pzH4N7DZqbdG0gWClsCC05Oj0mJ/1AWMbA==",
+      "version": "1.0.30001690",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001690.tgz",
+      "integrity": "sha512-5ExiE3qQN6oF8Clf8ifIDcMRCRE/dMGcETG/XGMD8/XiXm6HXQgQTh1yZYLXXpSOsEUlJm1Xr7kGULZTuGtP/w==",
       "dev": true,
       "funding": [
         {
@@ -840,9 +840,9 @@
       "license": "CC-BY-4.0"
     },
     "node_modules/chokidar": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-4.0.1.tgz",
-      "integrity": "sha512-n8enUVCED/KVRQlab1hr3MVpcVMvxtZjmEa956u+4YijlmQED223XMSYj2tLuKvr4jcCTzNNMpQDUer72MMmzA==",
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-4.0.3.tgz",
+      "integrity": "sha512-Qgzu8kfBvo+cA4962jnP1KkS6Dop5NS6g7R5LFYJr4b8Ub94PPQXUksCw9PvXoeXPRRddRNC5C1JQUR2SMGtnA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -972,16 +972,16 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.73",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.73.tgz",
-      "integrity": "sha512-8wGNxG9tAG5KhGd3eeA0o6ixhiNdgr0DcHWm85XPCphwZgD1lIEoi6t3VERayWao7SF7AAZTw6oARGJeVjH8Kg==",
+      "version": "1.5.75",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.75.tgz",
+      "integrity": "sha512-Lf3++DumRE/QmweGjU+ZcKqQ+3bKkU/qjaKYhIJKEOhgIO9Xs6IiAQFkfFoj+RhgDk4LUeNsLo6plExHqSyu6Q==",
       "dev": true,
       "license": "ISC"
     },
     "node_modules/enhanced-resolve": {
-      "version": "5.17.1",
-      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.17.1.tgz",
-      "integrity": "sha512-LMHl3dXhTcfv8gM4kEzIUeTQ+7fpdA0l2tUf34BddXPkz2A5xJ5L/Pchd5BL6rdccM9QGvu0sWZzK1Z1t4wwyg==",
+      "version": "5.18.0",
+      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.18.0.tgz",
+      "integrity": "sha512-0/r0MySGYG8YqlayBZ6MuCfECmHFdJ5qyPh8s8wa5Hnm6SaFLSK1VYCbj+NKp090Nm1caZhD+QTnmxO7esYGyQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1271,9 +1271,9 @@
       }
     },
     "node_modules/is-core-module": {
-      "version": "2.15.1",
-      "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.15.1.tgz",
-      "integrity": "sha512-z0vtXSwucUJtANQWldhbtbt7BnL0vxiFjIdDLAatwhDYty2bad6s+rijD6Ri4YuYJubLzIJLUidCh09e1djEVQ==",
+      "version": "2.16.1",
+      "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.16.1.tgz",
+      "integrity": "sha512-UfoeMA6fIJ8wTYFEUjelnaGI67v6+N7qXJEvQuIGa99l4xsCruSYOVSQ0uPANn4dAzm8lkYPaKLrrijLq7x23w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1792,19 +1792,22 @@
       }
     },
     "node_modules/resolve": {
-      "version": "1.22.8",
-      "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz",
-      "integrity": "sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==",
+      "version": "1.22.10",
+      "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.10.tgz",
+      "integrity": "sha512-NPRy+/ncIMeDlTAsuqwKIiferiawhefFJtkNSW0qZJEqMEb+qBt/77B/jGeeek+F0uOeN05CDa6HXbbIgtVX4w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "is-core-module": "^2.13.0",
+        "is-core-module": "^2.16.0",
         "path-parse": "^1.0.7",
         "supports-preserve-symlinks-flag": "^1.0.0"
       },
       "bin": {
         "resolve": "bin/resolve"
       },
+      "engines": {
+        "node": ">= 0.4"
+      },
       "funding": {
         "url": "https://github.com/sponsors/ljharb"
       }
@@ -2082,17 +2085,17 @@
       }
     },
     "node_modules/terser-webpack-plugin": {
-      "version": "5.3.10",
-      "resolved": "https://registry.npmjs.org/terser-webpack-plugin/-/terser-webpack-plugin-5.3.10.tgz",
-      "integrity": "sha512-BKFPWlPDndPs+NGGCr1U59t0XScL5317Y0UReNrHaw9/FwhPENlq6bfgs+4yPfyP51vqC1bQ4rp1EfXW5ZSH9w==",
+      "version": "5.3.11",
+      "resolved": "https://registry.npmjs.org/terser-webpack-plugin/-/terser-webpack-plugin-5.3.11.tgz",
+      "integrity": "sha512-RVCsMfuD0+cTt3EwX8hSl2Ks56EbFHWmhluwcqoPKtBnfjiT6olaq7PRIRfhyU8nnC2MrnDrBLfrD/RGE+cVXQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@jridgewell/trace-mapping": "^0.3.20",
+        "@jridgewell/trace-mapping": "^0.3.25",
         "jest-worker": "^27.4.5",
-        "schema-utils": "^3.1.1",
-        "serialize-javascript": "^6.0.1",
-        "terser": "^5.26.0"
+        "schema-utils": "^4.3.0",
+        "serialize-javascript": "^6.0.2",
+        "terser": "^5.31.1"
       },
       "engines": {
         "node": ">= 10.13.0"
@@ -2116,59 +2119,6 @@
         }
       }
     },
-    "node_modules/terser-webpack-plugin/node_modules/ajv": {
-      "version": "6.12.6",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
-      "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "fast-deep-equal": "^3.1.1",
-        "fast-json-stable-stringify": "^2.0.0",
-        "json-schema-traverse": "^0.4.1",
-        "uri-js": "^4.2.2"
-      },
-      "funding": {
-        "type": "github",
-        "url": "https://github.com/sponsors/epoberezkin"
-      }
-    },
-    "node_modules/terser-webpack-plugin/node_modules/ajv-keywords": {
-      "version": "3.5.2",
-      "resolved": "https://registry.npmjs.org/ajv-keywords/-/ajv-keywords-3.5.2.tgz",
-      "integrity": "sha512-5p6WTN0DdTGVQk6VjcEju19IgaHudalcfabD7yhDGeA6bcQnmL+CpveLJq/3hvfwd1aof6L386Ougkx6RfyMIQ==",
-      "dev": true,
-      "license": "MIT",
-      "peerDependencies": {
-        "ajv": "^6.9.1"
-      }
-    },
-    "node_modules/terser-webpack-plugin/node_modules/json-schema-traverse": {
-      "version": "0.4.1",
-      "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz",
-      "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==",
-      "dev": true,
-      "license": "MIT"
-    },
-    "node_modules/terser-webpack-plugin/node_modules/schema-utils": {
-      "version": "3.3.0",
-      "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-3.3.0.tgz",
-      "integrity": "sha512-pN/yOAvcC+5rQ5nERGuwrjLlYvLTbCibnZ1I7B1LaiAz9BRBlE9GMgE/eqV30P7aJQUf7Ddimy/RsbYO/GrVGg==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@types/json-schema": "^7.0.8",
-        "ajv": "^6.12.5",
-        "ajv-keywords": "^3.5.2"
-      },
-      "engines": {
-        "node": ">= 10.13.0"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/webpack"
-      }
-    },
     "node_modules/to-regex-range": {
       "version": "5.0.1",
       "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
diff --git a/src/Admin/package-lock.json b/src/Admin/package-lock.json
index e792106499..cc2693eae6 100644
--- a/src/Admin/package-lock.json
+++ b/src/Admin/package-lock.json
@@ -780,9 +780,9 @@
       }
     },
     "node_modules/browserslist": {
-      "version": "4.24.2",
-      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.24.2.tgz",
-      "integrity": "sha512-ZIc+Q62revdMcqC6aChtW4jz3My3klmCO1fEmINZY/8J3EpBg5/A/D0AKmBveUh6pgoeycoMkVMko84tuYS+Gg==",
+      "version": "4.24.3",
+      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.24.3.tgz",
+      "integrity": "sha512-1CPmv8iobE2fyRMV97dAcMVegvvWKxmq94hkLiAkUGwKVTyDLw33K+ZxiFrREKmmps4rIw6grcCFCnTMSZ/YiA==",
       "dev": true,
       "funding": [
         {
@@ -800,9 +800,9 @@
       ],
       "license": "MIT",
       "dependencies": {
-        "caniuse-lite": "^1.0.30001669",
-        "electron-to-chromium": "^1.5.41",
-        "node-releases": "^2.0.18",
+        "caniuse-lite": "^1.0.30001688",
+        "electron-to-chromium": "^1.5.73",
+        "node-releases": "^2.0.19",
         "update-browserslist-db": "^1.1.1"
       },
       "bin": {
@@ -820,9 +820,9 @@
       "license": "MIT"
     },
     "node_modules/caniuse-lite": {
-      "version": "1.0.30001688",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001688.tgz",
-      "integrity": "sha512-Nmqpru91cuABu/DTCXbM2NSRHzM2uVHfPnhJ/1zEAJx/ILBRVmz3pzH4N7DZqbdG0gWClsCC05Oj0mJ/1AWMbA==",
+      "version": "1.0.30001690",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001690.tgz",
+      "integrity": "sha512-5ExiE3qQN6oF8Clf8ifIDcMRCRE/dMGcETG/XGMD8/XiXm6HXQgQTh1yZYLXXpSOsEUlJm1Xr7kGULZTuGtP/w==",
       "dev": true,
       "funding": [
         {
@@ -841,9 +841,9 @@
       "license": "CC-BY-4.0"
     },
     "node_modules/chokidar": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-4.0.1.tgz",
-      "integrity": "sha512-n8enUVCED/KVRQlab1hr3MVpcVMvxtZjmEa956u+4YijlmQED223XMSYj2tLuKvr4jcCTzNNMpQDUer72MMmzA==",
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-4.0.3.tgz",
+      "integrity": "sha512-Qgzu8kfBvo+cA4962jnP1KkS6Dop5NS6g7R5LFYJr4b8Ub94PPQXUksCw9PvXoeXPRRddRNC5C1JQUR2SMGtnA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -973,16 +973,16 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.73",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.73.tgz",
-      "integrity": "sha512-8wGNxG9tAG5KhGd3eeA0o6ixhiNdgr0DcHWm85XPCphwZgD1lIEoi6t3VERayWao7SF7AAZTw6oARGJeVjH8Kg==",
+      "version": "1.5.75",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.75.tgz",
+      "integrity": "sha512-Lf3++DumRE/QmweGjU+ZcKqQ+3bKkU/qjaKYhIJKEOhgIO9Xs6IiAQFkfFoj+RhgDk4LUeNsLo6plExHqSyu6Q==",
       "dev": true,
       "license": "ISC"
     },
     "node_modules/enhanced-resolve": {
-      "version": "5.17.1",
-      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.17.1.tgz",
-      "integrity": "sha512-LMHl3dXhTcfv8gM4kEzIUeTQ+7fpdA0l2tUf34BddXPkz2A5xJ5L/Pchd5BL6rdccM9QGvu0sWZzK1Z1t4wwyg==",
+      "version": "5.18.0",
+      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.18.0.tgz",
+      "integrity": "sha512-0/r0MySGYG8YqlayBZ6MuCfECmHFdJ5qyPh8s8wa5Hnm6SaFLSK1VYCbj+NKp090Nm1caZhD+QTnmxO7esYGyQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1272,9 +1272,9 @@
       }
     },
     "node_modules/is-core-module": {
-      "version": "2.15.1",
-      "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.15.1.tgz",
-      "integrity": "sha512-z0vtXSwucUJtANQWldhbtbt7BnL0vxiFjIdDLAatwhDYty2bad6s+rijD6Ri4YuYJubLzIJLUidCh09e1djEVQ==",
+      "version": "2.16.1",
+      "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.16.1.tgz",
+      "integrity": "sha512-UfoeMA6fIJ8wTYFEUjelnaGI67v6+N7qXJEvQuIGa99l4xsCruSYOVSQ0uPANn4dAzm8lkYPaKLrrijLq7x23w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1793,19 +1793,22 @@
       }
     },
     "node_modules/resolve": {
-      "version": "1.22.8",
-      "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz",
-      "integrity": "sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==",
+      "version": "1.22.10",
+      "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.10.tgz",
+      "integrity": "sha512-NPRy+/ncIMeDlTAsuqwKIiferiawhefFJtkNSW0qZJEqMEb+qBt/77B/jGeeek+F0uOeN05CDa6HXbbIgtVX4w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "is-core-module": "^2.13.0",
+        "is-core-module": "^2.16.0",
         "path-parse": "^1.0.7",
         "supports-preserve-symlinks-flag": "^1.0.0"
       },
       "bin": {
         "resolve": "bin/resolve"
       },
+      "engines": {
+        "node": ">= 0.4"
+      },
       "funding": {
         "url": "https://github.com/sponsors/ljharb"
       }
@@ -2083,17 +2086,17 @@
       }
     },
     "node_modules/terser-webpack-plugin": {
-      "version": "5.3.10",
-      "resolved": "https://registry.npmjs.org/terser-webpack-plugin/-/terser-webpack-plugin-5.3.10.tgz",
-      "integrity": "sha512-BKFPWlPDndPs+NGGCr1U59t0XScL5317Y0UReNrHaw9/FwhPENlq6bfgs+4yPfyP51vqC1bQ4rp1EfXW5ZSH9w==",
+      "version": "5.3.11",
+      "resolved": "https://registry.npmjs.org/terser-webpack-plugin/-/terser-webpack-plugin-5.3.11.tgz",
+      "integrity": "sha512-RVCsMfuD0+cTt3EwX8hSl2Ks56EbFHWmhluwcqoPKtBnfjiT6olaq7PRIRfhyU8nnC2MrnDrBLfrD/RGE+cVXQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@jridgewell/trace-mapping": "^0.3.20",
+        "@jridgewell/trace-mapping": "^0.3.25",
         "jest-worker": "^27.4.5",
-        "schema-utils": "^3.1.1",
-        "serialize-javascript": "^6.0.1",
-        "terser": "^5.26.0"
+        "schema-utils": "^4.3.0",
+        "serialize-javascript": "^6.0.2",
+        "terser": "^5.31.1"
       },
       "engines": {
         "node": ">= 10.13.0"
@@ -2117,59 +2120,6 @@
         }
       }
     },
-    "node_modules/terser-webpack-plugin/node_modules/ajv": {
-      "version": "6.12.6",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
-      "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "fast-deep-equal": "^3.1.1",
-        "fast-json-stable-stringify": "^2.0.0",
-        "json-schema-traverse": "^0.4.1",
-        "uri-js": "^4.2.2"
-      },
-      "funding": {
-        "type": "github",
-        "url": "https://github.com/sponsors/epoberezkin"
-      }
-    },
-    "node_modules/terser-webpack-plugin/node_modules/ajv-keywords": {
-      "version": "3.5.2",
-      "resolved": "https://registry.npmjs.org/ajv-keywords/-/ajv-keywords-3.5.2.tgz",
-      "integrity": "sha512-5p6WTN0DdTGVQk6VjcEju19IgaHudalcfabD7yhDGeA6bcQnmL+CpveLJq/3hvfwd1aof6L386Ougkx6RfyMIQ==",
-      "dev": true,
-      "license": "MIT",
-      "peerDependencies": {
-        "ajv": "^6.9.1"
-      }
-    },
-    "node_modules/terser-webpack-plugin/node_modules/json-schema-traverse": {
-      "version": "0.4.1",
-      "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz",
-      "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==",
-      "dev": true,
-      "license": "MIT"
-    },
-    "node_modules/terser-webpack-plugin/node_modules/schema-utils": {
-      "version": "3.3.0",
-      "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-3.3.0.tgz",
-      "integrity": "sha512-pN/yOAvcC+5rQ5nERGuwrjLlYvLTbCibnZ1I7B1LaiAz9BRBlE9GMgE/eqV30P7aJQUf7Ddimy/RsbYO/GrVGg==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@types/json-schema": "^7.0.8",
-        "ajv": "^6.12.5",
-        "ajv-keywords": "^3.5.2"
-      },
-      "engines": {
-        "node": ">= 10.13.0"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/webpack"
-      }
-    },
     "node_modules/to-regex-range": {
       "version": "5.0.1",
       "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",

From eeb1be1dba3bfefea00fc7837f7feca93f95aa37 Mon Sep 17 00:00:00 2001
From: cyprain-okeke <108260115+cyprain-okeke@users.noreply.github.com>
Date: Tue, 7 Jan 2025 20:01:40 +0100
Subject: [PATCH 119/384] [PM-15808]Show suspended org modals for orgs in
 'unpaid' & 'canceled' status (#5228)

* Recreate changes on the closed pr

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

* Remove unused references

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

---------

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>
---
 .../OrganizationBillingController.cs          | 38 ++++++++++++++++++-
 .../Responses/OrganizationMetadataResponse.cs |  2 +
 .../Billing/Models/OrganizationMetadata.cs    |  1 +
 .../OrganizationBillingService.cs             | 15 +++++++-
 .../OrganizationBillingControllerTests.cs     |  2 +-
 5 files changed, 54 insertions(+), 4 deletions(-)

diff --git a/src/Api/Billing/Controllers/OrganizationBillingController.cs b/src/Api/Billing/Controllers/OrganizationBillingController.cs
index 7da0a0f602..1c0cfd9388 100644
--- a/src/Api/Billing/Controllers/OrganizationBillingController.cs
+++ b/src/Api/Billing/Controllers/OrganizationBillingController.cs
@@ -1,7 +1,9 @@
 #nullable enable
+using Bit.Api.AdminConsole.Models.Request.Organizations;
 using Bit.Api.Billing.Models.Requests;
 using Bit.Api.Billing.Models.Responses;
 using Bit.Core;
+using Bit.Core.Billing.Models.Sales;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Repositories;
@@ -21,7 +23,8 @@ public class OrganizationBillingController(
     IOrganizationRepository organizationRepository,
     IPaymentService paymentService,
     ISubscriberService subscriberService,
-    IPaymentHistoryService paymentHistoryService) : BaseBillingController
+    IPaymentHistoryService paymentHistoryService,
+    IUserService userService) : BaseBillingController
 {
     [HttpGet("metadata")]
     public async Task<IResult> GetMetadataAsync([FromRoute] Guid organizationId)
@@ -278,4 +281,37 @@ public class OrganizationBillingController(
 
         return TypedResults.Ok();
     }
+
+    [HttpPost("restart-subscription")]
+    public async Task<IResult> RestartSubscriptionAsync([FromRoute] Guid organizationId,
+        [FromBody] OrganizationCreateRequestModel model)
+    {
+        var user = await userService.GetUserByPrincipalAsync(User);
+        if (user == null)
+        {
+            throw new UnauthorizedAccessException();
+        }
+
+        if (!featureService.IsEnabled(FeatureFlagKeys.AC2476_DeprecateStripeSourcesAPI))
+        {
+            return Error.NotFound();
+        }
+
+        if (!await currentContext.EditPaymentMethods(organizationId))
+        {
+            return Error.Unauthorized();
+        }
+
+        var organization = await organizationRepository.GetByIdAsync(organizationId);
+
+        if (organization == null)
+        {
+            return Error.NotFound();
+        }
+        var organizationSignup = model.ToOrganizationSignup(user);
+        var sale = OrganizationSale.From(organization, organizationSignup);
+        await organizationBillingService.Finalize(sale);
+
+        return TypedResults.Ok();
+    }
 }
diff --git a/src/Api/Billing/Models/Responses/OrganizationMetadataResponse.cs b/src/Api/Billing/Models/Responses/OrganizationMetadataResponse.cs
index 28f156fa39..1dfc79be21 100644
--- a/src/Api/Billing/Models/Responses/OrganizationMetadataResponse.cs
+++ b/src/Api/Billing/Models/Responses/OrganizationMetadataResponse.cs
@@ -9,6 +9,7 @@ public record OrganizationMetadataResponse(
     bool IsSubscriptionUnpaid,
     bool HasSubscription,
     bool HasOpenInvoice,
+    bool IsSubscriptionCanceled,
     DateTime? InvoiceDueDate,
     DateTime? InvoiceCreatedDate,
     DateTime? SubPeriodEndDate)
@@ -21,6 +22,7 @@ public record OrganizationMetadataResponse(
             metadata.IsSubscriptionUnpaid,
             metadata.HasSubscription,
             metadata.HasOpenInvoice,
+            metadata.IsSubscriptionCanceled,
             metadata.InvoiceDueDate,
             metadata.InvoiceCreatedDate,
             metadata.SubPeriodEndDate);
diff --git a/src/Core/Billing/Models/OrganizationMetadata.cs b/src/Core/Billing/Models/OrganizationMetadata.cs
index b6442e4c19..4bb9a85825 100644
--- a/src/Core/Billing/Models/OrganizationMetadata.cs
+++ b/src/Core/Billing/Models/OrganizationMetadata.cs
@@ -7,6 +7,7 @@ public record OrganizationMetadata(
     bool IsSubscriptionUnpaid,
     bool HasSubscription,
     bool HasOpenInvoice,
+    bool IsSubscriptionCanceled,
     DateTime? InvoiceDueDate,
     DateTime? InvoiceCreatedDate,
     DateTime? SubPeriodEndDate);
diff --git a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
index 8114d5ba65..ec9770c59e 100644
--- a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
@@ -69,7 +69,7 @@ public class OrganizationBillingService(
         if (string.IsNullOrWhiteSpace(organization.GatewaySubscriptionId))
         {
             return new OrganizationMetadata(isEligibleForSelfHost, isManaged, false,
-                false, false, false, null, null, null);
+                false, false, false, false, null, null, null);
         }
 
         var customer = await subscriberService.GetCustomer(organization,
@@ -79,6 +79,7 @@ public class OrganizationBillingService(
 
         var isOnSecretsManagerStandalone = IsOnSecretsManagerStandalone(organization, customer, subscription);
         var isSubscriptionUnpaid = IsSubscriptionUnpaid(subscription);
+        var isSubscriptionCanceled = IsSubscriptionCanceled(subscription);
         var hasSubscription = true;
         var openInvoice = await HasOpenInvoiceAsync(subscription);
         var hasOpenInvoice = openInvoice.HasOpenInvoice;
@@ -87,7 +88,7 @@ public class OrganizationBillingService(
         var subPeriodEndDate = subscription?.CurrentPeriodEnd;
 
         return new OrganizationMetadata(isEligibleForSelfHost, isManaged, isOnSecretsManagerStandalone,
-            isSubscriptionUnpaid, hasSubscription, hasOpenInvoice, invoiceDueDate, invoiceCreatedDate, subPeriodEndDate);
+            isSubscriptionUnpaid, hasSubscription, hasOpenInvoice, isSubscriptionCanceled, invoiceDueDate, invoiceCreatedDate, subPeriodEndDate);
     }
 
     public async Task UpdatePaymentMethod(
@@ -437,5 +438,15 @@ public class OrganizationBillingService(
             ? (true, invoice.Created, invoice.DueDate)
             : (false, null, null);
     }
+
+    private static bool IsSubscriptionCanceled(Subscription subscription)
+    {
+        if (subscription == null)
+        {
+            return false;
+        }
+
+        return subscription.Status == "canceled";
+    }
     #endregion
 }
diff --git a/test/Api.Test/Billing/Controllers/OrganizationBillingControllerTests.cs b/test/Api.Test/Billing/Controllers/OrganizationBillingControllerTests.cs
index d500fb354a..a8c3cf15a9 100644
--- a/test/Api.Test/Billing/Controllers/OrganizationBillingControllerTests.cs
+++ b/test/Api.Test/Billing/Controllers/OrganizationBillingControllerTests.cs
@@ -52,7 +52,7 @@ public class OrganizationBillingControllerTests
     {
         sutProvider.GetDependency<ICurrentContext>().OrganizationUser(organizationId).Returns(true);
         sutProvider.GetDependency<IOrganizationBillingService>().GetMetadata(organizationId)
-            .Returns(new OrganizationMetadata(true, true, true, true, true, true, null, null, null));
+            .Returns(new OrganizationMetadata(true, true, true, true, true, true, true, null, null, null));
 
         var result = await sutProvider.Sut.GetMetadataAsync(organizationId);
 

From 5ae232e33697ac6ca1085ac7c2c29010a67cc8f2 Mon Sep 17 00:00:00 2001
From: Addison Beck <addison@bitwarden.com>
Date: Tue, 7 Jan 2025 14:58:30 -0500
Subject: [PATCH 120/384] chore: expand tests of the new
 `UpdateInstallationCommand` (#5227)

---
 .../UpdateInstallationCommandTests.cs         | 43 +++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/test/Core.Test/Platform/Installations/Commands/UpdateInstallationCommandTests.cs b/test/Core.Test/Platform/Installations/Commands/UpdateInstallationCommandTests.cs
index daa8e1b89c..ec04ac711a 100644
--- a/test/Core.Test/Platform/Installations/Commands/UpdateInstallationCommandTests.cs
+++ b/test/Core.Test/Platform/Installations/Commands/UpdateInstallationCommandTests.cs
@@ -9,6 +9,49 @@ namespace Bit.Core.Platform.Installations.Tests;
 [SutProviderCustomize]
 public class UpdateInstallationCommandTests
 {
+    [Theory]
+    [BitAutoData]
+    public async Task UpdateLastActivityDateAsync_WithDefaultGuid_ThrowsException(SutProvider<UpdateInstallationCommand> sutProvider)
+    {
+        // Arrange
+        var defaultGuid = default(Guid);
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<Exception>(
+            () => sutProvider.Sut.UpdateLastActivityDateAsync(defaultGuid));
+
+        Assert.Contains("invalid installation id", exception.Message);
+
+        await sutProvider
+            .GetDependency<IInstallationRepository>()
+            .DidNotReceive()
+            .UpsertAsync(Arg.Any<Installation>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task UpdateLastActivityDateAsync_WithNonExistentInstallation_ThrowsException(
+        Guid installationId,
+        SutProvider<UpdateInstallationCommand> sutProvider)
+    {
+        // Arrange
+        sutProvider
+            .GetDependency<IGetInstallationQuery>()
+            .GetByIdAsync(installationId)
+            .Returns((Installation)null);
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<Exception>(
+            () => sutProvider.Sut.UpdateLastActivityDateAsync(installationId));
+
+        Assert.Contains("no installation was found", exception.Message);
+
+        await sutProvider
+            .GetDependency<IInstallationRepository>()
+            .DidNotReceive()
+            .UpsertAsync(Arg.Any<Installation>());
+    }
+
     [Theory]
     [BitAutoData]
     public async Task UpdateLastActivityDateAsync_ShouldUpdateLastActivityDate(

From cc96e35072aaa80b845ed22b6655452112a4b3af Mon Sep 17 00:00:00 2001
From: Patrick-Pimentel-Bitwarden <ppimentel@bitwarden.com>
Date: Tue, 7 Jan 2025 15:52:53 -0500
Subject: [PATCH 121/384] Auth/pm 2996/add auth request data to devices
 response model (#5152)

fix(auth): [PM-2996] Add Pending Auth Request Data to Devices Response
- New stored procedure to fetch the appropriate data.
- Updated devices controller to respond with the new data.
- Tests written at the controller and repository level.
Resolves PM-2996
---
 .github/workflows/test-database.yml           |   4 +-
 src/Api/Controllers/DevicesController.cs      |  15 +-
 src/Core/Auth/Enums/AuthRequestType.cs        |   7 +
 .../DeviceAuthRequestResponseModel.cs         |  51 +++++
 .../Auth/Models/Data/DeviceAuthDetails.cs     |  81 ++++++++
 .../Models/Data/EmergencyAccessDetails.cs     |   3 +-
 .../Implementations/RegisterUserCommand.cs    |   1 -
 src/Core/Repositories/IDeviceRepository.cs    |   7 +-
 src/Core/Settings/IGlobalSettings.cs          |   2 +
 .../Repositories/DeviceRepository.cs          |  25 ++-
 .../Repositories/Repository.cs                |   4 +-
 .../DeviceWithPendingAuthByUserIdQuery.cs     |  38 ++++
 .../Repositories/DeviceRepository.cs          |  26 ++-
 ...dActiveWithPendingAuthRequestsByUserId.sql |  27 +++
 .../Controllers/DevicesControllerTests.cs     |  88 ++++++++
 .../AutoFixture/DeviceFixtures.cs             |   4 +
 .../Repositories/DeviceRepositoryTests.cs     |  13 +-
 .../AuthRequestRepositoryTests.cs             |  14 +-
 .../Repositories/DeviceRepositoryTests.cs     | 191 ++++++++++++++++++
 .../DatabaseDataAttribute.cs                  |  22 +-
 ...2-04_00_AddActiveDeviceWithPendingAuth.sql |  27 +++
 21 files changed, 620 insertions(+), 30 deletions(-)
 create mode 100644 src/Core/Auth/Models/Api/Response/DeviceAuthRequestResponseModel.cs
 create mode 100644 src/Core/Auth/Models/Data/DeviceAuthDetails.cs
 create mode 100644 src/Infrastructure.EntityFramework/Auth/Repositories/Queries/DeviceWithPendingAuthByUserIdQuery.cs
 create mode 100644 src/Sql/Auth/dbo/Stored Procedures/Device_ReadActiveWithPendingAuthRequestsByUserId.sql
 create mode 100644 test/Api.Test/Auth/Controllers/DevicesControllerTests.cs
 create mode 100644 test/Infrastructure.IntegrationTest/Auth/Repositories/DeviceRepositoryTests.cs
 create mode 100644 util/Migrator/DbScripts/2024-12-04_00_AddActiveDeviceWithPendingAuth.sql

diff --git a/.github/workflows/test-database.yml b/.github/workflows/test-database.yml
index 134e96b339..6700438c2a 100644
--- a/.github/workflows/test-database.yml
+++ b/.github/workflows/test-database.yml
@@ -107,7 +107,7 @@ jobs:
         run: 'dotnet ef database update --connection "$CONN_STR" -- --GlobalSettings:MySql:ConnectionString="$CONN_STR"'
         env:
           CONN_STR: "server=localhost;uid=root;pwd=SET_A_PASSWORD_HERE_123;database=vault_dev;Allow User Variables=true"
-      
+
       - name: Migrate MariaDB
         working-directory: "util/MySqlMigrations"
         run: 'dotnet ef database update --connection "$CONN_STR" -- --GlobalSettings:MySql:ConnectionString="$CONN_STR"'
@@ -237,7 +237,7 @@ jobs:
         run: |
           if grep -q "<Operations>" "report.xml"; then
              echo
-             echo "Migrations are out of sync with sqlproj!"
+             echo "Migration files are not in sync with the files in the Sql project. Review to make sure that any stored procedures / other db changes match with the stored procedures in the Sql project."
              exit 1
            else
              echo "Report looks good"
diff --git a/src/Api/Controllers/DevicesController.cs b/src/Api/Controllers/DevicesController.cs
index f55b30eb27..aab898cd62 100644
--- a/src/Api/Controllers/DevicesController.cs
+++ b/src/Api/Controllers/DevicesController.cs
@@ -6,7 +6,6 @@ using Bit.Api.Models.Response;
 using Bit.Core.Auth.Models.Api.Request;
 using Bit.Core.Auth.Models.Api.Response;
 using Bit.Core.Context;
-using Bit.Core.Entities;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -70,11 +69,17 @@ public class DevicesController : Controller
     }
 
     [HttpGet("")]
-    public async Task<ListResponseModel<DeviceResponseModel>> Get()
+    public async Task<ListResponseModel<DeviceAuthRequestResponseModel>> Get()
     {
-        ICollection<Device> devices = await _deviceRepository.GetManyByUserIdAsync(_userService.GetProperUserId(User).Value);
-        var responses = devices.Select(d => new DeviceResponseModel(d));
-        return new ListResponseModel<DeviceResponseModel>(responses);
+        var devicesWithPendingAuthData = await _deviceRepository.GetManyByUserIdWithDeviceAuth(_userService.GetProperUserId(User).Value);
+
+        // Convert from DeviceAuthDetails to DeviceAuthRequestResponseModel
+        var deviceAuthRequestResponseList = devicesWithPendingAuthData
+            .Select(DeviceAuthRequestResponseModel.From)
+            .ToList();
+
+        var response = new ListResponseModel<DeviceAuthRequestResponseModel>(deviceAuthRequestResponseList);
+        return response;
     }
 
     [HttpPost("")]
diff --git a/src/Core/Auth/Enums/AuthRequestType.cs b/src/Core/Auth/Enums/AuthRequestType.cs
index fff75e8d22..0a3bf4b3bc 100644
--- a/src/Core/Auth/Enums/AuthRequestType.cs
+++ b/src/Core/Auth/Enums/AuthRequestType.cs
@@ -1,5 +1,12 @@
 namespace Bit.Core.Auth.Enums;
 
+/**
+ * The type of auth request.
+ *
+ * Note:
+ * Used by the Device_ReadActiveWithPendingAuthRequestsByUserId.sql stored procedure.
+ *  If the enum changes be aware of this reference.
+ */
 public enum AuthRequestType : byte
 {
     AuthenticateAndUnlock = 0,
diff --git a/src/Core/Auth/Models/Api/Response/DeviceAuthRequestResponseModel.cs b/src/Core/Auth/Models/Api/Response/DeviceAuthRequestResponseModel.cs
new file mode 100644
index 0000000000..3cfea51ee3
--- /dev/null
+++ b/src/Core/Auth/Models/Api/Response/DeviceAuthRequestResponseModel.cs
@@ -0,0 +1,51 @@
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Auth.Utilities;
+using Bit.Core.Enums;
+using Bit.Core.Models.Api;
+
+namespace Bit.Core.Auth.Models.Api.Response;
+
+public class DeviceAuthRequestResponseModel : ResponseModel
+{
+    public DeviceAuthRequestResponseModel()
+        : base("device") { }
+
+    public static DeviceAuthRequestResponseModel From(DeviceAuthDetails deviceAuthDetails)
+    {
+        var converted = new DeviceAuthRequestResponseModel
+        {
+            Id = deviceAuthDetails.Id,
+            Name = deviceAuthDetails.Name,
+            Type = deviceAuthDetails.Type,
+            Identifier = deviceAuthDetails.Identifier,
+            CreationDate = deviceAuthDetails.CreationDate,
+            IsTrusted = deviceAuthDetails.IsTrusted()
+        };
+
+        if (deviceAuthDetails.AuthRequestId != null && deviceAuthDetails.AuthRequestCreatedAt != null)
+        {
+            converted.DevicePendingAuthRequest = new PendingAuthRequest
+            {
+                Id = (Guid)deviceAuthDetails.AuthRequestId,
+                CreationDate = (DateTime)deviceAuthDetails.AuthRequestCreatedAt
+            };
+        }
+
+        return converted;
+    }
+
+    public Guid Id { get; set; }
+    public string Name { get; set; }
+    public DeviceType Type { get; set; }
+    public string Identifier { get; set; }
+    public DateTime CreationDate { get; set; }
+    public bool IsTrusted { get; set; }
+
+    public PendingAuthRequest DevicePendingAuthRequest { get; set; }
+
+    public class PendingAuthRequest
+    {
+        public Guid Id { get; set; }
+        public DateTime CreationDate { get; set; }
+    }
+}
diff --git a/src/Core/Auth/Models/Data/DeviceAuthDetails.cs b/src/Core/Auth/Models/Data/DeviceAuthDetails.cs
new file mode 100644
index 0000000000..ef242705f4
--- /dev/null
+++ b/src/Core/Auth/Models/Data/DeviceAuthDetails.cs
@@ -0,0 +1,81 @@
+using Bit.Core.Auth.Utilities;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+
+namespace Bit.Core.Auth.Models.Data;
+
+public class DeviceAuthDetails : Device
+{
+    public bool IsTrusted { get; set; }
+    public Guid? AuthRequestId { get; set; }
+    public DateTime? AuthRequestCreatedAt { get; set; }
+
+    /**
+     * Constructor for EF response.
+     */
+    public DeviceAuthDetails(
+        Device device,
+        Guid? authRequestId,
+        DateTime? authRequestCreationDate)
+    {
+        if (device == null)
+        {
+            throw new ArgumentNullException(nameof(device));
+        }
+
+        Id = device.Id;
+        Name = device.Name;
+        Type = device.Type;
+        Identifier = device.Identifier;
+        CreationDate = device.CreationDate;
+        IsTrusted = device.IsTrusted();
+        AuthRequestId = authRequestId;
+        AuthRequestCreatedAt = authRequestCreationDate;
+    }
+
+    /**
+     * Constructor for dapper response.
+     * Note: if the authRequestId or authRequestCreationDate is null it comes back as
+     * an empty guid and a min value for datetime. That could change if the stored
+     * procedure runs on a different kind of db.
+     */
+    public DeviceAuthDetails(
+        Guid id,
+        Guid userId,
+        string name,
+        short type,
+        string identifier,
+        string pushToken,
+        DateTime creationDate,
+        DateTime revisionDate,
+        string encryptedUserKey,
+        string encryptedPublicKey,
+        string encryptedPrivateKey,
+        bool active,
+        Guid authRequestId,
+        DateTime authRequestCreationDate)
+    {
+        Id = id;
+        Name = name;
+        Type = (DeviceType)type;
+        Identifier = identifier;
+        CreationDate = creationDate;
+        IsTrusted = new Device
+        {
+            Id = id,
+            UserId = userId,
+            Name = name,
+            Type = (DeviceType)type,
+            Identifier = identifier,
+            PushToken = pushToken,
+            RevisionDate = revisionDate,
+            EncryptedUserKey = encryptedUserKey,
+            EncryptedPublicKey = encryptedPublicKey,
+            EncryptedPrivateKey = encryptedPrivateKey,
+            Active = active
+        }.IsTrusted();
+        AuthRequestId = authRequestId != Guid.Empty ? authRequestId : null;
+        AuthRequestCreatedAt =
+            authRequestCreationDate != DateTime.MinValue ? authRequestCreationDate : null;
+    }
+}
diff --git a/src/Core/Auth/Models/Data/EmergencyAccessDetails.cs b/src/Core/Auth/Models/Data/EmergencyAccessDetails.cs
index 3c925d1a80..15ccad9cb1 100644
--- a/src/Core/Auth/Models/Data/EmergencyAccessDetails.cs
+++ b/src/Core/Auth/Models/Data/EmergencyAccessDetails.cs
@@ -1,5 +1,4 @@
-
-using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Entities;
 
 namespace Bit.Core.Auth.Models.Data;
 
diff --git a/src/Core/Auth/UserFeatures/Registration/Implementations/RegisterUserCommand.cs b/src/Core/Auth/UserFeatures/Registration/Implementations/RegisterUserCommand.cs
index 89851fce23..834d2722cc 100644
--- a/src/Core/Auth/UserFeatures/Registration/Implementations/RegisterUserCommand.cs
+++ b/src/Core/Auth/UserFeatures/Registration/Implementations/RegisterUserCommand.cs
@@ -23,7 +23,6 @@ namespace Bit.Core.Auth.UserFeatures.Registration.Implementations;
 
 public class RegisterUserCommand : IRegisterUserCommand
 {
-
     private readonly IGlobalSettings _globalSettings;
     private readonly IOrganizationUserRepository _organizationUserRepository;
     private readonly IPolicyRepository _policyRepository;
diff --git a/src/Core/Repositories/IDeviceRepository.cs b/src/Core/Repositories/IDeviceRepository.cs
index c5d14a0945..c9809c1de6 100644
--- a/src/Core/Repositories/IDeviceRepository.cs
+++ b/src/Core/Repositories/IDeviceRepository.cs
@@ -1,4 +1,5 @@
-using Bit.Core.Entities;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Entities;
 
 #nullable enable
 
@@ -10,5 +11,9 @@ public interface IDeviceRepository : IRepository<Device, Guid>
     Task<Device?> GetByIdentifierAsync(string identifier);
     Task<Device?> GetByIdentifierAsync(string identifier, Guid userId);
     Task<ICollection<Device>> GetManyByUserIdAsync(Guid userId);
+    // DeviceAuthDetails is passed back to decouple the response model from the
+    // repository in case more fields are ever added to the details response for
+    // other requests.
+    Task<ICollection<DeviceAuthDetails>> GetManyByUserIdWithDeviceAuth(Guid userId);
     Task ClearPushTokenAsync(Guid id);
 }
diff --git a/src/Core/Settings/IGlobalSettings.cs b/src/Core/Settings/IGlobalSettings.cs
index 02d151ed95..afe35ed34b 100644
--- a/src/Core/Settings/IGlobalSettings.cs
+++ b/src/Core/Settings/IGlobalSettings.cs
@@ -24,5 +24,7 @@ public interface IGlobalSettings
     IPasswordlessAuthSettings PasswordlessAuth { get; set; }
     IDomainVerificationSettings DomainVerification { get; set; }
     ILaunchDarklySettings LaunchDarkly { get; set; }
+    string DatabaseProvider { get; set; }
+    GlobalSettings.SqlSettings SqlServer { get; set; }
     string DevelopmentDirectory { get; set; }
 }
diff --git a/src/Infrastructure.Dapper/Repositories/DeviceRepository.cs b/src/Infrastructure.Dapper/Repositories/DeviceRepository.cs
index 7216d87f57..4abf4a4649 100644
--- a/src/Infrastructure.Dapper/Repositories/DeviceRepository.cs
+++ b/src/Infrastructure.Dapper/Repositories/DeviceRepository.cs
@@ -1,4 +1,5 @@
 using System.Data;
+using Bit.Core.Auth.Models.Data;
 using Bit.Core.Entities;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
@@ -11,9 +12,13 @@ namespace Bit.Infrastructure.Dapper.Repositories;
 
 public class DeviceRepository : Repository<Device, Guid>, IDeviceRepository
 {
+    private readonly IGlobalSettings _globalSettings;
+
     public DeviceRepository(GlobalSettings globalSettings)
         : this(globalSettings.SqlServer.ConnectionString, globalSettings.SqlServer.ReadOnlyConnectionString)
-    { }
+    {
+        _globalSettings = globalSettings;
+    }
 
     public DeviceRepository(string connectionString, string readOnlyConnectionString)
         : base(connectionString, readOnlyConnectionString)
@@ -76,6 +81,24 @@ public class DeviceRepository : Repository<Device, Guid>, IDeviceRepository
         }
     }
 
+    public async Task<ICollection<DeviceAuthDetails>> GetManyByUserIdWithDeviceAuth(Guid userId)
+    {
+        var expirationMinutes = _globalSettings.PasswordlessAuth.UserRequestExpiration.TotalMinutes;
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var results = await connection.QueryAsync<DeviceAuthDetails>(
+                $"[{Schema}].[{Table}_ReadActiveWithPendingAuthRequestsByUserId]",
+                new
+                {
+                    UserId = userId,
+                    ExpirationMinutes = expirationMinutes
+                },
+                commandType: CommandType.StoredProcedure);
+
+            return results.ToList();
+        }
+    }
+
     public async Task ClearPushTokenAsync(Guid id)
     {
         using (var connection = new SqlConnection(ConnectionString))
diff --git a/src/Infrastructure.Dapper/Repositories/Repository.cs b/src/Infrastructure.Dapper/Repositories/Repository.cs
index fd37b611d0..43bffb3598 100644
--- a/src/Infrastructure.Dapper/Repositories/Repository.cs
+++ b/src/Infrastructure.Dapper/Repositories/Repository.cs
@@ -51,7 +51,7 @@ public abstract class Repository<T, TId> : BaseRepository, IRepository<T, TId>
             var parameters = new DynamicParameters();
             parameters.AddDynamicParams(obj);
             parameters.Add("Id", obj.Id, direction: ParameterDirection.InputOutput);
-            var results = await connection.ExecuteAsync(
+            await connection.ExecuteAsync(
                 $"[{Schema}].[{Table}_Create]",
                 parameters,
                 commandType: CommandType.StoredProcedure);
@@ -64,7 +64,7 @@ public abstract class Repository<T, TId> : BaseRepository, IRepository<T, TId>
     {
         using (var connection = new SqlConnection(ConnectionString))
         {
-            var results = await connection.ExecuteAsync(
+            await connection.ExecuteAsync(
                 $"[{Schema}].[{Table}_Update]",
                 obj,
                 commandType: CommandType.StoredProcedure);
diff --git a/src/Infrastructure.EntityFramework/Auth/Repositories/Queries/DeviceWithPendingAuthByUserIdQuery.cs b/src/Infrastructure.EntityFramework/Auth/Repositories/Queries/DeviceWithPendingAuthByUserIdQuery.cs
new file mode 100644
index 0000000000..5ab6d498e3
--- /dev/null
+++ b/src/Infrastructure.EntityFramework/Auth/Repositories/Queries/DeviceWithPendingAuthByUserIdQuery.cs
@@ -0,0 +1,38 @@
+using Bit.Core.Auth.Enums;
+using Bit.Core.Auth.Models.Data;
+using Bit.Infrastructure.EntityFramework.Repositories;
+
+namespace Bit.Infrastructure.EntityFramework.Auth.Repositories.Queries;
+
+public class DeviceWithPendingAuthByUserIdQuery
+{
+    public IQueryable<DeviceAuthDetails> GetQuery(
+        DatabaseContext dbContext,
+        Guid userId,
+        int expirationMinutes)
+    {
+        var devicesWithAuthQuery = (
+            from device in dbContext.Devices
+            where device.UserId == userId && device.Active
+            select new
+            {
+                device,
+                authRequest =
+                (
+                    from authRequest in dbContext.AuthRequests
+                    where authRequest.RequestDeviceIdentifier == device.Identifier
+                    where authRequest.Type == AuthRequestType.AuthenticateAndUnlock || authRequest.Type == AuthRequestType.Unlock
+                    where authRequest.Approved == null
+                    where authRequest.UserId == userId
+                    where authRequest.CreationDate.AddMinutes(expirationMinutes) > DateTime.UtcNow
+                    orderby authRequest.CreationDate descending
+                    select authRequest
+                ).First()
+            }).Select(deviceWithAuthRequest => new DeviceAuthDetails(
+                deviceWithAuthRequest.device,
+                deviceWithAuthRequest.authRequest.Id,
+                deviceWithAuthRequest.authRequest.CreationDate));
+
+        return devicesWithAuthQuery;
+    }
+}
diff --git a/src/Infrastructure.EntityFramework/Repositories/DeviceRepository.cs b/src/Infrastructure.EntityFramework/Repositories/DeviceRepository.cs
index da82427cbb..ad31d0fb8b 100644
--- a/src/Infrastructure.EntityFramework/Repositories/DeviceRepository.cs
+++ b/src/Infrastructure.EntityFramework/Repositories/DeviceRepository.cs
@@ -1,5 +1,8 @@
 using AutoMapper;
+using Bit.Core.Auth.Models.Data;
 using Bit.Core.Repositories;
+using Bit.Core.Settings;
+using Bit.Infrastructure.EntityFramework.Auth.Repositories.Queries;
 using Bit.Infrastructure.EntityFramework.Models;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.DependencyInjection;
@@ -10,9 +13,17 @@ namespace Bit.Infrastructure.EntityFramework.Repositories;
 
 public class DeviceRepository : Repository<Core.Entities.Device, Device, Guid>, IDeviceRepository
 {
-    public DeviceRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper)
+    private readonly IGlobalSettings _globalSettings;
+
+    public DeviceRepository(
+        IServiceScopeFactory serviceScopeFactory,
+        IMapper mapper,
+        IGlobalSettings globalSettings
+        )
         : base(serviceScopeFactory, mapper, (DatabaseContext context) => context.Devices)
-    { }
+    {
+        _globalSettings = globalSettings;
+    }
 
     public async Task ClearPushTokenAsync(Guid id)
     {
@@ -69,4 +80,15 @@ public class DeviceRepository : Repository<Core.Entities.Device, Device, Guid>,
             return Mapper.Map<List<Core.Entities.Device>>(devices);
         }
     }
+
+    public async Task<ICollection<DeviceAuthDetails>> GetManyByUserIdWithDeviceAuth(Guid userId)
+    {
+        var expirationMinutes = (int)_globalSettings.PasswordlessAuth.UserRequestExpiration.TotalMinutes;
+        using (var scope = ServiceScopeFactory.CreateScope())
+        {
+            var dbContext = GetDatabaseContext(scope);
+            var query = new DeviceWithPendingAuthByUserIdQuery();
+            return await query.GetQuery(dbContext, userId, expirationMinutes).ToListAsync();
+        }
+    }
 }
diff --git a/src/Sql/Auth/dbo/Stored Procedures/Device_ReadActiveWithPendingAuthRequestsByUserId.sql b/src/Sql/Auth/dbo/Stored Procedures/Device_ReadActiveWithPendingAuthRequestsByUserId.sql
new file mode 100644
index 0000000000..015d0f7c1f
--- /dev/null
+++ b/src/Sql/Auth/dbo/Stored Procedures/Device_ReadActiveWithPendingAuthRequestsByUserId.sql	
@@ -0,0 +1,27 @@
+CREATE PROCEDURE [dbo].[Device_ReadActiveWithPendingAuthRequestsByUserId]
+    @UserId UNIQUEIDENTIFIER,
+    @ExpirationMinutes INT
+AS
+BEGIN
+    SET NOCOUNT ON;
+
+    SELECT
+        D.*,
+        AR.Id as AuthRequestId,
+        AR.CreationDate as AuthRequestCreationDate
+    FROM dbo.DeviceView D
+             LEFT JOIN (
+        SELECT TOP 1 -- Take only the top record sorted by auth request creation date
+                     Id,
+                     CreationDate,
+                     RequestDeviceIdentifier
+        FROM dbo.AuthRequestView
+        WHERE Type IN (0, 1) -- Include only AuthenticateAndUnlock and Unlock types, excluding Admin Approval (type 2)
+          AND CreationDate >= DATEADD(MINUTE, -@ExpirationMinutes, GETUTCDATE()) -- Ensure the request hasn't expired
+          AND Approved IS NULL -- Include only requests that haven't been acknowledged or approved
+        ORDER BY CreationDate DESC
+    ) AR ON D.Identifier = AR.RequestDeviceIdentifier
+    WHERE
+        D.UserId = @UserId
+      AND D.Active = 1; -- Include only active devices
+END;
diff --git a/test/Api.Test/Auth/Controllers/DevicesControllerTests.cs b/test/Api.Test/Auth/Controllers/DevicesControllerTests.cs
new file mode 100644
index 0000000000..3dcf2016c4
--- /dev/null
+++ b/test/Api.Test/Auth/Controllers/DevicesControllerTests.cs
@@ -0,0 +1,88 @@
+using Bit.Api.Controllers;
+using Bit.Api.Models.Response;
+using Bit.Core.Auth.Models.Api.Response;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Settings;
+using Microsoft.Extensions.Logging;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Api.Test.Auth.Controllers;
+
+public class DevicesControllerTest
+{
+    private readonly IDeviceRepository _deviceRepositoryMock;
+    private readonly IDeviceService _deviceServiceMock;
+    private readonly IUserService _userServiceMock;
+    private readonly IUserRepository _userRepositoryMock;
+    private readonly ICurrentContext _currentContextMock;
+    private readonly IGlobalSettings _globalSettingsMock;
+    private readonly ILogger<DevicesController> _loggerMock;
+    private readonly DevicesController _sut;
+
+    public DevicesControllerTest()
+    {
+        _deviceRepositoryMock = Substitute.For<IDeviceRepository>();
+        _deviceServiceMock = Substitute.For<IDeviceService>();
+        _userServiceMock = Substitute.For<IUserService>();
+        _userRepositoryMock = Substitute.For<IUserRepository>();
+        _currentContextMock = Substitute.For<ICurrentContext>();
+        _loggerMock = Substitute.For<ILogger<DevicesController>>();
+
+        _sut = new DevicesController(
+            _deviceRepositoryMock,
+            _deviceServiceMock,
+            _userServiceMock,
+            _userRepositoryMock,
+            _currentContextMock,
+            _loggerMock);
+    }
+
+    [Fact]
+    public async Task Get_ReturnsExpectedResult()
+    {
+        // Arrange
+        var userId = Guid.Parse("AD89E6F8-4E84-4CFE-A978-256CC0DBF974");
+
+        var authDateTimeResponse = new DateTime(2024, 12, 9, 12, 0, 0);
+        var devicesWithPendingAuthData = new List<DeviceAuthDetails>
+        {
+            new (
+                new Device
+                {
+                    Id = Guid.Parse("B3136B10-7818-444F-B05B-4D7A9B8C48BF"),
+                    UserId = userId,
+                    Name = "chrome",
+                    Type = DeviceType.ChromeBrowser,
+                    Identifier = Guid.Parse("811E9254-F77C-48C8-AF0A-A181943F5708").ToString()
+                },
+                Guid.Parse("E09D6943-D574-49E5-AC85-C3F12B4E019E"),
+                authDateTimeResponse)
+        };
+
+        _userServiceMock.GetProperUserId(Arg.Any<System.Security.Claims.ClaimsPrincipal>()).Returns(userId);
+        _deviceRepositoryMock.GetManyByUserIdWithDeviceAuth(userId).Returns(devicesWithPendingAuthData);
+
+        // Act
+        var result = await _sut.Get();
+
+        // Assert
+        Assert.NotNull(result);
+        Assert.IsType<ListResponseModel<DeviceAuthRequestResponseModel>>(result);
+    }
+
+    [Fact]
+    public async Task Get_ThrowsException_WhenUserIdIsInvalid()
+    {
+        // Arrange
+        _userServiceMock.GetProperUserId(Arg.Any<System.Security.Claims.ClaimsPrincipal>()).Returns((Guid?)null);
+
+        // Act & Assert
+        await Assert.ThrowsAsync<InvalidOperationException>(() => _sut.Get());
+    }
+}
diff --git a/test/Infrastructure.EFIntegration.Test/AutoFixture/DeviceFixtures.cs b/test/Infrastructure.EFIntegration.Test/AutoFixture/DeviceFixtures.cs
index da5b5b7676..0ac3881511 100644
--- a/test/Infrastructure.EFIntegration.Test/AutoFixture/DeviceFixtures.cs
+++ b/test/Infrastructure.EFIntegration.Test/AutoFixture/DeviceFixtures.cs
@@ -2,7 +2,9 @@
 using AutoFixture.Kernel;
 using Bit.Core.Entities;
 using Bit.Core.Test.AutoFixture.UserFixtures;
+using Bit.Infrastructure.EFIntegration.Test.Auth.AutoFixture;
 using Bit.Infrastructure.EFIntegration.Test.AutoFixture.Relays;
+using Bit.Infrastructure.EntityFramework.Auth.Repositories;
 using Bit.Infrastructure.EntityFramework.Repositories;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -39,8 +41,10 @@ internal class EfDevice : ICustomization
         fixture.Customizations.Add(new GlobalSettingsBuilder());
         fixture.Customizations.Add(new DeviceBuilder());
         fixture.Customizations.Add(new UserBuilder());
+        fixture.Customizations.Add(new AuthRequestBuilder());
         fixture.Customizations.Add(new EfRepositoryListBuilder<DeviceRepository>());
         fixture.Customizations.Add(new EfRepositoryListBuilder<UserRepository>());
+        fixture.Customizations.Add(new EfRepositoryListBuilder<AuthRequestRepository>());
     }
 }
 
diff --git a/test/Infrastructure.EFIntegration.Test/Repositories/DeviceRepositoryTests.cs b/test/Infrastructure.EFIntegration.Test/Repositories/DeviceRepositoryTests.cs
index 078fed0469..cc914d9aae 100644
--- a/test/Infrastructure.EFIntegration.Test/Repositories/DeviceRepositoryTests.cs
+++ b/test/Infrastructure.EFIntegration.Test/Repositories/DeviceRepositoryTests.cs
@@ -11,9 +11,13 @@ namespace Bit.Infrastructure.EFIntegration.Test.Repositories;
 public class DeviceRepositoryTests
 {
     [CiSkippedTheory, EfDeviceAutoData]
-    public async Task CreateAsync_Works_DataMatches(Device device, User user,
-        DeviceCompare equalityComparer, List<EfRepo.DeviceRepository> suts,
-        List<EfRepo.UserRepository> efUserRepos, SqlRepo.DeviceRepository sqlDeviceRepo,
+    public async Task CreateAsync_Works_DataMatches(
+        Device device,
+        User user,
+        DeviceCompare equalityComparer,
+        List<EfRepo.DeviceRepository> suts,
+        List<EfRepo.UserRepository> efUserRepos,
+        SqlRepo.DeviceRepository sqlDeviceRepo,
         SqlRepo.UserRepository sqlUserRepo)
     {
         var savedDevices = new List<Device>();
@@ -40,7 +44,6 @@ public class DeviceRepositoryTests
         savedDevices.Add(savedSqlDevice);
 
         var distinctItems = savedDevices.Distinct(equalityComparer);
-        Assert.True(!distinctItems.Skip(1).Any());
+        Assert.False(distinctItems.Skip(1).Any());
     }
-
 }
diff --git a/test/Infrastructure.IntegrationTest/Auth/Repositories/AuthRequestRepositoryTests.cs b/test/Infrastructure.IntegrationTest/Auth/Repositories/AuthRequestRepositoryTests.cs
index 9fddb571b9..8cd8cb607c 100644
--- a/test/Infrastructure.IntegrationTest/Auth/Repositories/AuthRequestRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/Auth/Repositories/AuthRequestRepositoryTests.cs
@@ -8,9 +8,9 @@ namespace Bit.Infrastructure.IntegrationTest.Auth.Repositories;
 
 public class AuthRequestRepositoryTests
 {
-    private readonly static TimeSpan _userRequestExpiration = TimeSpan.FromMinutes(15);
-    private readonly static TimeSpan _adminRequestExpiration = TimeSpan.FromDays(6);
-    private readonly static TimeSpan _afterAdminApprovalExpiration = TimeSpan.FromHours(12);
+    private static readonly TimeSpan _userRequestExpiration = TimeSpan.FromMinutes(15);
+    private static readonly TimeSpan _adminRequestExpiration = TimeSpan.FromDays(6);
+    private static readonly TimeSpan _afterAdminApprovalExpiration = TimeSpan.FromHours(12);
 
     [DatabaseTheory, DatabaseData]
     public async Task DeleteExpiredAsync_Works(
@@ -25,11 +25,11 @@ public class AuthRequestRepositoryTests
             SecurityStamp = "stamp",
         });
 
-        // A user auth request type that has passed it's expiration time, should be deleted.
+        // A user auth request type that has passed its expiration time, should be deleted.
         var userExpiredAuthRequest = await authRequestRepository.CreateAsync(
             CreateAuthRequest(user.Id, AuthRequestType.AuthenticateAndUnlock, CreateExpiredDate(_userRequestExpiration)));
 
-        // An AdminApproval request that hasn't had any action taken on it and has passed it's expiration time, should be deleted.
+        // An AdminApproval request that hasn't had any action taken on it and has passed its expiration time, should be deleted.
         var adminApprovalExpiredAuthRequest = await authRequestRepository.CreateAsync(
             CreateAuthRequest(user.Id, AuthRequestType.AdminApproval, CreateExpiredDate(_adminRequestExpiration)));
 
@@ -37,7 +37,7 @@ public class AuthRequestRepositoryTests
         var adminApprovedExpiredAuthRequest = await authRequestRepository.CreateAsync(
             CreateAuthRequest(user.Id, AuthRequestType.AdminApproval, DateTime.UtcNow.AddDays(-6), true, CreateExpiredDate(_afterAdminApprovalExpiration)));
 
-        // An AdminApproval request that was rejected within it's allowed lifetime but has no gone past it's expiration time, should be deleted.
+        // An AdminApproval request that was rejected within its allowed lifetime but has not gone past its expiration time, should be deleted.
         var adminRejectedExpiredAuthRequest = await authRequestRepository.CreateAsync(
             CreateAuthRequest(user.Id, AuthRequestType.AdminApproval, CreateExpiredDate(_adminRequestExpiration), false, DateTime.UtcNow.AddHours(-1)));
 
@@ -45,7 +45,7 @@ public class AuthRequestRepositoryTests
         var notExpiredUserAuthRequest = await authRequestRepository.CreateAsync(
             CreateAuthRequest(user.Id, AuthRequestType.Unlock, DateTime.UtcNow.AddMinutes(-1)));
 
-        // An AdminApproval AuthRequest that was create 6 days 23 hours 59 minutes 59 seconds ago which is right on the edge of still being valid
+        // An AdminApproval AuthRequest that was created 6 days 23 hours 59 minutes 59 seconds ago which is right on the edge of still being valid
         var notExpiredAdminApprovalRequest = await authRequestRepository.CreateAsync(
             CreateAuthRequest(user.Id, AuthRequestType.AdminApproval, DateTime.UtcNow.Add(new TimeSpan(days: 6, hours: 23, minutes: 59, seconds: 59))));
 
diff --git a/test/Infrastructure.IntegrationTest/Auth/Repositories/DeviceRepositoryTests.cs b/test/Infrastructure.IntegrationTest/Auth/Repositories/DeviceRepositoryTests.cs
new file mode 100644
index 0000000000..a9eec23194
--- /dev/null
+++ b/test/Infrastructure.IntegrationTest/Auth/Repositories/DeviceRepositoryTests.cs
@@ -0,0 +1,191 @@
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Xunit;
+
+namespace Bit.Infrastructure.IntegrationTest.Auth.Repositories;
+
+public class DeviceRepositoryTests
+{
+    [DatabaseTheory]
+    [DatabaseData]
+    public async Task GetManyByUserIdWithDeviceAuth_Works_ReturnsExpectedResults(
+        IDeviceRepository sutRepository,
+        IUserRepository userRepository,
+        IAuthRequestRepository authRequestRepository)
+    {
+        // Arrange
+        var user = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User",
+            Email = $"test+{Guid.NewGuid()}@email.com",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+        });
+
+        var device = await sutRepository.CreateAsync(new Device
+        {
+            Active = true,
+            Name = "chrome-test",
+            UserId = user.Id,
+            Type = DeviceType.ChromeBrowser,
+            Identifier = Guid.NewGuid().ToString(),
+        });
+
+        var staleAuthRequest = await authRequestRepository.CreateAsync(new AuthRequest
+        {
+            ResponseDeviceId = null,
+            Approved = null,
+            Type = AuthRequestType.AuthenticateAndUnlock,
+            OrganizationId = null,
+            UserId = user.Id,
+            RequestIpAddress = ":1",
+            RequestDeviceIdentifier = device.Identifier,
+            AccessCode = "AccessCode_1234",
+            PublicKey = "PublicKey_1234"
+        });
+        staleAuthRequest.CreationDate = DateTime.UtcNow.AddMinutes(-10);
+        await authRequestRepository.ReplaceAsync(staleAuthRequest);
+
+        var freshAuthRequest = await authRequestRepository.CreateAsync(new AuthRequest
+        {
+            ResponseDeviceId = null,
+            Approved = null,
+            Type = AuthRequestType.AuthenticateAndUnlock,
+            OrganizationId = null,
+            UserId = user.Id,
+            RequestIpAddress = ":1",
+            RequestDeviceIdentifier = device.Identifier,
+            AccessCode = "AccessCode_1234",
+            PublicKey = "PublicKey_1234",
+            Key = "Key_1234",
+            MasterPasswordHash = "MasterPasswordHash_1234"
+        });
+
+        // Act
+        var response = await sutRepository.GetManyByUserIdWithDeviceAuth(user.Id);
+
+        // Assert
+        Assert.NotNull(response.First().AuthRequestId);
+        Assert.NotNull(response.First().AuthRequestCreatedAt);
+        Assert.Equal(response.First().AuthRequestId, freshAuthRequest.Id);
+    }
+
+    [DatabaseTheory]
+    [DatabaseData]
+    public async Task GetManyByUserIdWithDeviceAuth_WorksWithNoAuthRequestAndMultipleDevices_ReturnsExpectedResults(
+        IDeviceRepository sutRepository,
+        IUserRepository userRepository)
+    {
+        // Arrange
+        var user = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User",
+            Email = $"test+{Guid.NewGuid()}@email.com",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+        });
+
+        await sutRepository.CreateAsync(new Device
+        {
+            Active = true,
+            Name = "chrome-test",
+            UserId = user.Id,
+            Type = DeviceType.ChromeBrowser,
+            Identifier = Guid.NewGuid().ToString(),
+        });
+
+        await sutRepository.CreateAsync(new Device
+        {
+            Active = true,
+            Name = "macos-test",
+            UserId = user.Id,
+            Type = DeviceType.MacOsDesktop,
+            Identifier = Guid.NewGuid().ToString(),
+        });
+
+        // Act
+        var response = await sutRepository.GetManyByUserIdWithDeviceAuth(user.Id);
+
+        // Assert
+        Assert.NotNull(response.First());
+        Assert.Null(response.First().AuthRequestId);
+        Assert.True(response.Count == 2);
+    }
+
+    [DatabaseTheory]
+    [DatabaseData]
+    public async Task GetManyByUserIdWithDeviceAuth_FailsToRespondWithAnyAuthData_ReturnsExpectedResults(
+        IDeviceRepository sutRepository,
+        IUserRepository userRepository,
+        IAuthRequestRepository authRequestRepository)
+    {
+        var casesThatCauseNoAuthDataInResponse = new[]
+        {
+            new
+            {
+                authRequestType = AuthRequestType.AdminApproval, // Device typing is wrong
+                authRequestApproved = (bool?)null,
+                expirey = DateTime.UtcNow.AddMinutes(0),
+            },
+            new
+            {
+                authRequestType = AuthRequestType.AuthenticateAndUnlock,
+                authRequestApproved = (bool?)true, // Auth request is already approved
+                expirey = DateTime.UtcNow.AddMinutes(0),
+            },
+            new
+            {
+                authRequestType = AuthRequestType.AuthenticateAndUnlock,
+                authRequestApproved = (bool?)null,
+                expirey = DateTime.UtcNow.AddMinutes(-30), // Past the point of expiring
+            }
+        };
+
+        foreach (var testCase in casesThatCauseNoAuthDataInResponse)
+        {
+            // Arrange
+            var user = await userRepository.CreateAsync(new User
+            {
+                Name = "Test User",
+                Email = $"test+{Guid.NewGuid()}@email.com",
+                ApiKey = "TEST",
+                SecurityStamp = "stamp",
+            });
+
+            var device = await sutRepository.CreateAsync(new Device
+            {
+                Active = true,
+                Name = "chrome-test",
+                UserId = user.Id,
+                Type = DeviceType.ChromeBrowser,
+                Identifier = Guid.NewGuid().ToString(),
+            });
+
+            var authRequest = await authRequestRepository.CreateAsync(new AuthRequest
+            {
+                ResponseDeviceId = null,
+                Approved = testCase.authRequestApproved,
+                Type = testCase.authRequestType,
+                OrganizationId = null,
+                UserId = user.Id,
+                RequestIpAddress = ":1",
+                RequestDeviceIdentifier = device.Identifier,
+                AccessCode = "AccessCode_1234",
+                PublicKey = "PublicKey_1234"
+            });
+
+            authRequest.CreationDate = testCase.expirey;
+            await authRequestRepository.ReplaceAsync(authRequest);
+
+            // Act
+            var response = await sutRepository.GetManyByUserIdWithDeviceAuth(user.Id);
+
+            // Assert
+            Assert.Null(response.First().AuthRequestId);
+            Assert.Null(response.First().AuthRequestCreatedAt);
+        }
+    }
+}
diff --git a/test/Infrastructure.IntegrationTest/DatabaseDataAttribute.cs b/test/Infrastructure.IntegrationTest/DatabaseDataAttribute.cs
index 746ce988a4..498cc668c0 100644
--- a/test/Infrastructure.IntegrationTest/DatabaseDataAttribute.cs
+++ b/test/Infrastructure.IntegrationTest/DatabaseDataAttribute.cs
@@ -41,6 +41,9 @@ public class DatabaseDataAttribute : DataAttribute
 
     protected virtual IEnumerable<IServiceProvider> GetDatabaseProviders(IConfiguration config)
     {
+        // This is for the device repository integration testing.
+        var userRequestExpiration = 15;
+
         var configureLogging = (ILoggingBuilder builder) =>
         {
             if (!config.GetValue<bool>("Quiet"))
@@ -67,11 +70,15 @@ public class DatabaseDataAttribute : DataAttribute
                     {
                         ConnectionString = database.ConnectionString,
                     },
+                    PasswordlessAuth = new GlobalSettings.PasswordlessAuthSettings
+                    {
+                        UserRequestExpiration = TimeSpan.FromMinutes(userRequestExpiration),
+                    }
                 };
                 dapperSqlServerCollection.AddSingleton(globalSettings);
                 dapperSqlServerCollection.AddSingleton<IGlobalSettings>(globalSettings);
                 dapperSqlServerCollection.AddSingleton(database);
-                dapperSqlServerCollection.AddDistributedSqlServerCache((o) =>
+                dapperSqlServerCollection.AddDistributedSqlServerCache(o =>
                 {
                     o.ConnectionString = database.ConnectionString;
                     o.SchemaName = "dbo";
@@ -91,6 +98,17 @@ public class DatabaseDataAttribute : DataAttribute
                 AddCommonServices(efCollection, configureLogging);
                 efCollection.SetupEntityFramework(database.ConnectionString, database.Type);
                 efCollection.AddPasswordManagerEFRepositories(SelfHosted);
+
+                var globalSettings = new GlobalSettings
+                {
+                    PasswordlessAuth = new GlobalSettings.PasswordlessAuthSettings
+                    {
+                        UserRequestExpiration = TimeSpan.FromMinutes(userRequestExpiration),
+                    }
+                };
+                efCollection.AddSingleton(globalSettings);
+                efCollection.AddSingleton<IGlobalSettings>(globalSettings);
+
                 efCollection.AddSingleton(database);
                 efCollection.AddSingleton<IDistributedCache, EntityFrameworkCache>();
 
@@ -117,7 +135,7 @@ public class DatabaseDataAttribute : DataAttribute
 
     private void AddSqlMigrationTester(IServiceCollection services, string connectionString, string migrationName)
     {
-        services.AddSingleton<IMigrationTesterService, SqlMigrationTesterService>(sp => new SqlMigrationTesterService(connectionString, migrationName));
+        services.AddSingleton<IMigrationTesterService, SqlMigrationTesterService>(_ => new SqlMigrationTesterService(connectionString, migrationName));
     }
 
     private void AddEfMigrationTester(IServiceCollection services, SupportedDatabaseProviders databaseType, string migrationName)
diff --git a/util/Migrator/DbScripts/2024-12-04_00_AddActiveDeviceWithPendingAuth.sql b/util/Migrator/DbScripts/2024-12-04_00_AddActiveDeviceWithPendingAuth.sql
new file mode 100644
index 0000000000..1f358d53ab
--- /dev/null
+++ b/util/Migrator/DbScripts/2024-12-04_00_AddActiveDeviceWithPendingAuth.sql
@@ -0,0 +1,27 @@
+CREATE OR ALTER PROCEDURE [dbo].[Device_ReadActiveWithPendingAuthRequestsByUserId]
+    @UserId UNIQUEIDENTIFIER,
+    @ExpirationMinutes INT
+AS
+BEGIN
+    SET NOCOUNT ON;
+
+    SELECT
+        D.*,
+        AR.Id as AuthRequestId,
+        AR.CreationDate as AuthRequestCreationDate
+    FROM dbo.DeviceView D
+             LEFT JOIN (
+        SELECT TOP 1 -- Take only the top record sorted by auth request creation date
+                     Id,
+                     CreationDate,
+                     RequestDeviceIdentifier
+        FROM dbo.AuthRequestView
+        WHERE Type IN (0, 1) -- Include only AuthenticateAndUnlock and Unlock types, excluding Admin Approval (type 2)
+          AND CreationDate >= DATEADD(MINUTE, -@ExpirationMinutes, GETUTCDATE()) -- Ensure the request hasn't expired
+          AND Approved IS NULL -- Include only requests that haven't been acknowledged or approved
+        ORDER BY CreationDate DESC
+    ) AR ON D.Identifier = AR.RequestDeviceIdentifier
+    WHERE
+        D.UserId = @UserId
+      AND D.Active = 1; -- Include only active devices
+END;

From b096568eea702f0ee7d921281fb70c915fe43279 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Wed, 8 Jan 2025 09:26:40 +0100
Subject: [PATCH 122/384] Revert "Revert [PM-6201] (#5143)" (#5144)

This reverts commit c99b4106f544920ec7496c1cc1e4dbeff6aa597e.
---
 src/Admin/AdminConsole/Models/OrganizationsModel.cs   |  2 ++
 .../AdminConsole/Views/Organizations/Index.cshtml     | 11 +----------
 2 files changed, 3 insertions(+), 10 deletions(-)

diff --git a/src/Admin/AdminConsole/Models/OrganizationsModel.cs b/src/Admin/AdminConsole/Models/OrganizationsModel.cs
index 147c5275f8..a98985ef01 100644
--- a/src/Admin/AdminConsole/Models/OrganizationsModel.cs
+++ b/src/Admin/AdminConsole/Models/OrganizationsModel.cs
@@ -10,4 +10,6 @@ public class OrganizationsModel : PagedModel<Organization>
     public bool? Paid { get; set; }
     public string Action { get; set; }
     public bool SelfHosted { get; set; }
+
+    public double StorageGB(Organization org) => org.Storage.HasValue ? Math.Round(org.Storage.Value / 1073741824D, 2) : 0;
 }
diff --git a/src/Admin/AdminConsole/Views/Organizations/Index.cshtml b/src/Admin/AdminConsole/Views/Organizations/Index.cshtml
index 756cd76f62..d42d0e8aa2 100644
--- a/src/Admin/AdminConsole/Views/Organizations/Index.cshtml
+++ b/src/Admin/AdminConsole/Views/Organizations/Index.cshtml
@@ -81,16 +81,7 @@
                                     <i class="fa fa-smile-o fa-lg fa-fw text-body-secondary" title="Freeloader"></i>
                                 }
                             }
-                            @if(org.MaxStorageGb.HasValue && org.MaxStorageGb > 1)
-                            {
-                                <i class="fa fa-plus-square fa-lg fa-fw"
-                                   title="Additional Storage, @(org.MaxStorageGb - 1) GB"></i>
-                            }
-                            else
-                            {
-                                <i class="fa fa-plus-square-o fa-lg fa-fw text-body-secondary"
-                                   title="No Additional Storage"></i>
-                            }
+                            <i class="fa fa-hdd-o fa-lg fa-fw" title="Used Storage, @Model.StorageGB(org) GB"></i>
                             @if(org.Enabled)
                             {
                                 <i class="fa fa-check-circle fa-lg fa-fw"

From 481a766cd28c18b46cc0f3d7dea227508b38b882 Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Wed, 8 Jan 2025 09:49:24 -0500
Subject: [PATCH 123/384] Remove FF (#5163)

---
 .../Controllers/OrganizationsController.cs    |  9 ---
 src/Core/Constants.cs                         |  1 -
 .../OrganizationsControllerTests.cs           | 56 -------------------
 3 files changed, 66 deletions(-)

diff --git a/src/Admin/AdminConsole/Controllers/OrganizationsController.cs b/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
index 4c4df3d15b..86aebfaad7 100644
--- a/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
+++ b/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
@@ -3,7 +3,6 @@ using Bit.Admin.AdminConsole.Models;
 using Bit.Admin.Enums;
 using Bit.Admin.Services;
 using Bit.Admin.Utilities;
-using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Providers.Interfaces;
@@ -476,14 +475,6 @@ public class OrganizationsController : Controller
         Organization organization,
         OrganizationEditModel update)
     {
-        var scaleMSPOnClientOrganizationUpdate =
-            _featureService.IsEnabled(FeatureFlagKeys.PM14401_ScaleMSPOnClientOrganizationUpdate);
-
-        if (!scaleMSPOnClientOrganizationUpdate)
-        {
-            return;
-        }
-
         var provider = await _providerRepository.GetByOrganizationIdAsync(organization.Id);
 
         // No scaling required
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 830e3f65b2..32561a5839 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -150,7 +150,6 @@ public static class FeatureFlagKeys
     public const string NewDeviceVerificationTemporaryDismiss = "new-device-temporary-dismiss";
     public const string NewDeviceVerificationPermanentDismiss = "new-device-permanent-dismiss";
     public const string SecurityTasks = "security-tasks";
-    public const string PM14401_ScaleMSPOnClientOrganizationUpdate = "PM-14401-scale-msp-on-client-organization-update";
     public const string PM11360RemoveProviderExportPermission = "pm-11360-remove-provider-export-permission";
     public const string DisableFreeFamiliesSponsorship = "PM-12274-disable-free-families-sponsorship";
     public const string MacOsNativeCredentialSync = "macos-native-credential-sync";
diff --git a/test/Admin.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs b/test/Admin.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
index 485126ebb2..0b5f5c1f01 100644
--- a/test/Admin.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
+++ b/test/Admin.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
@@ -1,6 +1,5 @@
 using Bit.Admin.AdminConsole.Controllers;
 using Bit.Admin.AdminConsole.Models;
-using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.AdminConsole.Enums.Provider;
@@ -9,7 +8,6 @@ using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Services;
 using Bit.Core.Enums;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
@@ -22,32 +20,6 @@ public class OrganizationsControllerTests
 {
     #region Edit (POST)
 
-    [BitAutoData]
-    [SutProviderCustomize]
-    [Theory]
-    public async Task Edit_ProviderSeatScaling_RequiredFFDisabled_NoOp(
-        SutProvider<OrganizationsController> sutProvider)
-    {
-        // Arrange
-        var organizationId = new Guid();
-        var update = new OrganizationEditModel { UseSecretsManager = false };
-
-        var organization = new Organization
-        {
-            Id = organizationId
-        };
-
-        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId)
-            .Returns(organization);
-
-        // Act
-        _ = await sutProvider.Sut.Edit(organizationId, update);
-
-        // Assert
-        await sutProvider.GetDependency<IProviderBillingService>().DidNotReceiveWithAnyArgs()
-            .ScaleSeats(Arg.Any<Provider>(), Arg.Any<PlanType>(), Arg.Any<int>());
-    }
-
     [BitAutoData]
     [SutProviderCustomize]
     [Theory]
@@ -66,10 +38,6 @@ public class OrganizationsControllerTests
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId)
             .Returns(organization);
 
-        var featureService = sutProvider.GetDependency<IFeatureService>();
-
-        featureService.IsEnabled(FeatureFlagKeys.PM14401_ScaleMSPOnClientOrganizationUpdate).Returns(true);
-
         var provider = new Provider { Type = ProviderType.Msp, Status = ProviderStatusType.Created };
 
         sutProvider.GetDependency<IProviderRepository>().GetByOrganizationIdAsync(organizationId).Returns(provider);
@@ -101,10 +69,6 @@ public class OrganizationsControllerTests
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId)
             .Returns(organization);
 
-        var featureService = sutProvider.GetDependency<IFeatureService>();
-
-        featureService.IsEnabled(FeatureFlagKeys.PM14401_ScaleMSPOnClientOrganizationUpdate).Returns(true);
-
         var provider = new Provider { Type = ProviderType.Msp, Status = ProviderStatusType.Billable };
 
         sutProvider.GetDependency<IProviderRepository>().GetByOrganizationIdAsync(organizationId).Returns(provider);
@@ -143,10 +107,6 @@ public class OrganizationsControllerTests
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId)
             .Returns(organization);
 
-        var featureService = sutProvider.GetDependency<IFeatureService>();
-
-        featureService.IsEnabled(FeatureFlagKeys.PM14401_ScaleMSPOnClientOrganizationUpdate).Returns(true);
-
         var provider = new Provider { Type = ProviderType.Msp, Status = ProviderStatusType.Billable };
 
         sutProvider.GetDependency<IProviderRepository>().GetByOrganizationIdAsync(organizationId).Returns(provider);
@@ -185,10 +145,6 @@ public class OrganizationsControllerTests
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId)
             .Returns(organization);
 
-        var featureService = sutProvider.GetDependency<IFeatureService>();
-
-        featureService.IsEnabled(FeatureFlagKeys.PM14401_ScaleMSPOnClientOrganizationUpdate).Returns(true);
-
         var provider = new Provider { Type = ProviderType.Msp, Status = ProviderStatusType.Billable };
 
         sutProvider.GetDependency<IProviderRepository>().GetByOrganizationIdAsync(organizationId).Returns(provider);
@@ -227,10 +183,6 @@ public class OrganizationsControllerTests
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId)
             .Returns(organization);
 
-        var featureService = sutProvider.GetDependency<IFeatureService>();
-
-        featureService.IsEnabled(FeatureFlagKeys.PM14401_ScaleMSPOnClientOrganizationUpdate).Returns(true);
-
         var provider = new Provider { Type = ProviderType.Msp, Status = ProviderStatusType.Billable };
 
         sutProvider.GetDependency<IProviderRepository>().GetByOrganizationIdAsync(organizationId).Returns(provider);
@@ -271,10 +223,6 @@ public class OrganizationsControllerTests
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId)
             .Returns(organization);
 
-        var featureService = sutProvider.GetDependency<IFeatureService>();
-
-        featureService.IsEnabled(FeatureFlagKeys.PM14401_ScaleMSPOnClientOrganizationUpdate).Returns(true);
-
         var provider = new Provider { Type = ProviderType.Msp, Status = ProviderStatusType.Billable };
 
         sutProvider.GetDependency<IProviderRepository>().GetByOrganizationIdAsync(organizationId).Returns(provider);
@@ -314,10 +262,6 @@ public class OrganizationsControllerTests
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId)
             .Returns(organization);
 
-        var featureService = sutProvider.GetDependency<IFeatureService>();
-
-        featureService.IsEnabled(FeatureFlagKeys.PM14401_ScaleMSPOnClientOrganizationUpdate).Returns(true);
-
         var provider = new Provider { Type = ProviderType.Msp, Status = ProviderStatusType.Billable };
 
         sutProvider.GetDependency<IProviderRepository>().GetByOrganizationIdAsync(organizationId).Returns(provider);

From a84ef0724c7b0f3dc523de519b943df220b7ac7d Mon Sep 17 00:00:00 2001
From: Ike <137194738+ike-kottlowski@users.noreply.github.com>
Date: Wed, 8 Jan 2025 07:31:24 -0800
Subject: [PATCH 124/384] [PM-15614] Allow Users to opt out of new device
 verification (#5176)

feat(NewDeviceVerification) :
* Created database migration scripts for VerifyDevices column in [dbo].[User].
* Updated DeviceValidator to check if user has opted out of device verification.
* Added endpoint to AccountsController.cs to allow editing of new User.VerifyDevices property.
* Added tests for new methods and endpoint.
* Updating queries to track [dbo].[User].[VerifyDevices].
* Updated DeviceValidator to set `User.EmailVerified` property during the New Device Verification flow.
---
 .../Auth/Controllers/AccountsController.cs    |   19 +-
 .../Accounts/SetVerifyDevicesRequestModel.cs  |    9 +
 ...nticatedSecretVerificationRequestModel.cs} |    2 +-
 src/Core/Entities/User.cs                     |    1 +
 .../RequestValidators/DeviceValidator.cs      |   14 +-
 src/Sql/dbo/Stored Procedures/User_Create.sql |    9 +-
 src/Sql/dbo/Stored Procedures/User_Update.sql |    6 +-
 src/Sql/dbo/Tables/User.sql                   |    3 +-
 .../Controllers/AccountsControllerTests.cs    |   43 +
 .../CloudOrganizationSignUpCommandTests.cs    |    7 +
 .../IdentityServer/DeviceValidatorTests.cs    |   24 +
 ...-18_00_AlterUserTable_AddVerifyDevices.sql |  252 ++
 ...5803_AlterUser_AddVerifyDevice.Designer.cs | 2997 ++++++++++++++++
 ...0241219035803_AlterUser_AddVerifyDevice.cs |   28 +
 .../DatabaseContextModelSnapshot.cs           |    3 +
 ...5734_AlterUser_AddVerifyDevice.Designer.cs | 3003 +++++++++++++++++
 ...0241219035734_AlterUser_AddVerifyDevice.cs |   28 +
 .../DatabaseContextModelSnapshot.cs           |    3 +
 ...5748_AlterUser_AddVerifyDevice.Designer.cs | 2986 ++++++++++++++++
 ...0241219035748_AlterUser_AddVerifyDevice.cs |   28 +
 .../DatabaseContextModelSnapshot.cs           |    3 +
 21 files changed, 9459 insertions(+), 9 deletions(-)
 create mode 100644 src/Api/Auth/Models/Request/Accounts/SetVerifyDevicesRequestModel.cs
 rename src/Api/Auth/Models/Request/Accounts/{UnauthenticatedSecretVerificatioRequestModel.cs => UnauthenticatedSecretVerificationRequestModel.cs} (71%)
 create mode 100644 util/Migrator/DbScripts/2024-12-18_00_AlterUserTable_AddVerifyDevices.sql
 create mode 100644 util/MySqlMigrations/Migrations/20241219035803_AlterUser_AddVerifyDevice.Designer.cs
 create mode 100644 util/MySqlMigrations/Migrations/20241219035803_AlterUser_AddVerifyDevice.cs
 create mode 100644 util/PostgresMigrations/Migrations/20241219035734_AlterUser_AddVerifyDevice.Designer.cs
 create mode 100644 util/PostgresMigrations/Migrations/20241219035734_AlterUser_AddVerifyDevice.cs
 create mode 100644 util/SqliteMigrations/Migrations/20241219035748_AlterUser_AddVerifyDevice.Designer.cs
 create mode 100644 util/SqliteMigrations/Migrations/20241219035748_AlterUser_AddVerifyDevice.cs

diff --git a/src/Api/Auth/Controllers/AccountsController.cs b/src/Api/Auth/Controllers/AccountsController.cs
index a0092357d6..7990a5a18a 100644
--- a/src/Api/Auth/Controllers/AccountsController.cs
+++ b/src/Api/Auth/Controllers/AccountsController.cs
@@ -969,11 +969,28 @@ public class AccountsController : Controller
     [RequireFeature(FeatureFlagKeys.NewDeviceVerification)]
     [AllowAnonymous]
     [HttpPost("resend-new-device-otp")]
-    public async Task ResendNewDeviceOtpAsync([FromBody] UnauthenticatedSecretVerificatioRequestModel request)
+    public async Task ResendNewDeviceOtpAsync([FromBody] UnauthenticatedSecretVerificationRequestModel request)
     {
         await _userService.ResendNewDeviceVerificationEmail(request.Email, request.Secret);
     }
 
+    [RequireFeature(FeatureFlagKeys.NewDeviceVerification)]
+    [HttpPost("verify-devices")]
+    [HttpPut("verify-devices")]
+    public async Task SetUserVerifyDevicesAsync([FromBody] SetVerifyDevicesRequestModel request)
+    {
+        var user = await _userService.GetUserByPrincipalAsync(User) ?? throw new UnauthorizedAccessException();
+
+        if (!await _userService.VerifySecretAsync(user, request.Secret))
+        {
+            await Task.Delay(2000);
+            throw new BadRequestException(string.Empty, "User verification failed.");
+        }
+        user.VerifyDevices = request.VerifyDevices;
+
+        await _userService.SaveUserAsync(user);
+    }
+
     private async Task<IEnumerable<Guid>> GetOrganizationIdsManagingUserAsync(Guid userId)
     {
         var organizationManagingUser = await _userService.GetOrganizationsManagingUserAsync(userId);
diff --git a/src/Api/Auth/Models/Request/Accounts/SetVerifyDevicesRequestModel.cs b/src/Api/Auth/Models/Request/Accounts/SetVerifyDevicesRequestModel.cs
new file mode 100644
index 0000000000..0dcbe1fa11
--- /dev/null
+++ b/src/Api/Auth/Models/Request/Accounts/SetVerifyDevicesRequestModel.cs
@@ -0,0 +1,9 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Api.Auth.Models.Request.Accounts;
+
+public class SetVerifyDevicesRequestModel : SecretVerificationRequestModel
+{
+    [Required]
+    public bool VerifyDevices { get; set; }
+}
diff --git a/src/Api/Auth/Models/Request/Accounts/UnauthenticatedSecretVerificatioRequestModel.cs b/src/Api/Auth/Models/Request/Accounts/UnauthenticatedSecretVerificationRequestModel.cs
similarity index 71%
rename from src/Api/Auth/Models/Request/Accounts/UnauthenticatedSecretVerificatioRequestModel.cs
rename to src/Api/Auth/Models/Request/Accounts/UnauthenticatedSecretVerificationRequestModel.cs
index 629896b8c4..abd37023c8 100644
--- a/src/Api/Auth/Models/Request/Accounts/UnauthenticatedSecretVerificatioRequestModel.cs
+++ b/src/Api/Auth/Models/Request/Accounts/UnauthenticatedSecretVerificationRequestModel.cs
@@ -3,7 +3,7 @@ using Bit.Core.Utilities;
 
 namespace Bit.Api.Auth.Models.Request.Accounts;
 
-public class UnauthenticatedSecretVerificatioRequestModel : SecretVerificationRequestModel
+public class UnauthenticatedSecretVerificationRequestModel : SecretVerificationRequestModel
 {
     [Required]
     [StrictEmailAddress]
diff --git a/src/Core/Entities/User.cs b/src/Core/Entities/User.cs
index 0e538b9014..9878c96c1c 100644
--- a/src/Core/Entities/User.cs
+++ b/src/Core/Entities/User.cs
@@ -72,6 +72,7 @@ public class User : ITableObject<Guid>, IStorableSubscriber, IRevisable, ITwoFac
     public DateTime? LastKdfChangeDate { get; set; }
     public DateTime? LastKeyRotationDate { get; set; }
     public DateTime? LastEmailChangeDate { get; set; }
+    public bool VerifyDevices { get; set; } = true;
 
     public void SetNewId()
     {
diff --git a/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs b/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
index d59417bfa7..1b148c5974 100644
--- a/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
@@ -115,7 +115,7 @@ public class DeviceValidator(
     /// </summary>
     /// <param name="user">user attempting to authenticate</param>
     /// <param name="ValidatedRequest">The Request is used to check for the NewDeviceOtp and for the raw device data</param>
-    /// <returns>returns deviceValtaionResultType</returns>
+    /// <returns>returns deviceValidationResultType</returns>
     private async Task<DeviceValidationResultType> HandleNewDeviceVerificationAsync(User user, ValidatedRequest request)
     {
         // currently unreachable due to backward compatibility
@@ -125,6 +125,12 @@ public class DeviceValidator(
             return DeviceValidationResultType.InvalidUser;
         }
 
+        // Has the User opted out of new device verification
+        if (!user.VerifyDevices)
+        {
+            return DeviceValidationResultType.Success;
+        }
+
         // CS exception flow
         // Check cache for user information
         var cacheKey = string.Format(AuthConstants.NewDeviceVerificationExceptionCacheKeyFormat, user.Id.ToString());
@@ -146,6 +152,12 @@ public class DeviceValidator(
             var otpValid = await _userService.VerifyOTPAsync(user, newDeviceOtp);
             if (otpValid)
             {
+                // In order to get here they would have to have access to their email so we verify it if it's not already
+                if (!user.EmailVerified)
+                {
+                    user.EmailVerified = true;
+                    await _userService.SaveUserAsync(user);
+                }
                 return DeviceValidationResultType.Success;
             }
             return DeviceValidationResultType.InvalidNewDeviceOtp;
diff --git a/src/Sql/dbo/Stored Procedures/User_Create.sql b/src/Sql/dbo/Stored Procedures/User_Create.sql
index 3aabab8c23..60d9b5eb32 100644
--- a/src/Sql/dbo/Stored Procedures/User_Create.sql	
+++ b/src/Sql/dbo/Stored Procedures/User_Create.sql	
@@ -40,7 +40,8 @@
     @LastPasswordChangeDate DATETIME2(7) = NULL,
     @LastKdfChangeDate DATETIME2(7) = NULL,
     @LastKeyRotationDate DATETIME2(7) = NULL,
-    @LastEmailChangeDate DATETIME2(7) = NULL
+    @LastEmailChangeDate DATETIME2(7) = NULL,
+    @VerifyDevices BIT = 1
 AS
 BEGIN
     SET NOCOUNT ON
@@ -88,7 +89,8 @@ BEGIN
         [LastPasswordChangeDate],
         [LastKdfChangeDate],
         [LastKeyRotationDate],
-        [LastEmailChangeDate]
+        [LastEmailChangeDate],
+        [VerifyDevices]
     )
     VALUES
     (
@@ -133,6 +135,7 @@ BEGIN
         @LastPasswordChangeDate,
         @LastKdfChangeDate,
         @LastKeyRotationDate,
-        @LastEmailChangeDate
+        @LastEmailChangeDate,
+        @VerifyDevices
     )
 END
diff --git a/src/Sql/dbo/Stored Procedures/User_Update.sql b/src/Sql/dbo/Stored Procedures/User_Update.sql
index 5725f243ff..15d04d72f6 100644
--- a/src/Sql/dbo/Stored Procedures/User_Update.sql	
+++ b/src/Sql/dbo/Stored Procedures/User_Update.sql	
@@ -40,7 +40,8 @@
     @LastPasswordChangeDate DATETIME2(7) = NULL,
     @LastKdfChangeDate DATETIME2(7) = NULL,
     @LastKeyRotationDate DATETIME2(7) = NULL,
-    @LastEmailChangeDate DATETIME2(7) = NULL
+    @LastEmailChangeDate DATETIME2(7) = NULL,
+    @VerifyDevices BIT = 1
 AS
 BEGIN
     SET NOCOUNT ON
@@ -88,7 +89,8 @@ BEGIN
         [LastPasswordChangeDate] = @LastPasswordChangeDate,
         [LastKdfChangeDate] = @LastKdfChangeDate,
         [LastKeyRotationDate] = @LastKeyRotationDate,
-        [LastEmailChangeDate] = @LastEmailChangeDate
+        [LastEmailChangeDate] = @LastEmailChangeDate,
+        [VerifyDevices] = @VerifyDevices
     WHERE
         [Id] = @Id
 END
diff --git a/src/Sql/dbo/Tables/User.sql b/src/Sql/dbo/Tables/User.sql
index 0c34784e97..188dd4ea3c 100644
--- a/src/Sql/dbo/Tables/User.sql
+++ b/src/Sql/dbo/Tables/User.sql
@@ -36,11 +36,12 @@
     [UsesKeyConnector]                 BIT              NOT NULL,
     [FailedLoginCount]                 INT              CONSTRAINT [D_User_FailedLoginCount] DEFAULT ((0)) NOT NULL,
     [LastFailedLoginDate]              DATETIME2 (7)    NULL,
-    [AvatarColor]                      VARCHAR(7)       NULL, 
+    [AvatarColor]                      VARCHAR(7)       NULL,
     [LastPasswordChangeDate]           DATETIME2 (7)    NULL,
     [LastKdfChangeDate]                DATETIME2 (7)    NULL,
     [LastKeyRotationDate]              DATETIME2 (7)    NULL,
     [LastEmailChangeDate]              DATETIME2 (7)    NULL,
+    [VerifyDevices]                    BIT              DEFAULT ((1)) NOT NULL,
     CONSTRAINT [PK_User] PRIMARY KEY CLUSTERED ([Id] ASC)
 );
 
diff --git a/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs b/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
index 4a0a29a5d4..1b8c040789 100644
--- a/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
+++ b/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
@@ -563,6 +563,49 @@ public class AccountsControllerTests : IDisposable
         await _userService.Received(1).DeleteAsync(user);
     }
 
+    [Theory]
+    [BitAutoData]
+    public async Task SetVerifyDevices_WhenUserDoesNotExist_ShouldThrowUnauthorizedAccessException(
+        SetVerifyDevicesRequestModel model)
+    {
+        // Arrange
+        _userService.GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(Task.FromResult((User)null));
+
+        // Act & Assert
+        await Assert.ThrowsAsync<UnauthorizedAccessException>(() => _sut.SetUserVerifyDevicesAsync(model));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task SetVerifyDevices_WhenInvalidSecret_ShouldFail(
+        User user, SetVerifyDevicesRequestModel model)
+    {
+        // Arrange
+        _userService.GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(Task.FromResult((user)));
+        _userService.VerifySecretAsync(user, Arg.Any<string>()).Returns(Task.FromResult(false));
+
+        // Act & Assert
+        await Assert.ThrowsAsync<BadRequestException>(() => _sut.SetUserVerifyDevicesAsync(model));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task SetVerifyDevices_WhenRequestValid_ShouldSucceed(
+        User user, SetVerifyDevicesRequestModel model)
+    {
+        // Arrange
+        user.VerifyDevices = false;
+        model.VerifyDevices = true;
+        _userService.GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(Task.FromResult((user)));
+        _userService.VerifySecretAsync(user, Arg.Any<string>()).Returns(Task.FromResult(true));
+
+        // Act
+        await _sut.SetUserVerifyDevicesAsync(model);
+
+        await _userService.Received(1).SaveUserAsync(user);
+        Assert.Equal(model.VerifyDevices, user.VerifyDevices);
+    }
+
     // Below are helper functions that currently belong to this
     // test class, but ultimately may need to be split out into
     // something greater in order to share common test steps with
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationSignUp/CloudOrganizationSignUpCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationSignUp/CloudOrganizationSignUpCommandTests.cs
index 2c32f0504b..a16b48240c 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationSignUp/CloudOrganizationSignUpCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationSignUp/CloudOrganizationSignUpCommandTests.cs
@@ -36,6 +36,7 @@ public class CloudICloudOrganizationSignUpCommandTests
         signup.PremiumAccessAddon = false;
         signup.UseSecretsManager = false;
         signup.IsFromSecretsManagerTrial = false;
+        signup.IsFromProvider = false;
 
         var result = await sutProvider.Sut.SignUpOrganizationAsync(signup);
 
@@ -85,6 +86,7 @@ public class CloudICloudOrganizationSignUpCommandTests
         signup.PaymentMethodType = PaymentMethodType.Card;
         signup.PremiumAccessAddon = false;
         signup.UseSecretsManager = false;
+        signup.IsFromProvider = false;
 
         // Extract orgUserId when created
         Guid? orgUserId = null;
@@ -128,6 +130,8 @@ public class CloudICloudOrganizationSignUpCommandTests
         signup.PaymentMethodType = PaymentMethodType.Card;
         signup.PremiumAccessAddon = false;
         signup.IsFromSecretsManagerTrial = false;
+        signup.IsFromProvider = false;
+
 
         var result = await sutProvider.Sut.SignUpOrganizationAsync(signup);
 
@@ -196,6 +200,7 @@ public class CloudICloudOrganizationSignUpCommandTests
         signup.PremiumAccessAddon = false;
         signup.AdditionalServiceAccounts = 10;
         signup.AdditionalStorageGb = 0;
+        signup.IsFromProvider = false;
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(
             () => sutProvider.Sut.SignUpOrganizationAsync(signup));
@@ -213,6 +218,7 @@ public class CloudICloudOrganizationSignUpCommandTests
         signup.PaymentMethodType = PaymentMethodType.Card;
         signup.PremiumAccessAddon = false;
         signup.AdditionalServiceAccounts = 10;
+        signup.IsFromProvider = false;
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(
            () => sutProvider.Sut.SignUpOrganizationAsync(signup));
@@ -230,6 +236,7 @@ public class CloudICloudOrganizationSignUpCommandTests
         signup.PaymentMethodType = PaymentMethodType.Card;
         signup.PremiumAccessAddon = false;
         signup.AdditionalServiceAccounts = -10;
+        signup.IsFromProvider = false;
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(
             () => sutProvider.Sut.SignUpOrganizationAsync(signup));
diff --git a/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs b/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
index 105267ea30..fa3a117c55 100644
--- a/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
+++ b/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
@@ -429,6 +429,30 @@ public class DeviceValidatorTests
         Assert.Equal(expectedErrorMessage, actualResponse.Message);
     }
 
+    [Theory, BitAutoData]
+    public async void HandleNewDeviceVerificationAsync_VerifyDevicesFalse_ReturnsSuccess(
+        CustomValidatorRequestContext context,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        ArrangeForHandleNewDeviceVerificationTest(context, request);
+        _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification).Returns(true);
+        _globalSettings.EnableNewDeviceVerification = true;
+        context.User.VerifyDevices = false;
+
+        // Act
+        var result = await _sut.ValidateRequestDeviceAsync(request, context);
+
+        // Assert
+        await _userService.Received(0).SendOTPAsync(context.User);
+        await _deviceService.Received(1).SaveAsync(Arg.Any<Device>());
+
+        Assert.True(result);
+        Assert.False(context.CustomResponse.ContainsKey("ErrorModel"));
+        Assert.Equal(context.User.Id, context.Device.UserId);
+        Assert.NotNull(context.Device);
+    }
+
     [Theory, BitAutoData]
     public async void HandleNewDeviceVerificationAsync_UserHasCacheValue_ReturnsSuccess(
         CustomValidatorRequestContext context,
diff --git a/util/Migrator/DbScripts/2024-12-18_00_AlterUserTable_AddVerifyDevices.sql b/util/Migrator/DbScripts/2024-12-18_00_AlterUserTable_AddVerifyDevices.sql
new file mode 100644
index 0000000000..f6b778bef5
--- /dev/null
+++ b/util/Migrator/DbScripts/2024-12-18_00_AlterUserTable_AddVerifyDevices.sql
@@ -0,0 +1,252 @@
+IF COL_LENGTH('[dbo].[User]', 'VerifyDevices') IS NULL
+BEGIN
+    ALTER TABLE
+        [dbo].[User]
+    ADD
+        [VerifyDevices] BIT NOT NULL DEFAULT 1
+END
+GO
+
+EXECUTE sp_refreshview 'dbo.UserView'
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[User_Create]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @Name NVARCHAR(50),
+    @Email NVARCHAR(256),
+    @EmailVerified BIT,
+    @MasterPassword NVARCHAR(300),
+    @MasterPasswordHint NVARCHAR(50),
+    @Culture NVARCHAR(10),
+    @SecurityStamp NVARCHAR(50),
+    @TwoFactorProviders NVARCHAR(MAX),
+    @TwoFactorRecoveryCode NVARCHAR(32),
+    @EquivalentDomains NVARCHAR(MAX),
+    @ExcludedGlobalEquivalentDomains NVARCHAR(MAX),
+    @AccountRevisionDate DATETIME2(7),
+    @Key NVARCHAR(MAX),
+    @PublicKey NVARCHAR(MAX),
+    @PrivateKey NVARCHAR(MAX),
+    @Premium BIT,
+    @PremiumExpirationDate DATETIME2(7),
+    @RenewalReminderDate DATETIME2(7),
+    @Storage BIGINT,
+    @MaxStorageGb SMALLINT,
+    @Gateway TINYINT,
+    @GatewayCustomerId VARCHAR(50),
+    @GatewaySubscriptionId VARCHAR(50),
+    @ReferenceData VARCHAR(MAX),
+    @LicenseKey VARCHAR(100),
+    @Kdf TINYINT,
+    @KdfIterations INT,
+    @KdfMemory INT = NULL,
+    @KdfParallelism INT = NULL,
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7),
+    @ApiKey VARCHAR(30),
+    @ForcePasswordReset BIT = 0,
+    @UsesKeyConnector BIT = 0,
+    @FailedLoginCount INT = 0,
+    @LastFailedLoginDate DATETIME2(7),
+    @AvatarColor VARCHAR(7) = NULL,
+    @LastPasswordChangeDate DATETIME2(7) = NULL,
+    @LastKdfChangeDate DATETIME2(7) = NULL,
+    @LastKeyRotationDate DATETIME2(7) = NULL,
+    @LastEmailChangeDate DATETIME2(7) = NULL,
+    @VerifyDevices BIT = 1
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    INSERT INTO [dbo].[User]
+    (
+        [Id],
+        [Name],
+        [Email],
+        [EmailVerified],
+        [MasterPassword],
+        [MasterPasswordHint],
+        [Culture],
+        [SecurityStamp],
+        [TwoFactorProviders],
+        [TwoFactorRecoveryCode],
+        [EquivalentDomains],
+        [ExcludedGlobalEquivalentDomains],
+        [AccountRevisionDate],
+        [Key],
+        [PublicKey],
+        [PrivateKey],
+        [Premium],
+        [PremiumExpirationDate],
+        [RenewalReminderDate],
+        [Storage],
+        [MaxStorageGb],
+        [Gateway],
+        [GatewayCustomerId],
+        [GatewaySubscriptionId],
+        [ReferenceData],
+        [LicenseKey],
+        [Kdf],
+        [KdfIterations],
+        [CreationDate],
+        [RevisionDate],
+        [ApiKey],
+        [ForcePasswordReset],
+        [UsesKeyConnector],
+        [FailedLoginCount],
+        [LastFailedLoginDate],
+        [AvatarColor],
+        [KdfMemory],
+        [KdfParallelism],
+        [LastPasswordChangeDate],
+        [LastKdfChangeDate],
+        [LastKeyRotationDate],
+        [LastEmailChangeDate],
+        [VerifyDevices]
+    )
+    VALUES
+    (
+        @Id,
+        @Name,
+        @Email,
+        @EmailVerified,
+        @MasterPassword,
+        @MasterPasswordHint,
+        @Culture,
+        @SecurityStamp,
+        @TwoFactorProviders,
+        @TwoFactorRecoveryCode,
+        @EquivalentDomains,
+        @ExcludedGlobalEquivalentDomains,
+        @AccountRevisionDate,
+        @Key,
+        @PublicKey,
+        @PrivateKey,
+        @Premium,
+        @PremiumExpirationDate,
+        @RenewalReminderDate,
+        @Storage,
+        @MaxStorageGb,
+        @Gateway,
+        @GatewayCustomerId,
+        @GatewaySubscriptionId,
+        @ReferenceData,
+        @LicenseKey,
+        @Kdf,
+        @KdfIterations,
+        @CreationDate,
+        @RevisionDate,
+        @ApiKey,
+        @ForcePasswordReset,
+        @UsesKeyConnector,
+        @FailedLoginCount,
+        @LastFailedLoginDate,
+        @AvatarColor,
+        @KdfMemory,
+        @KdfParallelism,
+        @LastPasswordChangeDate,
+        @LastKdfChangeDate,
+        @LastKeyRotationDate,
+        @LastEmailChangeDate,
+        @VerifyDevices
+    )
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[User_Update]
+    @Id UNIQUEIDENTIFIER,
+    @Name NVARCHAR(50),
+    @Email NVARCHAR(256),
+    @EmailVerified BIT,
+    @MasterPassword NVARCHAR(300),
+    @MasterPasswordHint NVARCHAR(50),
+    @Culture NVARCHAR(10),
+    @SecurityStamp NVARCHAR(50),
+    @TwoFactorProviders NVARCHAR(MAX),
+    @TwoFactorRecoveryCode NVARCHAR(32),
+    @EquivalentDomains NVARCHAR(MAX),
+    @ExcludedGlobalEquivalentDomains NVARCHAR(MAX),
+    @AccountRevisionDate DATETIME2(7),
+    @Key NVARCHAR(MAX),
+    @PublicKey NVARCHAR(MAX),
+    @PrivateKey NVARCHAR(MAX),
+    @Premium BIT,
+    @PremiumExpirationDate DATETIME2(7),
+    @RenewalReminderDate DATETIME2(7),
+    @Storage BIGINT,
+    @MaxStorageGb SMALLINT,
+    @Gateway TINYINT,
+    @GatewayCustomerId VARCHAR(50),
+    @GatewaySubscriptionId VARCHAR(50),
+    @ReferenceData VARCHAR(MAX),
+    @LicenseKey VARCHAR(100),
+    @Kdf TINYINT,
+    @KdfIterations INT,
+    @KdfMemory INT = NULL,
+    @KdfParallelism INT = NULL,
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7),
+    @ApiKey VARCHAR(30),
+    @ForcePasswordReset BIT = 0,
+    @UsesKeyConnector BIT = 0,
+    @FailedLoginCount INT,
+    @LastFailedLoginDate DATETIME2(7),
+    @AvatarColor VARCHAR(7),
+    @LastPasswordChangeDate DATETIME2(7) = NULL,
+    @LastKdfChangeDate DATETIME2(7) = NULL,
+    @LastKeyRotationDate DATETIME2(7) = NULL,
+    @LastEmailChangeDate DATETIME2(7) = NULL,
+    @VerifyDevices BIT = 1
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    UPDATE
+        [dbo].[User]
+    SET
+        [Name] = @Name,
+        [Email] = @Email,
+        [EmailVerified] = @EmailVerified,
+        [MasterPassword] = @MasterPassword,
+        [MasterPasswordHint] = @MasterPasswordHint,
+        [Culture] = @Culture,
+        [SecurityStamp] = @SecurityStamp,
+        [TwoFactorProviders] = @TwoFactorProviders,
+        [TwoFactorRecoveryCode] = @TwoFactorRecoveryCode,
+        [EquivalentDomains] = @EquivalentDomains,
+        [ExcludedGlobalEquivalentDomains] = @ExcludedGlobalEquivalentDomains,
+        [AccountRevisionDate] = @AccountRevisionDate,
+        [Key] = @Key,
+        [PublicKey] = @PublicKey,
+        [PrivateKey] = @PrivateKey,
+        [Premium] = @Premium,
+        [PremiumExpirationDate] = @PremiumExpirationDate,
+        [RenewalReminderDate] = @RenewalReminderDate,
+        [Storage] = @Storage,
+        [MaxStorageGb] = @MaxStorageGb,
+        [Gateway] = @Gateway,
+        [GatewayCustomerId] = @GatewayCustomerId,
+        [GatewaySubscriptionId] = @GatewaySubscriptionId,
+        [ReferenceData] = @ReferenceData,
+        [LicenseKey] = @LicenseKey,
+        [Kdf] = @Kdf,
+        [KdfIterations] = @KdfIterations,
+        [KdfMemory] = @KdfMemory,
+        [KdfParallelism] = @KdfParallelism,
+        [CreationDate] = @CreationDate,
+        [RevisionDate] = @RevisionDate,
+        [ApiKey] = @ApiKey,
+        [ForcePasswordReset] = @ForcePasswordReset,
+        [UsesKeyConnector] = @UsesKeyConnector,
+        [FailedLoginCount] = @FailedLoginCount,
+        [LastFailedLoginDate] = @LastFailedLoginDate,
+        [AvatarColor] = @AvatarColor,
+        [LastPasswordChangeDate] = @LastPasswordChangeDate,
+        [LastKdfChangeDate] = @LastKdfChangeDate,
+        [LastKeyRotationDate] = @LastKeyRotationDate,
+        [LastEmailChangeDate] = @LastEmailChangeDate,
+        [VerifyDevices] = @VerifyDevices
+    WHERE
+        [Id] = @Id
+END
+GO
diff --git a/util/MySqlMigrations/Migrations/20241219035803_AlterUser_AddVerifyDevice.Designer.cs b/util/MySqlMigrations/Migrations/20241219035803_AlterUser_AddVerifyDevice.Designer.cs
new file mode 100644
index 0000000000..3c8c56e1cc
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20241219035803_AlterUser_AddVerifyDevice.Designer.cs
@@ -0,0 +1,2997 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Metadata;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20241219035803_AlterUser_AddVerifyDevice")]
+    partial class AlterUser_AddVerifyDevice
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 64);
+
+            MySqlModelBuilderExtensions.AutoIncrementColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("LimitCollectionCreationDeletion")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("varchar(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("int");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("varchar(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("varchar(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("longblob");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("varchar(150)");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("varchar(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("varchar(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("int");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("varchar(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Body")
+                        .HasColumnType("longtext");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("varchar(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("varchar(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/20241219035803_AlterUser_AddVerifyDevice.cs b/util/MySqlMigrations/Migrations/20241219035803_AlterUser_AddVerifyDevice.cs
new file mode 100644
index 0000000000..f3a3ccd316
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20241219035803_AlterUser_AddVerifyDevice.cs
@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AlterUser_AddVerifyDevice : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<bool>(
+            name: "VerifyDevices",
+            table: "User",
+            type: "tinyint(1)",
+            nullable: false,
+            defaultValue: true);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "VerifyDevices",
+            table: "User");
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
index ed26d612a2..dcc525c433 100644
--- a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -1662,6 +1662,9 @@ namespace Bit.MySqlMigrations.Migrations
                     b.Property<bool>("UsesKeyConnector")
                         .HasColumnType("tinyint(1)");
 
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("tinyint(1)");
+
                     b.HasKey("Id");
 
                     b.HasIndex("Email")
diff --git a/util/PostgresMigrations/Migrations/20241219035734_AlterUser_AddVerifyDevice.Designer.cs b/util/PostgresMigrations/Migrations/20241219035734_AlterUser_AddVerifyDevice.Designer.cs
new file mode 100644
index 0000000000..14101cd0b1
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20241219035734_AlterUser_AddVerifyDevice.Designer.cs
@@ -0,0 +1,3003 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20241219035734_AlterUser_AddVerifyDevice")]
+    partial class AlterUser_AddVerifyDevice
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("Npgsql:CollationDefinition:postgresIndetermanisticCollation", "en-u-ks-primary,en-u-ks-primary,icu,False")
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("LimitCollectionCreationDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled");
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("Id", "Enabled"), new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("character varying(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("OrganizationId", "ExternalId"), new[] { "UserId" });
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("character varying(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("numeric");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("character varying(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("character varying(150)");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("character varying(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("numeric");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("numeric");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("boolean");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("numeric");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("character varying(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Body")
+                        .HasColumnType("text");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("character varying(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/20241219035734_AlterUser_AddVerifyDevice.cs b/util/PostgresMigrations/Migrations/20241219035734_AlterUser_AddVerifyDevice.cs
new file mode 100644
index 0000000000..0fa41d6d95
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20241219035734_AlterUser_AddVerifyDevice.cs
@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AlterUser_AddVerifyDevice : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<bool>(
+            name: "VerifyDevices",
+            table: "User",
+            type: "boolean",
+            nullable: false,
+            defaultValue: true);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "VerifyDevices",
+            table: "User");
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
index 04636ab15d..971ba96310 100644
--- a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -1668,6 +1668,9 @@ namespace Bit.PostgresMigrations.Migrations
                     b.Property<bool>("UsesKeyConnector")
                         .HasColumnType("boolean");
 
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("boolean");
+
                     b.HasKey("Id");
 
                     b.HasIndex("Email")
diff --git a/util/SqliteMigrations/Migrations/20241219035748_AlterUser_AddVerifyDevice.Designer.cs b/util/SqliteMigrations/Migrations/20241219035748_AlterUser_AddVerifyDevice.Designer.cs
new file mode 100644
index 0000000000..ef2eb70530
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20241219035748_AlterUser_AddVerifyDevice.Designer.cs
@@ -0,0 +1,2986 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20241219035748_AlterUser_AddVerifyDevice")]
+    partial class AlterUser_AddVerifyDevice
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder.HasAnnotation("ProductVersion", "8.0.8");
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("LimitCollectionCreationDeletion")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("BLOB");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Body")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/20241219035748_AlterUser_AddVerifyDevice.cs b/util/SqliteMigrations/Migrations/20241219035748_AlterUser_AddVerifyDevice.cs
new file mode 100644
index 0000000000..da6fdc6f32
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20241219035748_AlterUser_AddVerifyDevice.cs
@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AlterUser_AddVerifyDevice : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<bool>(
+            name: "VerifyDevices",
+            table: "User",
+            type: "INTEGER",
+            nullable: false,
+            defaultValue: true);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "VerifyDevices",
+            table: "User");
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
index d813ebcbcc..d9be32398b 100644
--- a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -1651,6 +1651,9 @@ namespace Bit.SqliteMigrations.Migrations
                     b.Property<bool>("UsesKeyConnector")
                         .HasColumnType("INTEGER");
 
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("INTEGER");
+
                     b.HasKey("Id");
 
                     b.HasIndex("Email")

From 377c7925e23895fc39d2f51d2523f3414a4e0afb Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Wed, 8 Jan 2025 11:34:05 -0600
Subject: [PATCH 125/384] [PM-16607] - Removed feature flag logic
 pm-3479-secure-org-group-details (#5209)

* Removed feature flag logic pm-3479-secure-org-group-details

* Removing feature flag completely.
---
 .../Controllers/GroupsController.cs           | 20 +++++--------------
 src/Core/Constants.cs                         |  1 -
 2 files changed, 5 insertions(+), 16 deletions(-)

diff --git a/src/Api/AdminConsole/Controllers/GroupsController.cs b/src/Api/AdminConsole/Controllers/GroupsController.cs
index 0e46656994..946d7399c2 100644
--- a/src/Api/AdminConsole/Controllers/GroupsController.cs
+++ b/src/Api/AdminConsole/Controllers/GroupsController.cs
@@ -2,7 +2,6 @@
 using Bit.Api.AdminConsole.Models.Response;
 using Bit.Api.Models.Response;
 using Bit.Api.Vault.AuthorizationHandlers.Collections;
-using Bit.Core;
 using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Authorization;
 using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
@@ -90,7 +89,7 @@ public class GroupsController : Controller
     }
 
     [HttpGet("")]
-    public async Task<ListResponseModel<GroupDetailsResponseModel>> GetOrganizationGroups(Guid orgId)
+    public async Task<ListResponseModel<GroupResponseModel>> GetOrganizationGroups(Guid orgId)
     {
         var authResult = await _authorizationService.AuthorizeAsync(User, new OrganizationScope(orgId), GroupOperations.ReadAll);
         if (!authResult.Succeeded)
@@ -98,24 +97,15 @@ public class GroupsController : Controller
             throw new NotFoundException();
         }
 
-        if (_featureService.IsEnabled(FeatureFlagKeys.SecureOrgGroupDetails))
-        {
-            var groups = await _groupRepository.GetManyByOrganizationIdAsync(orgId);
-            var responses = groups.Select(g => new GroupDetailsResponseModel(g, []));
-            return new ListResponseModel<GroupDetailsResponseModel>(responses);
-        }
-
-        var groupDetails = await _groupRepository.GetManyWithCollectionsByOrganizationIdAsync(orgId);
-        var detailResponses = groupDetails.Select(g => new GroupDetailsResponseModel(g.Item1, g.Item2));
-        return new ListResponseModel<GroupDetailsResponseModel>(detailResponses);
+        var groups = await _groupRepository.GetManyByOrganizationIdAsync(orgId);
+        var responses = groups.Select(g => new GroupResponseModel(g));
+        return new ListResponseModel<GroupResponseModel>(responses);
     }
 
     [HttpGet("details")]
     public async Task<ListResponseModel<GroupDetailsResponseModel>> GetOrganizationGroupDetails(Guid orgId)
     {
-        var authResult = _featureService.IsEnabled(FeatureFlagKeys.SecureOrgGroupDetails)
-            ? await _authorizationService.AuthorizeAsync(User, new OrganizationScope(orgId), GroupOperations.ReadAllDetails)
-            : await _authorizationService.AuthorizeAsync(User, new OrganizationScope(orgId), GroupOperations.ReadAll);
+        var authResult = await _authorizationService.AuthorizeAsync(User, new OrganizationScope(orgId), GroupOperations.ReadAllDetails);
 
         if (!authResult.Succeeded)
         {
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 32561a5839..18b61937d9 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -140,7 +140,6 @@ public static class FeatureFlagKeys
     public const string StorageReseedRefactor = "storage-reseed-refactor";
     public const string TrialPayment = "PM-8163-trial-payment";
     public const string RemoveServerVersionHeader = "remove-server-version-header";
-    public const string SecureOrgGroupDetails = "pm-3479-secure-org-group-details";
     public const string VerifiedSsoDomainEndpoint = "pm-12337-refactor-sso-details-endpoint";
     public const string PM12275_MultiOrganizationEnterprises = "pm-12275-multi-organization-enterprises";
     public const string GeneratorToolsModernization = "generator-tools-modernization";

From 92d9b88afbe2b245b975e2cfddec1033a050b304 Mon Sep 17 00:00:00 2001
From: Matt Bishop <mbishop@bitwarden.com>
Date: Wed, 8 Jan 2025 13:54:34 -0500
Subject: [PATCH 126/384] Provide new feature flag context for devices (#5226)

---
 .../Implementations/LaunchDarklyFeatureService.cs     | 11 +++++++++++
 .../Services/LaunchDarklyFeatureServiceTests.cs       |  1 +
 2 files changed, 12 insertions(+)

diff --git a/src/Core/Services/Implementations/LaunchDarklyFeatureService.cs b/src/Core/Services/Implementations/LaunchDarklyFeatureService.cs
index 48d8fa1222..69b8a94e5a 100644
--- a/src/Core/Services/Implementations/LaunchDarklyFeatureService.cs
+++ b/src/Core/Services/Implementations/LaunchDarklyFeatureService.cs
@@ -16,6 +16,7 @@ public class LaunchDarklyFeatureService : IFeatureService
     private readonly ICurrentContext _currentContext;
     private const string _anonymousUser = "25a15cac-58cf-4ac0-ad0f-b17c4bd92294";
 
+    private const string _contextKindDevice = "device";
     private const string _contextKindOrganization = "organization";
     private const string _contextKindServiceAccount = "service-account";
 
@@ -158,6 +159,16 @@ public class LaunchDarklyFeatureService : IFeatureService
 
         var builder = LaunchDarkly.Sdk.Context.MultiBuilder();
 
+        if (!string.IsNullOrWhiteSpace(_currentContext.DeviceIdentifier))
+        {
+            var ldDevice = LaunchDarkly.Sdk.Context.Builder(_currentContext.DeviceIdentifier);
+
+            ldDevice.Kind(_contextKindDevice);
+            SetCommonContextAttributes(ldDevice);
+
+            builder.Add(ldDevice.Build());
+        }
+
         switch (_currentContext.IdentityClientType)
         {
             case IdentityClientType.User:
diff --git a/test/Core.Test/Services/LaunchDarklyFeatureServiceTests.cs b/test/Core.Test/Services/LaunchDarklyFeatureServiceTests.cs
index 35b5e4ea72..a2c86b5a76 100644
--- a/test/Core.Test/Services/LaunchDarklyFeatureServiceTests.cs
+++ b/test/Core.Test/Services/LaunchDarklyFeatureServiceTests.cs
@@ -22,6 +22,7 @@ public class LaunchDarklyFeatureServiceTests
         globalSettings.ProjectName = "LaunchDarkly Tests";
 
         var currentContext = Substitute.For<ICurrentContext>();
+        currentContext.DeviceIdentifier.Returns(Guid.NewGuid().ToString());
         currentContext.UserId.Returns(Guid.NewGuid());
         currentContext.ClientVersion.Returns(new Version(AssemblyHelpers.GetVersion()));
         currentContext.ClientVersionIsPrerelease.Returns(true);

From 90740c336952615ee2d5457a66afe4d43182bbc0 Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Wed, 8 Jan 2025 22:14:51 +0000
Subject: [PATCH 127/384] Bumped version to 2025.1.1

---
 Directory.Build.props | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index a27c4874f8..11478a436b 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.1.0</Version>
+    <Version>2025.1.1</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>
@@ -64,4 +64,4 @@
     </ItemGroup>
   </Target>
 
-</Project>
+</Project>
\ No newline at end of file

From a638f359e9c675027658c43bee1ea08228a5a10d Mon Sep 17 00:00:00 2001
From: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Date: Wed, 8 Jan 2025 18:04:28 -0500
Subject: [PATCH 128/384] Revert updates to Microsoft.Extensions dependencies
 from v9 (#5235)

* Revert "[deps] Tools: Update Microsoft.Extensions.Configuration to v9 (#5072)"

This reverts commit cb7cbb630aba46050ef9c235a2a0e4608dda4d83.

* Revert "[deps] Tools: Update Microsoft.Extensions.DependencyInjection to v9 (#5073)"

This reverts commit 0b026404db70c8d43dcc80d0c071daa47060a0c8.
---
 src/Core/Core.csproj                                        | 4 ++--
 .../Infrastructure.IntegrationTest.csproj                   | 6 +++---
 test/IntegrationTestCommon/IntegrationTestCommon.csproj     | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index 83ac307671..3de32a4a90 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -47,8 +47,8 @@
     <PackageReference Include="Microsoft.Data.SqlClient" Version="5.2.2" />
     <PackageReference Include="Microsoft.Extensions.Caching.Cosmos" Version="1.7.0" />
     <PackageReference Include="Microsoft.Extensions.Caching.SqlServer" Version="8.0.10" />
-    <PackageReference Include="Microsoft.Extensions.Configuration.EnvironmentVariables" Version="9.0.0" />
-    <PackageReference Include="Microsoft.Extensions.Configuration.UserSecrets" Version="9.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Configuration.EnvironmentVariables" Version="8.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Configuration.UserSecrets" Version="8.0.0" />
     <PackageReference Include="Microsoft.Extensions.Identity.Stores" Version="8.0.10" />
     <PackageReference Include="OneOf" Version="3.0.271" />
     <PackageReference Include="Quartz" Version="3.13.1" />
diff --git a/test/Infrastructure.IntegrationTest/Infrastructure.IntegrationTest.csproj b/test/Infrastructure.IntegrationTest/Infrastructure.IntegrationTest.csproj
index 417525f064..159572f387 100644
--- a/test/Infrastructure.IntegrationTest/Infrastructure.IntegrationTest.csproj
+++ b/test/Infrastructure.IntegrationTest/Infrastructure.IntegrationTest.csproj
@@ -7,9 +7,9 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Extensions.Configuration" Version="9.0.0" />
-    <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="9.0.0" />
-    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="9.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="8.0.1" />
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="8.0.2" />
     <PackageReference Include="Microsoft.Extensions.Logging" Version="8.0.1" />
     <PackageReference Include="Microsoft.Extensions.TimeProvider.Testing" Version="8.10.0" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNetTestSdkVersion)" />
diff --git a/test/IntegrationTestCommon/IntegrationTestCommon.csproj b/test/IntegrationTestCommon/IntegrationTestCommon.csproj
index 2a65c4c364..3e8e55524b 100644
--- a/test/IntegrationTestCommon/IntegrationTestCommon.csproj
+++ b/test/IntegrationTestCommon/IntegrationTestCommon.csproj
@@ -6,7 +6,7 @@
   
   <ItemGroup>
     <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="8.0.10" />
-    <PackageReference Include="Microsoft.Extensions.Configuration" Version="9.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
   </ItemGroup>
     
   <ItemGroup>

From 6793c81f07fd6bd1f572071e45eda7819ac84656 Mon Sep 17 00:00:00 2001
From: Jonathan Prusik <jprusik@users.noreply.github.com>
Date: Wed, 8 Jan 2025 18:36:18 -0500
Subject: [PATCH 129/384] add feature flag block-browser-injections-by-domain
 (#5234)

---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 18b61937d9..defcc41e93 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -133,6 +133,7 @@ public static class FeatureFlagKeys
     public const string NativeCreateAccountFlow = "native-create-account-flow";
     public const string AccountDeprovisioning = "pm-10308-account-deprovisioning";
     public const string NotificationBarAddLoginImprovements = "notification-bar-add-login-improvements";
+    public const string BlockBrowserInjectionsByDomain = "block-browser-injections-by-domain";
     public const string AC2476_DeprecateStripeSourcesAPI = "AC-2476-deprecate-stripe-sources-api";
     public const string PersistPopupView = "persist-popup-view";
     public const string CipherKeyEncryption = "cipher-key-encryption";

From f2659115264b6d204a34ab8f69d1f73bc9bf7156 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 9 Jan 2025 10:09:55 +0100
Subject: [PATCH 130/384] [deps] BRE: Update gh minor (#5016)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 .github/workflows/build.yml                 | 32 ++++++++++-----------
 .github/workflows/code-references.yml       |  2 +-
 .github/workflows/repository-management.yml |  6 ++--
 .github/workflows/scan.yml                  |  8 +++---
 .github/workflows/test-database.yml         |  8 +++---
 .github/workflows/test.yml                  |  2 +-
 6 files changed, 29 insertions(+), 29 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 899ca25f4d..510ce3318b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -30,7 +30,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Set up .NET
-        uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
+        uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
 
       - name: Verify format
         run: dotnet format --verify-no-changes
@@ -81,7 +81,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Set up .NET
-        uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
+        uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
 
       - name: Set up Node
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
@@ -120,7 +120,7 @@ jobs:
           ls -atlh ../../../
 
       - name: Upload project artifact
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: ${{ matrix.project_name }}.zip
           path: ${{ matrix.base_path }}/${{ matrix.project_name }}/${{ matrix.project_name }}.zip
@@ -278,7 +278,7 @@ jobs:
 
       - name: Build Docker image
         id: build-docker
-        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
         with:
           context: ${{ matrix.base_path }}/${{ matrix.project_name }}
           file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
@@ -314,7 +314,7 @@ jobs:
           output-format: sarif
 
       - name: Upload Grype results to GitHub
-        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         with:
           sarif_file: ${{ steps.container-scan.outputs.sarif }}
 
@@ -329,7 +329,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Set up .NET
-        uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
+        uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
 
       - name: Log in to Azure - production subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -393,7 +393,7 @@ jobs:
         if: |
           github.event_name != 'pull_request_target'
           && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: docker-stub-US.zip
           path: docker-stub-US.zip
@@ -403,7 +403,7 @@ jobs:
         if: |
           github.event_name != 'pull_request_target'
           && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: docker-stub-EU.zip
           path: docker-stub-EU.zip
@@ -413,7 +413,7 @@ jobs:
         if: |
           github.event_name != 'pull_request_target'
           && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: docker-stub-US-sha256.txt
           path: docker-stub-US-sha256.txt
@@ -423,7 +423,7 @@ jobs:
         if: |
           github.event_name != 'pull_request_target'
           && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: docker-stub-EU-sha256.txt
           path: docker-stub-EU-sha256.txt
@@ -447,7 +447,7 @@ jobs:
           GLOBALSETTINGS__SQLSERVER__CONNECTIONSTRING: "placeholder"
 
       - name: Upload Public API Swagger artifact
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: swagger.json
           path: swagger.json
@@ -481,14 +481,14 @@ jobs:
           GLOBALSETTINGS__SQLSERVER__CONNECTIONSTRING: "placeholder"
 
       - name: Upload Internal API Swagger artifact
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: internal.json
           path: internal.json
           if-no-files-found: error
 
       - name: Upload Identity Swagger artifact
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: identity.json
           path: identity.json
@@ -517,7 +517,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Set up .NET
-        uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
+        uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
 
       - name: Print environment
         run: |
@@ -533,7 +533,7 @@ jobs:
 
       - name: Upload project artifact for Windows
         if: ${{ contains(matrix.target, 'win') == true }}
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: MsSqlMigratorUtility-${{ matrix.target }}
           path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility.exe
@@ -541,7 +541,7 @@ jobs:
 
       - name: Upload project artifact
         if: ${{ contains(matrix.target, 'win') == false }}
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: MsSqlMigratorUtility-${{ matrix.target }}
           path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility
diff --git a/.github/workflows/code-references.yml b/.github/workflows/code-references.yml
index eeb84f745b..7fcf864866 100644
--- a/.github/workflows/code-references.yml
+++ b/.github/workflows/code-references.yml
@@ -37,7 +37,7 @@ jobs:
 
       - name: Collect
         id: collect
-        uses: launchdarkly/find-code-references-in-pull-request@d008aa4f321d8cd35314d9cb095388dcfde84439 # v2.0.0
+        uses: launchdarkly/find-code-references-in-pull-request@b2d44bb453e13c11fd1a6ada7b1e5f9fb0ace629 # v2.0.1
         with:
           project-key: default
           environment-key: dev
diff --git a/.github/workflows/repository-management.yml b/.github/workflows/repository-management.yml
index d41ce91ec9..3d9806a267 100644
--- a/.github/workflows/repository-management.yml
+++ b/.github/workflows/repository-management.yml
@@ -52,7 +52,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Generate GH App token
-        uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
         id: app-token
         with:
           app-id: ${{ secrets.BW_GHAPP_ID }}
@@ -98,7 +98,7 @@ jobs:
           version: ${{ inputs.version_number_override }}
 
       - name: Generate GH App token
-        uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
         id: app-token
         with:
           app-id: ${{ secrets.BW_GHAPP_ID }}
@@ -197,7 +197,7 @@ jobs:
       - setup
     steps:
       - name: Generate GH App token
-        uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
         id: app-token
         with:
           app-id: ${{ secrets.BW_GHAPP_ID }}
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index f071cb4ec3..e40ff07148 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -31,7 +31,7 @@ jobs:
           ref: ${{  github.event.pull_request.head.sha }}
 
       - name: Scan with Checkmarx
-        uses: checkmarx/ast-github-action@f0869bd1a37fddc06499a096101e6c900e815d81 # 2.0.36
+        uses: checkmarx/ast-github-action@184bf2f64f55d1c93fd6636d539edf274703e434 # 2.0.41
         env:
           INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
         with:
@@ -46,7 +46,7 @@ jobs:
             --output-path . ${{ env.INCREMENTAL }}
 
       - name: Upload Checkmarx results to GitHub
-        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         with:
           sarif_file: cx_result.sarif
 
@@ -60,7 +60,7 @@ jobs:
 
     steps:
       - name: Set up JDK 17
-        uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
+        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
         with:
           java-version: 17
           distribution: "zulu"
@@ -72,7 +72,7 @@ jobs:
           ref: ${{  github.event.pull_request.head.sha }}
 
       - name: Set up .NET
-        uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
+        uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
 
       - name: Install SonarCloud scanner
         run: dotnet tool install dotnet-sonarscanner -g
diff --git a/.github/workflows/test-database.yml b/.github/workflows/test-database.yml
index 6700438c2a..0d6361eca8 100644
--- a/.github/workflows/test-database.yml
+++ b/.github/workflows/test-database.yml
@@ -57,7 +57,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up .NET
-        uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
+        uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
 
       - name: Restore tools
         run: dotnet tool restore
@@ -186,7 +186,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up .NET
-        uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
+        uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
 
       - name: Print environment
         run: |
@@ -200,7 +200,7 @@ jobs:
         shell: pwsh
 
       - name: Upload DACPAC
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: sql.dacpac
           path: Sql.dacpac
@@ -226,7 +226,7 @@ jobs:
         shell: pwsh
 
       - name: Report validation results
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: report.xml
           path: |
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index bc04137f9c..5cc31f5c2f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -49,7 +49,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up .NET
-        uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
+        uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
 
       - name: Print environment
         run: |

From fb72e82d9a409d43f2276d65cd543500c2bda23d Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 9 Jan 2025 13:26:46 +0100
Subject: [PATCH 131/384] [deps] Tools: Update aws-sdk-net monorepo (#5168)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 src/Core/Core.csproj | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index 3de32a4a90..44b4729a10 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -21,8 +21,8 @@
 
   <ItemGroup>
     <PackageReference Include="AspNetCoreRateLimit.Redis" Version="2.0.0" />
-    <PackageReference Include="AWSSDK.SimpleEmail" Version="3.7.402.7" />
-    <PackageReference Include="AWSSDK.SQS" Version="3.7.400.64" />
+    <PackageReference Include="AWSSDK.SimpleEmail" Version="3.7.402.18" />
+    <PackageReference Include="AWSSDK.SQS" Version="3.7.400.75" />
     <PackageReference Include="Azure.Data.Tables" Version="12.9.0" />
     <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Blobs" Version="1.3.4" />
     <PackageReference Include="Google.Protobuf" Version="3.29.2" />

From e754ae472921ef7f85c28b5377795b021b62f298 Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Thu, 9 Jan 2025 09:35:40 -0600
Subject: [PATCH 132/384] [PM-10319] - Send 2FA Email when policy enabled
 (#5233)

* Correcting which email is sent when enabling 2FA policy.

* Fixing the test.
---
 .../PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs  | 2 +-
 .../TwoFactorAuthenticationPolicyValidatorTests.cs              | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs
index c2dd8cff91..33edb0db50 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs
@@ -104,7 +104,7 @@ public class TwoFactorAuthenticationPolicyValidator : IPolicyValidator
         }
 
         await Task.WhenAll(currentActiveRevocableOrganizationUsers.Select(x =>
-            _mailService.SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(organization.DisplayName(), x.Email)));
+            _mailService.SendOrganizationUserRevokedForTwoFactoryPolicyEmailAsync(organization.DisplayName(), x.Email)));
     }
 
     private async Task RemoveNonCompliantUsersAsync(Guid organizationId)
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidatorTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidatorTests.cs
index 4e5f1816a5..1ee161e6bc 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidatorTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidatorTests.cs
@@ -351,7 +351,7 @@ public class TwoFactorAuthenticationPolicyValidatorTests
 
         await sutProvider.GetDependency<IMailService>()
             .Received(1)
-            .SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(organization.DisplayName(),
+            .SendOrganizationUserRevokedForTwoFactoryPolicyEmailAsync(organization.DisplayName(),
                 "user3@test.com");
     }
 }

From ced4870309cac00d5eb270ef11f91a9af4757996 Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Thu, 9 Jan 2025 10:32:33 -0600
Subject: [PATCH 133/384] Added push notification for when Collection
 management settings have been changed. (#5230)

---
 .../Services/Implementations/OrganizationService.cs |  5 +++++
 src/Core/Enums/PushType.cs                          |  1 +
 src/Core/Models/PushNotification.cs                 |  7 +++++++
 .../NotificationHubPushNotificationService.cs       | 13 +++++++++++++
 .../Services/AzureQueuePushNotificationService.cs   |  8 ++++++++
 .../Push/Services/IPushNotificationService.cs       |  1 +
 .../Services/MultiServicePushNotificationService.cs |  6 ++++++
 .../Push/Services/NoopPushNotificationService.cs    |  2 ++
 .../NotificationsApiPushNotificationService.cs      |  9 +++++++++
 .../Push/Services/RelayPushNotificationService.cs   | 13 +++++++++++++
 src/Notifications/HubHelpers.cs                     |  7 +++++++
 11 files changed, 72 insertions(+)

diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index 9d178697ac..56467a661a 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -802,6 +802,11 @@ public class OrganizationService : IOrganizationService
                 Description = organization.DisplayBusinessName()
             });
         }
+
+        if (eventType == EventType.Organization_CollectionManagement_Updated)
+        {
+            await _pushNotificationService.PushSyncOrganizationCollectionManagementSettingsAsync(organization);
+        }
     }
 
     public async Task UpdateTwoFactorProviderAsync(Organization organization, TwoFactorProviderType type)
diff --git a/src/Core/Enums/PushType.cs b/src/Core/Enums/PushType.cs
index 2030b855e2..ee1b59990f 100644
--- a/src/Core/Enums/PushType.cs
+++ b/src/Core/Enums/PushType.cs
@@ -26,4 +26,5 @@ public enum PushType : byte
 
     SyncOrganizations = 17,
     SyncOrganizationStatusChanged = 18,
+    SyncOrganizationCollectionSettingChanged = 19,
 }
diff --git a/src/Core/Models/PushNotification.cs b/src/Core/Models/PushNotification.cs
index 667080580e..9907abcb65 100644
--- a/src/Core/Models/PushNotification.cs
+++ b/src/Core/Models/PushNotification.cs
@@ -56,3 +56,10 @@ public class OrganizationStatusPushNotification
     public Guid OrganizationId { get; set; }
     public bool Enabled { get; set; }
 }
+
+public class OrganizationCollectionManagementPushNotification
+{
+    public Guid OrganizationId { get; init; }
+    public bool LimitCollectionCreation { get; init; }
+    public bool LimitCollectionDeletion { get; init; }
+}
diff --git a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
index 67faff619d..d90ebdd744 100644
--- a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
+++ b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
@@ -238,6 +238,19 @@ public class NotificationHubPushNotificationService : IPushNotificationService
         await SendPayloadToOrganizationAsync(organization.Id, PushType.SyncOrganizationStatusChanged, message, false);
     }
 
+    public async Task PushSyncOrganizationCollectionManagementSettingsAsync(Organization organization) =>
+        await SendPayloadToOrganizationAsync(
+            organization.Id,
+            PushType.SyncOrganizationCollectionSettingChanged,
+            new OrganizationCollectionManagementPushNotification
+            {
+                OrganizationId = organization.Id,
+                LimitCollectionCreation = organization.LimitCollectionCreation,
+                LimitCollectionDeletion = organization.LimitCollectionDeletion
+            },
+            false
+        );
+
     private string GetContextIdentifier(bool excludeCurrentContext)
     {
         if (!excludeCurrentContext)
diff --git a/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs b/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
index 332b322be6..0503a22a60 100644
--- a/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
@@ -233,4 +233,12 @@ public class AzureQueuePushNotificationService : IPushNotificationService
         await SendMessageAsync(PushType.SyncOrganizationStatusChanged, message, false);
     }
 
+    public async Task PushSyncOrganizationCollectionManagementSettingsAsync(Organization organization) =>
+        await SendMessageAsync(PushType.SyncOrganizationCollectionSettingChanged,
+            new OrganizationCollectionManagementPushNotification
+            {
+                OrganizationId = organization.Id,
+                LimitCollectionCreation = organization.LimitCollectionCreation,
+                LimitCollectionDeletion = organization.LimitCollectionDeletion
+            }, false);
 }
diff --git a/src/Core/Platform/Push/Services/IPushNotificationService.cs b/src/Core/Platform/Push/Services/IPushNotificationService.cs
index 986b54b6d9..b015c17df2 100644
--- a/src/Core/Platform/Push/Services/IPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/IPushNotificationService.cs
@@ -29,4 +29,5 @@ public interface IPushNotificationService
     Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier,
         string deviceId = null);
     Task PushSyncOrganizationStatusAsync(Organization organization);
+    Task PushSyncOrganizationCollectionManagementSettingsAsync(Organization organization);
 }
diff --git a/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs b/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
index a291aa037f..f1a5700013 100644
--- a/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
@@ -151,6 +151,12 @@ public class MultiServicePushNotificationService : IPushNotificationService
         return Task.FromResult(0);
     }
 
+    public Task PushSyncOrganizationCollectionManagementSettingsAsync(Organization organization)
+    {
+        PushToServices(s => s.PushSyncOrganizationCollectionManagementSettingsAsync(organization));
+        return Task.CompletedTask;
+    }
+
     private void PushToServices(Func<IPushNotificationService, Task> pushFunc)
     {
         if (_services != null)
diff --git a/src/Core/Platform/Push/Services/NoopPushNotificationService.cs b/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
index 6d5fbfd9a4..4a185bee1a 100644
--- a/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
@@ -94,6 +94,8 @@ public class NoopPushNotificationService : IPushNotificationService
         return Task.FromResult(0);
     }
 
+    public Task PushSyncOrganizationCollectionManagementSettingsAsync(Organization organization) => Task.CompletedTask;
+
     public Task PushAuthRequestAsync(AuthRequest authRequest)
     {
         return Task.FromResult(0);
diff --git a/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs b/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
index adf6d829e7..849ae1b765 100644
--- a/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
@@ -241,4 +241,13 @@ public class NotificationsApiPushNotificationService : BaseIdentityClientService
 
         await SendMessageAsync(PushType.SyncOrganizationStatusChanged, message, false);
     }
+
+    public async Task PushSyncOrganizationCollectionManagementSettingsAsync(Organization organization) =>
+        await SendMessageAsync(PushType.SyncOrganizationCollectionSettingChanged,
+            new OrganizationCollectionManagementPushNotification
+            {
+                OrganizationId = organization.Id,
+                LimitCollectionCreation = organization.LimitCollectionCreation,
+                LimitCollectionDeletion = organization.LimitCollectionDeletion
+            }, false);
 }
diff --git a/src/Core/Platform/Push/Services/RelayPushNotificationService.cs b/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
index 93db0c0c5b..e41244a1b8 100644
--- a/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
@@ -264,4 +264,17 @@ public class RelayPushNotificationService : BaseIdentityClientService, IPushNoti
 
         await SendPayloadToOrganizationAsync(organization.Id, PushType.SyncOrganizationStatusChanged, message, false);
     }
+
+    public async Task PushSyncOrganizationCollectionManagementSettingsAsync(Organization organization) =>
+        await SendPayloadToOrganizationAsync(
+            organization.Id,
+            PushType.SyncOrganizationCollectionSettingChanged,
+            new OrganizationCollectionManagementPushNotification
+            {
+                OrganizationId = organization.Id,
+                LimitCollectionCreation = organization.LimitCollectionCreation,
+                LimitCollectionDeletion = organization.LimitCollectionDeletion
+            },
+            false
+        );
 }
diff --git a/src/Notifications/HubHelpers.cs b/src/Notifications/HubHelpers.cs
index ce2e6b24ad..6f49822dc9 100644
--- a/src/Notifications/HubHelpers.cs
+++ b/src/Notifications/HubHelpers.cs
@@ -92,6 +92,13 @@ public static class HubHelpers
                 await hubContext.Clients.Group($"Organization_{orgStatusNotification.Payload.OrganizationId}")
                     .SendAsync("ReceiveMessage", orgStatusNotification, cancellationToken);
                 break;
+            case PushType.SyncOrganizationCollectionSettingChanged:
+                var organizationCollectionSettingsChangedNotification =
+                    JsonSerializer.Deserialize<PushNotificationData<OrganizationStatusPushNotification>>(
+                        notificationJson, _deserializerOptions);
+                await hubContext.Clients.Group($"Organization_{organizationCollectionSettingsChangedNotification.Payload.OrganizationId}")
+                    .SendAsync("ReceiveMessage", organizationCollectionSettingsChangedNotification, cancellationToken);
+                break;
             default:
                 break;
         }

From bd657c76cf392e1a4e5eb0ab3de590b8b06d012e Mon Sep 17 00:00:00 2001
From: MtnBurrit0 <77340197+mimartin12@users.noreply.github.com>
Date: Thu, 9 Jan 2025 10:10:49 -0700
Subject: [PATCH 134/384] Remove unused workflow now that config has been
 migrated. (#5239)

---
 .../cleanup-ephemeral-environment.yml         | 59 -------------------
 1 file changed, 59 deletions(-)
 delete mode 100644 .github/workflows/cleanup-ephemeral-environment.yml

diff --git a/.github/workflows/cleanup-ephemeral-environment.yml b/.github/workflows/cleanup-ephemeral-environment.yml
deleted file mode 100644
index 91e8ff083f..0000000000
--- a/.github/workflows/cleanup-ephemeral-environment.yml
+++ /dev/null
@@ -1,59 +0,0 @@
-name: Ephemeral environment cleanup
-
-on:
-  pull_request:
-    types: [unlabeled]
-
-jobs:
-  validate-pr:
-    name: Validate PR
-    runs-on: ubuntu-24.04
-    outputs:
-      config-exists: ${{ steps.validate-config.outputs.config-exists }}
-    steps:
-      - name: Checkout PR
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        
-      - name: Validate config exists in path
-        id: validate-config
-        run: |
-          if [[ -f "ephemeral-environments/$GITHUB_HEAD_REF.yaml" ]]; then
-            echo "Ephemeral environment config found in path, continuing."
-            echo "config-exists=true" >> $GITHUB_OUTPUT
-          fi
-
-
-  cleanup-config:
-    name: Cleanup ephemeral environment
-    runs-on: ubuntu-24.04
-    needs: validate-pr
-    if: ${{ needs.validate-pr.outputs.config-exists }}
-    steps:
-      - name: Log in to Azure - CI subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
-        with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-
-      - name: Retrieve GitHub PAT secrets
-        id: retrieve-secret-pat
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
-
-      - name: Trigger Ephemeral Environment cleanup
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
-          script: |
-            await github.rest.actions.createWorkflowDispatch({
-              owner: 'bitwarden',
-              repo: 'devops',
-              workflow_id: '_ephemeral_environment_pr_manager.yml',
-              ref: 'main',
-              inputs: {
-                ephemeral_env_branch: process.env.GITHUB_HEAD_REF,
-                cleanup_config: true,
-                project: 'server'
-              }
-            })

From 9c6ad877ccd36914d792979aa835fc0ba827d186 Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Thu, 9 Jan 2025 17:12:32 +0000
Subject: [PATCH 135/384] Bumped version to 2025.1.2

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 11478a436b..1467c0822c 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.1.1</Version>
+    <Version>2025.1.2</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

From 28d55350109d5361a4e905fe516e448ae334d4f4 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Jan 2025 12:33:52 -0500
Subject: [PATCH 136/384] Update checkout action for cherry pick job (#5242)

---
 .github/workflows/repository-management.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/repository-management.yml b/.github/workflows/repository-management.yml
index 3d9806a267..178e29212a 100644
--- a/.github/workflows/repository-management.yml
+++ b/.github/workflows/repository-management.yml
@@ -206,6 +206,7 @@ jobs:
       - name: Check out main branch
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          fetch-depth: 0
           ref: main
           token: ${{ steps.app-token.outputs.token }}
 

From 6771f79597fe038ecc605ad5cdd7320039d2d275 Mon Sep 17 00:00:00 2001
From: Conner Turnbull <133619638+cturnbull-bitwarden@users.noreply.github.com>
Date: Thu, 9 Jan 2025 12:40:16 -0500
Subject: [PATCH 137/384] Updated LicensingService to be a singleton again and
 moved IFeatureService up a frame in the call stack (#5238)

---
 .../Cloud/CloudGetOrganizationLicenseQuery.cs | 15 ++++++++-----
 .../Implementations/LicensingService.cs       | 13 -----------
 .../Utilities/ServiceCollectionExtensions.cs  |  2 +-
 .../CloudGetOrganizationLicenseQueryTests.cs  | 22 +++++++++++++++++++
 4 files changed, 33 insertions(+), 19 deletions(-)

diff --git a/src/Core/OrganizationFeatures/OrganizationLicenses/Cloud/CloudGetOrganizationLicenseQuery.cs b/src/Core/OrganizationFeatures/OrganizationLicenses/Cloud/CloudGetOrganizationLicenseQuery.cs
index 53050c7824..0c3bfe16cf 100644
--- a/src/Core/OrganizationFeatures/OrganizationLicenses/Cloud/CloudGetOrganizationLicenseQuery.cs
+++ b/src/Core/OrganizationFeatures/OrganizationLicenses/Cloud/CloudGetOrganizationLicenseQuery.cs
@@ -15,17 +15,20 @@ public class CloudGetOrganizationLicenseQuery : ICloudGetOrganizationLicenseQuer
     private readonly IPaymentService _paymentService;
     private readonly ILicensingService _licensingService;
     private readonly IProviderRepository _providerRepository;
+    private readonly IFeatureService _featureService;
 
     public CloudGetOrganizationLicenseQuery(
         IInstallationRepository installationRepository,
         IPaymentService paymentService,
         ILicensingService licensingService,
-        IProviderRepository providerRepository)
+        IProviderRepository providerRepository,
+        IFeatureService featureService)
     {
         _installationRepository = installationRepository;
         _paymentService = paymentService;
         _licensingService = licensingService;
         _providerRepository = providerRepository;
+        _featureService = featureService;
     }
 
     public async Task<OrganizationLicense> GetLicenseAsync(Organization organization, Guid installationId,
@@ -38,11 +41,13 @@ public class CloudGetOrganizationLicenseQuery : ICloudGetOrganizationLicenseQuer
         }
 
         var subscriptionInfo = await GetSubscriptionAsync(organization);
-
-        return new OrganizationLicense(organization, subscriptionInfo, installationId, _licensingService, version)
+        var license = new OrganizationLicense(organization, subscriptionInfo, installationId, _licensingService, version);
+        if (_featureService.IsEnabled(FeatureFlagKeys.SelfHostLicenseRefactor))
         {
-            Token = await _licensingService.CreateOrganizationTokenAsync(organization, installationId, subscriptionInfo)
-        };
+            license.Token = await _licensingService.CreateOrganizationTokenAsync(organization, installationId, subscriptionInfo);
+        }
+
+        return license;
     }
 
     private async Task<SubscriptionInfo> GetSubscriptionAsync(Organization organization)
diff --git a/src/Core/Services/Implementations/LicensingService.cs b/src/Core/Services/Implementations/LicensingService.cs
index 866f0bb6e1..dd603b4b63 100644
--- a/src/Core/Services/Implementations/LicensingService.cs
+++ b/src/Core/Services/Implementations/LicensingService.cs
@@ -30,7 +30,6 @@ public class LicensingService : ILicensingService
     private readonly ILogger<LicensingService> _logger;
     private readonly ILicenseClaimsFactory<Organization> _organizationLicenseClaimsFactory;
     private readonly ILicenseClaimsFactory<User> _userLicenseClaimsFactory;
-    private readonly IFeatureService _featureService;
 
     private IDictionary<Guid, DateTime> _userCheckCache = new Dictionary<Guid, DateTime>();
 
@@ -42,7 +41,6 @@ public class LicensingService : ILicensingService
         ILogger<LicensingService> logger,
         IGlobalSettings globalSettings,
         ILicenseClaimsFactory<Organization> organizationLicenseClaimsFactory,
-        IFeatureService featureService,
         ILicenseClaimsFactory<User> userLicenseClaimsFactory)
     {
         _userRepository = userRepository;
@@ -51,7 +49,6 @@ public class LicensingService : ILicensingService
         _logger = logger;
         _globalSettings = globalSettings;
         _organizationLicenseClaimsFactory = organizationLicenseClaimsFactory;
-        _featureService = featureService;
         _userLicenseClaimsFactory = userLicenseClaimsFactory;
 
         var certThumbprint = environment.IsDevelopment() ?
@@ -344,11 +341,6 @@ public class LicensingService : ILicensingService
 
     public async Task<string> CreateOrganizationTokenAsync(Organization organization, Guid installationId, SubscriptionInfo subscriptionInfo)
     {
-        if (!_featureService.IsEnabled(FeatureFlagKeys.SelfHostLicenseRefactor))
-        {
-            return null;
-        }
-
         var licenseContext = new LicenseContext
         {
             InstallationId = installationId,
@@ -363,11 +355,6 @@ public class LicensingService : ILicensingService
 
     public async Task<string> CreateUserTokenAsync(User user, SubscriptionInfo subscriptionInfo)
     {
-        if (!_featureService.IsEnabled(FeatureFlagKeys.SelfHostLicenseRefactor))
-        {
-            return null;
-        }
-
         var licenseContext = new LicenseContext { SubscriptionInfo = subscriptionInfo };
         var claims = await _userLicenseClaimsFactory.GenerateClaims(user, licenseContext);
         var audience = $"user:{user.Id}";
diff --git a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
index 891b8d6664..63c114405f 100644
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@@ -238,7 +238,7 @@ public static class ServiceCollectionExtensions
         services.AddScoped<IPaymentHistoryService, PaymentHistoryService>();
         services.AddSingleton<IStripeSyncService, StripeSyncService>();
         services.AddSingleton<IMailService, HandlebarsMailService>();
-        services.AddScoped<ILicensingService, LicensingService>();
+        services.AddSingleton<ILicensingService, LicensingService>();
         services.AddSingleton<ILookupClient>(_ =>
         {
             var options = new LookupClientOptions { Timeout = TimeSpan.FromSeconds(15), UseTcpOnly = true };
diff --git a/test/Core.Test/OrganizationFeatures/OrganizationLicenses/CloudGetOrganizationLicenseQueryTests.cs b/test/Core.Test/OrganizationFeatures/OrganizationLicenses/CloudGetOrganizationLicenseQueryTests.cs
index 44c87f7182..650d33f64c 100644
--- a/test/Core.Test/OrganizationFeatures/OrganizationLicenses/CloudGetOrganizationLicenseQueryTests.cs
+++ b/test/Core.Test/OrganizationFeatures/OrganizationLicenses/CloudGetOrganizationLicenseQueryTests.cs
@@ -56,6 +56,7 @@ public class CloudGetOrganizationLicenseQueryTests
         sutProvider.GetDependency<IInstallationRepository>().GetByIdAsync(installationId).Returns(installation);
         sutProvider.GetDependency<IPaymentService>().GetSubscriptionAsync(organization).Returns(subInfo);
         sutProvider.GetDependency<ILicensingService>().SignLicense(Arg.Any<ILicense>()).Returns(licenseSignature);
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.SelfHostLicenseRefactor).Returns(false);
 
         var result = await sutProvider.Sut.GetLicenseAsync(organization, installationId);
 
@@ -63,6 +64,27 @@ public class CloudGetOrganizationLicenseQueryTests
         Assert.Equal(organization.Id, result.Id);
         Assert.Equal(installationId, result.InstallationId);
         Assert.Equal(licenseSignature, result.SignatureBytes);
+        Assert.Null(result.Token);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetLicenseAsync_WhenFeatureFlagEnabled_CreatesToken(SutProvider<CloudGetOrganizationLicenseQuery> sutProvider,
+        Organization organization, Guid installationId, Installation installation, SubscriptionInfo subInfo,
+        byte[] licenseSignature, string token)
+    {
+        installation.Enabled = true;
+        sutProvider.GetDependency<IInstallationRepository>().GetByIdAsync(installationId).Returns(installation);
+        sutProvider.GetDependency<IPaymentService>().GetSubscriptionAsync(organization).Returns(subInfo);
+        sutProvider.GetDependency<ILicensingService>().SignLicense(Arg.Any<ILicense>()).Returns(licenseSignature);
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.SelfHostLicenseRefactor).Returns(true);
+        sutProvider.GetDependency<ILicensingService>()
+            .CreateOrganizationTokenAsync(organization, installationId, subInfo)
+            .Returns(token);
+
+        var result = await sutProvider.Sut.GetLicenseAsync(organization, installationId);
+
+        Assert.Equal(token, result.Token);
     }
 
     [Theory]

From f753829559d8adfeeb413ab53081dba2b8d1d3b8 Mon Sep 17 00:00:00 2001
From: MtnBurrit0 <77340197+mimartin12@users.noreply.github.com>
Date: Thu, 9 Jan 2025 10:50:03 -0700
Subject: [PATCH 138/384] Always update the ephemeral environment when the
 label is added (#5240)

---
 .github/workflows/ephemeral-environment.yml | 38 +++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 .github/workflows/ephemeral-environment.yml

diff --git a/.github/workflows/ephemeral-environment.yml b/.github/workflows/ephemeral-environment.yml
new file mode 100644
index 0000000000..c784d48354
--- /dev/null
+++ b/.github/workflows/ephemeral-environment.yml
@@ -0,0 +1,38 @@
+name: Ephemeral Environment
+
+on:
+  pull_request:
+    types: [labeled]
+
+jobs:
+  trigger-ee-updates:
+    name: Trigger Ephemeral Environment updates
+    runs-on: ubuntu-24.04
+    if: github.event.label.name == 'ephemeral-environment'
+    steps:
+      - name: Log in to Azure - CI subscription
+        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+      - name: Retrieve GitHub PAT secrets
+        id: retrieve-secret-pat
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: "bitwarden-ci"
+          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+
+      - name: Trigger Ephemeral Environment update
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          script: |
+            await github.rest.actions.createWorkflowDispatch({
+              owner: 'bitwarden',
+              repo: 'devops',
+              workflow_id: '_update_ephemeral_tags.yml',
+              ref: 'main',
+              inputs: {
+                ephemeral_env_branch: process.env.GITHUB_HEAD_REF
+              }
+            })

From fd195e7cf385b6df55e3f525b5267267a047d527 Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Thu, 9 Jan 2025 14:13:29 -0600
Subject: [PATCH 139/384] Forgot to remove compliant users from the list.
 (#5241)

---
 .../TwoFactorAuthenticationPolicyValidator.cs     | 15 +++++++++++----
 ...TwoFactorAuthenticationPolicyValidatorTests.cs |  2 +-
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs
index 33edb0db50..6c217cecbe 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs
@@ -87,16 +87,23 @@ public class TwoFactorAuthenticationPolicyValidator : IPolicyValidator
             return;
         }
 
-        var organizationUsersTwoFactorEnabled =
+        var revocableUsersWithTwoFactorStatus =
             await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(currentActiveRevocableOrganizationUsers);
 
-        if (NonCompliantMembersWillLoseAccess(currentActiveRevocableOrganizationUsers, organizationUsersTwoFactorEnabled))
+        var nonCompliantUsers = revocableUsersWithTwoFactorStatus.Where(x => !x.twoFactorIsEnabled);
+
+        if (!nonCompliantUsers.Any())
+        {
+            return;
+        }
+
+        if (MembersWithNoMasterPasswordWillLoseAccess(currentActiveRevocableOrganizationUsers, nonCompliantUsers))
         {
             throw new BadRequestException(NonCompliantMembersWillLoseAccessMessage);
         }
 
         var commandResult = await _revokeNonCompliantOrganizationUserCommand.RevokeNonCompliantOrganizationUsersAsync(
-            new RevokeOrganizationUsersRequest(organizationId, currentActiveRevocableOrganizationUsers, performedBy));
+            new RevokeOrganizationUsersRequest(organizationId, nonCompliantUsers.Select(x => x.user), performedBy));
 
         if (commandResult.HasErrors)
         {
@@ -141,7 +148,7 @@ public class TwoFactorAuthenticationPolicyValidator : IPolicyValidator
         }
     }
 
-    private static bool NonCompliantMembersWillLoseAccess(
+    private static bool MembersWithNoMasterPasswordWillLoseAccess(
         IEnumerable<OrganizationUserUserDetails> orgUserDetails,
         IEnumerable<(OrganizationUserUserDetails user, bool isTwoFactorEnabled)> organizationUsersTwoFactorEnabled) =>
             orgUserDetails.Any(x =>
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidatorTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidatorTests.cs
index 1ee161e6bc..8c350d4161 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidatorTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidatorTests.cs
@@ -336,7 +336,7 @@ public class TwoFactorAuthenticationPolicyValidatorTests
             .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<OrganizationUserUserDetails>>())
             .Returns(new List<(OrganizationUserUserDetails user, bool hasTwoFactor)>()
             {
-                (orgUserDetailUserWithout2Fa, true),
+                (orgUserDetailUserWithout2Fa, false)
             });
 
         sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()

From a99f82dddd647d8abd166851bcfca07752e1e3ab Mon Sep 17 00:00:00 2001
From: Shane Melton <smelton@bitwarden.com>
Date: Thu, 9 Jan 2025 12:14:24 -0800
Subject: [PATCH 140/384] [PM-14378] SecurityTask Authorization Handler (#5039)

* [PM-14378] Introduce GetCipherPermissionsForOrganization query for Dapper CipherRepository

* [PM-14378] Introduce GetCipherPermissionsForOrganization method for Entity Framework

* [PM-14378] Add integration tests for new repository method

* [PM-14378] Introduce IGetCipherPermissionsForUserQuery CQRS query

* [PM-14378] Introduce SecurityTaskOperationRequirement

* [PM-14378] Introduce SecurityTaskAuthorizationHandler.cs

* [PM-14378] Introduce SecurityTaskOrganizationAuthorizationHandler.cs

* [PM-14378] Register new authorization handlers

* [PM-14378] Formatting

* [PM-14378] Add unit tests for GetCipherPermissionsForUserQuery

* [PM-15378] Cleanup SecurityTaskAuthorizationHandler and add tests

* [PM-14378] Add tests for SecurityTaskOrganizationAuthorizationHandler

* [PM-14378] Formatting

* [PM-14378] Update date in migration file

* [PM-14378] Add missing awaits

* [PM-14378] Bump migration script date

* [PM-14378] Remove Unassigned property from OrganizationCipherPermission as it was making the query too complicated

* [PM-14378] Update sproc to use Union All to improve query performance

* [PM-14378] Bump migration script date
---
 .../Utilities/ServiceCollectionExtensions.cs  |   3 +
 .../SecurityTaskAuthorizationHandler.cs       | 142 ++++++
 .../SecurityTaskOperationRequirement.cs       |  27 ++
 ...ityTaskOrganizationAuthorizationHandler.cs |  47 ++
 .../Data/OrganizationCipherPermission.cs      |  40 ++
 .../GetCipherPermissionsForUserQuery.cs       |  97 ++++
 .../IGetCipherPermissionsForUserQuery.cs      |  19 +
 .../Vault/Repositories/ICipherRepository.cs   |  10 +
 .../Vault/VaultServiceCollectionExtensions.cs |   1 +
 .../Vault/Repositories/CipherRepository.cs    |  14 +
 .../Vault/Repositories/CipherRepository.cs    |  46 ++
 .../CipherOrganizationPermissionsQuery.cs     |  63 +++
 ...ionPermissions_GetManyByOrganizationId.sql |  76 ++++
 .../SecurityTaskAuthorizationHandlerTests.cs  | 430 ++++++++++++++++++
 ...skOrganizationAuthorizationHandlerTests.cs | 104 +++++
 .../GetCipherPermissionsForUserQueryTests.cs  | 238 ++++++++++
 .../Repositories/CipherRepositoryTests.cs     | 235 ++++++++++
 ..._00_CipherOrganizationPermissionsQuery.sql |  77 ++++
 18 files changed, 1669 insertions(+)
 create mode 100644 src/Core/Vault/Authorization/SecurityTasks/SecurityTaskAuthorizationHandler.cs
 create mode 100644 src/Core/Vault/Authorization/SecurityTasks/SecurityTaskOperationRequirement.cs
 create mode 100644 src/Core/Vault/Authorization/SecurityTasks/SecurityTaskOrganizationAuthorizationHandler.cs
 create mode 100644 src/Core/Vault/Models/Data/OrganizationCipherPermission.cs
 create mode 100644 src/Core/Vault/Queries/GetCipherPermissionsForUserQuery.cs
 create mode 100644 src/Core/Vault/Queries/IGetCipherPermissionsForUserQuery.cs
 create mode 100644 src/Infrastructure.EntityFramework/Vault/Repositories/Queries/CipherOrganizationPermissionsQuery.cs
 create mode 100644 src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherOrganizationPermissions_GetManyByOrganizationId.sql
 create mode 100644 test/Core.Test/Vault/Authorization/SecurityTaskAuthorizationHandlerTests.cs
 create mode 100644 test/Core.Test/Vault/Authorization/SecurityTaskOrganizationAuthorizationHandlerTests.cs
 create mode 100644 test/Core.Test/Vault/Queries/GetCipherPermissionsForUserQueryTests.cs
 create mode 100644 util/Migrator/DbScripts/2025-01-08_00_CipherOrganizationPermissionsQuery.sql

diff --git a/src/Api/Utilities/ServiceCollectionExtensions.cs b/src/Api/Utilities/ServiceCollectionExtensions.cs
index 270055be8f..be106786e8 100644
--- a/src/Api/Utilities/ServiceCollectionExtensions.cs
+++ b/src/Api/Utilities/ServiceCollectionExtensions.cs
@@ -4,6 +4,7 @@ using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Authorization;
 using Bit.Core.IdentityServer;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
+using Bit.Core.Vault.Authorization.SecurityTasks;
 using Bit.SharedWeb.Health;
 using Bit.SharedWeb.Swagger;
 using Microsoft.AspNetCore.Authorization;
@@ -104,5 +105,7 @@ public static class ServiceCollectionExtensions
         services.AddScoped<IAuthorizationHandler, CollectionAuthorizationHandler>();
         services.AddScoped<IAuthorizationHandler, GroupAuthorizationHandler>();
         services.AddScoped<IAuthorizationHandler, VaultExportAuthorizationHandler>();
+        services.AddScoped<IAuthorizationHandler, SecurityTaskAuthorizationHandler>();
+        services.AddScoped<IAuthorizationHandler, SecurityTaskOrganizationAuthorizationHandler>();
     }
 }
diff --git a/src/Core/Vault/Authorization/SecurityTasks/SecurityTaskAuthorizationHandler.cs b/src/Core/Vault/Authorization/SecurityTasks/SecurityTaskAuthorizationHandler.cs
new file mode 100644
index 0000000000..eedae99083
--- /dev/null
+++ b/src/Core/Vault/Authorization/SecurityTasks/SecurityTaskAuthorizationHandler.cs
@@ -0,0 +1,142 @@
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Queries;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.Vault.Authorization.SecurityTasks;
+
+public class SecurityTaskAuthorizationHandler : AuthorizationHandler<SecurityTaskOperationRequirement, SecurityTask>
+{
+    private readonly ICurrentContext _currentContext;
+    private readonly IGetCipherPermissionsForUserQuery _getCipherPermissionsForUserQuery;
+
+    private readonly Dictionary<Guid, IDictionary<Guid, OrganizationCipherPermission>> _cipherPermissionCache = new();
+
+    public SecurityTaskAuthorizationHandler(ICurrentContext currentContext, IGetCipherPermissionsForUserQuery getCipherPermissionsForUserQuery)
+    {
+        _currentContext = currentContext;
+        _getCipherPermissionsForUserQuery = getCipherPermissionsForUserQuery;
+    }
+
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
+        SecurityTaskOperationRequirement requirement,
+        SecurityTask task)
+    {
+        if (!_currentContext.UserId.HasValue)
+        {
+            return;
+        }
+
+        var org = _currentContext.GetOrganization(task.OrganizationId);
+
+        if (org == null)
+        {
+            // User must be a member of the organization
+            return;
+        }
+
+        var authorized = requirement switch
+        {
+            not null when requirement == SecurityTaskOperations.Read => await CanReadAsync(task, org),
+            not null when requirement == SecurityTaskOperations.Create => await CanCreateAsync(task, org),
+            not null when requirement == SecurityTaskOperations.Update => await CanUpdateAsync(task, org),
+            _ => throw new ArgumentOutOfRangeException(nameof(requirement), requirement, null)
+        };
+
+        if (authorized)
+        {
+            context.Succeed(requirement);
+        }
+    }
+
+    private async Task<bool> CanReadAsync(SecurityTask task, CurrentContextOrganization org)
+    {
+        if (!task.CipherId.HasValue)
+        {
+            // Tasks without cipher IDs are not possible currently
+            return false;
+        }
+
+        if (HasAdminAccessToSecurityTasks(org))
+        {
+            // Admins can read any task for ciphers in the organization
+            return await CipherBelongsToOrgAsync(org, task.CipherId.Value);
+        }
+
+        return await CanReadCipherForOrgAsync(org, task.CipherId.Value);
+    }
+
+    private async Task<bool> CanCreateAsync(SecurityTask task, CurrentContextOrganization org)
+    {
+        if (!task.CipherId.HasValue)
+        {
+            // Tasks without cipher IDs are not possible currently
+            return false;
+        }
+
+        if (!HasAdminAccessToSecurityTasks(org))
+        {
+            // User must be an Admin/Owner or have custom permissions for reporting
+            return false;
+        }
+
+        return await CipherBelongsToOrgAsync(org, task.CipherId.Value);
+    }
+
+    private async Task<bool> CanUpdateAsync(SecurityTask task, CurrentContextOrganization org)
+    {
+        if (!task.CipherId.HasValue)
+        {
+            // Tasks without cipher IDs are not possible currently
+            return false;
+        }
+
+        // Only users that can edit the cipher can update the task
+        return await CanEditCipherForOrgAsync(org, task.CipherId.Value);
+    }
+
+    private async Task<bool> CanEditCipherForOrgAsync(CurrentContextOrganization org, Guid cipherId)
+    {
+        var ciphers = await GetCipherPermissionsForOrgAsync(org);
+
+        return ciphers.TryGetValue(cipherId, out var cipher) && cipher.Edit;
+    }
+
+    private async Task<bool> CanReadCipherForOrgAsync(CurrentContextOrganization org, Guid cipherId)
+    {
+        var ciphers = await GetCipherPermissionsForOrgAsync(org);
+
+        return ciphers.TryGetValue(cipherId, out var cipher) && cipher.Read;
+    }
+
+    private async Task<bool> CipherBelongsToOrgAsync(CurrentContextOrganization org, Guid cipherId)
+    {
+        var ciphers = await GetCipherPermissionsForOrgAsync(org);
+
+        return ciphers.ContainsKey(cipherId);
+    }
+
+    private bool HasAdminAccessToSecurityTasks(CurrentContextOrganization org)
+    {
+        return org is
+        { Type: OrganizationUserType.Admin or OrganizationUserType.Owner } or
+        { Type: OrganizationUserType.Custom, Permissions.AccessReports: true };
+    }
+
+    private async Task<IDictionary<Guid, OrganizationCipherPermission>> GetCipherPermissionsForOrgAsync(CurrentContextOrganization organization)
+    {
+        // Re-use permissions we've already fetched for the organization
+        if (_cipherPermissionCache.TryGetValue(organization.Id, out var cachedCiphers))
+        {
+            return cachedCiphers;
+        }
+
+        var cipherPermissions = await _getCipherPermissionsForUserQuery.GetByOrganization(organization.Id);
+
+        _cipherPermissionCache.Add(organization.Id, cipherPermissions);
+
+        return cipherPermissions;
+    }
+}
diff --git a/src/Core/Vault/Authorization/SecurityTasks/SecurityTaskOperationRequirement.cs b/src/Core/Vault/Authorization/SecurityTasks/SecurityTaskOperationRequirement.cs
new file mode 100644
index 0000000000..4ced1d70b9
--- /dev/null
+++ b/src/Core/Vault/Authorization/SecurityTasks/SecurityTaskOperationRequirement.cs
@@ -0,0 +1,27 @@
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace Bit.Core.Vault.Authorization.SecurityTasks;
+
+public class SecurityTaskOperationRequirement : OperationAuthorizationRequirement
+{
+    public SecurityTaskOperationRequirement(string name)
+    {
+        Name = name;
+    }
+}
+
+public static class SecurityTaskOperations
+{
+    public static readonly SecurityTaskOperationRequirement Read = new SecurityTaskOperationRequirement(nameof(Read));
+    public static readonly SecurityTaskOperationRequirement Create = new SecurityTaskOperationRequirement(nameof(Create));
+    public static readonly SecurityTaskOperationRequirement Update = new SecurityTaskOperationRequirement(nameof(Update));
+
+    /// <summary>
+    /// List all security tasks for a specific organization.
+    /// <example><code>
+    /// var orgContext = _currentContext.GetOrganization(organizationId);
+    /// _authorizationService.AuthorizeOrThrowAsync(User, SecurityTaskOperations.ListAllForOrganization, orgContext);
+    /// </code></example>
+    /// </summary>
+    public static readonly SecurityTaskOperationRequirement ListAllForOrganization = new SecurityTaskOperationRequirement(nameof(ListAllForOrganization));
+}
diff --git a/src/Core/Vault/Authorization/SecurityTasks/SecurityTaskOrganizationAuthorizationHandler.cs b/src/Core/Vault/Authorization/SecurityTasks/SecurityTaskOrganizationAuthorizationHandler.cs
new file mode 100644
index 0000000000..ec3800dc94
--- /dev/null
+++ b/src/Core/Vault/Authorization/SecurityTasks/SecurityTaskOrganizationAuthorizationHandler.cs
@@ -0,0 +1,47 @@
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.Vault.Authorization.SecurityTasks;
+
+public class
+    SecurityTaskOrganizationAuthorizationHandler : AuthorizationHandler<SecurityTaskOperationRequirement,
+    CurrentContextOrganization>
+{
+    private readonly ICurrentContext _currentContext;
+
+    public SecurityTaskOrganizationAuthorizationHandler(ICurrentContext currentContext)
+    {
+        _currentContext = currentContext;
+    }
+
+    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
+        SecurityTaskOperationRequirement requirement,
+        CurrentContextOrganization resource)
+    {
+        if (!_currentContext.UserId.HasValue)
+        {
+            return Task.CompletedTask;
+        }
+
+        var authorized = requirement switch
+        {
+            not null when requirement == SecurityTaskOperations.ListAllForOrganization => CanListAllTasksForOrganization(resource),
+            _ => throw new ArgumentOutOfRangeException(nameof(requirement), requirement, null)
+        };
+
+        if (authorized)
+        {
+            context.Succeed(requirement);
+        }
+
+        return Task.CompletedTask;
+    }
+
+    private static bool CanListAllTasksForOrganization(CurrentContextOrganization org)
+    {
+        return org is
+        { Type: OrganizationUserType.Admin or OrganizationUserType.Owner } or
+        { Type: OrganizationUserType.Custom, Permissions.AccessReports: true };
+    }
+}
diff --git a/src/Core/Vault/Models/Data/OrganizationCipherPermission.cs b/src/Core/Vault/Models/Data/OrganizationCipherPermission.cs
new file mode 100644
index 0000000000..c89284c2b4
--- /dev/null
+++ b/src/Core/Vault/Models/Data/OrganizationCipherPermission.cs
@@ -0,0 +1,40 @@
+namespace Bit.Core.Vault.Models.Data;
+
+/// <summary>
+/// Data model that represents a Users permissions for a given cipher
+/// that belongs to an organization.
+/// To be used internally for authorization.
+/// </summary>
+public class OrganizationCipherPermission
+{
+    /// <summary>
+    /// The cipher Id
+    /// </summary>
+    public Guid Id { get; set; }
+
+    /// <summary>
+    /// The organization Id that the cipher belongs to.
+    /// </summary>
+    public Guid OrganizationId { get; set; }
+
+    /// <summary>
+    /// The user can read the cipher.
+    /// See <see cref="ViewPassword"/> for password visibility.
+    /// </summary>
+    public bool Read { get; set; }
+
+    /// <summary>
+    /// The user has permission to view the password of the cipher.
+    /// </summary>
+    public bool ViewPassword { get; set; }
+
+    /// <summary>
+    /// The user has permission to edit the cipher.
+    /// </summary>
+    public bool Edit { get; set; }
+
+    /// <summary>
+    /// The user has manage level access to the cipher.
+    /// </summary>
+    public bool Manage { get; set; }
+}
diff --git a/src/Core/Vault/Queries/GetCipherPermissionsForUserQuery.cs b/src/Core/Vault/Queries/GetCipherPermissionsForUserQuery.cs
new file mode 100644
index 0000000000..5cce87e958
--- /dev/null
+++ b/src/Core/Vault/Queries/GetCipherPermissionsForUserQuery.cs
@@ -0,0 +1,97 @@
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Services;
+using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Repositories;
+
+namespace Bit.Core.Vault.Queries;
+
+public class GetCipherPermissionsForUserQuery : IGetCipherPermissionsForUserQuery
+{
+    private readonly ICurrentContext _currentContext;
+    private readonly ICipherRepository _cipherRepository;
+    private readonly IApplicationCacheService _applicationCacheService;
+
+    public GetCipherPermissionsForUserQuery(ICurrentContext currentContext, ICipherRepository cipherRepository, IApplicationCacheService applicationCacheService)
+    {
+        _currentContext = currentContext;
+        _cipherRepository = cipherRepository;
+        _applicationCacheService = applicationCacheService;
+    }
+
+    public async Task<IDictionary<Guid, OrganizationCipherPermission>> GetByOrganization(Guid organizationId)
+    {
+        var org = _currentContext.GetOrganization(organizationId);
+        var userId = _currentContext.UserId;
+
+        if (org == null || !userId.HasValue)
+        {
+            throw new NotFoundException();
+        }
+
+        var cipherPermissions =
+            (await _cipherRepository.GetCipherPermissionsForOrganizationAsync(organizationId, userId.Value))
+            .ToList()
+            .ToDictionary(c => c.Id);
+
+        if (await CanEditAllCiphersAsync(org))
+        {
+            foreach (var cipher in cipherPermissions)
+            {
+                cipher.Value.Read = true;
+                cipher.Value.Edit = true;
+                cipher.Value.Manage = true;
+                cipher.Value.ViewPassword = true;
+            }
+        }
+        else if (await CanAccessUnassignedCiphersAsync(org))
+        {
+            var unassignedCiphers = await _cipherRepository.GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organizationId);
+            foreach (var unassignedCipher in unassignedCiphers)
+            {
+                if (cipherPermissions.TryGetValue(unassignedCipher.Id, out var p))
+                {
+                    p.Read = true;
+                    p.Edit = true;
+                    p.Manage = true;
+                    p.ViewPassword = true;
+                }
+            }
+        }
+
+        return cipherPermissions;
+    }
+
+    private async Task<bool> CanEditAllCiphersAsync(CurrentContextOrganization org)
+    {
+        // Custom users with EditAnyCollection permissions can always edit all ciphers
+        if (org is { Type: OrganizationUserType.Custom, Permissions.EditAnyCollection: true })
+        {
+            return true;
+        }
+
+        var orgAbility = await _applicationCacheService.GetOrganizationAbilityAsync(org.Id);
+
+        // Owners/Admins can only edit all ciphers if the organization has the setting enabled
+        if (orgAbility is { AllowAdminAccessToAllCollectionItems: true } && org is
+            { Type: OrganizationUserType.Admin or OrganizationUserType.Owner })
+        {
+            return true;
+        }
+
+        return false;
+    }
+
+    private async Task<bool> CanAccessUnassignedCiphersAsync(CurrentContextOrganization org)
+    {
+        if (org is
+        { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
+        { Permissions.EditAnyCollection: true })
+        {
+            return true;
+        }
+
+        return false;
+    }
+}
diff --git a/src/Core/Vault/Queries/IGetCipherPermissionsForUserQuery.cs b/src/Core/Vault/Queries/IGetCipherPermissionsForUserQuery.cs
new file mode 100644
index 0000000000..3ab40f26f0
--- /dev/null
+++ b/src/Core/Vault/Queries/IGetCipherPermissionsForUserQuery.cs
@@ -0,0 +1,19 @@
+using Bit.Core.Vault.Models.Data;
+
+namespace Bit.Core.Vault.Queries;
+
+public interface IGetCipherPermissionsForUserQuery
+{
+    /// <summary>
+    /// Retrieves the permissions of every organization cipher (including unassigned) for the
+    /// ICurrentContext's user.
+    ///
+    /// It considers the Collection Management setting for allowing Admin/Owners access to all ciphers.
+    /// </summary>
+    /// <remarks>
+    /// The primary use case of this query is internal cipher authorization logic.
+    /// </remarks>
+    /// <param name="organizationId"></param>
+    /// <returns>A dictionary of CipherIds and a corresponding OrganizationCipherPermission</returns>
+    public Task<IDictionary<Guid, OrganizationCipherPermission>> GetByOrganization(Guid organizationId);
+}
diff --git a/src/Core/Vault/Repositories/ICipherRepository.cs b/src/Core/Vault/Repositories/ICipherRepository.cs
index f3f34c595b..2950cb99c2 100644
--- a/src/Core/Vault/Repositories/ICipherRepository.cs
+++ b/src/Core/Vault/Repositories/ICipherRepository.cs
@@ -39,6 +39,16 @@ public interface ICipherRepository : IRepository<Cipher, Guid>
     Task<DateTime> RestoreByIdsOrganizationIdAsync(IEnumerable<Guid> ids, Guid organizationId);
     Task DeleteDeletedAsync(DateTime deletedDateBefore);
 
+    /// <summary>
+    /// Low-level query to get all cipher permissions for a user in an organization. DOES NOT consider the user's
+    /// organization role, any collection management settings on the organization, or special unassigned cipher
+    /// permissions.
+    ///
+    /// Recommended to use <see cref="IGetCipherPermissionsForUserQuery"/> instead to handle those cases.
+    /// </summary>
+    Task<ICollection<OrganizationCipherPermission>> GetCipherPermissionsForOrganizationAsync(Guid organizationId,
+        Guid userId);
+
     /// <summary>
     /// Updates encrypted data for ciphers during a key rotation
     /// </summary>
diff --git a/src/Core/Vault/VaultServiceCollectionExtensions.cs b/src/Core/Vault/VaultServiceCollectionExtensions.cs
index 15cb01f1a0..4995d0405f 100644
--- a/src/Core/Vault/VaultServiceCollectionExtensions.cs
+++ b/src/Core/Vault/VaultServiceCollectionExtensions.cs
@@ -19,5 +19,6 @@ public static class VaultServiceCollectionExtensions
         services.AddScoped<IOrganizationCiphersQuery, OrganizationCiphersQuery>();
         services.AddScoped<IGetTaskDetailsForUserQuery, GetTaskDetailsForUserQuery>();
         services.AddScoped<IMarkTaskAsCompleteCommand, MarkTaskAsCompletedCommand>();
+        services.AddScoped<IGetCipherPermissionsForUserQuery, GetCipherPermissionsForUserQuery>();
     }
 }
diff --git a/src/Infrastructure.Dapper/Vault/Repositories/CipherRepository.cs b/src/Infrastructure.Dapper/Vault/Repositories/CipherRepository.cs
index 69b1383f4b..098e8299e4 100644
--- a/src/Infrastructure.Dapper/Vault/Repositories/CipherRepository.cs
+++ b/src/Infrastructure.Dapper/Vault/Repositories/CipherRepository.cs
@@ -309,6 +309,20 @@ public class CipherRepository : Repository<Cipher, Guid>, ICipherRepository
         }
     }
 
+    public async Task<ICollection<OrganizationCipherPermission>> GetCipherPermissionsForOrganizationAsync(
+        Guid organizationId, Guid userId)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var results = await connection.QueryAsync<OrganizationCipherPermission>(
+                $"[{Schema}].[CipherOrganizationPermissions_GetManyByOrganizationId]",
+                new { OrganizationId = organizationId, UserId = userId },
+                commandType: CommandType.StoredProcedure);
+
+            return results.ToList();
+        }
+    }
+
     /// <inheritdoc />
     public UpdateEncryptedDataForKeyRotation UpdateForKeyRotation(
         Guid userId, IEnumerable<Cipher> ciphers)
diff --git a/src/Infrastructure.EntityFramework/Vault/Repositories/CipherRepository.cs b/src/Infrastructure.EntityFramework/Vault/Repositories/CipherRepository.cs
index c12167a78c..6a4ffb4b35 100644
--- a/src/Infrastructure.EntityFramework/Vault/Repositories/CipherRepository.cs
+++ b/src/Infrastructure.EntityFramework/Vault/Repositories/CipherRepository.cs
@@ -302,6 +302,52 @@ public class CipherRepository : Repository<Core.Vault.Entities.Cipher, Cipher, G
         }
     }
 
+    public async Task<ICollection<OrganizationCipherPermission>>
+        GetCipherPermissionsForOrganizationAsync(Guid organizationId, Guid userId)
+    {
+        using (var scope = ServiceScopeFactory.CreateScope())
+        {
+            var dbContext = GetDatabaseContext(scope);
+            var query = new CipherOrganizationPermissionsQuery(organizationId, userId).Run(dbContext);
+
+            ICollection<OrganizationCipherPermission> permissions;
+
+            // SQLite does not support the GROUP BY clause
+            if (dbContext.Database.IsSqlite())
+            {
+                permissions = (await query.ToListAsync())
+                    .GroupBy(c => new { c.Id, c.OrganizationId })
+                    .Select(g => new OrganizationCipherPermission
+                    {
+                        Id = g.Key.Id,
+                        OrganizationId = g.Key.OrganizationId,
+                        Read = Convert.ToBoolean(g.Max(c => Convert.ToInt32(c.Read))),
+                        ViewPassword = Convert.ToBoolean(g.Max(c => Convert.ToInt32(c.ViewPassword))),
+                        Edit = Convert.ToBoolean(g.Max(c => Convert.ToInt32(c.Edit))),
+                        Manage = Convert.ToBoolean(g.Max(c => Convert.ToInt32(c.Manage))),
+                    }).ToList();
+            }
+            else
+            {
+                var groupByQuery = from p in query
+                                   group p by new { p.Id, p.OrganizationId }
+                    into g
+                                   select new OrganizationCipherPermission
+                                   {
+                                       Id = g.Key.Id,
+                                       OrganizationId = g.Key.OrganizationId,
+                                       Read = Convert.ToBoolean(g.Max(c => Convert.ToInt32(c.Read))),
+                                       ViewPassword = Convert.ToBoolean(g.Max(c => Convert.ToInt32(c.ViewPassword))),
+                                       Edit = Convert.ToBoolean(g.Max(c => Convert.ToInt32(c.Edit))),
+                                       Manage = Convert.ToBoolean(g.Max(c => Convert.ToInt32(c.Manage))),
+                                   };
+                permissions = await groupByQuery.ToListAsync();
+            }
+
+            return permissions;
+        }
+    }
+
     public async Task<CipherDetails> GetByIdAsync(Guid id, Guid userId)
     {
         using (var scope = ServiceScopeFactory.CreateScope())
diff --git a/src/Infrastructure.EntityFramework/Vault/Repositories/Queries/CipherOrganizationPermissionsQuery.cs b/src/Infrastructure.EntityFramework/Vault/Repositories/Queries/CipherOrganizationPermissionsQuery.cs
new file mode 100644
index 0000000000..89e70f4f92
--- /dev/null
+++ b/src/Infrastructure.EntityFramework/Vault/Repositories/Queries/CipherOrganizationPermissionsQuery.cs
@@ -0,0 +1,63 @@
+using Bit.Core.Vault.Models.Data;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Bit.Infrastructure.EntityFramework.Repositories.Queries;
+
+namespace Bit.Infrastructure.EntityFramework.Vault.Repositories.Queries;
+
+public class CipherOrganizationPermissionsQuery : IQuery<OrganizationCipherPermission>
+{
+    private readonly Guid _organizationId;
+    private readonly Guid _userId;
+
+    public CipherOrganizationPermissionsQuery(Guid organizationId, Guid userId)
+    {
+        _organizationId = organizationId;
+        _userId = userId;
+    }
+
+    public IQueryable<OrganizationCipherPermission> Run(DatabaseContext dbContext)
+    {
+        return from c in dbContext.Ciphers
+
+               join ou in dbContext.OrganizationUsers
+                   on new { CipherUserId = c.UserId, c.OrganizationId, UserId = (Guid?)_userId } equals
+                   new { CipherUserId = (Guid?)null, OrganizationId = (Guid?)ou.OrganizationId, ou.UserId, }
+
+               join o in dbContext.Organizations
+                   on new { c.OrganizationId, OuOrganizationId = ou.OrganizationId, Enabled = true } equals
+                   new { OrganizationId = (Guid?)o.Id, OuOrganizationId = o.Id, o.Enabled }
+
+               join cc in dbContext.CollectionCiphers
+                   on c.Id equals cc.CipherId into cc_g
+               from cc in cc_g.DefaultIfEmpty()
+
+               join cu in dbContext.CollectionUsers
+                   on new { cc.CollectionId, OrganizationUserId = ou.Id } equals
+                   new { cu.CollectionId, cu.OrganizationUserId } into cu_g
+               from cu in cu_g.DefaultIfEmpty()
+
+               join gu in dbContext.GroupUsers
+                   on new { CollectionId = (Guid?)cu.CollectionId, OrganizationUserId = ou.Id } equals
+                   new { CollectionId = (Guid?)null, gu.OrganizationUserId } into gu_g
+               from gu in gu_g.DefaultIfEmpty()
+
+               join g in dbContext.Groups
+                   on gu.GroupId equals g.Id into g_g
+               from g in g_g.DefaultIfEmpty()
+
+               join cg in dbContext.CollectionGroups
+                   on new { cc.CollectionId, gu.GroupId } equals
+                   new { cg.CollectionId, cg.GroupId } into cg_g
+               from cg in cg_g.DefaultIfEmpty()
+
+               select new OrganizationCipherPermission()
+               {
+                   Id = c.Id,
+                   OrganizationId = o.Id,
+                   Read = cu != null || cg != null,
+                   ViewPassword = !((bool?)cu.HidePasswords ?? (bool?)cg.HidePasswords ?? true),
+                   Edit = !((bool?)cu.ReadOnly ?? (bool?)cg.ReadOnly ?? true),
+                   Manage = (bool?)cu.Manage ?? (bool?)cg.Manage ?? false,
+               };
+    }
+}
diff --git a/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherOrganizationPermissions_GetManyByOrganizationId.sql b/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherOrganizationPermissions_GetManyByOrganizationId.sql
new file mode 100644
index 0000000000..3fb5b53da7
--- /dev/null
+++ b/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherOrganizationPermissions_GetManyByOrganizationId.sql	
@@ -0,0 +1,76 @@
+CREATE PROCEDURE [dbo].[CipherOrganizationPermissions_GetManyByOrganizationId]
+    @OrganizationId UNIQUEIDENTIFIER,
+    @UserId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    ;WITH BaseCiphers AS (
+        SELECT C.[Id], C.[OrganizationId]
+        FROM [dbo].[CipherDetails](@UserId) C
+        INNER JOIN [OrganizationUser] OU ON
+            C.[UserId] IS NULL
+            AND C.[OrganizationId] = @OrganizationId
+            AND OU.[UserId] = @UserId
+        INNER JOIN [dbo].[Organization] O ON
+            O.[Id] = OU.[OrganizationId]
+            AND O.[Id] = C.[OrganizationId]
+            AND O.[Enabled] = 1
+    ),
+    UserPermissions AS (
+        SELECT DISTINCT
+            CC.[CipherId],
+            CASE WHEN CC.[CollectionId] IS NULL THEN 0 ELSE 1 END as [Read],
+            CASE WHEN CU.[HidePasswords] = 0 THEN 1 ELSE 0 END as [ViewPassword],
+            CASE WHEN CU.[ReadOnly] = 0 THEN 1 ELSE 0 END as [Edit],
+            COALESCE(CU.[Manage], 0) as [Manage]
+        FROM [dbo].[CollectionCipher] CC
+        INNER JOIN [dbo].[CollectionUser] CU ON
+            CU.[CollectionId] = CC.[CollectionId]
+            AND CU.[OrganizationUserId] = (
+                SELECT [Id] FROM [OrganizationUser]
+                WHERE [UserId] = @UserId
+                AND [OrganizationId] = @OrganizationId
+            )
+    ),
+    GroupPermissions AS (
+        SELECT DISTINCT
+            CC.[CipherId],
+            CASE WHEN CC.[CollectionId] IS NULL THEN 0 ELSE 1 END as [Read],
+            CASE WHEN CG.[HidePasswords] = 0 THEN 1 ELSE 0 END as [ViewPassword],
+            CASE WHEN CG.[ReadOnly] = 0 THEN 1 ELSE 0 END as [Edit],
+            COALESCE(CG.[Manage], 0) as [Manage]
+        FROM [dbo].[CollectionCipher] CC
+        INNER JOIN [dbo].[CollectionGroup] CG ON
+            CG.[CollectionId] = CC.[CollectionId]
+        INNER JOIN [dbo].[GroupUser] GU ON
+            GU.[GroupId] = CG.[GroupId]
+            AND GU.[OrganizationUserId] = (
+                SELECT [Id] FROM [OrganizationUser]
+                WHERE [UserId] = @UserId
+                AND [OrganizationId] = @OrganizationId
+            )
+        WHERE NOT EXISTS (
+            SELECT 1
+            FROM UserPermissions UP
+            WHERE UP.[CipherId] = CC.[CipherId]
+        )
+    ),
+    CombinedPermissions AS (
+        SELECT CipherId, [Read], ViewPassword, Edit, Manage
+        FROM UserPermissions
+        UNION ALL
+        SELECT CipherId, [Read], ViewPassword, Edit, Manage
+        FROM GroupPermissions
+    )
+    SELECT
+        C.[Id],
+        C.[OrganizationId],
+        ISNULL(MAX(P.[Read]), 0) as [Read],
+        ISNULL(MAX(P.[ViewPassword]), 0) as [ViewPassword],
+        ISNULL(MAX(P.[Edit]), 0) as [Edit],
+        ISNULL(MAX(P.[Manage]), 0) as [Manage]
+    FROM BaseCiphers C
+    LEFT JOIN CombinedPermissions P ON P.CipherId = C.[Id]
+    GROUP BY C.[Id], C.[OrganizationId]
+END
diff --git a/test/Core.Test/Vault/Authorization/SecurityTaskAuthorizationHandlerTests.cs b/test/Core.Test/Vault/Authorization/SecurityTaskAuthorizationHandlerTests.cs
new file mode 100644
index 0000000000..43bdceac98
--- /dev/null
+++ b/test/Core.Test/Vault/Authorization/SecurityTaskAuthorizationHandlerTests.cs
@@ -0,0 +1,430 @@
+using System.Security.Claims;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Bit.Core.Vault.Authorization.SecurityTasks;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Queries;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Authorization;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Vault.Authorization;
+
+[SutProviderCustomize]
+public class SecurityTaskAuthorizationHandlerTests
+{
+    [Theory, CurrentContextOrganizationCustomize, BitAutoData]
+    public async Task MissingOrg_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns((CurrentContextOrganization)null);
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Read },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize, BitAutoData]
+    public async Task MissingCipherId_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var operations = new[]
+        {
+            SecurityTaskOperations.Read, SecurityTaskOperations.Create, SecurityTaskOperations.Update
+        };
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = null
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        foreach (var operation in operations)
+        {
+            var context = new AuthorizationHandlerContext(
+                new[] { operation },
+                new ClaimsPrincipal(),
+                task);
+
+            await sutProvider.Sut.HandleAsync(context);
+
+            Assert.False(context.HasSucceeded, operation.ToString());
+        }
+
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.User), BitAutoData]
+    public async Task Read_User_CanReadCipher_Success(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+        var cipherPermissions = new OrganizationCipherPermission
+        {
+            Id = task.CipherId.Value,
+            Read = true
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>
+        {
+            { task.CipherId.Value, cipherPermissions }
+        });
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Read },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.Admin), BitAutoData]
+    public async Task Read_Admin_Success(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+        var cipherPermissions = new OrganizationCipherPermission
+        {
+            Id = task.CipherId.Value,
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>
+        {
+            { task.CipherId.Value, cipherPermissions }
+        });
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Read },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.Admin), BitAutoData]
+    public async Task Read_Admin_MissingCipher_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>());
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Read },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.User), BitAutoData]
+    public async Task Read_User_CannotReadCipher_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+        var cipherPermissions = new OrganizationCipherPermission
+        {
+            Id = task.CipherId.Value,
+            Read = false
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>
+        {
+            { task.CipherId.Value, cipherPermissions }
+        });
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Read },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.User), BitAutoData]
+    public async Task Create_User_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+        var cipherPermissions = new OrganizationCipherPermission
+        {
+            Id = task.CipherId.Value,
+            Read = true,
+            Edit = true,
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>
+        {
+            { task.CipherId.Value, cipherPermissions }
+        });
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Create },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.Admin), BitAutoData]
+    public async Task Create_Admin_MissingCipher_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>());
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Create },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.Admin), BitAutoData]
+    public async Task Create_Admin_Success(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+        var cipherPermissions = new OrganizationCipherPermission
+        {
+            Id = task.CipherId.Value,
+            Read = true,
+            Edit = true,
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>
+        {
+            { task.CipherId.Value, cipherPermissions }
+        });
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Create },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.User), BitAutoData]
+    public async Task Update_User_CanEditCipher_Success(
+    CurrentContextOrganization organization,
+    SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+        var cipherPermissions = new OrganizationCipherPermission
+        {
+            Id = task.CipherId.Value,
+            Read = true,
+            Edit = true
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>
+        {
+            { task.CipherId.Value, cipherPermissions }
+        });
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Update },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.Admin), BitAutoData]
+    public async Task Update_Admin_CanEditCipher_Success(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+        var cipherPermissions = new OrganizationCipherPermission
+        {
+            Id = task.CipherId.Value,
+            Edit = true
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>
+        {
+            { task.CipherId.Value, cipherPermissions }
+        });
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Update },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.Admin), BitAutoData]
+    public async Task Read_Admin_ReadonlyCipher_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>());
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Update },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.User), BitAutoData]
+    public async Task Update_User_CannotEditCipher_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        var task = new SecurityTask
+        {
+            OrganizationId = organization.Id,
+            CipherId = Guid.NewGuid()
+        };
+        var cipherPermissions = new OrganizationCipherPermission
+        {
+            Id = task.CipherId.Value,
+            Read = true,
+            Edit = false
+        };
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>().GetByOrganization(organization.Id).Returns(new Dictionary<Guid, OrganizationCipherPermission>
+        {
+            { task.CipherId.Value, cipherPermissions }
+        });
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.Update },
+            new ClaimsPrincipal(),
+            task);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+}
diff --git a/test/Core.Test/Vault/Authorization/SecurityTaskOrganizationAuthorizationHandlerTests.cs b/test/Core.Test/Vault/Authorization/SecurityTaskOrganizationAuthorizationHandlerTests.cs
new file mode 100644
index 0000000000..d0b2ecbcf0
--- /dev/null
+++ b/test/Core.Test/Vault/Authorization/SecurityTaskOrganizationAuthorizationHandlerTests.cs
@@ -0,0 +1,104 @@
+using System.Security.Claims;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Bit.Core.Vault.Authorization.SecurityTasks;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Authorization;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Vault.Authorization;
+
+[SutProviderCustomize]
+public class SecurityTaskOrganizationAuthorizationHandlerTests
+{
+    [Theory, CurrentContextOrganizationCustomize, BitAutoData]
+    public async Task MissingOrg_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskOrganizationAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns((CurrentContextOrganization)null);
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.ListAllForOrganization },
+            new ClaimsPrincipal(),
+            organization);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize, BitAutoData]
+    public async Task MissingUserId_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskOrganizationAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(null as Guid?);
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.ListAllForOrganization },
+            new ClaimsPrincipal(),
+            organization);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    [BitAutoData(OrganizationUserType.Custom)]
+    public async Task ListAllForOrganization_Admin_Success(
+        OrganizationUserType userType,
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskOrganizationAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        organization.Type = userType;
+        if (organization.Type == OrganizationUserType.Custom)
+        {
+            organization.Permissions.AccessReports = true;
+        }
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.ListAllForOrganization },
+            new ClaimsPrincipal(),
+            organization);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, CurrentContextOrganizationCustomize(Type = OrganizationUserType.User), BitAutoData]
+    public async Task ListAllForOrganization_User_Failure(
+        CurrentContextOrganization organization,
+        SutProvider<SecurityTaskOrganizationAuthorizationHandler> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        var context = new AuthorizationHandlerContext(
+            new[] { SecurityTaskOperations.ListAllForOrganization },
+            new ClaimsPrincipal(),
+            organization);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+}
diff --git a/test/Core.Test/Vault/Queries/GetCipherPermissionsForUserQueryTests.cs b/test/Core.Test/Vault/Queries/GetCipherPermissionsForUserQueryTests.cs
new file mode 100644
index 0000000000..0afac58925
--- /dev/null
+++ b/test/Core.Test/Vault/Queries/GetCipherPermissionsForUserQueryTests.cs
@@ -0,0 +1,238 @@
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data.Organizations;
+using Bit.Core.Services;
+using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Queries;
+using Bit.Core.Vault.Repositories;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Vault.Queries;
+
+[SutProviderCustomize]
+public class GetCipherPermissionsForUserQueryTests
+{
+    private static Guid _noAccessCipherId = Guid.NewGuid();
+    private static Guid _readOnlyCipherId = Guid.NewGuid();
+    private static Guid _editCipherId = Guid.NewGuid();
+    private static Guid _manageCipherId = Guid.NewGuid();
+    private static Guid _readExceptPasswordCipherId = Guid.NewGuid();
+    private static Guid _unassignedCipherId = Guid.NewGuid();
+
+    private static List<Guid> _cipherIds = new[]
+    {
+        _noAccessCipherId,
+        _readOnlyCipherId,
+        _editCipherId,
+        _manageCipherId,
+        _readExceptPasswordCipherId,
+        _unassignedCipherId
+    }.ToList();
+
+
+    [Theory, BitAutoData]
+    public async Task GetCipherPermissionsForUserQuery_Base(Guid userId, CurrentContextOrganization org, SutProvider<GetCipherPermissionsForUserQuery> sutProvider
+    )
+    {
+        var organizationId = org.Id;
+        org.Type = OrganizationUserType.User;
+        org.Permissions.EditAnyCollection = false;
+        var cipherPermissions = CreateCipherPermissions();
+
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organizationId).Returns(org);
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+
+        sutProvider.GetDependency<ICipherRepository>().GetCipherPermissionsForOrganizationAsync(organizationId, userId)
+            .Returns(cipherPermissions);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organizationId)
+            .Returns(new List<CipherOrganizationDetails>
+            {
+                new() { Id = _unassignedCipherId }
+            });
+
+        var result = await sutProvider.Sut.GetByOrganization(organizationId);
+
+        Assert.Equal(6, result.Count);
+        Assert.All(result, x => Assert.Contains(x.Key, _cipherIds));
+        Assert.False(result[_noAccessCipherId].Read);
+        Assert.True(result[_readOnlyCipherId].Read);
+        Assert.False(result[_readOnlyCipherId].Edit);
+        Assert.True(result[_editCipherId].Edit);
+        Assert.True(result[_manageCipherId].Manage);
+        Assert.True(result[_readExceptPasswordCipherId].Read);
+        Assert.False(result[_readExceptPasswordCipherId].ViewPassword);
+        Assert.False(result[_unassignedCipherId].Read);
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetCipherPermissionsForUserQuery_CanEditAllCiphers_CustomUser(Guid userId, CurrentContextOrganization org, SutProvider<GetCipherPermissionsForUserQuery> sutProvider
+    )
+    {
+        var organizationId = org.Id;
+        var cipherPermissions = CreateCipherPermissions();
+        org.Permissions.EditAnyCollection = true;
+        org.Type = OrganizationUserType.Custom;
+
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organizationId).Returns(org);
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+
+        sutProvider.GetDependency<ICipherRepository>().GetCipherPermissionsForOrganizationAsync(organizationId, userId)
+            .Returns(cipherPermissions);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organizationId)
+            .Returns(new List<CipherOrganizationDetails>
+            {
+                new() { Id = _unassignedCipherId }
+            });
+
+        var result = await sutProvider.Sut.GetByOrganization(organizationId);
+
+        Assert.Equal(6, result.Count);
+        Assert.All(result, x => Assert.Contains(x.Key, _cipherIds));
+        Assert.All(result, x => Assert.True(x.Value.Read && x.Value.Edit && x.Value.Manage && x.Value.ViewPassword));
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetCipherPermissionsForUserQuery_CanEditAllCiphers_Admin(Guid userId, CurrentContextOrganization org, SutProvider<GetCipherPermissionsForUserQuery> sutProvider
+    )
+    {
+        var organizationId = org.Id;
+        var cipherPermissions = CreateCipherPermissions();
+        org.Permissions.EditAnyCollection = false;
+        org.Type = OrganizationUserType.Admin;
+
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organizationId).Returns(org);
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(org.Id).Returns(new OrganizationAbility
+        {
+            AllowAdminAccessToAllCollectionItems = true
+        });
+
+        sutProvider.GetDependency<ICipherRepository>().GetCipherPermissionsForOrganizationAsync(organizationId, userId)
+            .Returns(cipherPermissions);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organizationId)
+            .Returns(new List<CipherOrganizationDetails>
+            {
+                new() { Id = _unassignedCipherId }
+            });
+
+        var result = await sutProvider.Sut.GetByOrganization(organizationId);
+
+        Assert.Equal(6, result.Count);
+        Assert.All(result, x => Assert.Contains(x.Key, _cipherIds));
+        Assert.All(result, x => Assert.True(x.Value.Read && x.Value.Edit && x.Value.Manage && x.Value.ViewPassword));
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetCipherPermissionsForUserQuery_CanEditUnassignedCiphers(Guid userId, CurrentContextOrganization org, SutProvider<GetCipherPermissionsForUserQuery> sutProvider
+    )
+    {
+        var organizationId = org.Id;
+        var cipherPermissions = CreateCipherPermissions();
+        org.Type = OrganizationUserType.Owner;
+        org.Permissions.EditAnyCollection = false;
+
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organizationId).Returns(org);
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+
+        sutProvider.GetDependency<ICipherRepository>().GetCipherPermissionsForOrganizationAsync(organizationId, userId)
+            .Returns(cipherPermissions);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organizationId)
+            .Returns(new List<CipherOrganizationDetails>
+            {
+                new() { Id = _unassignedCipherId }
+            });
+
+        var result = await sutProvider.Sut.GetByOrganization(organizationId);
+
+        Assert.Equal(6, result.Count);
+        Assert.All(result, x => Assert.Contains(x.Key, _cipherIds));
+        Assert.False(result[_noAccessCipherId].Read);
+        Assert.True(result[_readOnlyCipherId].Read);
+        Assert.False(result[_readOnlyCipherId].Edit);
+        Assert.True(result[_editCipherId].Edit);
+        Assert.True(result[_manageCipherId].Manage);
+        Assert.True(result[_readExceptPasswordCipherId].Read);
+        Assert.False(result[_readExceptPasswordCipherId].ViewPassword);
+
+        Assert.True(result[_unassignedCipherId].Read);
+        Assert.True(result[_unassignedCipherId].Edit);
+        Assert.True(result[_unassignedCipherId].ViewPassword);
+        Assert.True(result[_unassignedCipherId].Manage);
+    }
+
+    private List<OrganizationCipherPermission> CreateCipherPermissions()
+    {
+        // User has no relationship with the cipher
+        var noAccessCipher = new OrganizationCipherPermission
+        {
+            Id = _noAccessCipherId,
+            Read = false,
+            Edit = false,
+            Manage = false,
+            ViewPassword = false,
+        };
+
+        var readOnlyCipher = new OrganizationCipherPermission
+        {
+            Id = _readOnlyCipherId,
+            Read = true,
+            Edit = false,
+            Manage = false,
+            ViewPassword = true,
+        };
+
+        var editCipher = new OrganizationCipherPermission
+        {
+            Id = _editCipherId,
+            Read = true,
+            Edit = true,
+            Manage = false,
+            ViewPassword = true,
+        };
+
+        var manageCipher = new OrganizationCipherPermission
+        {
+            Id = _manageCipherId,
+            Read = true,
+            Edit = true,
+            Manage = true,
+            ViewPassword = true,
+        };
+
+        var readExceptPasswordCipher = new OrganizationCipherPermission
+        {
+            Id = _readExceptPasswordCipherId,
+            Read = true,
+            Edit = false,
+            Manage = false,
+            ViewPassword = false,
+        };
+
+        var unassignedCipher = new OrganizationCipherPermission
+        {
+            Id = _unassignedCipherId,
+            Read = false,
+            Edit = false,
+            Manage = false,
+            ViewPassword = false,
+        };
+
+        return new List<OrganizationCipherPermission>
+        {
+            noAccessCipher,
+            readOnlyCipher,
+            editCipher,
+            manageCipher,
+            readExceptPasswordCipher,
+            unassignedCipher
+        };
+    }
+}
diff --git a/test/Infrastructure.IntegrationTest/Vault/Repositories/CipherRepositoryTests.cs b/test/Infrastructure.IntegrationTest/Vault/Repositories/CipherRepositoryTests.cs
index ce9b5ef7ae..97f370bbcd 100644
--- a/test/Infrastructure.IntegrationTest/Vault/Repositories/CipherRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/Vault/Repositories/CipherRepositoryTests.cs
@@ -1,5 +1,6 @@
 using System.Text.Json;
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
@@ -198,4 +199,238 @@ public class CipherRepositoryTests
         Assert.NotEqual(default, userProperty);
         Assert.Equal(folder.Id, userProperty.Value.GetGuid());
     }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetCipherPermissionsForOrganizationAsync_Works(
+        ICipherRepository cipherRepository,
+        IUserRepository userRepository,
+        ICollectionCipherRepository collectionCipherRepository,
+        ICollectionRepository collectionRepository,
+        IOrganizationRepository organizationRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IGroupRepository groupRepository
+        )
+    {
+
+        var user = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User",
+            Email = $"test+{Guid.NewGuid()}@email.com",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+        });
+
+        var organization = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = "Test Organization",
+            BillingEmail = user.Email,
+            Plan = "Test"
+        });
+
+        var orgUser = await organizationUserRepository.CreateAsync(new OrganizationUser
+        {
+            UserId = user.Id,
+            OrganizationId = organization.Id,
+            Status = OrganizationUserStatusType.Confirmed,
+            Type = OrganizationUserType.Owner,
+        });
+
+        // A group that will be assigned Edit permissions to any collections
+        var editGroup = await groupRepository.CreateAsync(new Group
+        {
+            OrganizationId = organization.Id,
+            Name = "Edit Group",
+        });
+        await groupRepository.UpdateUsersAsync(editGroup.Id, new[] { orgUser.Id });
+
+        // MANAGE
+
+        var manageCollection = await collectionRepository.CreateAsync(new Collection
+        {
+            Name = "Manage Collection",
+            OrganizationId = organization.Id
+        });
+
+        var manageCipher = await cipherRepository.CreateAsync(new Cipher
+        {
+            Type = CipherType.Login,
+            OrganizationId = organization.Id,
+            Data = ""
+        });
+
+        await collectionCipherRepository.UpdateCollectionsForAdminAsync(manageCipher.Id, organization.Id,
+            new List<Guid> { manageCollection.Id });
+
+        await collectionRepository.UpdateUsersAsync(manageCollection.Id, new List<CollectionAccessSelection>
+        {
+            new()
+            {
+                Id = orgUser.Id,
+                HidePasswords = false,
+                ReadOnly = false,
+                Manage = true
+            }
+        });
+
+        // EDIT
+
+        var editCollection = await collectionRepository.CreateAsync(new Collection
+        {
+            Name = "Edit Collection",
+            OrganizationId = organization.Id
+        });
+
+        var editCipher = await cipherRepository.CreateAsync(new Cipher
+        {
+            Type = CipherType.Login,
+            OrganizationId = organization.Id,
+            Data = ""
+        });
+
+        await collectionCipherRepository.UpdateCollectionsForAdminAsync(editCipher.Id, organization.Id,
+            new List<Guid> { editCollection.Id });
+
+        await collectionRepository.UpdateUsersAsync(editCollection.Id,
+            new List<CollectionAccessSelection>
+            {
+                new() { Id = orgUser.Id, HidePasswords = false, ReadOnly = false, Manage = false }
+            });
+
+        // EDIT EXCEPT PASSWORD
+
+        var editExceptPasswordCollection = await collectionRepository.CreateAsync(new Collection
+        {
+            Name = "Edit Except Password Collection",
+            OrganizationId = organization.Id
+        });
+
+        var editExceptPasswordCipher = await cipherRepository.CreateAsync(new Cipher
+        {
+            Type = CipherType.Login,
+            OrganizationId = organization.Id,
+            Data = ""
+        });
+
+        await collectionCipherRepository.UpdateCollectionsForAdminAsync(editExceptPasswordCipher.Id, organization.Id,
+            new List<Guid> { editExceptPasswordCollection.Id });
+
+        await collectionRepository.UpdateUsersAsync(editExceptPasswordCollection.Id, new List<CollectionAccessSelection>
+        {
+            new() { Id = orgUser.Id, HidePasswords = true, ReadOnly = false, Manage = false }
+        });
+
+        // VIEW ONLY
+
+        var viewOnlyCollection = await collectionRepository.CreateAsync(new Collection
+        {
+            Name = "View Only Collection",
+            OrganizationId = organization.Id
+        });
+
+        var viewOnlyCipher = await cipherRepository.CreateAsync(new Cipher
+        {
+            Type = CipherType.Login,
+            OrganizationId = organization.Id,
+            Data = ""
+        });
+
+        await collectionCipherRepository.UpdateCollectionsForAdminAsync(viewOnlyCipher.Id, organization.Id,
+            new List<Guid> { viewOnlyCollection.Id });
+
+        await collectionRepository.UpdateUsersAsync(viewOnlyCollection.Id,
+            new List<CollectionAccessSelection>
+            {
+                new() { Id = orgUser.Id, HidePasswords = false, ReadOnly = true, Manage = false }
+            });
+
+        // Assign the EditGroup to this View Only collection. The user belongs to this group.
+        // The user permissions specified above (ViewOnly) should take precedence.
+        await groupRepository.ReplaceAsync(editGroup,
+            new[]
+            {
+                new CollectionAccessSelection
+                {
+                    Id = viewOnlyCollection.Id, HidePasswords = false, ReadOnly = false, Manage = false
+                },
+            });
+
+        // VIEW EXCEPT PASSWORD
+
+        var viewExceptPasswordCollection = await collectionRepository.CreateAsync(new Collection
+        {
+            Name = "View Except Password Collection",
+            OrganizationId = organization.Id
+        });
+
+        var viewExceptPasswordCipher = await cipherRepository.CreateAsync(new Cipher
+        {
+            Type = CipherType.Login,
+            OrganizationId = organization.Id,
+            Data = ""
+        });
+
+        await collectionCipherRepository.UpdateCollectionsForAdminAsync(viewExceptPasswordCipher.Id, organization.Id,
+            new List<Guid> { viewExceptPasswordCollection.Id });
+
+        await collectionRepository.UpdateUsersAsync(viewExceptPasswordCollection.Id,
+            new List<CollectionAccessSelection>
+            {
+                new() { Id = orgUser.Id, HidePasswords = true, ReadOnly = true, Manage = false }
+            });
+
+        // UNASSIGNED
+
+        var unassignedCipher = await cipherRepository.CreateAsync(new Cipher
+        {
+            Type = CipherType.Login,
+            OrganizationId = organization.Id,
+            Data = ""
+        });
+
+        var permissions = await cipherRepository.GetCipherPermissionsForOrganizationAsync(organization.Id, user.Id);
+
+        Assert.NotEmpty(permissions);
+
+        var manageCipherPermission = permissions.FirstOrDefault(c => c.Id == manageCipher.Id);
+        Assert.NotNull(manageCipherPermission);
+        Assert.True(manageCipherPermission.Manage);
+        Assert.True(manageCipherPermission.Edit);
+        Assert.True(manageCipherPermission.Read);
+        Assert.True(manageCipherPermission.ViewPassword);
+
+        var editCipherPermission = permissions.FirstOrDefault(c => c.Id == editCipher.Id);
+        Assert.NotNull(editCipherPermission);
+        Assert.False(editCipherPermission.Manage);
+        Assert.True(editCipherPermission.Edit);
+        Assert.True(editCipherPermission.Read);
+        Assert.True(editCipherPermission.ViewPassword);
+
+        var editExceptPasswordCipherPermission = permissions.FirstOrDefault(c => c.Id == editExceptPasswordCipher.Id);
+        Assert.NotNull(editExceptPasswordCipherPermission);
+        Assert.False(editExceptPasswordCipherPermission.Manage);
+        Assert.True(editExceptPasswordCipherPermission.Edit);
+        Assert.True(editExceptPasswordCipherPermission.Read);
+        Assert.False(editExceptPasswordCipherPermission.ViewPassword);
+
+        var viewOnlyCipherPermission = permissions.FirstOrDefault(c => c.Id == viewOnlyCipher.Id);
+        Assert.NotNull(viewOnlyCipherPermission);
+        Assert.False(viewOnlyCipherPermission.Manage);
+        Assert.False(viewOnlyCipherPermission.Edit);
+        Assert.True(viewOnlyCipherPermission.Read);
+        Assert.True(viewOnlyCipherPermission.ViewPassword);
+
+        var viewExceptPasswordCipherPermission = permissions.FirstOrDefault(c => c.Id == viewExceptPasswordCipher.Id);
+        Assert.NotNull(viewExceptPasswordCipherPermission);
+        Assert.False(viewExceptPasswordCipherPermission.Manage);
+        Assert.False(viewExceptPasswordCipherPermission.Edit);
+        Assert.True(viewExceptPasswordCipherPermission.Read);
+        Assert.False(viewExceptPasswordCipherPermission.ViewPassword);
+
+        var unassignedCipherPermission = permissions.FirstOrDefault(c => c.Id == unassignedCipher.Id);
+        Assert.NotNull(unassignedCipherPermission);
+        Assert.False(unassignedCipherPermission.Manage);
+        Assert.False(unassignedCipherPermission.Edit);
+        Assert.False(unassignedCipherPermission.Read);
+        Assert.False(unassignedCipherPermission.ViewPassword);
+    }
 }
diff --git a/util/Migrator/DbScripts/2025-01-08_00_CipherOrganizationPermissionsQuery.sql b/util/Migrator/DbScripts/2025-01-08_00_CipherOrganizationPermissionsQuery.sql
new file mode 100644
index 0000000000..2da5f5c393
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-01-08_00_CipherOrganizationPermissionsQuery.sql
@@ -0,0 +1,77 @@
+CREATE OR ALTER PROCEDURE [dbo].[CipherOrganizationPermissions_GetManyByOrganizationId]
+    @OrganizationId UNIQUEIDENTIFIER,
+    @UserId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    ;WITH BaseCiphers AS (
+        SELECT C.[Id], C.[OrganizationId]
+        FROM [dbo].[CipherDetails](@UserId) C
+        INNER JOIN [OrganizationUser] OU ON
+            C.[UserId] IS NULL
+            AND C.[OrganizationId] = @OrganizationId
+            AND OU.[UserId] = @UserId
+        INNER JOIN [dbo].[Organization] O ON
+            O.[Id] = OU.[OrganizationId]
+            AND O.[Id] = C.[OrganizationId]
+            AND O.[Enabled] = 1
+    ),
+    UserPermissions AS (
+        SELECT DISTINCT
+            CC.[CipherId],
+            CASE WHEN CC.[CollectionId] IS NULL THEN 0 ELSE 1 END as [Read],
+            CASE WHEN CU.[HidePasswords] = 0 THEN 1 ELSE 0 END as [ViewPassword],
+            CASE WHEN CU.[ReadOnly] = 0 THEN 1 ELSE 0 END as [Edit],
+            COALESCE(CU.[Manage], 0) as [Manage]
+        FROM [dbo].[CollectionCipher] CC
+        INNER JOIN [dbo].[CollectionUser] CU ON
+            CU.[CollectionId] = CC.[CollectionId]
+            AND CU.[OrganizationUserId] = (
+                SELECT [Id] FROM [OrganizationUser]
+                WHERE [UserId] = @UserId
+                AND [OrganizationId] = @OrganizationId
+            )
+    ),
+    GroupPermissions AS (
+        SELECT DISTINCT
+            CC.[CipherId],
+            CASE WHEN CC.[CollectionId] IS NULL THEN 0 ELSE 1 END as [Read],
+            CASE WHEN CG.[HidePasswords] = 0 THEN 1 ELSE 0 END as [ViewPassword],
+            CASE WHEN CG.[ReadOnly] = 0 THEN 1 ELSE 0 END as [Edit],
+            COALESCE(CG.[Manage], 0) as [Manage]
+        FROM [dbo].[CollectionCipher] CC
+        INNER JOIN [dbo].[CollectionGroup] CG ON
+            CG.[CollectionId] = CC.[CollectionId]
+        INNER JOIN [dbo].[GroupUser] GU ON
+            GU.[GroupId] = CG.[GroupId]
+            AND GU.[OrganizationUserId] = (
+                SELECT [Id] FROM [OrganizationUser]
+                WHERE [UserId] = @UserId
+                AND [OrganizationId] = @OrganizationId
+            )
+        WHERE NOT EXISTS (
+            SELECT 1
+            FROM UserPermissions UP
+            WHERE UP.[CipherId] = CC.[CipherId]
+        )
+    ),
+    CombinedPermissions AS (
+        SELECT CipherId, [Read], ViewPassword, Edit, Manage
+        FROM UserPermissions
+        UNION ALL
+        SELECT CipherId, [Read], ViewPassword, Edit, Manage
+        FROM GroupPermissions
+    )
+    SELECT
+        C.[Id],
+        C.[OrganizationId],
+        ISNULL(MAX(P.[Read]), 0) as [Read],
+        ISNULL(MAX(P.[ViewPassword]), 0) as [ViewPassword],
+        ISNULL(MAX(P.[Edit]), 0) as [Edit],
+        ISNULL(MAX(P.[Manage]), 0) as [Manage]
+    FROM BaseCiphers C
+    LEFT JOIN CombinedPermissions P ON P.CipherId = C.[Id]
+    GROUP BY C.[Id], C.[OrganizationId]
+END
+GO

From 0605590ed2b1275bc9b6d02719bcd02ba9daa065 Mon Sep 17 00:00:00 2001
From: Shane Melton <smelton@bitwarden.com>
Date: Thu, 9 Jan 2025 12:40:12 -0800
Subject: [PATCH 141/384] [PM-14380] Add GET /tasks/organization endpoint
 (#5149)

* [PM-14380] Add GetManyByOrganizationIdStatusAsync to SecurityTaskRepository

* [PM-14380] Introduce IGetTasksForOrganizationQuery

* [PM-14380] Add /tasks/organization endpoint

* [PM-14380] Add unit tests

* [PM-14380] Formatting

* [PM-14380] Bump migration script date

* [PM-14380] Bump migration script date
---
 .../Controllers/SecurityTaskController.cs     | 19 +++-
 .../Queries/GetTasksForOrganizationQuery.cs   | 44 +++++++++
 .../Queries/IGetTasksForOrganizationQuery.cs  | 15 +++
 .../Repositories/ISecurityTaskRepository.cs   |  8 ++
 .../Repositories/SecurityTaskRepository.cs    | 14 +++
 .../Repositories/SecurityTaskRepository.cs    | 27 ++++++
 ...ecurityTask_ReadByOrganizationIdStatus.sql | 19 ++++
 .../GetTasksForOrganizationQueryTests.cs      | 92 +++++++++++++++++++
 ...1-09_00_SecurityTaskReadByOrganization.sql | 20 ++++
 9 files changed, 257 insertions(+), 1 deletion(-)
 create mode 100644 src/Core/Vault/Queries/GetTasksForOrganizationQuery.cs
 create mode 100644 src/Core/Vault/Queries/IGetTasksForOrganizationQuery.cs
 create mode 100644 src/Sql/Vault/dbo/Stored Procedures/SecurityTask/SecurityTask_ReadByOrganizationIdStatus.sql
 create mode 100644 test/Core.Test/Vault/Queries/GetTasksForOrganizationQueryTests.cs
 create mode 100644 util/Migrator/DbScripts/2025-01-09_00_SecurityTaskReadByOrganization.sql

diff --git a/src/Api/Vault/Controllers/SecurityTaskController.cs b/src/Api/Vault/Controllers/SecurityTaskController.cs
index a0b18cb847..14ef0e5e4e 100644
--- a/src/Api/Vault/Controllers/SecurityTaskController.cs
+++ b/src/Api/Vault/Controllers/SecurityTaskController.cs
@@ -19,15 +19,18 @@ public class SecurityTaskController : Controller
     private readonly IUserService _userService;
     private readonly IGetTaskDetailsForUserQuery _getTaskDetailsForUserQuery;
     private readonly IMarkTaskAsCompleteCommand _markTaskAsCompleteCommand;
+    private readonly IGetTasksForOrganizationQuery _getTasksForOrganizationQuery;
 
     public SecurityTaskController(
         IUserService userService,
         IGetTaskDetailsForUserQuery getTaskDetailsForUserQuery,
-        IMarkTaskAsCompleteCommand markTaskAsCompleteCommand)
+        IMarkTaskAsCompleteCommand markTaskAsCompleteCommand,
+        IGetTasksForOrganizationQuery getTasksForOrganizationQuery)
     {
         _userService = userService;
         _getTaskDetailsForUserQuery = getTaskDetailsForUserQuery;
         _markTaskAsCompleteCommand = markTaskAsCompleteCommand;
+        _getTasksForOrganizationQuery = getTasksForOrganizationQuery;
     }
 
     /// <summary>
@@ -54,4 +57,18 @@ public class SecurityTaskController : Controller
         await _markTaskAsCompleteCommand.CompleteAsync(taskId);
         return NoContent();
     }
+
+    /// <summary>
+    /// Retrieves security tasks for an organization. Restricted to organization administrators.
+    /// </summary>
+    /// <param name="organizationId">The organization Id</param>
+    /// <param name="status">Optional filter for task status. If not provided, returns tasks of all statuses.</param>
+    [HttpGet("organization")]
+    public async Task<ListResponseModel<SecurityTasksResponseModel>> ListForOrganization(
+        [FromQuery] Guid organizationId, [FromQuery] SecurityTaskStatus? status)
+    {
+        var securityTasks = await _getTasksForOrganizationQuery.GetTasksAsync(organizationId, status);
+        var response = securityTasks.Select(x => new SecurityTasksResponseModel(x)).ToList();
+        return new ListResponseModel<SecurityTasksResponseModel>(response);
+    }
 }
diff --git a/src/Core/Vault/Queries/GetTasksForOrganizationQuery.cs b/src/Core/Vault/Queries/GetTasksForOrganizationQuery.cs
new file mode 100644
index 0000000000..8f71f3cc3b
--- /dev/null
+++ b/src/Core/Vault/Queries/GetTasksForOrganizationQuery.cs
@@ -0,0 +1,44 @@
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Utilities;
+using Bit.Core.Vault.Authorization.SecurityTasks;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Enums;
+using Bit.Core.Vault.Repositories;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.Vault.Queries;
+
+public class GetTasksForOrganizationQuery : IGetTasksForOrganizationQuery
+{
+    private readonly ISecurityTaskRepository _securityTaskRepository;
+    private readonly IAuthorizationService _authorizationService;
+    private readonly ICurrentContext _currentContext;
+
+    public GetTasksForOrganizationQuery(
+        ISecurityTaskRepository securityTaskRepository,
+        IAuthorizationService authorizationService,
+        ICurrentContext currentContext
+    )
+    {
+        _securityTaskRepository = securityTaskRepository;
+        _authorizationService = authorizationService;
+        _currentContext = currentContext;
+    }
+
+    public async Task<ICollection<SecurityTask>> GetTasksAsync(Guid organizationId,
+        SecurityTaskStatus? status = null)
+    {
+        var organization = _currentContext.GetOrganization(organizationId);
+        var userId = _currentContext.UserId;
+
+        if (organization == null || !userId.HasValue)
+        {
+            throw new NotFoundException();
+        }
+
+        await _authorizationService.AuthorizeOrThrowAsync(_currentContext.HttpContext.User, organization, SecurityTaskOperations.ListAllForOrganization);
+
+        return (await _securityTaskRepository.GetManyByOrganizationIdStatusAsync(organizationId, status)).ToList();
+    }
+}
diff --git a/src/Core/Vault/Queries/IGetTasksForOrganizationQuery.cs b/src/Core/Vault/Queries/IGetTasksForOrganizationQuery.cs
new file mode 100644
index 0000000000..c61f379008
--- /dev/null
+++ b/src/Core/Vault/Queries/IGetTasksForOrganizationQuery.cs
@@ -0,0 +1,15 @@
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Enums;
+
+namespace Bit.Core.Vault.Queries;
+
+public interface IGetTasksForOrganizationQuery
+{
+    /// <summary>
+    /// Retrieves all security tasks for an organization.
+    /// </summary>
+    /// <param name="organizationId">The Id of the organization</param>
+    /// <param name="status">Optional filter for task status. If not provided, returns tasks of all statuses</param>
+    /// <returns>A collection of security tasks</returns>
+    Task<ICollection<SecurityTask>> GetTasksAsync(Guid organizationId, SecurityTaskStatus? status = null);
+}
diff --git a/src/Core/Vault/Repositories/ISecurityTaskRepository.cs b/src/Core/Vault/Repositories/ISecurityTaskRepository.cs
index 34f1f2ee64..c236172533 100644
--- a/src/Core/Vault/Repositories/ISecurityTaskRepository.cs
+++ b/src/Core/Vault/Repositories/ISecurityTaskRepository.cs
@@ -13,4 +13,12 @@ public interface ISecurityTaskRepository : IRepository<SecurityTask, Guid>
     /// <param name="status">Optional filter for task status. If not provided, returns tasks of all statuses</param>
     /// <returns></returns>
     Task<ICollection<SecurityTask>> GetManyByUserIdStatusAsync(Guid userId, SecurityTaskStatus? status = null);
+
+    /// <summary>
+    /// Retrieves all security tasks for an organization.
+    /// </summary>
+    /// <param name="organizationId">The id of the organization</param>
+    /// <param name="status">Optional filter for task status. If not provided, returns tasks of all statuses</param>
+    /// <returns></returns>
+    Task<ICollection<SecurityTask>> GetManyByOrganizationIdStatusAsync(Guid organizationId, SecurityTaskStatus? status = null);
 }
diff --git a/src/Infrastructure.Dapper/Vault/Repositories/SecurityTaskRepository.cs b/src/Infrastructure.Dapper/Vault/Repositories/SecurityTaskRepository.cs
index dfe8a04814..35dace9a9e 100644
--- a/src/Infrastructure.Dapper/Vault/Repositories/SecurityTaskRepository.cs
+++ b/src/Infrastructure.Dapper/Vault/Repositories/SecurityTaskRepository.cs
@@ -32,4 +32,18 @@ public class SecurityTaskRepository : Repository<SecurityTask, Guid>, ISecurityT
 
         return results.ToList();
     }
+
+    /// <inheritdoc />
+    public async Task<ICollection<SecurityTask>> GetManyByOrganizationIdStatusAsync(Guid organizationId,
+        SecurityTaskStatus? status = null)
+    {
+        await using var connection = new SqlConnection(ConnectionString);
+
+        var results = await connection.QueryAsync<SecurityTask>(
+            $"[{Schema}].[SecurityTask_ReadByOrganizationIdStatus]",
+            new { OrganizationId = organizationId, Status = status },
+            commandType: CommandType.StoredProcedure);
+
+        return results.ToList();
+    }
 }
diff --git a/src/Infrastructure.EntityFramework/Vault/Repositories/SecurityTaskRepository.cs b/src/Infrastructure.EntityFramework/Vault/Repositories/SecurityTaskRepository.cs
index bd56df1bcf..5adfdc4c76 100644
--- a/src/Infrastructure.EntityFramework/Vault/Repositories/SecurityTaskRepository.cs
+++ b/src/Infrastructure.EntityFramework/Vault/Repositories/SecurityTaskRepository.cs
@@ -25,4 +25,31 @@ public class SecurityTaskRepository : Repository<Core.Vault.Entities.SecurityTas
         var data = await query.Run(dbContext).ToListAsync();
         return data;
     }
+
+    /// <inheritdoc />
+    public async Task<ICollection<Core.Vault.Entities.SecurityTask>> GetManyByOrganizationIdStatusAsync(Guid organizationId,
+        SecurityTaskStatus? status = null)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var query = from st in dbContext.SecurityTasks
+                    join o in dbContext.Organizations
+                        on st.OrganizationId equals o.Id
+                    where
+                        o.Enabled &&
+                        st.OrganizationId == organizationId &&
+                        (status == null || st.Status == status)
+                    select new Core.Vault.Entities.SecurityTask
+                    {
+                        Id = st.Id,
+                        OrganizationId = st.OrganizationId,
+                        CipherId = st.CipherId,
+                        Status = st.Status,
+                        Type = st.Type,
+                        CreationDate = st.CreationDate,
+                        RevisionDate = st.RevisionDate,
+                    };
+
+        return await query.OrderByDescending(st => st.CreationDate).ToListAsync();
+    }
 }
diff --git a/src/Sql/Vault/dbo/Stored Procedures/SecurityTask/SecurityTask_ReadByOrganizationIdStatus.sql b/src/Sql/Vault/dbo/Stored Procedures/SecurityTask/SecurityTask_ReadByOrganizationIdStatus.sql
new file mode 100644
index 0000000000..19e436e71d
--- /dev/null
+++ b/src/Sql/Vault/dbo/Stored Procedures/SecurityTask/SecurityTask_ReadByOrganizationIdStatus.sql	
@@ -0,0 +1,19 @@
+CREATE PROCEDURE [dbo].[SecurityTask_ReadByOrganizationIdStatus]
+    @OrganizationId UNIQUEIDENTIFIER,
+    @Status TINYINT = NULL
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        ST.*
+    FROM
+        [dbo].[SecurityTaskView] ST
+    INNER JOIN
+        [dbo].[Organization] O ON O.[Id] = ST.[OrganizationId]
+    WHERE
+        ST.[OrganizationId] = @OrganizationId
+        AND O.[Enabled] = 1
+        AND ST.[Status] = COALESCE(@Status, ST.[Status])
+    ORDER BY ST.[CreationDate] DESC
+END
diff --git a/test/Core.Test/Vault/Queries/GetTasksForOrganizationQueryTests.cs b/test/Core.Test/Vault/Queries/GetTasksForOrganizationQueryTests.cs
new file mode 100644
index 0000000000..59ec7350da
--- /dev/null
+++ b/test/Core.Test/Vault/Queries/GetTasksForOrganizationQueryTests.cs
@@ -0,0 +1,92 @@
+using System.Security.Claims;
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Vault.Authorization.SecurityTasks;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Enums;
+using Bit.Core.Vault.Queries;
+using Bit.Core.Vault.Repositories;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Authorization;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Vault.Queries;
+
+[SutProviderCustomize]
+public class GetTasksForOrganizationQueryTests
+{
+    [Theory, BitAutoData]
+    public async Task GetTasksAsync_Success(
+        Guid userId, CurrentContextOrganization org,
+        SutProvider<GetTasksForOrganizationQuery> sutProvider)
+    {
+        var status = SecurityTaskStatus.Pending;
+        sutProvider.GetDependency<ICurrentContext>().HttpContext.User.Returns(new ClaimsPrincipal());
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(org.Id).Returns(org);
+        sutProvider.GetDependency<IAuthorizationService>().AuthorizeAsync(
+            Arg.Any<ClaimsPrincipal>(), org, Arg.Is<IEnumerable<IAuthorizationRequirement>>(
+                e => e.Contains(SecurityTaskOperations.ListAllForOrganization)
+            )
+        ).Returns(AuthorizationResult.Success());
+        sutProvider.GetDependency<ISecurityTaskRepository>().GetManyByOrganizationIdStatusAsync(org.Id, status).Returns(new List<SecurityTask>()
+        {
+            new() { Id = Guid.NewGuid() },
+            new() { Id = Guid.NewGuid() },
+        });
+
+        var result = await sutProvider.Sut.GetTasksAsync(org.Id, status);
+
+        Assert.Equal(2, result.Count);
+        sutProvider.GetDependency<IAuthorizationService>().Received(1).AuthorizeAsync(
+            Arg.Any<ClaimsPrincipal>(), org, Arg.Is<IEnumerable<IAuthorizationRequirement>>(
+                e => e.Contains(SecurityTaskOperations.ListAllForOrganization)
+            )
+        );
+        sutProvider.GetDependency<ISecurityTaskRepository>().Received(1).GetManyByOrganizationIdStatusAsync(org.Id, SecurityTaskStatus.Pending);
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetTaskAsync_MissingOrg_Failure(Guid userId, SutProvider<GetTasksForOrganizationQuery> sutProvider)
+    {
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.GetTasksAsync(Guid.NewGuid()));
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetTaskAsync_MissingUser_Failure(CurrentContextOrganization org, SutProvider<GetTasksForOrganizationQuery> sutProvider)
+    {
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(null as Guid?);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(org.Id).Returns(org);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.GetTasksAsync(org.Id));
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetTasksAsync_Unauthorized_Failure(
+        Guid userId, CurrentContextOrganization org,
+        SutProvider<GetTasksForOrganizationQuery> sutProvider)
+    {
+        sutProvider.GetDependency<ICurrentContext>().HttpContext.User.Returns(new ClaimsPrincipal());
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(org.Id).Returns(org);
+        sutProvider.GetDependency<IAuthorizationService>().AuthorizeAsync(
+            Arg.Any<ClaimsPrincipal>(), org, Arg.Is<IEnumerable<IAuthorizationRequirement>>(
+                e => e.Contains(SecurityTaskOperations.ListAllForOrganization)
+            )
+        ).Returns(AuthorizationResult.Failed());
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.GetTasksAsync(org.Id));
+
+        sutProvider.GetDependency<IAuthorizationService>().Received(1).AuthorizeAsync(
+            Arg.Any<ClaimsPrincipal>(), org, Arg.Is<IEnumerable<IAuthorizationRequirement>>(
+                e => e.Contains(SecurityTaskOperations.ListAllForOrganization)
+            )
+        );
+        sutProvider.GetDependency<ISecurityTaskRepository>().Received(0).GetManyByOrganizationIdStatusAsync(org.Id, SecurityTaskStatus.Pending);
+    }
+}
diff --git a/util/Migrator/DbScripts/2025-01-09_00_SecurityTaskReadByOrganization.sql b/util/Migrator/DbScripts/2025-01-09_00_SecurityTaskReadByOrganization.sql
new file mode 100644
index 0000000000..11774e2092
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-01-09_00_SecurityTaskReadByOrganization.sql
@@ -0,0 +1,20 @@
+CREATE OR ALTER PROCEDURE [dbo].[SecurityTask_ReadByOrganizationIdStatus]
+    @OrganizationId UNIQUEIDENTIFIER,
+    @Status TINYINT = NULL
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        ST.*
+    FROM
+        [dbo].[SecurityTaskView] ST
+    INNER JOIN
+        [dbo].[Organization] O ON O.[Id] = ST.[OrganizationId]
+    WHERE
+        ST.[OrganizationId] = @OrganizationId
+        AND O.[Enabled] = 1
+        AND ST.[Status] = COALESCE(@Status, ST.[Status])
+    ORDER BY ST.[CreationDate] DESC
+END
+GO

From 6bad785072b4bee5e9e29485a9a1aac9b9633003 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 9 Jan 2025 14:05:26 -0700
Subject: [PATCH 142/384] [deps] DbOps: Update dbup-sqlserver to v6 (#4951)

* [deps] DbOps: Update dbup-sqlserver to v6

* Update Migrator.csproj

Update to 6.0.4

* Update Migrator.csproj

Change back to DBup 6.0.0

* update DbUpLogger.cs methods from the IUpgradeLog interface.

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: rkac-bw <148072202+rkac-bw@users.noreply.github.com>
Co-authored-by: Robert Y <rkac@bitwarden.com>
---
 util/Migrator/DbUpLogger.cs   | 23 +++++++++++++++++++----
 util/Migrator/Migrator.csproj |  2 +-
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/util/Migrator/DbUpLogger.cs b/util/Migrator/DbUpLogger.cs
index a65b3ec0ed..2587ce4d80 100644
--- a/util/Migrator/DbUpLogger.cs
+++ b/util/Migrator/DbUpLogger.cs
@@ -13,18 +13,33 @@ public class DbUpLogger : IUpgradeLog
         _logger = logger;
     }
 
-    public void WriteError(string format, params object[] args)
+    public void LogTrace(string format, params object[] args)
     {
-        _logger.LogError(Constants.BypassFiltersEventId, format, args);
+        _logger.LogTrace(Constants.BypassFiltersEventId, format, args);
     }
 
-    public void WriteInformation(string format, params object[] args)
+    public void LogDebug(string format, params object[] args)
+    {
+        _logger.LogDebug(Constants.BypassFiltersEventId, format, args);
+    }
+
+    public void LogInformation(string format, params object[] args)
     {
         _logger.LogInformation(Constants.BypassFiltersEventId, format, args);
     }
 
-    public void WriteWarning(string format, params object[] args)
+    public void LogWarning(string format, params object[] args)
     {
         _logger.LogWarning(Constants.BypassFiltersEventId, format, args);
     }
+
+    public void LogError(string format, params object[] args)
+    {
+        _logger.LogError(Constants.BypassFiltersEventId, format, args);
+    }
+
+    public void LogError(Exception ex, string format, params object[] args)
+    {
+        _logger.LogError(Constants.BypassFiltersEventId, ex, format, args);
+    }
 }
diff --git a/util/Migrator/Migrator.csproj b/util/Migrator/Migrator.csproj
index 25f5f255a2..b425babea3 100644
--- a/util/Migrator/Migrator.csproj
+++ b/util/Migrator/Migrator.csproj
@@ -6,7 +6,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="dbup-sqlserver" Version="5.0.41" />
+    <PackageReference Include="dbup-sqlserver" Version="6.0.0" />
     <PackageReference Include="Microsoft.Extensions.Logging" Version="8.0.1" />
   </ItemGroup>
 

From 1988f1402e55db782708c31f7c16a96faaea9da4 Mon Sep 17 00:00:00 2001
From: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
Date: Fri, 10 Jan 2025 00:43:24 +0100
Subject: [PATCH 143/384] Repeating pattern values for BitAutoData attribute
 (#5167)

* Repeating pattern values for BitAutoData attribute

* nullable enabled, added documentation

* execute test method even if no repeating pattern data provided (empty array).

* RepeatingPatternBitAutoDataAttribute unit tests
---
 .../RepeatingPatternBitAutoDataAttribute.cs   | 112 +++++++
 ...peatingPatternBitAutoDataAttributeTests.cs | 290 ++++++++++++++++++
 2 files changed, 402 insertions(+)
 create mode 100644 test/Common/AutoFixture/Attributes/RepeatingPatternBitAutoDataAttribute.cs
 create mode 100644 test/Common/AutoFixture/Attributes/RepeatingPatternBitAutoDataAttributeTests.cs

diff --git a/test/Common/AutoFixture/Attributes/RepeatingPatternBitAutoDataAttribute.cs b/test/Common/AutoFixture/Attributes/RepeatingPatternBitAutoDataAttribute.cs
new file mode 100644
index 0000000000..48b8c1e92c
--- /dev/null
+++ b/test/Common/AutoFixture/Attributes/RepeatingPatternBitAutoDataAttribute.cs
@@ -0,0 +1,112 @@
+#nullable enable
+using System.Reflection;
+
+namespace Bit.Test.Common.AutoFixture.Attributes;
+
+/// <summary>
+/// This attribute helps to generate all possible combinations of the provided pattern values for a given number of parameters.
+/// <remarks>
+/// <para>
+/// The repeating pattern values should be provided as an array for each parameter. Currently supports up to 3 parameters.
+/// </para>
+/// <para>
+/// The attribute is a variation of the <see cref="BitAutoDataAttribute"/> attribute and can be used in the same way, except that all fixed value parameters needs to be provided as an array.
+/// </para>
+/// <para>
+/// Note: Use it with caution. While this attribute is useful for handling repeating parameters, having too many parameters should be avoided as it is considered a code smell in most of the cases.
+/// If your test requires more than 2 repeating parameters, or the test have too many conditions that change the behavior of the test, consider refactoring the test by splitting it into multiple smaller ones.
+/// </para>
+/// </remarks>
+/// <example>
+/// 1st example:
+/// <code>
+/// [RepeatingPatternBitAutoData([false], [1,2,3])]
+/// public void TestMethod(bool first, int second, SomeOtherData third, ...)
+/// </code>
+/// Would generate the following test cases:
+/// <list type="bullet">
+/// <item>false, 1</item>
+/// <item>false, 2</item>
+/// <item>false, 3</item>
+/// </list>
+/// 2nd example:
+/// <code>
+/// [RepeatingPatternBitAutoData([false, true], [false, true], [false, true])]
+/// public void TestMethod(bool first, bool second, bool third)
+/// </code>
+/// Would generate the following test cases:
+/// <list type="bullet">
+/// <item>false, false, false</item>
+/// <item>false, false, true</item>
+/// <item>false, true, false</item>
+/// <item>false, true, true</item>
+/// <item>true, false, false</item>
+/// <item>true, false, true</item>
+/// <item>true, true, false</item>
+/// <item>true, true, true</item>
+/// </list>
+/// </example>
+/// </summary>
+public class RepeatingPatternBitAutoDataAttribute : BitAutoDataAttribute
+{
+    private readonly List<object?[]> _repeatingDataList;
+
+    public RepeatingPatternBitAutoDataAttribute(object?[] first)
+    {
+        _repeatingDataList = AllValues([first]);
+    }
+
+    public RepeatingPatternBitAutoDataAttribute(object?[] first, object?[] second)
+    {
+        _repeatingDataList = AllValues([first, second]);
+    }
+
+    public RepeatingPatternBitAutoDataAttribute(object?[] first, object?[] second, object?[] third)
+    {
+        _repeatingDataList = AllValues([first, second, third]);
+    }
+
+    public override IEnumerable<object?[]> GetData(MethodInfo testMethod)
+    {
+        if (_repeatingDataList.Count == 0)
+        {
+            yield return base.GetData(testMethod).First();
+        }
+
+        foreach (var repeatingData in _repeatingDataList)
+        {
+            var bitData = base.GetData(testMethod).First();
+            for (var i = 0; i < repeatingData.Length; i++)
+            {
+                bitData[i] = repeatingData[i];
+            }
+
+            yield return bitData;
+        }
+    }
+
+    private static List<object?[]> AllValues(object?[][] parameterToPatternValues)
+    {
+        var result = new List<object?[]>();
+        GenerateCombinations(parameterToPatternValues, new object[parameterToPatternValues.Length], 0, result);
+        return result;
+    }
+
+    private static void GenerateCombinations(object?[][] parameterToPatternValues, object?[] current, int index,
+        List<object?[]> result)
+    {
+        if (index == current.Length)
+        {
+            result.Add((object[])current.Clone());
+            return;
+        }
+
+        var patternValues = parameterToPatternValues[index];
+
+        foreach (var value in patternValues)
+        {
+            current[index] = value;
+            GenerateCombinations(parameterToPatternValues, current, index + 1, result);
+        }
+    }
+}
diff --git a/test/Common/AutoFixture/Attributes/RepeatingPatternBitAutoDataAttributeTests.cs b/test/Common/AutoFixture/Attributes/RepeatingPatternBitAutoDataAttributeTests.cs
new file mode 100644
index 0000000000..b23fda8657
--- /dev/null
+++ b/test/Common/AutoFixture/Attributes/RepeatingPatternBitAutoDataAttributeTests.cs
@@ -0,0 +1,290 @@
+#nullable enable
+using Xunit;
+
+namespace Bit.Test.Common.AutoFixture.Attributes;
+
+public class RepeatingPatternBitAutoDataAttributeTests
+{
+    public class OneParam1 : IClassFixture<TestDataContext>
+    {
+        private readonly TestDataContext _context;
+
+        public OneParam1(TestDataContext context)
+        {
+            context.SetData(1, [], [], []);
+            _context = context;
+        }
+
+        [Theory]
+        [RepeatingPatternBitAutoData([])]
+        public void NoPattern_NoTestExecution(string autoDataFilled)
+        {
+            Assert.NotEmpty(autoDataFilled);
+            _context.TestExecuted();
+        }
+    }
+
+    public class OneParam2 : IClassFixture<TestDataContext>
+    {
+        private readonly TestDataContext _context;
+
+        public OneParam2(TestDataContext context)
+        {
+            context.SetData(2, [false, true], [], []);
+            _context = context;
+        }
+
+        [Theory]
+        [RepeatingPatternBitAutoData([false, true])]
+        public void TrueFalsePattern_2Executions(bool first, string autoDataFilled)
+        {
+            Assert.True(_context.ExpectedBooleans1.Remove(first));
+            Assert.NotEmpty(autoDataFilled);
+            _context.TestExecuted();
+        }
+    }
+
+    public class OneParam3 : IClassFixture<TestDataContext>
+    {
+        private readonly TestDataContext _context;
+
+        public OneParam3(TestDataContext context)
+        {
+            context.SetData(4, [], [], [null, "", " ", "\t"]);
+            _context = context;
+        }
+
+        [Theory]
+        [RepeatingPatternBitAutoData([null, "", " ", "\t"])]
+        public void NullableEmptyStringPattern_4Executions(string? first, string autoDataFilled)
+        {
+            Assert.True(_context.ExpectedStrings.Remove(first));
+            Assert.NotEmpty(autoDataFilled);
+            _context.TestExecuted();
+        }
+    }
+
+    public class OneParam4 : IClassFixture<TestDataContext>
+    {
+        private readonly TestDataContext _context;
+
+        public OneParam4(TestDataContext context)
+        {
+            context.SetData(6, [], [], [null, "", " ", "\t", "\n", " \t\n"]);
+            _context = context;
+        }
+
+        [Theory]
+        [RepeatingPatternBitAutoData([null, "", " ", "\t"])] // 4 executions
+        [BitAutoData("\n")] // 1 execution
+        [BitAutoData(" \t\n", "test data")] // 1 execution
+        public void MixedPatternsWithBitAutoData_6Executions(string? first, string autoDataFilled)
+        {
+            Assert.True(_context.ExpectedStrings.Remove(first));
+            Assert.NotEmpty(autoDataFilled);
+            if (first == " \t\n")
+            {
+                Assert.Equal("test data", autoDataFilled);
+            }
+
+            _context.TestExecuted();
+        }
+    }
+
+    public class TwoParams1 : IClassFixture<TestDataContext>
+    {
+        private readonly TestDataContext _context;
+
+        public TwoParams1(TestDataContext context)
+        {
+            context.SetData(8, TestDataContext.GenerateData([false, true], 4), [],
+                TestDataContext.GenerateData([null, "", " ", "\t"], 2));
+            _context = context;
+        }
+
+        [Theory]
+        [RepeatingPatternBitAutoData([false, true], [null, "", " ", "\t"])]
+        public void TrueFalsePatternFirstNullableEmptyStringPatternSecond_8Executions(
+            bool first, string? second,
+            string autoDataFilled)
+        {
+            Assert.True(_context.ExpectedBooleans1.Remove(first));
+            Assert.True(_context.ExpectedStrings.Remove(second));
+            Assert.NotEmpty(autoDataFilled);
+            _context.TestExecuted();
+        }
+    }
+
+    public class TwoParams2 : IClassFixture<TestDataContext>
+    {
+        private readonly TestDataContext _context;
+
+        public TwoParams2(TestDataContext context)
+        {
+            context.SetData(8, TestDataContext.GenerateData([false, true], 4), [],
+                TestDataContext.GenerateData([null, "", " ", "\t"], 2));
+            _context = context;
+        }
+
+        [Theory]
+        [RepeatingPatternBitAutoData([null, "", " ", "\t"], [false, true])]
+        public void NullableEmptyStringPatternFirstTrueFalsePatternSecond_8Executions(
+            string? first, bool second,
+            string autoDataFilled)
+        {
+            Assert.True(_context.ExpectedStrings.Remove(first));
+            Assert.True(_context.ExpectedBooleans1.Remove(second));
+            Assert.NotEmpty(autoDataFilled);
+            _context.TestExecuted();
+        }
+    }
+
+    public class TwoParams3 : IClassFixture<TestDataContext>
+    {
+        private readonly TestDataContext _context;
+
+        public TwoParams3(TestDataContext context)
+        {
+            var expectedBooleans1 = TestDataContext.GenerateData([false], 4);
+            expectedBooleans1.AddRange(TestDataContext.GenerateData([true], 5));
+            var expectedStrings = TestDataContext.GenerateData([null, "", " "], 2);
+            expectedStrings.AddRange(["\t", "\n", " \t\n"]);
+            context.SetData(9, expectedBooleans1, [], expectedStrings);
+            _context = context;
+        }
+
+        [Theory]
+        [RepeatingPatternBitAutoData([null, "", " "], [false, true])] // 6 executions
+        [RepeatingPatternBitAutoData(["\t"], [false])] // 1 execution
+        [BitAutoData("\n", true)] // 1 execution
+        [BitAutoData(" \t\n", true, "test data")] // 1 execution
+        public void MixedPatternsWithBitAutoData_9Executions(
+            string? first, bool second,
+            string autoDataFilled)
+        {
+            Assert.True(_context.ExpectedStrings.Remove(first));
+            Assert.True(_context.ExpectedBooleans1.Remove(second));
+            Assert.NotEmpty(autoDataFilled);
+            if (first == " \t\n")
+            {
+                Assert.Equal("test data", autoDataFilled);
+            }
+
+            _context.TestExecuted();
+        }
+    }
+
+    public class ThreeParams1 : IClassFixture<TestDataContext>
+    {
+        private readonly TestDataContext _context;
+
+        public ThreeParams1(TestDataContext context)
+        {
+            context.SetData(16, TestDataContext.GenerateData([false, true], 8),
+                TestDataContext.GenerateData([false, true], 8),
+                TestDataContext.GenerateData([null, "", " ", "\t"], 4));
+            _context = context;
+        }
+
+        [Theory]
+        [RepeatingPatternBitAutoData([false, true], [null, "", " ", "\t"], [false, true])]
+        public void TrueFalsePatternFirstNullableEmptyStringPatternSecondFalsePatternThird_16Executions(
+            bool first, string? second, bool third,
+            string autoDataFilled)
+        {
+            Assert.True(_context.ExpectedBooleans1.Remove(first));
+            Assert.True(_context.ExpectedStrings.Remove(second));
+            Assert.True(_context.ExpectedBooleans2.Remove(third));
+            Assert.NotEmpty(autoDataFilled);
+            _context.TestExecuted();
+        }
+    }
+
+    public class ThreeParams2 : IClassFixture<TestDataContext>
+    {
+        private readonly TestDataContext _context;
+
+        public ThreeParams2(TestDataContext context)
+        {
+            var expectedBooleans1 = TestDataContext.GenerateData([false, true], 6);
+            expectedBooleans1.AddRange(TestDataContext.GenerateData([true], 3));
+            var expectedBooleans2 = TestDataContext.GenerateData([false, true], 7);
+            expectedBooleans2.Add(true);
+            var expectedStrings = TestDataContext.GenerateData([null, "", " "], 4);
+            expectedStrings.AddRange(["\t", "\t", " \t\n"]);
+            context.SetData(15, expectedBooleans1, expectedBooleans2, expectedStrings);
+            _context = context;
+        }
+
+        [Theory]
+        [RepeatingPatternBitAutoData([false, true], [null, "", " "], [false, true])] // 12 executions
+        [RepeatingPatternBitAutoData([true], ["\t"], [false, true])] // 2 executions
+        [BitAutoData(true, " \t\n", true, "test data")] // 1 execution
+        public void MixedPatternsWithBitAutoData_15Executions(
+            bool first, string? second, bool third,
+            string autoDataFilled)
+        {
+            Assert.True(_context.ExpectedBooleans1.Remove(first));
+            Assert.True(_context.ExpectedStrings.Remove(second));
+            Assert.True(_context.ExpectedBooleans2.Remove(third));
+            Assert.NotEmpty(autoDataFilled);
+            if (second == " \t\n")
+            {
+                Assert.Equal("test data", autoDataFilled);
+            }
+
+            _context.TestExecuted();
+        }
+    }
+}
+
+public class TestDataContext : IDisposable
+{
+    internal List<bool> ExpectedBooleans1 = [];
+    internal List<bool> ExpectedBooleans2 = [];
+
+    internal List<string?> ExpectedStrings = [];
+
+    private int _expectedExecutionCount;
+    private bool _dataSet;
+
+    public void TestExecuted()
+    {
+        _expectedExecutionCount--;
+    }
+
+    public void SetData(int expectedExecutionCount, List<bool> expectedBooleans1, List<bool> expectedBooleans2,
+        List<string?> expectedStrings)
+    {
+        if (_dataSet)
+        {
+            return;
+        }
+
+        _expectedExecutionCount = expectedExecutionCount;
+        ExpectedBooleans1 = expectedBooleans1;
+        ExpectedBooleans2 = expectedBooleans2;
+        ExpectedStrings = expectedStrings;
+
+        _dataSet = true;
+    }
+
+    public static List<T> GenerateData<T>(List<T> list, int count)
+    {
+        var repeatedList = new List<T>();
+        for (var i = 0; i < count; i++)
+        {
+            repeatedList.AddRange(list);
+        }
+
+        return repeatedList;
+    }
+
+    public void Dispose()
+    {
+        Assert.Equal(0, _expectedExecutionCount);
+        Assert.Empty(ExpectedBooleans1);
+        Assert.Empty(ExpectedBooleans2);
+        Assert.Empty(ExpectedStrings);
+    }
+}

From ce2ecf9da08ed7a4c4357db80acbd71599967759 Mon Sep 17 00:00:00 2001
From: Ike <137194738+ike-kottlowski@users.noreply.github.com>
Date: Thu, 9 Jan 2025 18:10:54 -0800
Subject: [PATCH 144/384] [PM-12995] Create UI elements for New Device
 Verification in Admin Portal (#5165)

* feat(NewDeviceVerification) :
- Added constant to constants in Bit.Core because the cache key format needs to be shared between the Identity Server and the MVC project Admin.
- Updated DeviceValidator class to handle checking cache for user information to allow pass through.
- Updated and Added tests to handle new flow.
- Adding exception flow to admin project. Added tests for new methods in UserService.
---
 src/Admin/Controllers/UsersController.cs      |  19 ++-
 src/Admin/Models/UserEditModel.cs             |   7 +-
 src/Admin/Views/Users/Edit.cshtml             | 136 +++++++++++-------
 src/Core/Services/IUserService.cs             |  11 ++
 .../Services/Implementations/UserService.cs   |  30 +++-
 test/Core.Test/Services/UserServiceTests.cs   | 104 +++++++++++++-
 6 files changed, 253 insertions(+), 54 deletions(-)

diff --git a/src/Admin/Controllers/UsersController.cs b/src/Admin/Controllers/UsersController.cs
index 54e43d8b4f..a988cc2af7 100644
--- a/src/Admin/Controllers/UsersController.cs
+++ b/src/Admin/Controllers/UsersController.cs
@@ -107,7 +107,8 @@ public class UsersController : Controller
         var billingHistoryInfo = await _paymentService.GetBillingHistoryAsync(user);
         var isTwoFactorEnabled = await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(user);
         var verifiedDomain = await AccountDeprovisioningEnabled(user.Id);
-        return View(new UserEditModel(user, isTwoFactorEnabled, ciphers, billingInfo, billingHistoryInfo, _globalSettings, verifiedDomain));
+        var deviceVerificationRequired = await _userService.ActiveNewDeviceVerificationException(user.Id);
+        return View(new UserEditModel(user, isTwoFactorEnabled, ciphers, billingInfo, billingHistoryInfo, _globalSettings, verifiedDomain, deviceVerificationRequired));
     }
 
     [HttpPost]
@@ -162,6 +163,22 @@ public class UsersController : Controller
         return RedirectToAction("Index");
     }
 
+    [HttpPost]
+    [ValidateAntiForgeryToken]
+    [RequirePermission(Permission.User_GeneralDetails_View)]
+    [RequireFeature(FeatureFlagKeys.NewDeviceVerification)]
+    public async Task<IActionResult> ToggleNewDeviceVerification(Guid id)
+    {
+        var user = await _userRepository.GetByIdAsync(id);
+        if (user == null)
+        {
+            return RedirectToAction("Index");
+        }
+
+        await _userService.ToggleNewDeviceVerificationException(user.Id);
+        return RedirectToAction("Edit", new { id });
+    }
+
     // TODO: Feature flag to be removed in PM-14207
     private async Task<bool?> AccountDeprovisioningEnabled(Guid userId)
     {
diff --git a/src/Admin/Models/UserEditModel.cs b/src/Admin/Models/UserEditModel.cs
index ed2d653246..2597da6e96 100644
--- a/src/Admin/Models/UserEditModel.cs
+++ b/src/Admin/Models/UserEditModel.cs
@@ -18,10 +18,13 @@ public class UserEditModel
         BillingInfo billingInfo,
         BillingHistoryInfo billingHistoryInfo,
         GlobalSettings globalSettings,
-        bool? claimedAccount)
+        bool? claimedAccount,
+        bool? activeNewDeviceVerificationException)
     {
         User = UserViewModel.MapViewModel(user, isTwoFactorEnabled, ciphers, claimedAccount);
 
+        ActiveNewDeviceVerificationException = activeNewDeviceVerificationException ?? false;
+
         BillingInfo = billingInfo;
         BillingHistoryInfo = billingHistoryInfo;
         BraintreeMerchantId = globalSettings.Braintree.MerchantId;
@@ -44,6 +47,8 @@ public class UserEditModel
     public string RandomLicenseKey => CoreHelpers.SecureRandomString(20);
     public string OneYearExpirationDate => DateTime.Now.AddYears(1).ToString("yyyy-MM-ddTHH:mm");
     public string BraintreeMerchantId { get; init; }
+    public bool ActiveNewDeviceVerificationException { get; init; }
+
 
     [Display(Name = "Name")]
     public string Name { get; init; }
diff --git a/src/Admin/Views/Users/Edit.cshtml b/src/Admin/Views/Users/Edit.cshtml
index d9fc07884d..417d9fb9a2 100644
--- a/src/Admin/Views/Users/Edit.cshtml
+++ b/src/Admin/Views/Users/Edit.cshtml
@@ -1,11 +1,14 @@
 @using Bit.Admin.Enums;
 @inject Bit.Admin.Services.IAccessControlService AccessControlService
+@inject Bit.Core.Services.IFeatureService FeatureService
 @inject IWebHostEnvironment HostingEnvironment
 @model UserEditModel
 @{
     ViewData["Title"] = "User: " + Model.User.Email;
 
     var canViewUserInformation = AccessControlService.UserHasPermission(Permission.User_UserInformation_View);
+    var canViewNewDeviceException = AccessControlService.UserHasPermission(Permission.User_UserInformation_View) &&
+                                    FeatureService.IsEnabled(Bit.Core.FeatureFlagKeys.NewDeviceVerification);
     var canViewBillingInformation = AccessControlService.UserHasPermission(Permission.User_BillingInformation_View);
     var canViewGeneral = AccessControlService.UserHasPermission(Permission.User_GeneralDetails_View);
     var canViewPremium = AccessControlService.UserHasPermission(Permission.User_Premium_View);
@@ -32,7 +35,11 @@
                 // Premium
                 document.getElementById('@(nameof(Model.MaxStorageGb))').value = '1';
                 document.getElementById('@(nameof(Model.Premium))').checked = true;
+    using Stripe.Entitlements;
                 // Licensing
+    using Bit.Core;
+    using Stripe.Entitlements;
+                using Microsoft.Identity.Client.Extensibility;
                 document.getElementById('@(nameof(Model.LicenseKey))').value = '@Model.RandomLicenseKey';
                 document.getElementById('@(nameof(Model.PremiumExpirationDate))').value =
                     '@Model.OneYearExpirationDate';
@@ -47,13 +54,13 @@
 
                 if (gateway.value === '@((byte)Bit.Core.Enums.GatewayType.Stripe)') {
                     const url = '@(HostingEnvironment.IsDevelopment()
-                                     ? "https://dashboard.stripe.com/test"
-                                     : "https://dashboard.stripe.com")';
+                ? "https://dashboard.stripe.com/test"
+                    : "https://dashboard.stripe.com")';
                     window.open(`${url}/customers/${customerId.value}/`, '_blank');
                 } else if (gateway.value === '@((byte)Bit.Core.Enums.GatewayType.Braintree)') {
                     const url = '@(HostingEnvironment.IsDevelopment()
-                                     ? $"https://www.sandbox.braintreegateway.com/merchants/{Model.BraintreeMerchantId}"
-                                     : $"https://www.braintreegateway.com/merchants/{Model.BraintreeMerchantId}")';
+                ? $"https://www.sandbox.braintreegateway.com/merchants/{Model.BraintreeMerchantId}"
+                    : $"https://www.braintreegateway.com/merchants/{Model.BraintreeMerchantId}")';
                     window.open(`${url}/${customerId.value}`, '_blank');
                 }
             });
@@ -67,13 +74,13 @@
 
                 if (gateway.value === '@((byte)Bit.Core.Enums.GatewayType.Stripe)') {
                     const url = '@(HostingEnvironment.IsDevelopment() || HostingEnvironment.IsEnvironment("QA")
-                                     ? "https://dashboard.stripe.com/test"
-                                     : "https://dashboard.stripe.com")'
+                ? "https://dashboard.stripe.com/test"
+                    : "https://dashboard.stripe.com")'
                     window.open(`${url}/subscriptions/${subId.value}`, '_blank');
                 } else if (gateway.value === '@((byte)Bit.Core.Enums.GatewayType.Braintree)') {
                     const url = '@(HostingEnvironment.IsDevelopment() || HostingEnvironment.IsEnvironment("QA")
-                                     ? $"https://www.sandbox.braintreegateway.com/merchants/{Model.BraintreeMerchantId}"
-                                     : $"https://www.braintreegateway.com/merchants/{Model.BraintreeMerchantId}")';
+                ? $"https://www.sandbox.braintreegateway.com/merchants/{Model.BraintreeMerchantId}"
+                    : $"https://www.braintreegateway.com/merchants/{Model.BraintreeMerchantId}")';
                     window.open(`${url}/subscriptions/${subId.value}`, '_blank');
                 }
             });
@@ -88,11 +95,40 @@
     <h2>User Information</h2>
     @await Html.PartialAsync("_ViewInformation", Model.User)
 }
+@if (canViewNewDeviceException)
+{
+    <h2>New Device Verification </h2>
+    <dl class="row">
+        <dt class="col d-flex">
+            <form asp-action="ToggleNewDeviceVerification" asp-route-id="@Model.User.Id" method="post">
+                @if (Model.ActiveNewDeviceVerificationException)
+                {
+                    <p>Status: Bypassed</p>
+                    <button type="submit" class="btn btn-success" id="new-device-verification-exception">Require New
+                        Device Verification</button>
+                }
+                else
+                {
+                    <p>Status: Required</p>
+                    <button type="submit" class="btn btn-outline-danger" id="new-device-verification-exception">Bypass New
+                        Device Verification</button>
+                }
+            </form>
+
+        </dt>
+    </dl>
+}
 @if (canViewBillingInformation)
 {
     <h2>Billing Information</h2>
     @await Html.PartialAsync("_BillingInformation",
-        new BillingInformationModel { BillingInfo = Model.BillingInfo, BillingHistoryInfo = Model.BillingHistoryInfo, UserId = Model.User.Id, Entity = "User" })
+        new BillingInformationModel
+{
+    BillingInfo = Model.BillingInfo,
+    BillingHistoryInfo = Model.BillingHistoryInfo,
+    UserId = Model.User.Id,
+    Entity = "User"
+})
 }
 @if (canViewGeneral)
 {
@@ -109,7 +145,7 @@
         <label class="form-check-label" asp-for="EmailVerified"></label>
     </div>
 }
-    <form method="post" id="edit-form">
+<form method="post" id="edit-form">
     @if (canViewPremium)
     {
         <h2>Premium</h2>
@@ -139,54 +175,56 @@
             <div class="col-sm">
                 <div class="mb-3">
                     <label asp-for="PremiumExpirationDate" class="form-label"></label>
-                    <input type="datetime-local" class="form-control" asp-for="PremiumExpirationDate" readonly='@(!canEditLicensing)'>
+                    <input type="datetime-local" class="form-control" asp-for="PremiumExpirationDate"
+                        readonly='@(!canEditLicensing)'>
                 </div>
             </div>
         </div>
     }
-@if (canViewBilling)
-{
-    <h2>Billing</h2>
-    <div class="row">
-        <div class="col-md">
-            <div class="mb-3">
-                <label asp-for="Gateway" class="form-label"></label>
-                <select class="form-select" asp-for="Gateway" disabled='@(canEditBilling ? null : "disabled")'
+    @if (canViewBilling)
+    {
+        <h2>Billing</h2>
+        <div class="row">
+            <div class="col-md">
+                <div class="mb-3">
+                    <label asp-for="Gateway" class="form-label"></label>
+                    <select class="form-select" asp-for="Gateway" disabled='@(canEditBilling ? null : "disabled")'
                         asp-items="Html.GetEnumSelectList<Bit.Core.Enums.GatewayType>()">
-                    <option value="">--</option>
-                </select>
+                        <option value="">--</option>
+                    </select>
+                </div>
             </div>
-        </div>
-        <div class="col-md">
-            <div class="mb-3">
-                <label asp-for="GatewayCustomerId" class="form-label"></label>
-                <div class="input-group">
-                    <input type="text" class="form-control" asp-for="GatewayCustomerId" readonly='@(!canEditBilling)'>
-                    @if (canLaunchGateway)
-                    {
-                        <button class="btn btn-secondary" type="button" id="gateway-customer-link">
-                            <i class="fa fa-external-link"></i>
-                        </button>
-                    }
+            <div class="col-md">
+                <div class="mb-3">
+                    <label asp-for="GatewayCustomerId" class="form-label"></label>
+                    <div class="input-group">
+                        <input type="text" class="form-control" asp-for="GatewayCustomerId" readonly='@(!canEditBilling)'>
+                        @if (canLaunchGateway)
+                        {
+                            <button class="btn btn-secondary" type="button" id="gateway-customer-link">
+                                <i class="fa fa-external-link"></i>
+                            </button>
+                        }
+                    </div>
+                </div>
+            </div>
+            <div class="col-md">
+                <div class="mb-3">
+                    <label asp-for="GatewaySubscriptionId" class="form-label"></label>
+                    <div class="input-group">
+                        <input type="text" class="form-control" asp-for="GatewaySubscriptionId"
+                            readonly='@(!canEditBilling)'>
+                        @if (canLaunchGateway)
+                        {
+                            <button class="btn btn-secondary" type="button" id="gateway-subscription-link">
+                                <i class="fa fa-external-link"></i>
+                            </button>
+                        }
+                    </div>
                 </div>
             </div>
         </div>
-        <div class="col-md">
-            <div class="mb-3">
-                <label asp-for="GatewaySubscriptionId" class="form-label"></label>
-                <div class="input-group">
-                    <input type="text" class="form-control" asp-for="GatewaySubscriptionId" readonly='@(!canEditBilling)'>
-                    @if (canLaunchGateway)
-                    {
-                        <button class="btn btn-secondary" type="button" id="gateway-subscription-link">
-                            <i class="fa fa-external-link"></i>
-                        </button>
-                    }
-                </div>
-            </div>
-        </div>
-    </div>
-}
+    }
 </form>
 <div class="d-flex mt-4">
     <button type="submit" class="btn btn-primary" form="edit-form">Save</button>
diff --git a/src/Core/Services/IUserService.cs b/src/Core/Services/IUserService.cs
index f0ba535266..0886d18897 100644
--- a/src/Core/Services/IUserService.cs
+++ b/src/Core/Services/IUserService.cs
@@ -77,6 +77,17 @@ public interface IUserService
     Task<bool> VerifyOTPAsync(User user, string token);
     Task<bool> VerifySecretAsync(User user, string secret, bool isSettingMFA = false);
     Task ResendNewDeviceVerificationEmail(string email, string secret);
+    /// <summary>
+    /// We use this method to check if the user has an active new device verification bypass
+    /// </summary>
+    /// <param name="userId">self</param>
+    /// <returns>returns true if the value is found in the cache</returns>
+    Task<bool> ActiveNewDeviceVerificationException(Guid userId);
+    /// <summary>
+    /// We use this method to toggle the new device verification bypass
+    /// </summary>
+    /// <param name="userId">Id of user bypassing new device verification</param>
+    Task ToggleNewDeviceVerificationException(Guid userId);
 
     void SetTwoFactorProvider(User user, TwoFactorProviderType type, bool setEnabled = true);
 
diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index 4d2cb45d93..4944dfe9e7 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -31,6 +31,7 @@ using Fido2NetLib;
 using Fido2NetLib.Objects;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Caching.Distributed;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using File = System.IO.File;
@@ -72,6 +73,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
     private readonly IPremiumUserBillingService _premiumUserBillingService;
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
     private readonly IRevokeNonCompliantOrganizationUserCommand _revokeNonCompliantOrganizationUserCommand;
+    private readonly IDistributedCache _distributedCache;
 
     public UserService(
         IUserRepository userRepository,
@@ -107,7 +109,8 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         IFeatureService featureService,
         IPremiumUserBillingService premiumUserBillingService,
         IRemoveOrganizationUserCommand removeOrganizationUserCommand,
-        IRevokeNonCompliantOrganizationUserCommand revokeNonCompliantOrganizationUserCommand)
+        IRevokeNonCompliantOrganizationUserCommand revokeNonCompliantOrganizationUserCommand,
+        IDistributedCache distributedCache)
         : base(
               store,
               optionsAccessor,
@@ -149,6 +152,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         _premiumUserBillingService = premiumUserBillingService;
         _removeOrganizationUserCommand = removeOrganizationUserCommand;
         _revokeNonCompliantOrganizationUserCommand = revokeNonCompliantOrganizationUserCommand;
+        _distributedCache = distributedCache;
     }
 
     public Guid? GetProperUserId(ClaimsPrincipal principal)
@@ -1471,6 +1475,30 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         }
     }
 
+    public async Task<bool> ActiveNewDeviceVerificationException(Guid userId)
+    {
+        var cacheKey = string.Format(AuthConstants.NewDeviceVerificationExceptionCacheKeyFormat, userId.ToString());
+        var cacheValue = await _distributedCache.GetAsync(cacheKey);
+        return cacheValue != null;
+    }
+
+    public async Task ToggleNewDeviceVerificationException(Guid userId)
+    {
+        var cacheKey = string.Format(AuthConstants.NewDeviceVerificationExceptionCacheKeyFormat, userId.ToString());
+        var cacheValue = await _distributedCache.GetAsync(cacheKey);
+        if (cacheValue != null)
+        {
+            await _distributedCache.RemoveAsync(cacheKey);
+        }
+        else
+        {
+            await _distributedCache.SetAsync(cacheKey, new byte[1], new DistributedCacheEntryOptions
+            {
+                AbsoluteExpirationRelativeToNow = TimeSpan.FromHours(24)
+            });
+        }
+    }
+
     private async Task SendAppropriateWelcomeEmailAsync(User user, string initiationPath)
     {
         var isFromMarketingWebsite = initiationPath.Contains("Secrets Manager trial");
diff --git a/test/Core.Test/Services/UserServiceTests.cs b/test/Core.Test/Services/UserServiceTests.cs
index 74bebf328f..a07cc1907f 100644
--- a/test/Core.Test/Services/UserServiceTests.cs
+++ b/test/Core.Test/Services/UserServiceTests.cs
@@ -32,6 +32,7 @@ using Bit.Test.Common.Helpers;
 using Fido2NetLib;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Caching.Distributed;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using NSubstitute;
@@ -242,7 +243,43 @@ public class UserServiceTests
             });
 
         // HACK: SutProvider is being weird about not injecting the IPasswordHasher that I configured
-        var sut = RebuildSut(sutProvider);
+        var sut = new UserService(
+            sutProvider.GetDependency<IUserRepository>(),
+            sutProvider.GetDependency<ICipherRepository>(),
+            sutProvider.GetDependency<IOrganizationUserRepository>(),
+            sutProvider.GetDependency<IOrganizationRepository>(),
+            sutProvider.GetDependency<IMailService>(),
+            sutProvider.GetDependency<IPushNotificationService>(),
+            sutProvider.GetDependency<IUserStore<User>>(),
+            sutProvider.GetDependency<IOptions<IdentityOptions>>(),
+            sutProvider.GetDependency<IPasswordHasher<User>>(),
+            sutProvider.GetDependency<IEnumerable<IUserValidator<User>>>(),
+            sutProvider.GetDependency<IEnumerable<IPasswordValidator<User>>>(),
+            sutProvider.GetDependency<ILookupNormalizer>(),
+            sutProvider.GetDependency<IdentityErrorDescriber>(),
+            sutProvider.GetDependency<IServiceProvider>(),
+            sutProvider.GetDependency<ILogger<UserManager<User>>>(),
+            sutProvider.GetDependency<ILicensingService>(),
+            sutProvider.GetDependency<IEventService>(),
+            sutProvider.GetDependency<IApplicationCacheService>(),
+            sutProvider.GetDependency<IDataProtectionProvider>(),
+            sutProvider.GetDependency<IPaymentService>(),
+            sutProvider.GetDependency<IPolicyRepository>(),
+            sutProvider.GetDependency<IPolicyService>(),
+            sutProvider.GetDependency<IReferenceEventService>(),
+            sutProvider.GetDependency<IFido2>(),
+            sutProvider.GetDependency<ICurrentContext>(),
+            sutProvider.GetDependency<IGlobalSettings>(),
+            sutProvider.GetDependency<IAcceptOrgUserCommand>(),
+            sutProvider.GetDependency<IProviderUserRepository>(),
+            sutProvider.GetDependency<IStripeSyncService>(),
+            new FakeDataProtectorTokenFactory<OrgUserInviteTokenable>(),
+            sutProvider.GetDependency<IFeatureService>(),
+            sutProvider.GetDependency<IPremiumUserBillingService>(),
+            sutProvider.GetDependency<IRemoveOrganizationUserCommand>(),
+            sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>(),
+            sutProvider.GetDependency<IDistributedCache>()
+            );
 
         var actualIsVerified = await sut.VerifySecretAsync(user, secret);
 
@@ -582,6 +619,68 @@ public class UserServiceTests
         }
     }
 
+    [Theory, BitAutoData]
+    public async Task ActiveNewDeviceVerificationException_UserNotInCache_ReturnsFalseAsync(
+        SutProvider<UserService> sutProvider)
+    {
+        sutProvider.GetDependency<IDistributedCache>()
+            .GetAsync(Arg.Any<string>())
+            .Returns(null as byte[]);
+
+        var result = await sutProvider.Sut.ActiveNewDeviceVerificationException(Guid.NewGuid());
+
+        Assert.False(result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ActiveNewDeviceVerificationException_UserInCache_ReturnsTrueAsync(
+        SutProvider<UserService> sutProvider)
+    {
+        sutProvider.GetDependency<IDistributedCache>()
+            .GetAsync(Arg.Any<string>())
+            .Returns([1]);
+
+        var result = await sutProvider.Sut.ActiveNewDeviceVerificationException(Guid.NewGuid());
+
+        Assert.True(result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ToggleNewDeviceVerificationException_UserInCache_RemovesUserFromCache(
+        SutProvider<UserService> sutProvider)
+    {
+        sutProvider.GetDependency<IDistributedCache>()
+            .GetAsync(Arg.Any<string>())
+            .Returns([1]);
+
+        await sutProvider.Sut.ToggleNewDeviceVerificationException(Guid.NewGuid());
+
+        await sutProvider.GetDependency<IDistributedCache>()
+                .DidNotReceive()
+                .SetAsync(Arg.Any<string>(), Arg.Any<byte[]>(), Arg.Any<DistributedCacheEntryOptions>());
+        await sutProvider.GetDependency<IDistributedCache>()
+                .Received(1)
+                .RemoveAsync(Arg.Any<string>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task ToggleNewDeviceVerificationException_UserNotInCache_AddsUserToCache(
+        SutProvider<UserService> sutProvider)
+    {
+        sutProvider.GetDependency<IDistributedCache>()
+            .GetAsync(Arg.Any<string>())
+            .Returns(null as byte[]);
+
+        await sutProvider.Sut.ToggleNewDeviceVerificationException(Guid.NewGuid());
+
+        await sutProvider.GetDependency<IDistributedCache>()
+                .Received(1)
+                .SetAsync(Arg.Any<string>(), Arg.Any<byte[]>(), Arg.Any<DistributedCacheEntryOptions>());
+        await sutProvider.GetDependency<IDistributedCache>()
+                .DidNotReceive()
+                .RemoveAsync(Arg.Any<string>());
+    }
+
     private static void SetupUserAndDevice(User user,
         bool shouldHavePassword)
     {
@@ -670,7 +769,8 @@ public class UserServiceTests
             sutProvider.GetDependency<IFeatureService>(),
             sutProvider.GetDependency<IPremiumUserBillingService>(),
             sutProvider.GetDependency<IRemoveOrganizationUserCommand>(),
-            sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
+            sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>(),
+            sutProvider.GetDependency<IDistributedCache>()
             );
     }
 }

From 8a68f075ccf65345cbe679296cef5a55443bb9b7 Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann <mail@quexten.com>
Date: Fri, 10 Jan 2025 11:55:40 +0100
Subject: [PATCH 145/384] Remove block legacy users feature flag (#5212)

---
 src/Core/Constants.cs                                    | 1 -
 .../RequestValidators/BaseRequestValidator.cs            | 9 +++------
 .../IdentityServer/BaseRequestValidatorTests.cs          | 1 -
 3 files changed, 3 insertions(+), 8 deletions(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index defcc41e93..f06f63573d 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -115,7 +115,6 @@ public static class FeatureFlagKeys
     public const string PM4154BulkEncryptionService = "PM-4154-bulk-encryption-service";
     public const string VaultBulkManagementAction = "vault-bulk-management-action";
     public const string MemberAccessReport = "ac-2059-member-access-report";
-    public const string BlockLegacyUsers = "block-legacy-users";
     public const string InlineMenuFieldQualification = "inline-menu-field-qualification";
     public const string TwoFactorComponentRefactor = "two-factor-component-refactor";
     public const string InlineMenuPositioningImprovements = "inline-menu-positioning-improvements";
diff --git a/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs b/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs
index 78c00f86d5..ea207a7aaa 100644
--- a/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs
@@ -183,13 +183,10 @@ public abstract class BaseRequestValidator<T> where T : class
         }
 
         // 5. Force legacy users to the web for migration
-        if (FeatureService.IsEnabled(FeatureFlagKeys.BlockLegacyUsers))
+        if (UserService.IsLegacyUser(user) && request.ClientId != "web")
         {
-            if (UserService.IsLegacyUser(user) && request.ClientId != "web")
-            {
-                await FailAuthForLegacyUserAsync(user, context);
-                return;
-            }
+            await FailAuthForLegacyUserAsync(user, context);
+            return;
         }
 
         await BuildSuccessResultAsync(user, context, validatorContext.Device, returnRememberMeToken);
diff --git a/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs b/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs
index 02b6982419..916b52e1d0 100644
--- a/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs
+++ b/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs
@@ -369,7 +369,6 @@ public class BaseRequestValidatorTests
         context.CustomValidatorRequestContext.CaptchaResponse.IsBot = false;
         context.ValidatedTokenRequest.ClientId = "Not Web";
         _sut.isValid = true;
-        _featureService.IsEnabled(FeatureFlagKeys.BlockLegacyUsers).Returns(true);
         _twoFactorAuthenticationValidator
             .RequiresTwoFactorAsync(Arg.Any<User>(), Arg.Any<ValidatedTokenRequest>())
             .Returns(Task.FromResult(new Tuple<bool, Organization>(false, null)));

From fbfabf2651276242b35e06706657d19a5a0450bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Fri, 10 Jan 2025 14:45:09 +0000
Subject: [PATCH 146/384] [PM-15547] Fix two-factor authentication revocation
 logic and update related tests (#5246)

* Fix two-factor authentication revocation logic and update related tests

* Refine test for RevokeNonCompliantOrganizationUserCommand to assert single user revocation
---
 .../Services/Implementations/UserService.cs   |  5 +-
 ...onCompliantOrganizationUserCommandTests.cs |  2 +-
 test/Core.Test/Services/UserServiceTests.cs   | 71 ++++++++++++++++---
 3 files changed, 63 insertions(+), 15 deletions(-)

diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index 4944dfe9e7..78da7b42e3 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -1372,17 +1372,16 @@ public class UserService : UserManager<User>, IUserService, IDisposable
     private async Task CheckPoliciesOnTwoFactorRemovalAsync(User user)
     {
         var twoFactorPolicies = await _policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.TwoFactorAuthentication);
-        var organizationsManagingUser = await GetOrganizationsManagingUserAsync(user.Id);
 
         var removeOrgUserTasks = twoFactorPolicies.Select(async p =>
         {
             var organization = await _organizationRepository.GetByIdAsync(p.OrganizationId);
-            if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning) && organizationsManagingUser.Any(o => o.Id == p.OrganizationId))
+            if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning))
             {
                 await _revokeNonCompliantOrganizationUserCommand.RevokeNonCompliantOrganizationUsersAsync(
                     new RevokeOrganizationUsersRequest(
                         p.OrganizationId,
-                        [new OrganizationUserUserDetails { UserId = user.Id, OrganizationId = p.OrganizationId }],
+                        [new OrganizationUserUserDetails { Id = p.OrganizationUserId, OrganizationId = p.OrganizationId }],
                         new SystemUser(EventSystemUser.TwoFactorDisabled)));
                 await _mailService.SendOrganizationUserRevokedForTwoFactoryPolicyEmailAsync(organization.DisplayName(), user.Email);
             }
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeNonCompliantOrganizationUserCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeNonCompliantOrganizationUserCommandTests.cs
index 3653cd27d7..0ccad9e5c7 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeNonCompliantOrganizationUserCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeNonCompliantOrganizationUserCommandTests.cs
@@ -162,7 +162,7 @@ public class RevokeNonCompliantOrganizationUserCommandTests
 
         await sutProvider.GetDependency<IOrganizationUserRepository>()
             .Received(1)
-            .RevokeManyByIdAsync(Arg.Any<IEnumerable<Guid>>());
+            .RevokeManyByIdAsync(Arg.Is<IEnumerable<Guid>>(x => x.Count() == 1 && x.Contains(userToRevoke.Id)));
 
         Assert.True(result.Success);
 
diff --git a/test/Core.Test/Services/UserServiceTests.cs b/test/Core.Test/Services/UserServiceTests.cs
index a07cc1907f..d8a0ade1fa 100644
--- a/test/Core.Test/Services/UserServiceTests.cs
+++ b/test/Core.Test/Services/UserServiceTests.cs
@@ -454,8 +454,10 @@ public class UserServiceTests
     }
 
     [Theory, BitAutoData]
-    public async Task DisableTwoFactorProviderAsync_WithAccountDeprovisioningEnabled_WhenOrganizationHas2FAPolicyEnabled_WhenUserIsManaged_DisablingAllProviders_RemovesOrRevokesUserAndSendsEmail(
-        SutProvider<UserService> sutProvider, User user, Organization organization1, Organization organization2)
+    public async Task DisableTwoFactorProviderAsync_WithAccountDeprovisioningEnabled_WhenOrganizationHas2FAPolicyEnabled_DisablingAllProviders_RevokesUserAndSendsEmail(
+        SutProvider<UserService> sutProvider, User user,
+        Organization organization1, Guid organizationUserId1,
+        Organization organization2, Guid organizationUserId2)
     {
         // Arrange
         user.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
@@ -464,6 +466,7 @@ public class UserServiceTests
         });
         organization1.Enabled = organization2.Enabled = true;
         organization1.UseSso = organization2.UseSso = true;
+
         sutProvider.GetDependency<IFeatureService>()
             .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
             .Returns(true);
@@ -474,12 +477,14 @@ public class UserServiceTests
                 new OrganizationUserPolicyDetails
                 {
                     OrganizationId = organization1.Id,
+                    OrganizationUserId = organizationUserId1,
                     PolicyType = PolicyType.TwoFactorAuthentication,
                     PolicyEnabled = true
                 },
                 new OrganizationUserPolicyDetails
                 {
                     OrganizationId = organization2.Id,
+                    OrganizationUserId = organizationUserId2,
                     PolicyType = PolicyType.TwoFactorAuthentication,
                     PolicyEnabled = true
                 }
@@ -490,9 +495,6 @@ public class UserServiceTests
         sutProvider.GetDependency<IOrganizationRepository>()
             .GetByIdAsync(organization2.Id)
             .Returns(organization2);
-        sutProvider.GetDependency<IOrganizationRepository>()
-            .GetByVerifiedUserEmailDomainAsync(user.Id)
-            .Returns(new[] { organization1 });
         var expectedSavedProviders = JsonHelpers.LegacySerialize(new Dictionary<TwoFactorProviderType, TwoFactorProvider>(), JsonHelpers.LegacyEnumKeyResolver);
 
         // Act
@@ -506,24 +508,71 @@ public class UserServiceTests
             .Received(1)
             .LogUserEventAsync(user.Id, EventType.User_Disabled2fa);
 
-        // Revoke the user from the first organization because they are managed by it
+        // Revoke the user from the first organization
         await sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
             .Received(1)
             .RevokeNonCompliantOrganizationUsersAsync(
                 Arg.Is<RevokeOrganizationUsersRequest>(r => r.OrganizationId == organization1.Id &&
-                    r.OrganizationUsers.First().UserId == user.Id &&
+                    r.OrganizationUsers.First().Id == organizationUserId1 &&
                     r.OrganizationUsers.First().OrganizationId == organization1.Id));
         await sutProvider.GetDependency<IMailService>()
             .Received(1)
             .SendOrganizationUserRevokedForTwoFactoryPolicyEmailAsync(organization1.DisplayName(), user.Email);
 
-        // Remove the user from the second organization because they are not managed by it
-        await sutProvider.GetDependency<IRemoveOrganizationUserCommand>()
+        // Remove the user from the second organization
+        await sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
             .Received(1)
-            .RemoveUserAsync(organization2.Id, user.Id);
+            .RevokeNonCompliantOrganizationUsersAsync(
+                Arg.Is<RevokeOrganizationUsersRequest>(r => r.OrganizationId == organization2.Id &&
+                    r.OrganizationUsers.First().Id == organizationUserId2 &&
+                    r.OrganizationUsers.First().OrganizationId == organization2.Id));
         await sutProvider.GetDependency<IMailService>()
             .Received(1)
-            .SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(organization2.DisplayName(), user.Email);
+            .SendOrganizationUserRevokedForTwoFactoryPolicyEmailAsync(organization2.DisplayName(), user.Email);
+    }
+
+    [Theory, BitAutoData]
+    public async Task DisableTwoFactorProviderAsync_WithAccountDeprovisioningEnabled_UserHasOneProviderEnabled_DoesNotRemoveUserFromOrganization(
+        SutProvider<UserService> sutProvider, User user, Organization organization)
+    {
+        // Arrange
+        user.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
+        {
+            [TwoFactorProviderType.Email] = new() { Enabled = true },
+            [TwoFactorProviderType.Remember] = new() { Enabled = true }
+        });
+        sutProvider.GetDependency<IPolicyService>()
+            .GetPoliciesApplicableToUserAsync(user.Id, PolicyType.TwoFactorAuthentication)
+            .Returns(
+            [
+                new OrganizationUserPolicyDetails
+                {
+                    OrganizationId = organization.Id,
+                    PolicyType = PolicyType.TwoFactorAuthentication,
+                    PolicyEnabled = true
+                }
+            ]);
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+        var expectedSavedProviders = JsonHelpers.LegacySerialize(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
+        {
+            [TwoFactorProviderType.Remember] = new() { Enabled = true }
+        }, JsonHelpers.LegacyEnumKeyResolver);
+
+        // Act
+        await sutProvider.Sut.DisableTwoFactorProviderAsync(user, TwoFactorProviderType.Email);
+
+        // Assert
+        await sutProvider.GetDependency<IUserRepository>()
+            .Received(1)
+            .ReplaceAsync(Arg.Is<User>(u => u.Id == user.Id && u.TwoFactorProviders == expectedSavedProviders));
+        await sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
+            .DidNotReceiveWithAnyArgs()
+            .RevokeNonCompliantOrganizationUsersAsync(default);
+        await sutProvider.GetDependency<IMailService>()
+            .DidNotReceiveWithAnyArgs()
+            .SendOrganizationUserRevokedForTwoFactoryPolicyEmailAsync(default, default);
     }
 
     [Theory, BitAutoData]

From 45d2c5315d7b629268b01d03340bcf0cc7c7f86c Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Fri, 10 Jan 2025 16:39:02 +0100
Subject: [PATCH 147/384] [PM-14894] Drop Tax Rate tables - Stage 1 (#5236)

---
 src/Admin/Controllers/ToolsController.cs      | 163 --------
 src/Admin/Models/TaxRateAddEditModel.cs       |  10 -
 src/Admin/Models/TaxRatesModel.cs             |   8 -
 src/Admin/Views/Shared/_Layout.cshtml         |   9 +-
 src/Admin/Views/Tools/TaxRate.cshtml          | 127 -------
 src/Admin/Views/Tools/TaxRateAddEdit.cshtml   | 356 ------------------
 src/Api/Controllers/PlansController.cs        |  13 -
 .../Models/Response/TaxRateResponseModel.cs   |  28 --
 src/Billing/Services/IStripeFacade.cs         |   6 -
 .../Services/Implementations/StripeFacade.cs  |   8 -
 .../Business/SubscriptionCreateOptions.cs     |   5 -
 src/Core/Models/Business/TaxInfo.cs           |   1 -
 src/Core/Repositories/ITaxRateRepository.cs   |  13 -
 src/Core/Services/IPaymentService.cs          |   3 -
 src/Core/Services/IStripeAdapter.cs           |   3 -
 .../Services/Implementations/StripeAdapter.cs |  12 -
 .../Implementations/StripePaymentService.cs   |  48 ---
 .../DapperServiceCollectionExtensions.cs      |   1 -
 .../Repositories/TaxRateRepository.cs         |  70 ----
 ...ityFrameworkServiceCollectionExtensions.cs |   1 -
 .../Repositories/TaxRateRepository.cs         |  68 ----
 .../AutoFixture/TaxRateFixtures.cs            |  56 ---
 .../Repositories/TaxRateRepositoryTests.cs    |  39 --
 23 files changed, 1 insertion(+), 1047 deletions(-)
 delete mode 100644 src/Admin/Models/TaxRateAddEditModel.cs
 delete mode 100644 src/Admin/Models/TaxRatesModel.cs
 delete mode 100644 src/Admin/Views/Tools/TaxRate.cshtml
 delete mode 100644 src/Admin/Views/Tools/TaxRateAddEdit.cshtml
 delete mode 100644 src/Api/Models/Response/TaxRateResponseModel.cs
 delete mode 100644 src/Core/Repositories/ITaxRateRepository.cs
 delete mode 100644 src/Infrastructure.Dapper/Repositories/TaxRateRepository.cs
 delete mode 100644 src/Infrastructure.EntityFramework/Repositories/TaxRateRepository.cs
 delete mode 100644 test/Infrastructure.EFIntegration.Test/AutoFixture/TaxRateFixtures.cs
 delete mode 100644 test/Infrastructure.EFIntegration.Test/Repositories/TaxRateRepositoryTests.cs

diff --git a/src/Admin/Controllers/ToolsController.cs b/src/Admin/Controllers/ToolsController.cs
index 45319cf79c..a84fb681e2 100644
--- a/src/Admin/Controllers/ToolsController.cs
+++ b/src/Admin/Controllers/ToolsController.cs
@@ -16,7 +16,6 @@ using Bit.Core.Settings;
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
-using TaxRate = Bit.Core.Entities.TaxRate;
 
 namespace Bit.Admin.Controllers;
 
@@ -33,7 +32,6 @@ public class ToolsController : Controller
     private readonly IOrganizationUserRepository _organizationUserRepository;
     private readonly IProviderUserRepository _providerUserRepository;
     private readonly IPaymentService _paymentService;
-    private readonly ITaxRateRepository _taxRateRepository;
     private readonly IStripeAdapter _stripeAdapter;
     private readonly IWebHostEnvironment _environment;
 
@@ -46,7 +44,6 @@ public class ToolsController : Controller
         IInstallationRepository installationRepository,
         IOrganizationUserRepository organizationUserRepository,
         IProviderUserRepository providerUserRepository,
-        ITaxRateRepository taxRateRepository,
         IPaymentService paymentService,
         IStripeAdapter stripeAdapter,
         IWebHostEnvironment environment)
@@ -59,7 +56,6 @@ public class ToolsController : Controller
         _installationRepository = installationRepository;
         _organizationUserRepository = organizationUserRepository;
         _providerUserRepository = providerUserRepository;
-        _taxRateRepository = taxRateRepository;
         _paymentService = paymentService;
         _stripeAdapter = stripeAdapter;
         _environment = environment;
@@ -346,165 +342,6 @@ public class ToolsController : Controller
         }
     }
 
-    [RequirePermission(Permission.Tools_ManageTaxRates)]
-    public async Task<IActionResult> TaxRate(int page = 1, int count = 25)
-    {
-        if (page < 1)
-        {
-            page = 1;
-        }
-
-        if (count < 1)
-        {
-            count = 1;
-        }
-
-        var skip = (page - 1) * count;
-        var rates = await _taxRateRepository.SearchAsync(skip, count);
-        return View(new TaxRatesModel
-        {
-            Items = rates.ToList(),
-            Page = page,
-            Count = count
-        });
-    }
-
-    [RequirePermission(Permission.Tools_ManageTaxRates)]
-    public async Task<IActionResult> TaxRateAddEdit(string stripeTaxRateId = null)
-    {
-        if (string.IsNullOrWhiteSpace(stripeTaxRateId))
-        {
-            return View(new TaxRateAddEditModel());
-        }
-
-        var rate = await _taxRateRepository.GetByIdAsync(stripeTaxRateId);
-        var model = new TaxRateAddEditModel()
-        {
-            StripeTaxRateId = stripeTaxRateId,
-            Country = rate.Country,
-            State = rate.State,
-            PostalCode = rate.PostalCode,
-            Rate = rate.Rate
-        };
-
-        return View(model);
-    }
-
-    [ValidateAntiForgeryToken]
-    [RequirePermission(Permission.Tools_ManageTaxRates)]
-    public async Task<IActionResult> TaxRateUpload(IFormFile file)
-    {
-        if (file == null || file.Length == 0)
-        {
-            throw new ArgumentNullException(nameof(file));
-        }
-
-        // Build rates and validate them first before updating DB & Stripe
-        var taxRateUpdates = new List<TaxRate>();
-        var currentTaxRates = await _taxRateRepository.GetAllActiveAsync();
-        using var reader = new StreamReader(file.OpenReadStream());
-        while (!reader.EndOfStream)
-        {
-            var line = await reader.ReadLineAsync();
-            if (string.IsNullOrWhiteSpace(line))
-            {
-                continue;
-            }
-            var taxParts = line.Split(',');
-            if (taxParts.Length < 2)
-            {
-                throw new Exception($"This line is not in the format of <postal code>,<rate>,<state code>,<country code>: {line}");
-            }
-            var postalCode = taxParts[0].Trim();
-            if (string.IsNullOrWhiteSpace(postalCode))
-            {
-                throw new Exception($"'{line}' is not valid, the first element must contain a postal code.");
-            }
-            if (!decimal.TryParse(taxParts[1], out var rate) || rate <= 0M || rate > 100)
-            {
-                throw new Exception($"{taxParts[1]} is not a valid rate/decimal for {postalCode}");
-            }
-            var state = taxParts.Length > 2 ? taxParts[2] : null;
-            var country = (taxParts.Length > 3 ? taxParts[3] : null);
-            if (string.IsNullOrWhiteSpace(country))
-            {
-                country = "US";
-            }
-            var taxRate = currentTaxRates.FirstOrDefault(r => r.Country == country && r.PostalCode == postalCode) ??
-                new TaxRate
-                {
-                    Country = country,
-                    PostalCode = postalCode,
-                    Active = true,
-                };
-            taxRate.Rate = rate;
-            taxRate.State = state ?? taxRate.State;
-            taxRateUpdates.Add(taxRate);
-        }
-
-        foreach (var taxRate in taxRateUpdates)
-        {
-            if (!string.IsNullOrWhiteSpace(taxRate.Id))
-            {
-                await _paymentService.UpdateTaxRateAsync(taxRate);
-            }
-            else
-            {
-                await _paymentService.CreateTaxRateAsync(taxRate);
-            }
-        }
-
-        return RedirectToAction("TaxRate");
-    }
-
-    [HttpPost]
-    [ValidateAntiForgeryToken]
-    [RequirePermission(Permission.Tools_ManageTaxRates)]
-    public async Task<IActionResult> TaxRateAddEdit(TaxRateAddEditModel model)
-    {
-        var existingRateCheck = await _taxRateRepository.GetByLocationAsync(new TaxRate() { Country = model.Country, PostalCode = model.PostalCode });
-        if (existingRateCheck.Any())
-        {
-            ModelState.AddModelError(nameof(model.PostalCode), "A tax rate already exists for this Country/Postal Code combination.");
-        }
-
-        if (!ModelState.IsValid)
-        {
-            return View(model);
-        }
-
-        var taxRate = new TaxRate()
-        {
-            Id = model.StripeTaxRateId,
-            Country = model.Country,
-            State = model.State,
-            PostalCode = model.PostalCode,
-            Rate = model.Rate
-        };
-
-        if (!string.IsNullOrWhiteSpace(model.StripeTaxRateId))
-        {
-            await _paymentService.UpdateTaxRateAsync(taxRate);
-        }
-        else
-        {
-            await _paymentService.CreateTaxRateAsync(taxRate);
-        }
-
-        return RedirectToAction("TaxRate");
-    }
-
-    [RequirePermission(Permission.Tools_ManageTaxRates)]
-    public async Task<IActionResult> TaxRateArchive(string stripeTaxRateId)
-    {
-        if (!string.IsNullOrWhiteSpace(stripeTaxRateId))
-        {
-            await _paymentService.ArchiveTaxRateAsync(new TaxRate() { Id = stripeTaxRateId });
-        }
-
-        return RedirectToAction("TaxRate");
-    }
-
     [RequirePermission(Permission.Tools_ManageStripeSubscriptions)]
     public async Task<IActionResult> StripeSubscriptions(StripeSubscriptionListOptions options)
     {
diff --git a/src/Admin/Models/TaxRateAddEditModel.cs b/src/Admin/Models/TaxRateAddEditModel.cs
deleted file mode 100644
index bfa87d7cc8..0000000000
--- a/src/Admin/Models/TaxRateAddEditModel.cs
+++ /dev/null
@@ -1,10 +0,0 @@
-namespace Bit.Admin.Models;
-
-public class TaxRateAddEditModel
-{
-    public string StripeTaxRateId { get; set; }
-    public string Country { get; set; }
-    public string State { get; set; }
-    public string PostalCode { get; set; }
-    public decimal Rate { get; set; }
-}
diff --git a/src/Admin/Models/TaxRatesModel.cs b/src/Admin/Models/TaxRatesModel.cs
deleted file mode 100644
index 0af073f384..0000000000
--- a/src/Admin/Models/TaxRatesModel.cs
+++ /dev/null
@@ -1,8 +0,0 @@
-using Bit.Core.Entities;
-
-namespace Bit.Admin.Models;
-
-public class TaxRatesModel : PagedModel<TaxRate>
-{
-    public string Message { get; set; }
-}
diff --git a/src/Admin/Views/Shared/_Layout.cshtml b/src/Admin/Views/Shared/_Layout.cshtml
index 939eb86b86..361c1f9a57 100644
--- a/src/Admin/Views/Shared/_Layout.cshtml
+++ b/src/Admin/Views/Shared/_Layout.cshtml
@@ -16,13 +16,12 @@
     var canPromoteProviderServiceUser = FeatureService.IsEnabled(FeatureFlagKeys.PromoteProviderServiceUserTool) &&
                                         AccessControlService.UserHasPermission(Permission.Tools_PromoteProviderServiceUser);
     var canGenerateLicense = AccessControlService.UserHasPermission(Permission.Tools_GenerateLicenseFile);
-    var canManageTaxRates = AccessControlService.UserHasPermission(Permission.Tools_ManageTaxRates);
     var canManageStripeSubscriptions = AccessControlService.UserHasPermission(Permission.Tools_ManageStripeSubscriptions);
     var canProcessStripeEvents = AccessControlService.UserHasPermission(Permission.Tools_ProcessStripeEvents);
     var canMigrateProviders = AccessControlService.UserHasPermission(Permission.Tools_MigrateProviders);
 
     var canViewTools = canChargeBraintree || canCreateTransaction || canPromoteAdmin || canPromoteProviderServiceUser ||
-                        canGenerateLicense || canManageTaxRates || canManageStripeSubscriptions;
+                        canGenerateLicense || canManageStripeSubscriptions;
 }
 
 <!DOCTYPE html>
@@ -107,12 +106,6 @@
                                                 Generate License
                                             </a>
                                         }
-                                        @if (canManageTaxRates)
-                                        {
-                                            <a class="dropdown-item" asp-controller="Tools" asp-action="TaxRate">
-                                                Manage Tax Rates
-                                            </a>
-                                        }
                                         @if (canManageStripeSubscriptions)
                                         {
                                             <a class="dropdown-item" asp-controller="Tools" asp-action="StripeSubscriptions">
diff --git a/src/Admin/Views/Tools/TaxRate.cshtml b/src/Admin/Views/Tools/TaxRate.cshtml
deleted file mode 100644
index 902390190c..0000000000
--- a/src/Admin/Views/Tools/TaxRate.cshtml
+++ /dev/null
@@ -1,127 +0,0 @@
-@model TaxRatesModel
-@{
-    ViewData["Title"] = "Tax Rates";
-}
-
-<h1>Manage Tax Rates</h1>
-
-<h2>Bulk Upload Tax Rates</h2>
-<section>
-    <p>
-        Upload a CSV file containing multiple tax rates in bulk in order to update existing rates by country
-        and postal code OR to create new rates where a currently active rate is not found already.
-    </p>
-    <p>CSV Upload Format</p>
-    <ul>
-        <li><b>Postal Code</b> (required) - The postal code for the tax rate.</li>
-        <li><b>Rate</b> (required) - The effective tax rate for this postal code.</li>
-        <li><b>State</b> (<i>optional</i>) - The ISO-2 character code for the state. Optional but recommended.</li>
-        <li><b>Country</b> (<i>optional</i>) - The ISO-2 character country code, defaults to "US" if not provided.</li>
-    </ul>
-    <p>Example (white-space is ignored):</p>
-    <div class="card mb-2">
-        <div class="card-body">
-            <pre class="mb-0">87654,8.25,FL,US
-22334,8.5,CA
-11223,7</pre>
-        </div>
-    </div>
-    <form method="post" enctype="multipart/form-data" asp-action="TaxRateUpload">
-        <div class="mb-3">
-            <input type="file" class="form-control" name="file" />
-        </div>
-        <div class="mb-3">
-            <input type="submit" value="Upload" class="btn btn-primary" />
-        </div>
-    </form>
-</section>
-
-<hr class="my-4">
-<h2>View &amp; Manage Tax Rates</h2>
-<a class="btn btn-primary mb-3" asp-controller="Tools" asp-action="TaxRateAddEdit">Add a Rate</a>
-<div class="table-responsive">
-    <table class="table table-striped table-hover align-middle">
-        <thead>
-            <tr>
-                <th style="width: 190px;">Id</th>
-                <th style="width: 80px;">Country</th>
-                <th style="width: 80px;">State</th>
-                <th style="width: 150px;">Postal Code</th>
-                <th style="width: 160px;">Tax Rate</th>
-                <th style="width: 80px;"></th>
-            </tr>
-        </thead>
-        <tbody>
-            @if(!Model.Items.Any())
-            {
-                <tr>
-                    <td colspan="6">No results to list.</td>
-                </tr>
-            }
-            else
-            {
-                @foreach(var rate in Model.Items)
-                {
-                    <tr>
-                        <td>
-                            @{
-                                var taxRateToEdit = new Dictionary<string, string>
-                                {
-                                    { "id", rate.Id },
-                                    { "stripeTaxRateId", rate.Id }
-                                };
-                            }
-                            <a asp-controller="Tools" asp-action="TaxRateAddEdit" asp-all-route-data="taxRateToEdit">@rate.Id</a>
-                        </td>
-                        <td>
-                            @rate.Country
-                        </td>
-                        <td>
-                            @rate.State
-                        </td>
-                        <td>
-                            @rate.PostalCode
-                        </td>
-                        <td>
-                            @rate.Rate%
-                        </td>
-                        <td>
-                            <a class="delete-button" data-id="@rate.Id" asp-controller="Tools" asp-action="TaxRateArchive" asp-route-stripeTaxRateId="@rate.Id">
-                                <i class="fa fa-trash fa-lg fa-fw"></i>
-                            </a>
-                        </td>
-                    </tr>
-                }
-            }
-        </tbody>
-    </table>
-</div>
-
-<nav aria-label="Tax rates pagination">
-    <ul class="pagination">
-        @if(Model.PreviousPage.HasValue)
-        {
-            <li class="page-item">
-                <a class="page-link" asp-controller="Tools" asp-action="TaxRate" asp-route-page="@Model.PreviousPage.Value" asp-route-count="@Model.Count">Previous</a>
-            </li>
-        }
-        else
-        {
-            <li class="page-item disabled">
-                <a class="page-link" href="#" tabindex="-1">Previous</a>
-            </li>
-        }
-        @if(Model.NextPage.HasValue)
-        {
-            <li class="page-item">
-                <a class="page-link" asp-controller="Tools" asp-action="TaxRate" asp-route-page="@Model.NextPage.Value" asp-route-count="@Model.Count">Next</a>
-            </li>
-        }
-        else
-        {
-            <li class="page-item disabled">
-                <a class="page-link" href="#" tabindex="-1">Next</a>
-            </li>
-        }
-    </ul>
-</nav>
diff --git a/src/Admin/Views/Tools/TaxRateAddEdit.cshtml b/src/Admin/Views/Tools/TaxRateAddEdit.cshtml
deleted file mode 100644
index ea6bd15561..0000000000
--- a/src/Admin/Views/Tools/TaxRateAddEdit.cshtml
+++ /dev/null
@@ -1,356 +0,0 @@
-@model TaxRateAddEditModel
-@{
-    ViewData["Title"] = "Add/Edit Tax Rate";
-}
-
-
-<h1>@(string.IsNullOrWhiteSpace(Model.StripeTaxRateId) ? "Create" : "Edit") Tax Rate</h1>
-
-@if (!string.IsNullOrWhiteSpace(Model.StripeTaxRateId))
-{
-    <p>Note: Updating a Tax Rate archives the currently selected rate and creates a new rate with a new ID. The previous data still exists in a disabled state.</p>
-}
-
-<form method="post">
-    <div asp-validation-summary="All" class="alert alert-danger"></div>
-    <input type="hidden" asp-for="StripeTaxRateId">
-    <div class="row">
-        <div class="col-md">
-            <div class="form-group">
-                <label asp-for="Country"></label>
-                <select asp-for="Country" class="form-control" required>
-                    <option value="">-- Select --</option>
-                    <option value="US">United States</option>
-                    <option value="CN">China</option>
-                    <option value="FR">France</option>
-                    <option value="DE">Germany</option>
-                    <option value="CA">Canada</option>
-                    <option value="GB">United Kingdom</option>
-                    <option value="AU">Australia</option>
-                    <option value="IN">India</option>
-                    <option value="-" disabled></option>
-                    <option value="AF">Afghanistan</option>
-                    <option value="AX">Åland Islands</option>
-                    <option value="AL">Albania</option>
-                    <option value="DZ">Algeria</option>
-                    <option value="AS">American Samoa</option>
-                    <option value="AD">Andorra</option>
-                    <option value="AO">Angola</option>
-                    <option value="AI">Anguilla</option>
-                    <option value="AQ">Antarctica</option>
-                    <option value="AG">Antigua and Barbuda</option>
-                    <option value="AR">Argentina</option>
-                    <option value="AM">Armenia</option>
-                    <option value="AW">Aruba</option>
-                    <option value="AT">Austria</option>
-                    <option value="AZ">Azerbaijan</option>
-                    <option value="BS">Bahamas</option>
-                    <option value="BH">Bahrain</option>
-                    <option value="BD">Bangladesh</option>
-                    <option value="BB">Barbados</option>
-                    <option value="BY">Belarus</option>
-                    <option value="BE">Belgium</option>
-                    <option value="BZ">Belize</option>
-                    <option value="BJ">Benin</option>
-                    <option value="BM">Bermuda</option>
-                    <option value="BT">Bhutan</option>
-                    <option value="BO">Bolivia, Plurinational State of</option>
-                    <option value="BQ">Bonaire, Sint Eustatius and Saba</option>
-                    <option value="BA">Bosnia and Herzegovina</option>
-                    <option value="BW">Botswana</option>
-                    <option value="BV">Bouvet Island</option>
-                    <option value="BR">Brazil</option>
-                    <option value="IO">British Indian Ocean Territory</option>
-                    <option value="BN">Brunei Darussalam</option>
-                    <option value="BG">Bulgaria</option>
-                    <option value="BF">Burkina Faso</option>
-                    <option value="BI">Burundi</option>
-                    <option value="KH">Cambodia</option>
-                    <option value="CM">Cameroon</option>
-                    <option value="CV">Cape Verde</option>
-                    <option value="KY">Cayman Islands</option>
-                    <option value="CF">Central African Republic</option>
-                    <option value="TD">Chad</option>
-                    <option value="CL">Chile</option>
-                    <option value="CX">Christmas Island</option>
-                    <option value="CC">Cocos (Keeling) Islands</option>
-                    <option value="CO">Colombia</option>
-                    <option value="KM">Comoros</option>
-                    <option value="CG">Congo</option>
-                    <option value="CD">Congo, the Democratic Republic of the</option>
-                    <option value="CK">Cook Islands</option>
-                    <option value="CR">Costa Rica</option>
-                    <option value="CI">Côte d'Ivoire</option>
-                    <option value="HR">Croatia</option>
-                    <option value="CU">Cuba</option>
-                    <option value="CW">Curaçao</option>
-                    <option value="CY">Cyprus</option>
-                    <option value="CZ">Czech Republic</option>
-                    <option value="DK">Denmark</option>
-                    <option value="DJ">Djibouti</option>
-                    <option value="DM">Dominica</option>
-                    <option value="DO">Dominican Republic</option>
-                    <option value="EC">Ecuador</option>
-                    <option value="EG">Egypt</option>
-                    <option value="SV">El Salvador</option>
-                    <option value="GQ">Equatorial Guinea</option>
-                    <option value="ER">Eritrea</option>
-                    <option value="EE">Estonia</option>
-                    <option value="ET">Ethiopia</option>
-                    <option value="FK">Falkland Islands (Malvinas)</option>
-                    <option value="FO">Faroe Islands</option>
-                    <option value="FJ">Fiji</option>
-                    <option value="FI">Finland</option>
-                    <option value="GF">French Guiana</option>
-                    <option value="PF">French Polynesia</option>
-                    <option value="TF">French Southern Territories</option>
-                    <option value="GA">Gabon</option>
-                    <option value="GM">Gambia</option>
-                    <option value="GE">Georgia</option>
-                    <option value="GH">Ghana</option>
-                    <option value="GI">Gibraltar</option>
-                    <option value="GR">Greece</option>
-                    <option value="GL">Greenland</option>
-                    <option value="GD">Grenada</option>
-                    <option value="GP">Guadeloupe</option>
-                    <option value="GU">Guam</option>
-                    <option value="GT">Guatemala</option>
-                    <option value="GG">Guernsey</option>
-                    <option value="GN">Guinea</option>
-                    <option value="GW">Guinea-Bissau</option>
-                    <option value="GY">Guyana</option>
-                    <option value="HT">Haiti</option>
-                    <option value="HM">Heard Island and McDonald Islands</option>
-                    <option value="VA">Holy See (Vatican City State)</option>
-                    <option value="HN">Honduras</option>
-                    <option value="HK">Hong Kong</option>
-                    <option value="HU">Hungary</option>
-                    <option value="IS">Iceland</option>
-                    <option value="ID">Indonesia</option>
-                    <option value="IR">Iran, Islamic Republic of</option>
-                    <option value="IQ">Iraq</option>
-                    <option value="IE">Ireland</option>
-                    <option value="IM">Isle of Man</option>
-                    <option value="IL">Israel</option>
-                    <option value="IT">Italy</option>
-                    <option value="JM">Jamaica</option>
-                    <option value="JP">Japan</option>
-                    <option value="JE">Jersey</option>
-                    <option value="JO">Jordan</option>
-                    <option value="KZ">Kazakhstan</option>
-                    <option value="KE">Kenya</option>
-                    <option value="KI">Kiribati</option>
-                    <option value="KP">Korea, Democratic People's Republic of</option>
-                    <option value="KR">Korea, Republic of</option>
-                    <option value="KW">Kuwait</option>
-                    <option value="KG">Kyrgyzstan</option>
-                    <option value="LA">Lao People's Democratic Republic</option>
-                    <option value="LV">Latvia</option>
-                    <option value="LB">Lebanon</option>
-                    <option value="LS">Lesotho</option>
-                    <option value="LR">Liberia</option>
-                    <option value="LY">Libya</option>
-                    <option value="LI">Liechtenstein</option>
-                    <option value="LT">Lithuania</option>
-                    <option value="LU">Luxembourg</option>
-                    <option value="MO">Macao</option>
-                    <option value="MK">Macedonia, the former Yugoslav Republic of</option>
-                    <option value="MG">Madagascar</option>
-                    <option value="MW">Malawi</option>
-                    <option value="MY">Malaysia</option>
-                    <option value="MV">Maldives</option>
-                    <option value="ML">Mali</option>
-                    <option value="MT">Malta</option>
-                    <option value="MH">Marshall Islands</option>
-                    <option value="MQ">Martinique</option>
-                    <option value="MR">Mauritania</option>
-                    <option value="MU">Mauritius</option>
-                    <option value="YT">Mayotte</option>
-                    <option value="MX">Mexico</option>
-                    <option value="FM">Micronesia, Federated States of</option>
-                    <option value="MD">Moldova, Republic of</option>
-                    <option value="MC">Monaco</option>
-                    <option value="MN">Mongolia</option>
-                    <option value="ME">Montenegro</option>
-                    <option value="MS">Montserrat</option>
-                    <option value="MA">Morocco</option>
-                    <option value="MZ">Mozambique</option>
-                    <option value="MM">Myanmar</option>
-                    <option value="NA">Namibia</option>
-                    <option value="NR">Nauru</option>
-                    <option value="NP">Nepal</option>
-                    <option value="NL">Netherlands</option>
-                    <option value="NC">New Caledonia</option>
-                    <option value="NZ">New Zealand</option>
-                    <option value="NI">Nicaragua</option>
-                    <option value="NE">Niger</option>
-                    <option value="NG">Nigeria</option>
-                    <option value="NU">Niue</option>
-                    <option value="NF">Norfolk Island</option>
-                    <option value="MP">Northern Mariana Islands</option>
-                    <option value="NO">Norway</option>
-                    <option value="OM">Oman</option>
-                    <option value="PK">Pakistan</option>
-                    <option value="PW">Palau</option>
-                    <option value="PS">Palestinian Territory, Occupied</option>
-                    <option value="PA">Panama</option>
-                    <option value="PG">Papua New Guinea</option>
-                    <option value="PY">Paraguay</option>
-                    <option value="PE">Peru</option>
-                    <option value="PH">Philippines</option>
-                    <option value="PN">Pitcairn</option>
-                    <option value="PL">Poland</option>
-                    <option value="PT">Portugal</option>
-                    <option value="PR">Puerto Rico</option>
-                    <option value="QA">Qatar</option>
-                    <option value="RE">Réunion</option>
-                    <option value="RO">Romania</option>
-                    <option value="RU">Russian Federation</option>
-                    <option value="RW">Rwanda</option>
-                    <option value="BL">Saint Barthélemy</option>
-                    <option value="SH">Saint Helena, Ascension and Tristan da Cunha</option>
-                    <option value="KN">Saint Kitts and Nevis</option>
-                    <option value="LC">Saint Lucia</option>
-                    <option value="MF">Saint Martin (French part)</option>
-                    <option value="PM">Saint Pierre and Miquelon</option>
-                    <option value="VC">Saint Vincent and the Grenadines</option>
-                    <option value="WS">Samoa</option>
-                    <option value="SM">San Marino</option>
-                    <option value="ST">Sao Tome and Principe</option>
-                    <option value="SA">Saudi Arabia</option>
-                    <option value="SN">Senegal</option>
-                    <option value="RS">Serbia</option>
-                    <option value="SC">Seychelles</option>
-                    <option value="SL">Sierra Leone</option>
-                    <option value="SG">Singapore</option>
-                    <option value="SX">Sint Maarten (Dutch part)</option>
-                    <option value="SK">Slovakia</option>
-                    <option value="SI">Slovenia</option>
-                    <option value="SB">Solomon Islands</option>
-                    <option value="SO">Somalia</option>
-                    <option value="ZA">South Africa</option>
-                    <option value="GS">South Georgia and the South Sandwich Islands</option>
-                    <option value="SS">South Sudan</option>
-                    <option value="ES">Spain</option>
-                    <option value="LK">Sri Lanka</option>
-                    <option value="SD">Sudan</option>
-                    <option value="SR">Suriname</option>
-                    <option value="SJ">Svalbard and Jan Mayen</option>
-                    <option value="SZ">Swaziland</option>
-                    <option value="SE">Sweden</option>
-                    <option value="CH">Switzerland</option>
-                    <option value="SY">Syrian Arab Republic</option>
-                    <option value="TW">Taiwan</option>
-                    <option value="TJ">Tajikistan</option>
-                    <option value="TZ">Tanzania, United Republic of</option>
-                    <option value="TH">Thailand</option>
-                    <option value="TL">Timor-Leste</option>
-                    <option value="TG">Togo</option>
-                    <option value="TK">Tokelau</option>
-                    <option value="TO">Tonga</option>
-                    <option value="TT">Trinidad and Tobago</option>
-                    <option value="TN">Tunisia</option>
-                    <option value="TR">Turkey</option>
-                    <option value="TM">Turkmenistan</option>
-                    <option value="TC">Turks and Caicos Islands</option>
-                    <option value="TV">Tuvalu</option>
-                    <option value="UG">Uganda</option>
-                    <option value="UA">Ukraine</option>
-                    <option value="AE">United Arab Emirates</option>
-                    <option value="UM">United States Minor Outlying Islands</option>
-                    <option value="UY">Uruguay</option>
-                    <option value="UZ">Uzbekistan</option>
-                    <option value="VU">Vanuatu</option>
-                    <option value="VE">Venezuela, Bolivarian Republic of</option>
-                    <option value="VN">Viet Nam</option>
-                    <option value="VG">Virgin Islands, British</option>
-                    <option value="VI">Virgin Islands, U.S.</option>
-                    <option value="WF">Wallis and Futuna</option>
-                    <option value="EH">Western Sahara</option>
-                    <option value="YE">Yemen</option>
-                    <option value="ZM">Zambia</option>
-                    <option value="ZW">Zimbabwe</option>
-                </select>
-            </div>
-        </div>
-        <div class="col-md">
-            <div class="form-group">
-                <label asp-for="State"></label>
-                <select asp-for="State" class="form-control">
-                    <option value="">-- Select --</option>
-                    <option value="AL">Alabama</option>
-                    <option value="AK">Alaska</option>
-                    <option value="AZ">Arizona</option>
-                    <option value="AR">Arkansas</option>
-                    <option value="CA">California</option>
-                    <option value="CO">Colorado</option>
-                    <option value="CT">Connecticut</option>
-                    <option value="DE">Delaware</option>
-                    <option value="DC">District Of Columbia</option>
-                    <option value="FL">Florida</option>
-                    <option value="GA">Georgia</option>
-                    <option value="HI">Hawaii</option>
-                    <option value="ID">Idaho</option>
-                    <option value="IL">Illinois</option>
-                    <option value="IN">Indiana</option>
-                    <option value="IA">Iowa</option>
-                    <option value="KS">Kansas</option>
-                    <option value="KY">Kentucky</option>
-                    <option value="LA">Louisiana</option>
-                    <option value="ME">Maine</option>
-                    <option value="MD">Maryland</option>
-                    <option value="MA">Massachusetts</option>
-                    <option value="MI">Michigan</option>
-                    <option value="MN">Minnesota</option>
-                    <option value="MS">Mississippi</option>
-                    <option value="MO">Missouri</option>
-                    <option value="MT">Montana</option>
-                    <option value="NE">Nebraska</option>
-                    <option value="NV">Nevada</option>
-                    <option value="NH">New Hampshire</option>
-                    <option value="NJ">New Jersey</option>
-                    <option value="NM">New Mexico</option>
-                    <option value="NY">New York</option>
-                    <option value="NC">North Carolina</option>
-                    <option value="ND">North Dakota</option>
-                    <option value="OH">Ohio</option>
-                    <option value="OK">Oklahoma</option>
-                    <option value="OR">Oregon</option>
-                    <option value="PA">Pennsylvania</option>
-                    <option value="RI">Rhode Island</option>
-                    <option value="SC">South Carolina</option>
-                    <option value="SD">South Dakota</option>
-                    <option value="TN">Tennessee</option>
-                    <option value="TX">Texas</option>
-                    <option value="UT">Utah</option>
-                    <option value="VT">Vermont</option>
-                    <option value="VA">Virginia</option>
-                    <option value="WA">Washington</option>
-                    <option value="WV">West Virginia</option>
-                    <option value="WI">Wisconsin</option>
-                    <option value="WY">Wyoming</option>
-                </select>				
-            </div>
-        </div>
-    </div>
-    <div class="row">
-        <div class="col-md">
-            <div class="form-group">
-                <label asp-for="PostalCode">Postal Code</label>
-                <input type="text" class="form-control" asp-for="PostalCode" required maxlength="10">
-            </div>
-        </div>
-        <div class="col-md">
-            <div class="form-group">
-                <label asp-for="Rate">Tax Rate</label>
-                <div class="input-group">
-                    <input type="text" class="form-control" asp-for="Rate" pattern="^\d{0,3}.\d{0,3}$" required>
-                    <div class="input-group-append">
-                        <span class="input-group-text">%</span>
-                    </div>
-                </div>
-            </div>
-        </div>
-    </div>
-    <button type="submit" class="btn btn-primary mb-2">@(string.IsNullOrWhiteSpace(Model.StripeTaxRateId) ? "Create" : "Save")</button>
-</form>
diff --git a/src/Api/Controllers/PlansController.cs b/src/Api/Controllers/PlansController.cs
index 80aca2d827..c2ee494322 100644
--- a/src/Api/Controllers/PlansController.cs
+++ b/src/Api/Controllers/PlansController.cs
@@ -1,5 +1,4 @@
 using Bit.Api.Models.Response;
-using Bit.Core.Repositories;
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
@@ -10,10 +9,6 @@ namespace Bit.Api.Controllers;
 [Authorize("Web")]
 public class PlansController : Controller
 {
-    private readonly ITaxRateRepository _taxRateRepository;
-
-    public PlansController(ITaxRateRepository taxRateRepository) => _taxRateRepository = taxRateRepository;
-
     [HttpGet("")]
     [AllowAnonymous]
     public ListResponseModel<PlanResponseModel> Get()
@@ -21,12 +16,4 @@ public class PlansController : Controller
         var responses = StaticStore.Plans.Select(plan => new PlanResponseModel(plan));
         return new ListResponseModel<PlanResponseModel>(responses);
     }
-
-    [HttpGet("sales-tax-rates")]
-    public async Task<ListResponseModel<TaxRateResponseModel>> GetTaxRates()
-    {
-        var data = await _taxRateRepository.GetAllActiveAsync();
-        var responses = data.Select(x => new TaxRateResponseModel(x));
-        return new ListResponseModel<TaxRateResponseModel>(responses);
-    }
 }
diff --git a/src/Api/Models/Response/TaxRateResponseModel.cs b/src/Api/Models/Response/TaxRateResponseModel.cs
deleted file mode 100644
index 2c3335314c..0000000000
--- a/src/Api/Models/Response/TaxRateResponseModel.cs
+++ /dev/null
@@ -1,28 +0,0 @@
-using Bit.Core.Entities;
-using Bit.Core.Models.Api;
-
-namespace Bit.Api.Models.Response;
-
-public class TaxRateResponseModel : ResponseModel
-{
-    public TaxRateResponseModel(TaxRate taxRate)
-        : base("profile")
-    {
-        if (taxRate == null)
-        {
-            throw new ArgumentNullException(nameof(taxRate));
-        }
-
-        Id = taxRate.Id;
-        Country = taxRate.Country;
-        State = taxRate.State;
-        PostalCode = taxRate.PostalCode;
-        Rate = taxRate.Rate;
-    }
-
-    public string Id { get; set; }
-    public string Country { get; set; }
-    public string State { get; set; }
-    public string PostalCode { get; set; }
-    public decimal Rate { get; set; }
-}
diff --git a/src/Billing/Services/IStripeFacade.cs b/src/Billing/Services/IStripeFacade.cs
index f793846a53..77ba9a1ad4 100644
--- a/src/Billing/Services/IStripeFacade.cs
+++ b/src/Billing/Services/IStripeFacade.cs
@@ -80,12 +80,6 @@ public interface IStripeFacade
         RequestOptions requestOptions = null,
         CancellationToken cancellationToken = default);
 
-    Task<TaxRate> GetTaxRate(
-        string taxRateId,
-        TaxRateGetOptions options = null,
-        RequestOptions requestOptions = null,
-        CancellationToken cancellationToken = default);
-
     Task<Discount> DeleteCustomerDiscount(
         string customerId,
         RequestOptions requestOptions = null,
diff --git a/src/Billing/Services/Implementations/StripeFacade.cs b/src/Billing/Services/Implementations/StripeFacade.cs
index 4204946781..91e0c1c33a 100644
--- a/src/Billing/Services/Implementations/StripeFacade.cs
+++ b/src/Billing/Services/Implementations/StripeFacade.cs
@@ -10,7 +10,6 @@ public class StripeFacade : IStripeFacade
     private readonly InvoiceService _invoiceService = new();
     private readonly PaymentMethodService _paymentMethodService = new();
     private readonly SubscriptionService _subscriptionService = new();
-    private readonly TaxRateService _taxRateService = new();
     private readonly DiscountService _discountService = new();
 
     public async Task<Charge> GetCharge(
@@ -99,13 +98,6 @@ public class StripeFacade : IStripeFacade
         CancellationToken cancellationToken = default) =>
         await _subscriptionService.CancelAsync(subscriptionId, options, requestOptions, cancellationToken);
 
-    public async Task<TaxRate> GetTaxRate(
-        string taxRateId,
-        TaxRateGetOptions options = null,
-        RequestOptions requestOptions = null,
-        CancellationToken cancellationToken = default) =>
-        await _taxRateService.GetAsync(taxRateId, options, requestOptions, cancellationToken);
-
     public async Task<Discount> DeleteCustomerDiscount(
         string customerId,
         RequestOptions requestOptions = null,
diff --git a/src/Core/Models/Business/SubscriptionCreateOptions.cs b/src/Core/Models/Business/SubscriptionCreateOptions.cs
index 64626780ef..2d42ee66f7 100644
--- a/src/Core/Models/Business/SubscriptionCreateOptions.cs
+++ b/src/Core/Models/Business/SubscriptionCreateOptions.cs
@@ -34,11 +34,6 @@ public class OrganizationSubscriptionOptionsBase : SubscriptionCreateOptions
         AddPremiumAccessAddon(plan, premiumAccessAddon);
         AddPasswordManagerSeat(plan, additionalSeats);
         AddAdditionalStorage(plan, additionalStorageGb);
-
-        if (!string.IsNullOrWhiteSpace(taxInfo?.StripeTaxRateId))
-        {
-            DefaultTaxRates = new List<string> { taxInfo.StripeTaxRateId };
-        }
     }
 
     private void AddSecretsManagerSeat(Plan plan, int additionalSmSeats)
diff --git a/src/Core/Models/Business/TaxInfo.cs b/src/Core/Models/Business/TaxInfo.cs
index b12c5229b3..82a6ddfc3e 100644
--- a/src/Core/Models/Business/TaxInfo.cs
+++ b/src/Core/Models/Business/TaxInfo.cs
@@ -5,7 +5,6 @@ public class TaxInfo
     public string TaxIdNumber { get; set; }
     public string TaxIdType { get; set; }
 
-    public string StripeTaxRateId { get; set; }
     public string BillingAddressLine1 { get; set; }
     public string BillingAddressLine2 { get; set; }
     public string BillingAddressCity { get; set; }
diff --git a/src/Core/Repositories/ITaxRateRepository.cs b/src/Core/Repositories/ITaxRateRepository.cs
deleted file mode 100644
index c4d9e41238..0000000000
--- a/src/Core/Repositories/ITaxRateRepository.cs
+++ /dev/null
@@ -1,13 +0,0 @@
-using Bit.Core.Entities;
-
-#nullable enable
-
-namespace Bit.Core.Repositories;
-
-public interface ITaxRateRepository : IRepository<TaxRate, string>
-{
-    Task<ICollection<TaxRate>> SearchAsync(int skip, int count);
-    Task<ICollection<TaxRate>> GetAllActiveAsync();
-    Task ArchiveAsync(TaxRate model);
-    Task<ICollection<TaxRate>> GetByLocationAsync(TaxRate taxRate);
-}
diff --git a/src/Core/Services/IPaymentService.cs b/src/Core/Services/IPaymentService.cs
index 7d0f9d3c63..5bd2bede33 100644
--- a/src/Core/Services/IPaymentService.cs
+++ b/src/Core/Services/IPaymentService.cs
@@ -54,9 +54,6 @@ public interface IPaymentService
     Task<SubscriptionInfo> GetSubscriptionAsync(ISubscriber subscriber);
     Task<TaxInfo> GetTaxInfoAsync(ISubscriber subscriber);
     Task SaveTaxInfoAsync(ISubscriber subscriber, TaxInfo taxInfo);
-    Task<TaxRate> CreateTaxRateAsync(TaxRate taxRate);
-    Task UpdateTaxRateAsync(TaxRate taxRate);
-    Task ArchiveTaxRateAsync(TaxRate taxRate);
     Task<string> AddSecretsManagerToSubscription(Organization org, Plan plan, int additionalSmSeats,
         int additionalServiceAccount);
     Task<bool> RisksSubscriptionFailure(Organization organization);
diff --git a/src/Core/Services/IStripeAdapter.cs b/src/Core/Services/IStripeAdapter.cs
index ef2e3ab766..cb95732a6e 100644
--- a/src/Core/Services/IStripeAdapter.cs
+++ b/src/Core/Services/IStripeAdapter.cs
@@ -43,9 +43,6 @@ public interface IStripeAdapter
     IAsyncEnumerable<Stripe.PaymentMethod> PaymentMethodListAutoPagingAsync(Stripe.PaymentMethodListOptions options);
     Task<Stripe.PaymentMethod> PaymentMethodAttachAsync(string id, Stripe.PaymentMethodAttachOptions options = null);
     Task<Stripe.PaymentMethod> PaymentMethodDetachAsync(string id, Stripe.PaymentMethodDetachOptions options = null);
-    Task<Stripe.Plan> PlanGetAsync(string id, Stripe.PlanGetOptions options = null);
-    Task<Stripe.TaxRate> TaxRateCreateAsync(Stripe.TaxRateCreateOptions options);
-    Task<Stripe.TaxRate> TaxRateUpdateAsync(string id, Stripe.TaxRateUpdateOptions options);
     Task<Stripe.TaxId> TaxIdCreateAsync(string id, Stripe.TaxIdCreateOptions options);
     Task<Stripe.TaxId> TaxIdDeleteAsync(string customerId, string taxIdId, Stripe.TaxIdDeleteOptions options = null);
     Task<Stripe.StripeList<Stripe.Charge>> ChargeListAsync(Stripe.ChargeListOptions options);
diff --git a/src/Core/Services/Implementations/StripeAdapter.cs b/src/Core/Services/Implementations/StripeAdapter.cs
index f4f8efe75f..f7f4fea066 100644
--- a/src/Core/Services/Implementations/StripeAdapter.cs
+++ b/src/Core/Services/Implementations/StripeAdapter.cs
@@ -9,7 +9,6 @@ public class StripeAdapter : IStripeAdapter
     private readonly Stripe.SubscriptionService _subscriptionService;
     private readonly Stripe.InvoiceService _invoiceService;
     private readonly Stripe.PaymentMethodService _paymentMethodService;
-    private readonly Stripe.TaxRateService _taxRateService;
     private readonly Stripe.TaxIdService _taxIdService;
     private readonly Stripe.ChargeService _chargeService;
     private readonly Stripe.RefundService _refundService;
@@ -27,7 +26,6 @@ public class StripeAdapter : IStripeAdapter
         _subscriptionService = new Stripe.SubscriptionService();
         _invoiceService = new Stripe.InvoiceService();
         _paymentMethodService = new Stripe.PaymentMethodService();
-        _taxRateService = new Stripe.TaxRateService();
         _taxIdService = new Stripe.TaxIdService();
         _chargeService = new Stripe.ChargeService();
         _refundService = new Stripe.RefundService();
@@ -196,16 +194,6 @@ public class StripeAdapter : IStripeAdapter
         return _planService.GetAsync(id, options);
     }
 
-    public Task<Stripe.TaxRate> TaxRateCreateAsync(Stripe.TaxRateCreateOptions options)
-    {
-        return _taxRateService.CreateAsync(options);
-    }
-
-    public Task<Stripe.TaxRate> TaxRateUpdateAsync(string id, Stripe.TaxRateUpdateOptions options)
-    {
-        return _taxRateService.UpdateAsync(id, options);
-    }
-
     public Task<Stripe.TaxId> TaxIdCreateAsync(string id, Stripe.TaxIdCreateOptions options)
     {
         return _taxIdService.CreateAsync(id, options);
diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
index ad8c7a599d..bf39085ea9 100644
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -19,7 +19,6 @@ using Microsoft.Extensions.Logging;
 using Stripe;
 using PaymentMethod = Stripe.PaymentMethod;
 using StaticStore = Bit.Core.Models.StaticStore;
-using TaxRate = Bit.Core.Entities.TaxRate;
 
 namespace Bit.Core.Services;
 
@@ -33,7 +32,6 @@ public class StripePaymentService : IPaymentService
     private readonly ITransactionRepository _transactionRepository;
     private readonly ILogger<StripePaymentService> _logger;
     private readonly Braintree.IBraintreeGateway _btGateway;
-    private readonly ITaxRateRepository _taxRateRepository;
     private readonly IStripeAdapter _stripeAdapter;
     private readonly IGlobalSettings _globalSettings;
     private readonly IFeatureService _featureService;
@@ -43,7 +41,6 @@ public class StripePaymentService : IPaymentService
     public StripePaymentService(
         ITransactionRepository transactionRepository,
         ILogger<StripePaymentService> logger,
-        ITaxRateRepository taxRateRepository,
         IStripeAdapter stripeAdapter,
         Braintree.IBraintreeGateway braintreeGateway,
         IGlobalSettings globalSettings,
@@ -53,7 +50,6 @@ public class StripePaymentService : IPaymentService
     {
         _transactionRepository = transactionRepository;
         _logger = logger;
-        _taxRateRepository = taxRateRepository;
         _stripeAdapter = stripeAdapter;
         _btGateway = braintreeGateway;
         _globalSettings = globalSettings;
@@ -1778,50 +1774,6 @@ public class StripePaymentService : IPaymentService
         }
     }
 
-    public async Task<TaxRate> CreateTaxRateAsync(TaxRate taxRate)
-    {
-        var stripeTaxRateOptions = new TaxRateCreateOptions()
-        {
-            DisplayName = $"{taxRate.Country} - {taxRate.PostalCode}",
-            Inclusive = false,
-            Percentage = taxRate.Rate,
-            Active = true
-        };
-        var stripeTaxRate = await _stripeAdapter.TaxRateCreateAsync(stripeTaxRateOptions);
-        taxRate.Id = stripeTaxRate.Id;
-        await _taxRateRepository.CreateAsync(taxRate);
-        return taxRate;
-    }
-
-    public async Task UpdateTaxRateAsync(TaxRate taxRate)
-    {
-        if (string.IsNullOrWhiteSpace(taxRate.Id))
-        {
-            return;
-        }
-
-        await ArchiveTaxRateAsync(taxRate);
-        await CreateTaxRateAsync(taxRate);
-    }
-
-    public async Task ArchiveTaxRateAsync(TaxRate taxRate)
-    {
-        if (string.IsNullOrWhiteSpace(taxRate.Id))
-        {
-            return;
-        }
-
-        var updatedStripeTaxRate = await _stripeAdapter.TaxRateUpdateAsync(
-                taxRate.Id,
-                new TaxRateUpdateOptions() { Active = false }
-        );
-        if (!updatedStripeTaxRate.Active)
-        {
-            taxRate.Active = false;
-            await _taxRateRepository.ArchiveAsync(taxRate);
-        }
-    }
-
     public async Task<string> AddSecretsManagerToSubscription(
         Organization org,
         StaticStore.Plan plan,
diff --git a/src/Infrastructure.Dapper/DapperServiceCollectionExtensions.cs b/src/Infrastructure.Dapper/DapperServiceCollectionExtensions.cs
index 93814a6d7f..26abf5632c 100644
--- a/src/Infrastructure.Dapper/DapperServiceCollectionExtensions.cs
+++ b/src/Infrastructure.Dapper/DapperServiceCollectionExtensions.cs
@@ -51,7 +51,6 @@ public static class DapperServiceCollectionExtensions
         services.AddSingleton<ISendRepository, SendRepository>();
         services.AddSingleton<ISsoConfigRepository, SsoConfigRepository>();
         services.AddSingleton<ISsoUserRepository, SsoUserRepository>();
-        services.AddSingleton<ITaxRateRepository, TaxRateRepository>();
         services.AddSingleton<ITransactionRepository, TransactionRepository>();
         services.AddSingleton<IUserRepository, UserRepository>();
         services.AddSingleton<IOrganizationDomainRepository, OrganizationDomainRepository>();
diff --git a/src/Infrastructure.Dapper/Repositories/TaxRateRepository.cs b/src/Infrastructure.Dapper/Repositories/TaxRateRepository.cs
deleted file mode 100644
index be60017262..0000000000
--- a/src/Infrastructure.Dapper/Repositories/TaxRateRepository.cs
+++ /dev/null
@@ -1,70 +0,0 @@
-using System.Data;
-using Bit.Core.Entities;
-using Bit.Core.Repositories;
-using Bit.Core.Settings;
-using Dapper;
-using Microsoft.Data.SqlClient;
-
-#nullable enable
-
-namespace Bit.Infrastructure.Dapper.Repositories;
-
-public class TaxRateRepository : Repository<TaxRate, string>, ITaxRateRepository
-{
-    public TaxRateRepository(GlobalSettings globalSettings)
-        : this(globalSettings.SqlServer.ConnectionString, globalSettings.SqlServer.ReadOnlyConnectionString)
-    { }
-
-    public TaxRateRepository(string connectionString, string readOnlyConnectionString)
-        : base(connectionString, readOnlyConnectionString)
-    { }
-
-    public async Task<ICollection<TaxRate>> SearchAsync(int skip, int count)
-    {
-        using (var connection = new SqlConnection(ConnectionString))
-        {
-            var results = await connection.QueryAsync<TaxRate>(
-                $"[{Schema}].[TaxRate_Search]",
-                new { Skip = skip, Count = count },
-                commandType: CommandType.StoredProcedure);
-
-            return results.ToList();
-        }
-    }
-
-    public async Task<ICollection<TaxRate>> GetAllActiveAsync()
-    {
-        using (var connection = new SqlConnection(ConnectionString))
-        {
-            var results = await connection.QueryAsync<TaxRate>(
-                $"[{Schema}].[TaxRate_ReadAllActive]",
-                commandType: CommandType.StoredProcedure);
-
-            return results.ToList();
-        }
-    }
-
-    public async Task ArchiveAsync(TaxRate model)
-    {
-        using (var connection = new SqlConnection(ConnectionString))
-        {
-            var results = await connection.ExecuteAsync(
-                $"[{Schema}].[TaxRate_Archive]",
-                new { Id = model.Id },
-                commandType: CommandType.StoredProcedure);
-        }
-    }
-
-    public async Task<ICollection<TaxRate>> GetByLocationAsync(TaxRate model)
-    {
-        using (var connection = new SqlConnection(ConnectionString))
-        {
-            var results = await connection.QueryAsync<TaxRate>(
-                $"[{Schema}].[TaxRate_ReadByLocation]",
-                new { Country = model.Country, PostalCode = model.PostalCode },
-                commandType: CommandType.StoredProcedure);
-
-            return results.ToList();
-        }
-    }
-}
diff --git a/src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs b/src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs
index f3b96c201b..3f805bbe2c 100644
--- a/src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs
+++ b/src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs
@@ -88,7 +88,6 @@ public static class EntityFrameworkServiceCollectionExtensions
         services.AddSingleton<ISendRepository, SendRepository>();
         services.AddSingleton<ISsoConfigRepository, SsoConfigRepository>();
         services.AddSingleton<ISsoUserRepository, SsoUserRepository>();
-        services.AddSingleton<ITaxRateRepository, TaxRateRepository>();
         services.AddSingleton<ITransactionRepository, TransactionRepository>();
         services.AddSingleton<IUserRepository, UserRepository>();
         services.AddSingleton<IOrganizationDomainRepository, OrganizationDomainRepository>();
diff --git a/src/Infrastructure.EntityFramework/Repositories/TaxRateRepository.cs b/src/Infrastructure.EntityFramework/Repositories/TaxRateRepository.cs
deleted file mode 100644
index 38fcaaa1aa..0000000000
--- a/src/Infrastructure.EntityFramework/Repositories/TaxRateRepository.cs
+++ /dev/null
@@ -1,68 +0,0 @@
-using AutoMapper;
-using Bit.Core.Repositories;
-using Bit.Infrastructure.EntityFramework.Models;
-using Microsoft.EntityFrameworkCore;
-using Microsoft.Extensions.DependencyInjection;
-
-#nullable enable
-
-namespace Bit.Infrastructure.EntityFramework.Repositories;
-
-public class TaxRateRepository : Repository<Core.Entities.TaxRate, TaxRate, string>, ITaxRateRepository
-{
-    public TaxRateRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper)
-        : base(serviceScopeFactory, mapper, (DatabaseContext context) => context.TaxRates)
-    { }
-
-    public async Task ArchiveAsync(Core.Entities.TaxRate model)
-    {
-        using (var scope = ServiceScopeFactory.CreateScope())
-        {
-            var dbContext = GetDatabaseContext(scope);
-            await dbContext.TaxRates
-                .Where(tr => tr.Id == model.Id)
-                .ExecuteUpdateAsync(property => property.SetProperty(tr => tr.Active, false));
-        }
-    }
-
-    public async Task<ICollection<Core.Entities.TaxRate>> GetAllActiveAsync()
-    {
-        using (var scope = ServiceScopeFactory.CreateScope())
-        {
-            var dbContext = GetDatabaseContext(scope);
-            var results = await dbContext.TaxRates
-                .Where(t => t.Active)
-                .ToListAsync();
-            return Mapper.Map<List<Core.Entities.TaxRate>>(results);
-        }
-    }
-
-    public async Task<ICollection<Core.Entities.TaxRate>> GetByLocationAsync(Core.Entities.TaxRate taxRate)
-    {
-        using (var scope = ServiceScopeFactory.CreateScope())
-        {
-            var dbContext = GetDatabaseContext(scope);
-            var results = await dbContext.TaxRates
-                .Where(t => t.Active &&
-                    t.Country == taxRate.Country &&
-                    t.PostalCode == taxRate.PostalCode)
-                .ToListAsync();
-            return Mapper.Map<List<Core.Entities.TaxRate>>(results);
-        }
-    }
-
-    public async Task<ICollection<Core.Entities.TaxRate>> SearchAsync(int skip, int count)
-    {
-        using (var scope = ServiceScopeFactory.CreateScope())
-        {
-            var dbContext = GetDatabaseContext(scope);
-            var results = await dbContext.TaxRates
-                .Skip(skip)
-                .Take(count)
-                .Where(t => t.Active)
-                .OrderBy(t => t.Country).ThenByDescending(t => t.PostalCode)
-                .ToListAsync();
-            return Mapper.Map<List<Core.Entities.TaxRate>>(results);
-        }
-    }
-}
diff --git a/test/Infrastructure.EFIntegration.Test/AutoFixture/TaxRateFixtures.cs b/test/Infrastructure.EFIntegration.Test/AutoFixture/TaxRateFixtures.cs
deleted file mode 100644
index c8cd8c692c..0000000000
--- a/test/Infrastructure.EFIntegration.Test/AutoFixture/TaxRateFixtures.cs
+++ /dev/null
@@ -1,56 +0,0 @@
-using AutoFixture;
-using AutoFixture.Kernel;
-using Bit.Core.Entities;
-using Bit.Infrastructure.EFIntegration.Test.AutoFixture.Relays;
-using Bit.Infrastructure.EntityFramework.Repositories;
-using Bit.Test.Common.AutoFixture;
-using Bit.Test.Common.AutoFixture.Attributes;
-
-namespace Bit.Infrastructure.EFIntegration.Test.AutoFixture;
-
-internal class TaxRateBuilder : ISpecimenBuilder
-{
-    public object Create(object request, ISpecimenContext context)
-    {
-        if (context == null)
-        {
-            throw new ArgumentNullException(nameof(context));
-        }
-
-        var type = request as Type;
-        if (type == null || type != typeof(TaxRate))
-        {
-            return new NoSpecimen();
-        }
-
-        var fixture = new Fixture();
-        fixture.Customizations.Insert(0, new MaxLengthStringRelay());
-        var obj = fixture.WithAutoNSubstitutions().Create<TaxRate>();
-        return obj;
-    }
-}
-
-internal class EfTaxRate : ICustomization
-{
-    public void Customize(IFixture fixture)
-    {
-        fixture.Customizations.Add(new IgnoreVirtualMembersCustomization());
-        fixture.Customizations.Add(new GlobalSettingsBuilder());
-        fixture.Customizations.Add(new TaxRateBuilder());
-        fixture.Customizations.Add(new EfRepositoryListBuilder<TaxRateRepository>());
-    }
-}
-
-internal class EfTaxRateAutoDataAttribute : CustomAutoDataAttribute
-{
-    public EfTaxRateAutoDataAttribute() : base(new SutProviderCustomization(), new EfTaxRate())
-    { }
-}
-
-internal class InlineEfTaxRateAutoDataAttribute : InlineCustomAutoDataAttribute
-{
-    public InlineEfTaxRateAutoDataAttribute(params object[] values) : base(new[] { typeof(SutProviderCustomization),
-        typeof(EfTaxRate) }, values)
-    { }
-}
-
diff --git a/test/Infrastructure.EFIntegration.Test/Repositories/TaxRateRepositoryTests.cs b/test/Infrastructure.EFIntegration.Test/Repositories/TaxRateRepositoryTests.cs
deleted file mode 100644
index e2c6d03b44..0000000000
--- a/test/Infrastructure.EFIntegration.Test/Repositories/TaxRateRepositoryTests.cs
+++ /dev/null
@@ -1,39 +0,0 @@
-using Bit.Core.Entities;
-using Bit.Core.Test.AutoFixture.Attributes;
-using Bit.Infrastructure.EFIntegration.Test.AutoFixture;
-using Bit.Infrastructure.EFIntegration.Test.Repositories.EqualityComparers;
-using Xunit;
-using EfRepo = Bit.Infrastructure.EntityFramework.Repositories;
-using SqlRepo = Bit.Infrastructure.Dapper.Repositories;
-
-namespace Bit.Infrastructure.EFIntegration.Test.Repositories;
-
-public class TaxRateRepositoryTests
-{
-    [CiSkippedTheory, EfTaxRateAutoData]
-    public async Task CreateAsync_Works_DataMatches(
-        TaxRate taxRate,
-        TaxRateCompare equalityComparer,
-        List<EfRepo.TaxRateRepository> suts,
-        SqlRepo.TaxRateRepository sqlTaxRateRepo
-        )
-    {
-        var savedTaxRates = new List<TaxRate>();
-        foreach (var sut in suts)
-        {
-            var i = suts.IndexOf(sut);
-            var postEfTaxRate = await sut.CreateAsync(taxRate);
-            sut.ClearChangeTracking();
-
-            var savedTaxRate = await sut.GetByIdAsync(postEfTaxRate.Id);
-            savedTaxRates.Add(savedTaxRate);
-        }
-
-        var sqlTaxRate = await sqlTaxRateRepo.CreateAsync(taxRate);
-        var savedSqlTaxRate = await sqlTaxRateRepo.GetByIdAsync(sqlTaxRate.Id);
-        savedTaxRates.Add(savedSqlTaxRate);
-
-        var distinctItems = savedTaxRates.Distinct(equalityComparer);
-        Assert.True(!distinctItems.Skip(1).Any());
-    }
-}

From 904692a9b61debbb3d6b9d1f7041aa00d550440e Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Fri, 10 Jan 2025 13:43:58 -0500
Subject: [PATCH 148/384] [pm-10860] Fix provider name encoding issue. (#5244)

Prevent double encoding, as Handlebars encode strings by default.
---
 src/Core/Services/Implementations/HandlebarsMailService.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs
index deae80c056..556483d8f4 100644
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@@ -863,7 +863,7 @@ public class HandlebarsMailService : IMailService
         var message = CreateDefaultMessage($"Join {providerName}", email);
         var model = new ProviderUserInvitedViewModel
         {
-            ProviderName = CoreHelpers.SanitizeForEmail(providerName),
+            ProviderName = CoreHelpers.SanitizeForEmail(providerName, false),
             Email = WebUtility.UrlEncode(providerUser.Email),
             ProviderId = providerUser.ProviderId.ToString(),
             ProviderUserId = providerUser.Id.ToString(),

From 730f83b4259d150665261ce9d810c891b94ad071 Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Fri, 10 Jan 2025 14:19:52 -0600
Subject: [PATCH 149/384] Fixing misspelling. made changes to domain claim
 email. (#5248)

---
 .../TwoFactorAuthenticationPolicyValidator.cs               | 2 +-
 .../AdminConsole/DomainClaimedByOrganization.html.hbs       | 6 +-----
 src/Core/Services/IMailService.cs                           | 2 +-
 src/Core/Services/Implementations/HandlebarsMailService.cs  | 4 ++--
 src/Core/Services/Implementations/UserService.cs            | 2 +-
 src/Core/Services/NoopImplementations/NoopMailService.cs    | 2 +-
 .../TwoFactorAuthenticationPolicyValidatorTests.cs          | 2 +-
 test/Core.Test/Services/UserServiceTests.cs                 | 6 +++---
 8 files changed, 11 insertions(+), 15 deletions(-)

diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs
index 6c217cecbe..04984b17be 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs
@@ -111,7 +111,7 @@ public class TwoFactorAuthenticationPolicyValidator : IPolicyValidator
         }
 
         await Task.WhenAll(currentActiveRevocableOrganizationUsers.Select(x =>
-            _mailService.SendOrganizationUserRevokedForTwoFactoryPolicyEmailAsync(organization.DisplayName(), x.Email)));
+            _mailService.SendOrganizationUserRevokedForTwoFactorPolicyEmailAsync(organization.DisplayName(), x.Email)));
     }
 
     private async Task RemoveNonCompliantUsersAsync(Guid organizationId)
diff --git a/src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.html.hbs b/src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.html.hbs
index ad2245e585..f10c47c78f 100644
--- a/src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.html.hbs
+++ b/src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.html.hbs
@@ -1,14 +1,10 @@
 {{#>TitleContactUsHtmlLayout}}
     <table width="100%" border="0" cellpadding="0" cellspacing="0" style="display: table; width:100%; padding: 30px; text-align: left;" align="center">
-        <tr>
-            <td display="display: table-cell">
-                As a member of {{OrganizationName}}, your Bitwarden account is claimed and owned by your organization.
-            </td>
-        </tr>
         <tr>
             <td style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 400; font-size: 16px; line-height: 24px; margin-top: 30px; margin-bottom: 25px; margin-left: 35px; margin-right: 35px;">
                 <b>Here's what that means:</b>
                 <ul>
+                    <li>Your Bitwarden account is owned by {{OrganizationName}}</li>
                     <li>Your administrators can delete your account at any time</li>
                     <li>You cannot leave the organization</li>
                 </ul>
diff --git a/src/Core/Services/IMailService.cs b/src/Core/Services/IMailService.cs
index 0f69d8daaf..09bae38a03 100644
--- a/src/Core/Services/IMailService.cs
+++ b/src/Core/Services/IMailService.cs
@@ -36,7 +36,7 @@ public interface IMailService
     Task SendOrganizationAcceptedEmailAsync(Organization organization, string userIdentifier, IEnumerable<string> adminEmails, bool hasAccessSecretsManager = false);
     Task SendOrganizationConfirmedEmailAsync(string organizationName, string email, bool hasAccessSecretsManager = false);
     Task SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(string organizationName, string email);
-    Task SendOrganizationUserRevokedForTwoFactoryPolicyEmailAsync(string organizationName, string email);
+    Task SendOrganizationUserRevokedForTwoFactorPolicyEmailAsync(string organizationName, string email);
     Task SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(string organizationName, string email);
     Task SendPasswordlessSignInAsync(string returnUrl, string token, string email);
     Task SendInvoiceUpcoming(
diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs
index 556483d8f4..c4ca48d3a3 100644
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@@ -295,7 +295,7 @@ public class HandlebarsMailService : IMailService
         await _mailDeliveryService.SendEmailAsync(message);
     }
 
-    public async Task SendOrganizationUserRevokedForTwoFactoryPolicyEmailAsync(string organizationName, string email)
+    public async Task SendOrganizationUserRevokedForTwoFactorPolicyEmailAsync(string organizationName, string email)
     {
         var message = CreateDefaultMessage($"You have been revoked from {organizationName}", email);
         var model = new OrganizationUserRevokedForPolicyTwoFactorViewModel
@@ -472,7 +472,7 @@ public class HandlebarsMailService : IMailService
                 "AdminConsole.DomainClaimedByOrganization",
                 new ClaimedDomainUserNotificationViewModel
                 {
-                    TitleFirst = $"Hey {emailAddress}, your account is owned by {org.DisplayName()}",
+                    TitleFirst = $"Your Bitwarden account is claimed by {org.DisplayName()}",
                     OrganizationName = CoreHelpers.SanitizeForEmail(org.DisplayName(), false)
                 });
     }
diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index 78da7b42e3..1dd8c3f8ca 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -1383,7 +1383,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
                         p.OrganizationId,
                         [new OrganizationUserUserDetails { Id = p.OrganizationUserId, OrganizationId = p.OrganizationId }],
                         new SystemUser(EventSystemUser.TwoFactorDisabled)));
-                await _mailService.SendOrganizationUserRevokedForTwoFactoryPolicyEmailAsync(organization.DisplayName(), user.Email);
+                await _mailService.SendOrganizationUserRevokedForTwoFactorPolicyEmailAsync(organization.DisplayName(), user.Email);
             }
             else
             {
diff --git a/src/Core/Services/NoopImplementations/NoopMailService.cs b/src/Core/Services/NoopImplementations/NoopMailService.cs
index 4ce188c86b..0e07436fd1 100644
--- a/src/Core/Services/NoopImplementations/NoopMailService.cs
+++ b/src/Core/Services/NoopImplementations/NoopMailService.cs
@@ -80,7 +80,7 @@ public class NoopMailService : IMailService
         return Task.FromResult(0);
     }
 
-    public Task SendOrganizationUserRevokedForTwoFactoryPolicyEmailAsync(string organizationName, string email) =>
+    public Task SendOrganizationUserRevokedForTwoFactorPolicyEmailAsync(string organizationName, string email) =>
         Task.CompletedTask;
 
     public Task SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(string organizationName, string email) =>
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidatorTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidatorTests.cs
index 8c350d4161..0edc2b5973 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidatorTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidatorTests.cs
@@ -351,7 +351,7 @@ public class TwoFactorAuthenticationPolicyValidatorTests
 
         await sutProvider.GetDependency<IMailService>()
             .Received(1)
-            .SendOrganizationUserRevokedForTwoFactoryPolicyEmailAsync(organization.DisplayName(),
+            .SendOrganizationUserRevokedForTwoFactorPolicyEmailAsync(organization.DisplayName(),
                 "user3@test.com");
     }
 }
diff --git a/test/Core.Test/Services/UserServiceTests.cs b/test/Core.Test/Services/UserServiceTests.cs
index d8a0ade1fa..9539767f6f 100644
--- a/test/Core.Test/Services/UserServiceTests.cs
+++ b/test/Core.Test/Services/UserServiceTests.cs
@@ -517,7 +517,7 @@ public class UserServiceTests
                     r.OrganizationUsers.First().OrganizationId == organization1.Id));
         await sutProvider.GetDependency<IMailService>()
             .Received(1)
-            .SendOrganizationUserRevokedForTwoFactoryPolicyEmailAsync(organization1.DisplayName(), user.Email);
+            .SendOrganizationUserRevokedForTwoFactorPolicyEmailAsync(organization1.DisplayName(), user.Email);
 
         // Remove the user from the second organization
         await sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
@@ -528,7 +528,7 @@ public class UserServiceTests
                     r.OrganizationUsers.First().OrganizationId == organization2.Id));
         await sutProvider.GetDependency<IMailService>()
             .Received(1)
-            .SendOrganizationUserRevokedForTwoFactoryPolicyEmailAsync(organization2.DisplayName(), user.Email);
+            .SendOrganizationUserRevokedForTwoFactorPolicyEmailAsync(organization2.DisplayName(), user.Email);
     }
 
     [Theory, BitAutoData]
@@ -572,7 +572,7 @@ public class UserServiceTests
             .RevokeNonCompliantOrganizationUsersAsync(default);
         await sutProvider.GetDependency<IMailService>()
             .DidNotReceiveWithAnyArgs()
-            .SendOrganizationUserRevokedForTwoFactoryPolicyEmailAsync(default, default);
+            .SendOrganizationUserRevokedForTwoFactorPolicyEmailAsync(default, default);
     }
 
     [Theory, BitAutoData]

From aa0b35a345618e10f41e41bcb431d16043179d80 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin <kspearrin@users.noreply.github.com>
Date: Fri, 10 Jan 2025 15:54:53 -0500
Subject: [PATCH 150/384] [PM-15608] Create more KDF defaults for prelogin
 (#5122)

* kdf defaults on null map to email hash

* cleanup code. add some randomness as well

* remove null check

* fix test

* move to private method

* remove random options

* tests for random defaults

* SetDefaultKdfHmacKey for old test
---
 src/Core/Settings/GlobalSettings.cs           |  1 +
 .../Controllers/AccountsController.cs         | 73 +++++++++++++++++--
 .../Controllers/AccountsControllerTests.cs    | 67 ++++++++++++++++-
 3 files changed, 132 insertions(+), 9 deletions(-)

diff --git a/src/Core/Settings/GlobalSettings.cs b/src/Core/Settings/GlobalSettings.cs
index 420151a34f..97d66aed53 100644
--- a/src/Core/Settings/GlobalSettings.cs
+++ b/src/Core/Settings/GlobalSettings.cs
@@ -82,6 +82,7 @@ public class GlobalSettings : IGlobalSettings
     public virtual ILaunchDarklySettings LaunchDarkly { get; set; } = new LaunchDarklySettings();
     public virtual string DevelopmentDirectory { get; set; }
     public virtual bool EnableEmailVerification { get; set; }
+    public virtual string KdfDefaultHashKey { get; set; }
     public virtual string PricingUri { get; set; }
 
     public string BuildExternalUri(string explicitValue, string name)
diff --git a/src/Identity/Controllers/AccountsController.cs b/src/Identity/Controllers/AccountsController.cs
index 40c926bda0..c1ecff9620 100644
--- a/src/Identity/Controllers/AccountsController.cs
+++ b/src/Identity/Controllers/AccountsController.cs
@@ -1,4 +1,5 @@
 using System.Diagnostics;
+using System.Text;
 using Bit.Core;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Api.Request.Accounts;
@@ -15,6 +16,7 @@ using Bit.Core.Exceptions;
 using Bit.Core.Models.Data;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
+using Bit.Core.Settings;
 using Bit.Core.Tokens;
 using Bit.Core.Tools.Enums;
 using Bit.Core.Tools.Models.Business;
@@ -44,6 +46,41 @@ public class AccountsController : Controller
     private readonly IFeatureService _featureService;
     private readonly IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable> _registrationEmailVerificationTokenDataFactory;
 
+    private readonly byte[] _defaultKdfHmacKey = null;
+    private static readonly List<UserKdfInformation> _defaultKdfResults =
+    [
+        // The first result (index 0) should always return the "normal" default.
+        new()
+        {
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = AuthConstants.PBKDF2_ITERATIONS.Default,
+        },
+        // We want more weight for this default, so add it again
+        new()
+        {
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = AuthConstants.PBKDF2_ITERATIONS.Default,
+        },
+        // Add some other possible defaults...
+        new()
+        {
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = 100_000,
+        },
+        new()
+        {
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = 5_000,
+        },
+        new()
+        {
+            Kdf = KdfType.Argon2id,
+            KdfIterations = AuthConstants.ARGON2_ITERATIONS.Default,
+            KdfMemory = AuthConstants.ARGON2_MEMORY.Default,
+            KdfParallelism = AuthConstants.ARGON2_PARALLELISM.Default,
+        }
+    ];
+
     public AccountsController(
         ICurrentContext currentContext,
         ILogger<AccountsController> logger,
@@ -55,7 +92,8 @@ public class AccountsController : Controller
         ISendVerificationEmailForRegistrationCommand sendVerificationEmailForRegistrationCommand,
         IReferenceEventService referenceEventService,
         IFeatureService featureService,
-        IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable> registrationEmailVerificationTokenDataFactory
+        IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable> registrationEmailVerificationTokenDataFactory,
+        GlobalSettings globalSettings
         )
     {
         _currentContext = currentContext;
@@ -69,6 +107,11 @@ public class AccountsController : Controller
         _referenceEventService = referenceEventService;
         _featureService = featureService;
         _registrationEmailVerificationTokenDataFactory = registrationEmailVerificationTokenDataFactory;
+
+        if (CoreHelpers.SettingHasValue(globalSettings.KdfDefaultHashKey))
+        {
+            _defaultKdfHmacKey = Encoding.UTF8.GetBytes(globalSettings.KdfDefaultHashKey);
+        }
     }
 
     [HttpPost("register")]
@@ -217,11 +260,7 @@ public class AccountsController : Controller
         var kdfInformation = await _userRepository.GetKdfInformationByEmailAsync(model.Email);
         if (kdfInformation == null)
         {
-            kdfInformation = new UserKdfInformation
-            {
-                Kdf = KdfType.PBKDF2_SHA256,
-                KdfIterations = AuthConstants.PBKDF2_ITERATIONS.Default,
-            };
+            kdfInformation = GetDefaultKdf(model.Email);
         }
         return new PreloginResponseModel(kdfInformation);
     }
@@ -240,4 +279,26 @@ public class AccountsController : Controller
             Token = token
         };
     }
+
+    private UserKdfInformation GetDefaultKdf(string email)
+    {
+        if (_defaultKdfHmacKey == null)
+        {
+            return _defaultKdfResults[0];
+        }
+        else
+        {
+            // Compute the HMAC hash of the email
+            var hmacMessage = Encoding.UTF8.GetBytes(email.Trim().ToLowerInvariant());
+            using var hmac = new System.Security.Cryptography.HMACSHA256(_defaultKdfHmacKey);
+            var hmacHash = hmac.ComputeHash(hmacMessage);
+            // Convert the hash to a number
+            var hashHex = BitConverter.ToString(hmacHash).Replace("-", string.Empty).ToLowerInvariant();
+            var hashFirst8Bytes = hashHex.Substring(0, 16);
+            var hashNumber = long.Parse(hashFirst8Bytes, System.Globalization.NumberStyles.HexNumber);
+            // Find the default KDF value for this hash number
+            var hashIndex = (int)(Math.Abs(hashNumber) % _defaultKdfResults.Count);
+            return _defaultKdfResults[hashIndex];
+        }
+    }
 }
diff --git a/test/Identity.Test/Controllers/AccountsControllerTests.cs b/test/Identity.Test/Controllers/AccountsControllerTests.cs
index 8acebbabe0..03db0a5904 100644
--- a/test/Identity.Test/Controllers/AccountsControllerTests.cs
+++ b/test/Identity.Test/Controllers/AccountsControllerTests.cs
@@ -1,4 +1,6 @@
-using Bit.Core;
+using System.Reflection;
+using System.Text;
+using Bit.Core;
 using Bit.Core.Auth.Models.Api.Request.Accounts;
 using Bit.Core.Auth.Models.Business.Tokenables;
 using Bit.Core.Auth.Services;
@@ -11,6 +13,7 @@ using Bit.Core.Exceptions;
 using Bit.Core.Models.Data;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
+using Bit.Core.Settings;
 using Bit.Core.Tokens;
 using Bit.Core.Tools.Enums;
 using Bit.Core.Tools.Models.Business;
@@ -42,6 +45,7 @@ public class AccountsControllerTests : IDisposable
     private readonly IReferenceEventService _referenceEventService;
     private readonly IFeatureService _featureService;
     private readonly IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable> _registrationEmailVerificationTokenDataFactory;
+    private readonly GlobalSettings _globalSettings;
 
 
     public AccountsControllerTests()
@@ -57,6 +61,7 @@ public class AccountsControllerTests : IDisposable
         _referenceEventService = Substitute.For<IReferenceEventService>();
         _featureService = Substitute.For<IFeatureService>();
         _registrationEmailVerificationTokenDataFactory = Substitute.For<IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable>>();
+        _globalSettings = Substitute.For<GlobalSettings>();
 
         _sut = new AccountsController(
             _currentContext,
@@ -69,7 +74,8 @@ public class AccountsControllerTests : IDisposable
             _sendVerificationEmailForRegistrationCommand,
             _referenceEventService,
             _featureService,
-            _registrationEmailVerificationTokenDataFactory
+            _registrationEmailVerificationTokenDataFactory,
+            _globalSettings
         );
     }
 
@@ -95,8 +101,9 @@ public class AccountsControllerTests : IDisposable
     }
 
     [Fact]
-    public async Task PostPrelogin_WhenUserDoesNotExist_ShouldDefaultToPBKDF()
+    public async Task PostPrelogin_WhenUserDoesNotExistAndNoDefaultKdfHmacKeySet_ShouldDefaultToPBKDF()
     {
+        SetDefaultKdfHmacKey(null);
         _userRepository.GetKdfInformationByEmailAsync(Arg.Any<string>()).Returns(Task.FromResult<UserKdfInformation?>(null));
 
         var response = await _sut.PostPrelogin(new PreloginRequestModel { Email = "user@example.com" });
@@ -105,6 +112,38 @@ public class AccountsControllerTests : IDisposable
         Assert.Equal(AuthConstants.PBKDF2_ITERATIONS.Default, response.KdfIterations);
     }
 
+    [Theory]
+    [BitAutoData]
+    public async Task PostPrelogin_WhenUserDoesNotExistAndDefaultKdfHmacKeyIsSet_ShouldComputeHmacAndReturnExpectedKdf(string email)
+    {
+        // Arrange:
+        var defaultKey = Encoding.UTF8.GetBytes("my-secret-key");
+        SetDefaultKdfHmacKey(defaultKey);
+
+        _userRepository.GetKdfInformationByEmailAsync(Arg.Any<string>()).Returns(Task.FromResult<UserKdfInformation?>(null));
+
+        var fieldInfo = typeof(AccountsController).GetField("_defaultKdfResults", BindingFlags.NonPublic | BindingFlags.Static);
+        if (fieldInfo == null)
+            throw new InvalidOperationException("Field '_defaultKdfResults' not found.");
+
+        var defaultKdfResults = (List<UserKdfInformation>)fieldInfo.GetValue(null)!;
+
+        var expectedIndex = GetExpectedKdfIndex(email, defaultKey, defaultKdfResults);
+        var expectedKdf = defaultKdfResults[expectedIndex];
+
+        // Act
+        var response = await _sut.PostPrelogin(new PreloginRequestModel { Email = email });
+
+        // Assert: Ensure the returned KDF matches the expected one from the computed hash
+        Assert.Equal(expectedKdf.Kdf, response.Kdf);
+        Assert.Equal(expectedKdf.KdfIterations, response.KdfIterations);
+        if (expectedKdf.Kdf == KdfType.Argon2id)
+        {
+            Assert.Equal(expectedKdf.KdfMemory, response.KdfMemory);
+            Assert.Equal(expectedKdf.KdfParallelism, response.KdfParallelism);
+        }
+    }
+
     [Fact]
     public async Task PostRegister_ShouldRegisterUser()
     {
@@ -484,6 +523,28 @@ public class AccountsControllerTests : IDisposable
         ));
     }
 
+    private void SetDefaultKdfHmacKey(byte[]? newKey)
+    {
+        var fieldInfo = typeof(AccountsController).GetField("_defaultKdfHmacKey", BindingFlags.NonPublic | BindingFlags.Instance);
+        if (fieldInfo == null)
+        {
+            throw new InvalidOperationException("Field '_defaultKdfHmacKey' not found.");
+        }
 
+        fieldInfo.SetValue(_sut, newKey);
+    }
 
+    private int GetExpectedKdfIndex(string email, byte[] defaultKey, List<UserKdfInformation> defaultKdfResults)
+    {
+        // Compute the HMAC hash of the email
+        var hmacMessage = Encoding.UTF8.GetBytes(email.Trim().ToLowerInvariant());
+        using var hmac = new System.Security.Cryptography.HMACSHA256(defaultKey);
+        var hmacHash = hmac.ComputeHash(hmacMessage);
+
+        // Convert the hash to a number and calculate the index
+        var hashHex = BitConverter.ToString(hmacHash).Replace("-", string.Empty).ToLowerInvariant();
+        var hashFirst8Bytes = hashHex.Substring(0, 16);
+        var hashNumber = long.Parse(hashFirst8Bytes, System.Globalization.NumberStyles.HexNumber);
+        return (int)(Math.Abs(hashNumber) % defaultKdfResults.Count);
+    }
 }

From 72bb06a9d766a758c530cbd276cc96c71d759b23 Mon Sep 17 00:00:00 2001
From: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
Date: Fri, 10 Jan 2025 21:55:34 -0500
Subject: [PATCH 151/384] Auth/PM-16947 - Device Management - Adjust Device +
 pending auth request get query (#5250)

* Added userId check on query

* Added required field to inner select

* PM-16947 - Update to filter inner subquery on user id per discussion with Robert

* Updated to use new query with ROW_NUMBER

* More query optimizations to eliminate returning old requests for a device

* Fixed approval condition to be NULL as 0 means denied.

* Added negation of @ExpirationMinutes

---------

Co-authored-by: Todd Martin <tmartin@bitwarden.com>
---
 ...dActiveWithPendingAuthRequestsByUserId.sql | 25 +++++++++-------
 ...dActiveWithPendingAuthRequestsByUserId.sql | 29 +++++++++++++++++++
 2 files changed, 43 insertions(+), 11 deletions(-)
 create mode 100644 util/Migrator/DbScripts/2025-01-10_00_ReadActiveWithPendingAuthRequestsByUserId.sql

diff --git a/src/Sql/Auth/dbo/Stored Procedures/Device_ReadActiveWithPendingAuthRequestsByUserId.sql b/src/Sql/Auth/dbo/Stored Procedures/Device_ReadActiveWithPendingAuthRequestsByUserId.sql
index 015d0f7c1f..f40e9149c0 100644
--- a/src/Sql/Auth/dbo/Stored Procedures/Device_ReadActiveWithPendingAuthRequestsByUserId.sql	
+++ b/src/Sql/Auth/dbo/Stored Procedures/Device_ReadActiveWithPendingAuthRequestsByUserId.sql	
@@ -10,18 +10,21 @@ BEGIN
         AR.Id as AuthRequestId,
         AR.CreationDate as AuthRequestCreationDate
     FROM dbo.DeviceView D
-             LEFT JOIN (
-        SELECT TOP 1 -- Take only the top record sorted by auth request creation date
-                     Id,
-                     CreationDate,
-                     RequestDeviceIdentifier
+    LEFT JOIN (
+        SELECT 
+            Id,
+            CreationDate,
+            RequestDeviceIdentifier,
+            Approved,
+            ROW_NUMBER() OVER (PARTITION BY RequestDeviceIdentifier ORDER BY CreationDate DESC) as rn
         FROM dbo.AuthRequestView
-        WHERE Type IN (0, 1) -- Include only AuthenticateAndUnlock and Unlock types, excluding Admin Approval (type 2)
-          AND CreationDate >= DATEADD(MINUTE, -@ExpirationMinutes, GETUTCDATE()) -- Ensure the request hasn't expired
-          AND Approved IS NULL -- Include only requests that haven't been acknowledged or approved
-        ORDER BY CreationDate DESC
-    ) AR ON D.Identifier = AR.RequestDeviceIdentifier
+        WHERE Type IN (0, 1)  -- AuthenticateAndUnlock and Unlock types only
+            AND CreationDate >= DATEADD(MINUTE, -@ExpirationMinutes, GETUTCDATE()) -- Ensure the request hasn't expired
+            AND UserId = @UserId --  Requests for this user only
+    ) AR -- This join will get the most recent request per device, regardless of approval status 
+    ON D.Identifier = AR.RequestDeviceIdentifier AND AR.rn = 1 AND AR.Approved IS NULL  -- Get only the most recent unapproved request per device
     WHERE
-        D.UserId = @UserId
+        D.UserId = @UserId -- Include only devices for this user
       AND D.Active = 1; -- Include only active devices
 END;
+
diff --git a/util/Migrator/DbScripts/2025-01-10_00_ReadActiveWithPendingAuthRequestsByUserId.sql b/util/Migrator/DbScripts/2025-01-10_00_ReadActiveWithPendingAuthRequestsByUserId.sql
new file mode 100644
index 0000000000..10319f3207
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-01-10_00_ReadActiveWithPendingAuthRequestsByUserId.sql
@@ -0,0 +1,29 @@
+CREATE OR ALTER PROCEDURE [dbo].[Device_ReadActiveWithPendingAuthRequestsByUserId]
+    @UserId UNIQUEIDENTIFIER,
+    @ExpirationMinutes INT
+AS
+BEGIN
+    SET NOCOUNT ON;
+
+    SELECT
+        D.*,
+        AR.Id as AuthRequestId,
+        AR.CreationDate as AuthRequestCreationDate
+    FROM dbo.DeviceView D
+    LEFT JOIN (
+        SELECT 
+            Id,
+            CreationDate,
+            RequestDeviceIdentifier,
+            Approved,
+            ROW_NUMBER() OVER (PARTITION BY RequestDeviceIdentifier ORDER BY CreationDate DESC) as rn
+        FROM dbo.AuthRequestView
+        WHERE Type IN (0, 1)  -- AuthenticateAndUnlock and Unlock types only
+            AND CreationDate >= DATEADD(MINUTE, -@ExpirationMinutes, GETUTCDATE()) -- Ensure the request hasn't expired
+            AND UserId = @UserId --  Requests for this user only
+    ) AR -- This join will get the most recent request per device, regardless of approval status 
+    ON D.Identifier = AR.RequestDeviceIdentifier AND AR.rn = 1 AND AR.Approved IS NULL  -- Get only the most recent unapproved request per device
+    WHERE
+        D.UserId = @UserId -- Include only devices for this user
+      AND D.Active = 1; -- Include only active devices
+END;

From 6c7b881e5160e93a527aa3d603c85fd9af8b9f80 Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Mon, 13 Jan 2025 20:04:15 +0000
Subject: [PATCH 152/384] Bumped version to 2025.1.3

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 1467c0822c..40e6fdd202 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.1.2</Version>
+    <Version>2025.1.3</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

From 82508fb7a962ee81fd3d1210b4fdc8b5f512c93f Mon Sep 17 00:00:00 2001
From: Vincent Salucci <26154748+vincentsalucci@users.noreply.github.com>
Date: Mon, 13 Jan 2025 14:54:32 -0600
Subject: [PATCH 153/384] fix: remove delete from cs/billing and create new
 RequestDelete perm, refs PM-17014 (#5258)

---
 src/Admin/AdminConsole/Views/Organizations/Edit.cshtml | 6 +++++-
 src/Admin/Enums/Permissions.cs                         | 1 +
 src/Admin/Utilities/RolePermissionMapping.cs           | 6 ++++--
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/Admin/AdminConsole/Views/Organizations/Edit.cshtml b/src/Admin/AdminConsole/Views/Organizations/Edit.cshtml
index f7207fc7e8..3ac716a6d4 100644
--- a/src/Admin/AdminConsole/Views/Organizations/Edit.cshtml
+++ b/src/Admin/AdminConsole/Views/Organizations/Edit.cshtml
@@ -10,6 +10,7 @@
     var canViewOrganizationInformation = AccessControlService.UserHasPermission(Permission.Org_OrgInformation_View);
     var canViewBillingInformation = AccessControlService.UserHasPermission(Permission.Org_BillingInformation_View);
     var canInitiateTrial = AccessControlService.UserHasPermission(Permission.Org_InitiateTrial);
+    var canRequestDelete = AccessControlService.UserHasPermission(Permission.Org_RequestDelete);
     var canDelete = AccessControlService.UserHasPermission(Permission.Org_Delete);
     var canUnlinkFromProvider = AccessControlService.UserHasPermission(Permission.Provider_Edit);
 }
@@ -120,12 +121,15 @@
                 Unlink provider
             </button>
         }
-        @if (canDelete)
+        @if (canRequestDelete)
         {
             <form asp-action="DeleteInitiation" asp-route-id="@Model.Organization.Id" id="initiate-delete-form">
                 <input type="hidden" name="AdminEmail" id="AdminEmail" />
                 <button class="btn btn-danger me-2" type="submit">Request Delete</button>
             </form>
+        }
+        @if (canDelete)
+        {
             <form asp-action="Delete" asp-route-id="@Model.Organization.Id"
                   onsubmit="return confirm('Are you sure you want to hard delete this organization?')">
                 <button class="btn btn-outline-danger" type="submit">Delete</button>
diff --git a/src/Admin/Enums/Permissions.cs b/src/Admin/Enums/Permissions.cs
index c878267f89..c544cb2106 100644
--- a/src/Admin/Enums/Permissions.cs
+++ b/src/Admin/Enums/Permissions.cs
@@ -24,6 +24,7 @@ public enum Permission
     Org_CheckEnabledBox,
     Org_BusinessInformation_View,
     Org_InitiateTrial,
+    Org_RequestDelete,
     Org_Delete,
     Org_BillingInformation_View,
     Org_BillingInformation_DownloadInvoice,
diff --git a/src/Admin/Utilities/RolePermissionMapping.cs b/src/Admin/Utilities/RolePermissionMapping.cs
index 9cee571aba..381cf914aa 100644
--- a/src/Admin/Utilities/RolePermissionMapping.cs
+++ b/src/Admin/Utilities/RolePermissionMapping.cs
@@ -30,6 +30,7 @@ public static class RolePermissionMapping
                 Permission.Org_BusinessInformation_View,
                 Permission.Org_InitiateTrial,
                 Permission.Org_Delete,
+                Permission.Org_RequestDelete,
                 Permission.Org_BillingInformation_View,
                 Permission.Org_BillingInformation_DownloadInvoice,
                 Permission.Org_Plan_View,
@@ -74,6 +75,7 @@ public static class RolePermissionMapping
                 Permission.Org_GeneralDetails_View,
                 Permission.Org_BusinessInformation_View,
                 Permission.Org_Delete,
+                Permission.Org_RequestDelete,
                 Permission.Org_BillingInformation_View,
                 Permission.Org_BillingInformation_DownloadInvoice,
                 Permission.Org_BillingInformation_CreateEditTransaction,
@@ -114,7 +116,6 @@ public static class RolePermissionMapping
                 Permission.User_Billing_LaunchGateway,
                 Permission.Org_List_View,
                 Permission.Org_OrgInformation_View,
-                Permission.Org_Delete,
                 Permission.Org_GeneralDetails_View,
                 Permission.Org_BusinessInformation_View,
                 Permission.Org_BillingInformation_View,
@@ -124,6 +125,7 @@ public static class RolePermissionMapping
                 Permission.Org_Licensing_View,
                 Permission.Org_Billing_View,
                 Permission.Org_Billing_LaunchGateway,
+                Permission.Org_RequestDelete,
                 Permission.Provider_List_View,
                 Permission.Provider_View
             }
@@ -157,7 +159,7 @@ public static class RolePermissionMapping
                 Permission.Org_Billing_View,
                 Permission.Org_Billing_Edit,
                 Permission.Org_Billing_LaunchGateway,
-                Permission.Org_Delete,
+                Permission.Org_RequestDelete,
                 Permission.Provider_Edit,
                 Permission.Provider_View,
                 Permission.Provider_List_View,

From 0645f51b65f972617f24f701bae3f856c2196943 Mon Sep 17 00:00:00 2001
From: Matt Andreko <mandreko@bitwarden.com>
Date: Mon, 13 Jan 2025 17:02:35 -0500
Subject: [PATCH 154/384] Removed unnecessary github token (#5259)

---
 .github/workflows/scan.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index e40ff07148..156ebee165 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -80,7 +80,6 @@ jobs:
       - name: Scan with SonarCloud
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           dotnet-sonarscanner begin /k:"${{ github.repository_owner }}_${{ github.event.repository.name }}" \
           /d:sonar.test.inclusions=test/,bitwarden_license/test/ \

From 1c73a997d9831d9dc0bd792345d050ed1acc3a8d Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Tue, 14 Jan 2025 13:36:28 -0500
Subject: [PATCH 155/384] [14026] Update endpoint document model type (#5191)

---
 src/Api/AdminConsole/Public/Controllers/PoliciesController.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Api/AdminConsole/Public/Controllers/PoliciesController.cs b/src/Api/AdminConsole/Public/Controllers/PoliciesController.cs
index a22c05ed62..d261a3c555 100644
--- a/src/Api/AdminConsole/Public/Controllers/PoliciesController.cs
+++ b/src/Api/AdminConsole/Public/Controllers/PoliciesController.cs
@@ -41,7 +41,7 @@ public class PoliciesController : Controller
     /// </remarks>
     /// <param name="type">The type of policy to be retrieved.</param>
     [HttpGet("{type}")]
-    [ProducesResponseType(typeof(GroupResponseModel), (int)HttpStatusCode.OK)]
+    [ProducesResponseType(typeof(PolicyResponseModel), (int)HttpStatusCode.OK)]
     [ProducesResponseType((int)HttpStatusCode.NotFound)]
     public async Task<IActionResult> Get(PolicyType type)
     {

From 79810b78fff8eb2047a64740fc432177848e5041 Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Tue, 14 Jan 2025 13:38:32 -0500
Subject: [PATCH 156/384] [pm-14415] Add recommended extensions for VS Code.
 (#5249)

---
 .vscode/extensions.json | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 .vscode/extensions.json

diff --git a/.vscode/extensions.json b/.vscode/extensions.json
new file mode 100644
index 0000000000..3282b1c509
--- /dev/null
+++ b/.vscode/extensions.json
@@ -0,0 +1,18 @@
+{
+  "recommendations": [
+    "nick-rudenko.back-n-forth",
+    "streetsidesoftware.code-spell-checker",
+    "MS-vsliveshare.vsliveshare",
+
+    "mhutchie.git-graph",
+    "donjayamanne.githistory",
+    "eamodio.gitlens",
+
+    "jakebathman.mysql-syntax",
+    "ckolkman.vscode-postgres",
+
+    "ms-dotnettools.csharp",
+    "formulahendry.dotnet-test-explorer",
+    "adrianwilczynski.user-secrets"
+  ]
+}

From 95893bd0b1eddd60bd3639314ce5259d68e2dc1f Mon Sep 17 00:00:00 2001
From: Graham Walker <ghwtx@icloud.com>
Date: Tue, 14 Jan 2025 13:16:59 -0600
Subject: [PATCH 157/384] PM-16170 removing deprecated send file endpoint
 (#5222)

---
 src/Api/Tools/Controllers/SendsController.cs | 27 --------------------
 1 file changed, 27 deletions(-)

diff --git a/src/Api/Tools/Controllers/SendsController.cs b/src/Api/Tools/Controllers/SendsController.cs
index f7f3f692a8..3b5534bed0 100644
--- a/src/Api/Tools/Controllers/SendsController.cs
+++ b/src/Api/Tools/Controllers/SendsController.cs
@@ -9,7 +9,6 @@ using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.Services;
 using Bit.Core.Settings;
-using Bit.Core.Tools.Entities;
 using Bit.Core.Tools.Enums;
 using Bit.Core.Tools.Models.Data;
 using Bit.Core.Tools.Repositories;
@@ -163,32 +162,6 @@ public class SendsController : Controller
         return new SendResponseModel(send, _globalSettings);
     }
 
-    [HttpPost("file")]
-    [Obsolete("Deprecated File Send API", false)]
-    [RequestSizeLimit(Constants.FileSize101mb)]
-    [DisableFormValueModelBinding]
-    public async Task<SendResponseModel> PostFile()
-    {
-        if (!Request?.ContentType.Contains("multipart/") ?? true)
-        {
-            throw new BadRequestException("Invalid content.");
-        }
-
-        Send send = null;
-        await Request.GetSendFileAsync(async (stream, fileName, model) =>
-        {
-            model.ValidateCreation();
-            var userId = _userService.GetProperUserId(User).Value;
-            var (madeSend, madeData) = model.ToSend(userId, fileName, _sendService);
-            send = madeSend;
-            await _sendService.SaveFileSendAsync(send, madeData, model.FileLength.GetValueOrDefault(0));
-            await _sendService.UploadFileToExistingSendAsync(stream, send);
-        });
-
-        return new SendResponseModel(send, _globalSettings);
-    }
-
-
     [HttpPost("file/v2")]
     public async Task<SendFileUploadDataResponseModel> PostFile([FromBody] SendRequestModel model)
     {

From becc6b2da14d4ed77298892fea7df65dc89a00fb Mon Sep 17 00:00:00 2001
From: Jonathan Prusik <jprusik@users.noreply.github.com>
Date: Tue, 14 Jan 2025 15:47:35 -0500
Subject: [PATCH 158/384] add NotificationRefresh feature flag (#5262)

Co-authored-by: Evan Bassler <ebassler@livefront.com>
---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index f06f63573d..62ce964001 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -133,6 +133,7 @@ public static class FeatureFlagKeys
     public const string AccountDeprovisioning = "pm-10308-account-deprovisioning";
     public const string NotificationBarAddLoginImprovements = "notification-bar-add-login-improvements";
     public const string BlockBrowserInjectionsByDomain = "block-browser-injections-by-domain";
+    public const string NotificationRefresh = "notification-refresh";
     public const string AC2476_DeprecateStripeSourcesAPI = "AC-2476-deprecate-stripe-sources-api";
     public const string PersistPopupView = "persist-popup-view";
     public const string CipherKeyEncryption = "cipher-key-encryption";

From 34ce4805685291ffd51a6301737225e67df82caa Mon Sep 17 00:00:00 2001
From: Patrick-Pimentel-Bitwarden <ppimentel@bitwarden.com>
Date: Wed, 15 Jan 2025 09:31:59 -0500
Subject: [PATCH 159/384] fix(email-feature-flags): [PM-7882] Email
 Verification - Removed the email feature flag from server. (#5232)

---
 src/Identity/Billing/Controller/AccountsController.cs | 5 +----
 src/Identity/Controllers/AccountsController.cs        | 4 ----
 2 files changed, 1 insertion(+), 8 deletions(-)

diff --git a/src/Identity/Billing/Controller/AccountsController.cs b/src/Identity/Billing/Controller/AccountsController.cs
index f06fc7bf2c..aada40bcb2 100644
--- a/src/Identity/Billing/Controller/AccountsController.cs
+++ b/src/Identity/Billing/Controller/AccountsController.cs
@@ -1,11 +1,9 @@
-using Bit.Core;
-using Bit.Core.Billing.Models.Api.Requests.Accounts;
+using Bit.Core.Billing.Models.Api.Requests.Accounts;
 using Bit.Core.Billing.TrialInitiation.Registration;
 using Bit.Core.Context;
 using Bit.Core.Tools.Enums;
 using Bit.Core.Tools.Models.Business;
 using Bit.Core.Tools.Services;
-using Bit.Core.Utilities;
 using Bit.SharedWeb.Utilities;
 using Microsoft.AspNetCore.Mvc;
 
@@ -18,7 +16,6 @@ public class AccountsController(
     ISendTrialInitiationEmailForRegistrationCommand sendTrialInitiationEmailForRegistrationCommand,
     IReferenceEventService referenceEventService) : Microsoft.AspNetCore.Mvc.Controller
 {
-    [RequireFeature(FeatureFlagKeys.EmailVerification)]
     [HttpPost("trial/send-verification-email")]
     public async Task<IActionResult> PostTrialInitiationSendVerificationEmailAsync([FromBody] TrialSendVerificationEmailRequestModel model)
     {
diff --git a/src/Identity/Controllers/AccountsController.cs b/src/Identity/Controllers/AccountsController.cs
index c1ecff9620..f2f68dbec1 100644
--- a/src/Identity/Controllers/AccountsController.cs
+++ b/src/Identity/Controllers/AccountsController.cs
@@ -21,7 +21,6 @@ using Bit.Core.Tokens;
 using Bit.Core.Tools.Enums;
 using Bit.Core.Tools.Models.Business;
 using Bit.Core.Tools.Services;
-using Bit.Core.Utilities;
 using Bit.Identity.Models.Request.Accounts;
 using Bit.Identity.Models.Response.Accounts;
 using Bit.SharedWeb.Utilities;
@@ -125,7 +124,6 @@ public class AccountsController : Controller
         return await ProcessRegistrationResult(identityResult, user, delaysEnabled: true);
     }
 
-    [RequireFeature(FeatureFlagKeys.EmailVerification)]
     [HttpPost("register/send-verification-email")]
     public async Task<IActionResult> PostRegisterSendVerificationEmail([FromBody] RegisterSendVerificationEmailRequestModel model)
     {
@@ -149,7 +147,6 @@ public class AccountsController : Controller
         return NoContent();
     }
 
-    [RequireFeature(FeatureFlagKeys.EmailVerification)]
     [HttpPost("register/verification-email-clicked")]
     public async Task<IActionResult> PostRegisterVerificationEmailClicked([FromBody] RegisterVerificationEmailClickedRequestModel model)
     {
@@ -182,7 +179,6 @@ public class AccountsController : Controller
 
     }
 
-    [RequireFeature(FeatureFlagKeys.EmailVerification)]
     [HttpPost("register/finish")]
     public async Task<RegisterResponseModel> PostRegisterFinish([FromBody] RegisterFinishRequestModel model)
     {

From a3e3c7f96c09266584d7576253f9c7e7ece0acdb Mon Sep 17 00:00:00 2001
From: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Date: Wed, 15 Jan 2025 09:45:13 -0500
Subject: [PATCH 160/384] fix: Added web browser clients to allowed approving
 device types

---
 src/Identity/Utilities/LoginApprovingDeviceTypes.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Identity/Utilities/LoginApprovingDeviceTypes.cs b/src/Identity/Utilities/LoginApprovingDeviceTypes.cs
index 46b4606ccf..b8b11a4d19 100644
--- a/src/Identity/Utilities/LoginApprovingDeviceTypes.cs
+++ b/src/Identity/Utilities/LoginApprovingDeviceTypes.cs
@@ -12,6 +12,7 @@ public static class LoginApprovingDeviceTypes
         var deviceTypes = new List<DeviceType>();
         deviceTypes.AddRange(DeviceTypes.DesktopTypes);
         deviceTypes.AddRange(DeviceTypes.MobileTypes);
+        deviceTypes.AddRange(DeviceTypes.BrowserTypes);
         _deviceTypes = deviceTypes.AsReadOnly();
     }
 

From cc2128c97a74030c530e8f72d929e109ea473df8 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Wed, 15 Jan 2025 16:05:27 +0100
Subject: [PATCH 161/384] =?UTF-8?q?[PM-16979]=20Avoid=20returning=20Billin?=
 =?UTF-8?q?gTaxIdTypeInterferenceError=20when=20an=20=E2=80=A6=20(#5252)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* [PM-16979] Avoid returning BillingTaxIdTypeInterferenceError when an empty tax id string is passed

* tests

* fix tests
---
 .../Implementations/StripePaymentService.cs   |  4 +-
 .../Services/StripePaymentServiceTests.cs     | 71 +++++++++++++++++++
 2 files changed, 73 insertions(+), 2 deletions(-)

diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
index bf39085ea9..98d3549c14 100644
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -119,7 +119,7 @@ public class StripePaymentService : IPaymentService
         Subscription subscription;
         try
         {
-            if (taxInfo.TaxIdNumber != null && taxInfo.TaxIdType == null)
+            if (!string.IsNullOrWhiteSpace(taxInfo.TaxIdNumber))
             {
                 taxInfo.TaxIdType = _taxService.GetStripeTaxCode(taxInfo.BillingAddressCountry,
                     taxInfo.TaxIdNumber);
@@ -2058,7 +2058,7 @@ public class StripePaymentService : IPaymentService
             }
         }
 
-        if (!string.IsNullOrEmpty(parameters.TaxInformation.TaxId))
+        if (!string.IsNullOrWhiteSpace(parameters.TaxInformation.TaxId))
         {
             var taxIdType = _taxService.GetStripeTaxCode(
                 options.CustomerDetails.Address.Country,
diff --git a/test/Core.Test/Services/StripePaymentServiceTests.cs b/test/Core.Test/Services/StripePaymentServiceTests.cs
index 35e1901a2f..11a19656e1 100644
--- a/test/Core.Test/Services/StripePaymentServiceTests.cs
+++ b/test/Core.Test/Services/StripePaymentServiceTests.cs
@@ -1,5 +1,6 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Services;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
@@ -39,6 +40,11 @@ public class StripePaymentServiceTests
     {
         var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
 
+        sutProvider
+            .GetDependency<ITaxService>()
+            .GetStripeTaxCode(Arg.Is<string>(p => p == taxInfo.BillingAddressCountry), Arg.Is<string>(p => p == taxInfo.TaxIdNumber))
+            .Returns(taxInfo.TaxIdType);
+
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
         stripeAdapter.CustomerCreateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
         {
@@ -95,6 +101,12 @@ public class StripePaymentServiceTests
     {
         var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
         organization.UseSecretsManager = true;
+
+        sutProvider
+            .GetDependency<ITaxService>()
+            .GetStripeTaxCode(Arg.Is<string>(p => p == taxInfo.BillingAddressCountry), Arg.Is<string>(p => p == taxInfo.TaxIdNumber))
+            .Returns(taxInfo.TaxIdType);
+
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
         stripeAdapter.CustomerCreateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
         {
@@ -152,6 +164,12 @@ public class StripePaymentServiceTests
     {
         var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
         organization.UseSecretsManager = true;
+
+        sutProvider
+            .GetDependency<ITaxService>()
+            .GetStripeTaxCode(Arg.Is<string>(p => p == taxInfo.BillingAddressCountry), Arg.Is<string>(p => p == taxInfo.TaxIdNumber))
+            .Returns(taxInfo.TaxIdType);
+
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
         stripeAdapter.CustomerCreateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
         {
@@ -210,6 +228,11 @@ public class StripePaymentServiceTests
         var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
         paymentToken = "pm_" + paymentToken;
 
+        sutProvider
+            .GetDependency<ITaxService>()
+            .GetStripeTaxCode(Arg.Is<string>(p => p == taxInfo.BillingAddressCountry), Arg.Is<string>(p => p == taxInfo.TaxIdNumber))
+            .Returns(taxInfo.TaxIdType);
+
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
         stripeAdapter.CustomerCreateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
         {
@@ -397,6 +420,11 @@ public class StripePaymentServiceTests
     {
         var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
 
+        sutProvider
+            .GetDependency<ITaxService>()
+            .GetStripeTaxCode(Arg.Is<string>(p => p == taxInfo.BillingAddressCountry), Arg.Is<string>(p => p == taxInfo.TaxIdNumber))
+            .Returns(taxInfo.TaxIdType);
+
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
         stripeAdapter.CustomerCreateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
         {
@@ -462,6 +490,12 @@ public class StripePaymentServiceTests
     {
         var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
         organization.UseSecretsManager = true;
+
+        sutProvider
+            .GetDependency<ITaxService>()
+            .GetStripeTaxCode(Arg.Is<string>(p => p == taxInfo.BillingAddressCountry), Arg.Is<string>(p => p == taxInfo.TaxIdNumber))
+            .Returns(taxInfo.TaxIdType);
+
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
         stripeAdapter.CustomerCreateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
         {
@@ -610,6 +644,43 @@ public class StripePaymentServiceTests
         await braintreeGateway.Customer.Received(1).DeleteAsync("Braintree-Id");
     }
 
+    [Theory]
+    [BitAutoData("ES", "A5372895732985327895237")]
+    public async Task PurchaseOrganizationAsync_ThrowsBadRequestException_WhenTaxIdInvalid(string country, string taxId, SutProvider<StripePaymentService> sutProvider, Organization organization, string paymentToken, TaxInfo taxInfo)
+    {
+        taxInfo.BillingAddressCountry = country;
+        taxInfo.TaxIdNumber = taxId;
+        taxInfo.TaxIdType = null;
+
+        var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
+        organization.UseSecretsManager = true;
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
+        stripeAdapter.CustomerCreateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
+        {
+            Id = "C-1",
+        });
+        stripeAdapter.SubscriptionCreateAsync(default).ReturnsForAnyArgs(new Stripe.Subscription
+        {
+            Id = "S-1",
+            CurrentPeriodEnd = DateTime.Today.AddDays(10),
+        });
+        sutProvider.GetDependency<IGlobalSettings>()
+            .BaseServiceUri.CloudRegion
+            .Returns("US");
+        sutProvider
+            .GetDependency<ITaxService>()
+            .GetStripeTaxCode(Arg.Is<string>(p => p == country), Arg.Is<string>(p => p == taxId))
+            .Returns((string)null);
+
+        var actual = await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.PurchaseOrganizationAsync(organization, PaymentMethodType.Card, paymentToken, plan, 0, 0, false, taxInfo, false, 8, 10));
+
+        Assert.Equal("billingTaxIdTypeInferenceError", actual.Message);
+
+        await stripeAdapter.Received(0).CustomerCreateAsync(Arg.Any<Stripe.CustomerCreateOptions>());
+        await stripeAdapter.Received(0).SubscriptionCreateAsync(Arg.Any<Stripe.SubscriptionCreateOptions>());
+    }
+
+
     [Theory, BitAutoData]
     public async Task UpgradeFreeOrganizationAsync_Success(SutProvider<StripePaymentService> sutProvider,
         Organization organization, TaxInfo taxInfo)

From adab8e622a7b5a0cca583d54092854563691c2e5 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Wed, 15 Jan 2025 16:05:38 +0100
Subject: [PATCH 162/384] [PM-17064] 500 error on Free org Upgrade with Saved
 Payment Method (#5266)

---
 src/Core/Services/Implementations/StripePaymentService.cs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
index 98d3549c14..510a1b7c3a 100644
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -2087,12 +2087,12 @@ public class StripePaymentService : IPaymentService
 
             if (gatewayCustomer.Discount != null)
             {
-                options.Discounts.Add(new InvoiceDiscountOptions
-                {
-                    Discount = gatewayCustomer.Discount.Id
-                });
+                options.Discounts.Add(new InvoiceDiscountOptions { Discount = gatewayCustomer.Discount.Id });
             }
+        }
 
+        if (gatewaySubscriptionId != null)
+        {
             var gatewaySubscription = await _stripeAdapter.SubscriptionGetAsync(gatewaySubscriptionId);
 
             if (gatewaySubscription?.Discount != null)

From ed14f28644e9a6c847f5792e1571294a8569b13d Mon Sep 17 00:00:00 2001
From: Patrick-Pimentel-Bitwarden <ppimentel@bitwarden.com>
Date: Wed, 15 Jan 2025 11:04:51 -0500
Subject: [PATCH 163/384] fix(email-feature-flags): [PM-7882] Email
 Verification - Added back in needed import. (#5268)

---
 src/Identity/Controllers/AccountsController.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Identity/Controllers/AccountsController.cs b/src/Identity/Controllers/AccountsController.cs
index f2f68dbec1..c840a7ddc5 100644
--- a/src/Identity/Controllers/AccountsController.cs
+++ b/src/Identity/Controllers/AccountsController.cs
@@ -21,6 +21,7 @@ using Bit.Core.Tokens;
 using Bit.Core.Tools.Enums;
 using Bit.Core.Tools.Models.Business;
 using Bit.Core.Tools.Services;
+using Bit.Core.Utilities;
 using Bit.Identity.Models.Request.Accounts;
 using Bit.Identity.Models.Response.Accounts;
 using Bit.SharedWeb.Utilities;

From 04402c1316328c1c0b72a344a95dec245cb2b00e Mon Sep 17 00:00:00 2001
From: Conner Turnbull <133619638+cturnbull-bitwarden@users.noreply.github.com>
Date: Wed, 15 Jan 2025 12:35:07 -0500
Subject: [PATCH 164/384] Updated null checks to also check for empty string or
 whitespace (#5272)

---
 src/Core/Services/Implementations/StripePaymentService.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
index 510a1b7c3a..e14467f943 100644
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -2081,7 +2081,7 @@ public class StripePaymentService : IPaymentService
             ];
         }
 
-        if (gatewayCustomerId != null)
+        if (!string.IsNullOrWhiteSpace(gatewayCustomerId))
         {
             var gatewayCustomer = await _stripeAdapter.CustomerGetAsync(gatewayCustomerId);
 
@@ -2091,7 +2091,7 @@ public class StripePaymentService : IPaymentService
             }
         }
 
-        if (gatewaySubscriptionId != null)
+        if (!string.IsNullOrWhiteSpace(gatewaySubscriptionId))
         {
             var gatewaySubscription = await _stripeAdapter.SubscriptionGetAsync(gatewaySubscriptionId);
 

From d231070cac463f8dbebf434f8620175801b64b6f Mon Sep 17 00:00:00 2001
From: Matt Andreko <mandreko@bitwarden.com>
Date: Wed, 15 Jan 2025 14:16:18 -0500
Subject: [PATCH 165/384] Removed unnecessary CODECOV_TOKEN with updated
 codecov-action (#5271)

---
 .github/workflows/test.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5cc31f5c2f..817547fc65 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -78,6 +78,3 @@ jobs:
 
       - name: Upload to codecov.io
         uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
-        if: ${{ needs.check-test-secrets.outputs.available == 'true' }}
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

From b42e4a2261c63f7a192db244dd4202cde814e045 Mon Sep 17 00:00:00 2001
From: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Date: Wed, 15 Jan 2025 15:04:05 -0500
Subject: [PATCH 166/384] Adjust handling of GH action dependencies for CI/CD
 partnership (#5274)

---
 .github/renovate.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/renovate.json b/.github/renovate.json
index 536ca306f8..affa29bea9 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -12,20 +12,20 @@
     {
       "groupName": "dockerfile minor",
       "matchManagers": ["dockerfile"],
-      "matchUpdateTypes": ["minor", "patch"]
+      "matchUpdateTypes": ["minor"]
     },
     {
       "groupName": "docker-compose minor",
       "matchManagers": ["docker-compose"],
-      "matchUpdateTypes": ["minor", "patch"]
+      "matchUpdateTypes": ["minor"]
     },
     {
-      "groupName": "gh minor",
+      "groupName": "github-action minor",
       "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["minor", "patch"]
+      "matchUpdateTypes": ["minor"]
     },
     {
-      "matchManagers": ["github-actions", "dockerfile", "docker-compose"],
+      "matchManagers": ["dockerfile", "docker-compose"],
       "commitMessagePrefix": "[deps] BRE:"
     },
     {

From 42c8c3b6f6c40b773bd37f21649536bf03f990ff Mon Sep 17 00:00:00 2001
From: Kyle Spearrin <kspearrin@users.noreply.github.com>
Date: Wed, 15 Jan 2025 21:52:11 -0500
Subject: [PATCH 167/384] [PM-17143] Add sso external id to member response
 model (#5273)

---
 .../Public/Models/Response/MemberResponseModel.cs          | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/Api/AdminConsole/Public/Models/Response/MemberResponseModel.cs b/src/Api/AdminConsole/Public/Models/Response/MemberResponseModel.cs
index 499c27cfc9..91e8788d01 100644
--- a/src/Api/AdminConsole/Public/Models/Response/MemberResponseModel.cs
+++ b/src/Api/AdminConsole/Public/Models/Response/MemberResponseModel.cs
@@ -50,6 +50,7 @@ public class MemberResponseModel : MemberBaseModel, IResponseModel
         Status = user.Status;
         Collections = collections?.Select(c => new AssociationWithPermissionsResponseModel(c));
         ResetPasswordEnrolled = user.ResetPasswordKey != null;
+        SsoExternalId = user.SsoExternalId;
     }
 
     /// <summary>
@@ -104,4 +105,10 @@ public class MemberResponseModel : MemberBaseModel, IResponseModel
     /// </summary>
     [Required]
     public bool ResetPasswordEnrolled { get; }
+
+    /// <summary>
+    /// SSO external identifier for linking this member to an identity provider.
+    /// </summary>
+    /// <example>sso_external_id_123456</example>
+    public string SsoExternalId { get; set; }
 }

From 5201085ecbb333b785b290c2d3f7f77f73ee1940 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Thu, 16 Jan 2025 10:54:31 +0000
Subject: [PATCH 168/384] [PM-15193] Remove PromoteProviderServiceUser feature
 flag and checks from ToolsController and layout (#5255)

---
 src/Admin/Controllers/ToolsController.cs | 3 ---
 src/Admin/Views/Shared/_Layout.cshtml    | 5 +----
 src/Core/Constants.cs                    | 1 -
 3 files changed, 1 insertion(+), 8 deletions(-)

diff --git a/src/Admin/Controllers/ToolsController.cs b/src/Admin/Controllers/ToolsController.cs
index a84fb681e2..eaf3de4be5 100644
--- a/src/Admin/Controllers/ToolsController.cs
+++ b/src/Admin/Controllers/ToolsController.cs
@@ -3,7 +3,6 @@ using System.Text.Json;
 using Bit.Admin.Enums;
 using Bit.Admin.Models;
 using Bit.Admin.Utilities;
-using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Entities;
@@ -222,7 +221,6 @@ public class ToolsController : Controller
         return RedirectToAction("Edit", "Organizations", new { id = model.OrganizationId.Value });
     }
 
-    [RequireFeature(FeatureFlagKeys.PromoteProviderServiceUserTool)]
     [RequirePermission(Permission.Tools_PromoteProviderServiceUser)]
     public IActionResult PromoteProviderServiceUser()
     {
@@ -231,7 +229,6 @@ public class ToolsController : Controller
 
     [HttpPost]
     [ValidateAntiForgeryToken]
-    [RequireFeature(FeatureFlagKeys.PromoteProviderServiceUserTool)]
     [RequirePermission(Permission.Tools_PromoteProviderServiceUser)]
     public async Task<IActionResult> PromoteProviderServiceUser(PromoteProviderServiceUserModel model)
     {
diff --git a/src/Admin/Views/Shared/_Layout.cshtml b/src/Admin/Views/Shared/_Layout.cshtml
index 361c1f9a57..1661a8bbc3 100644
--- a/src/Admin/Views/Shared/_Layout.cshtml
+++ b/src/Admin/Views/Shared/_Layout.cshtml
@@ -1,10 +1,8 @@
 @using Bit.Admin.Enums;
-@using Bit.Core
 
 @inject SignInManager<IdentityUser> SignInManager
 @inject Bit.Core.Settings.GlobalSettings GlobalSettings
 @inject Bit.Admin.Services.IAccessControlService AccessControlService
-@inject Bit.Core.Services.IFeatureService FeatureService
 
 @{
     var canViewUsers = AccessControlService.UserHasPermission(Permission.User_List_View);
@@ -13,8 +11,7 @@
     var canChargeBraintree = AccessControlService.UserHasPermission(Permission.Tools_ChargeBrainTreeCustomer);
     var canCreateTransaction = AccessControlService.UserHasPermission(Permission.Tools_CreateEditTransaction);
     var canPromoteAdmin = AccessControlService.UserHasPermission(Permission.Tools_PromoteAdmin);
-    var canPromoteProviderServiceUser = FeatureService.IsEnabled(FeatureFlagKeys.PromoteProviderServiceUserTool) &&
-                                        AccessControlService.UserHasPermission(Permission.Tools_PromoteProviderServiceUser);
+    var canPromoteProviderServiceUser = AccessControlService.UserHasPermission(Permission.Tools_PromoteProviderServiceUser);
     var canGenerateLicense = AccessControlService.UserHasPermission(Permission.Tools_GenerateLicenseFile);
     var canManageStripeSubscriptions = AccessControlService.UserHasPermission(Permission.Tools_ManageStripeSubscriptions);
     var canProcessStripeEvents = AccessControlService.UserHasPermission(Permission.Tools_ProcessStripeEvents);
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 62ce964001..c34303429c 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -157,7 +157,6 @@ public static class FeatureFlagKeys
     public const string InlineMenuTotp = "inline-menu-totp";
     public const string PM12443RemovePagingLogic = "pm-12443-remove-paging-logic";
     public const string SelfHostLicenseRefactor = "pm-11516-self-host-license-refactor";
-    public const string PromoteProviderServiceUserTool = "pm-15128-promote-provider-service-user-tool";
     public const string PrivateKeyRegeneration = "pm-12241-private-key-regeneration";
     public const string AuthenticatorSynciOS = "enable-authenticator-sync-ios";
     public const string AuthenticatorSyncAndroid = "enable-authenticator-sync-android";

From a015f429c28636fce62e033e95d85ca83273c9f3 Mon Sep 17 00:00:00 2001
From: Ike <137194738+ike-kottlowski@users.noreply.github.com>
Date: Thu, 16 Jan 2025 09:07:54 -0800
Subject: [PATCH 169/384] PM-12995 device exception cache permissions update
 (#5277)

* feat(newDeviceVerification) :
- adding more granular permissions for the login exception button.
- fixed access to the button for different permissions
---
 src/Admin/Controllers/UsersController.cs     |  2 +-
 src/Admin/Enums/Permissions.cs               |  1 +
 src/Admin/Utilities/RolePermissionMapping.cs | 13 ++++++++-----
 src/Admin/Views/Users/Edit.cshtml            |  2 +-
 4 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/src/Admin/Controllers/UsersController.cs b/src/Admin/Controllers/UsersController.cs
index a988cc2af7..38e863aae7 100644
--- a/src/Admin/Controllers/UsersController.cs
+++ b/src/Admin/Controllers/UsersController.cs
@@ -165,7 +165,7 @@ public class UsersController : Controller
 
     [HttpPost]
     [ValidateAntiForgeryToken]
-    [RequirePermission(Permission.User_GeneralDetails_View)]
+    [RequirePermission(Permission.User_NewDeviceException_Edit)]
     [RequireFeature(FeatureFlagKeys.NewDeviceVerification)]
     public async Task<IActionResult> ToggleNewDeviceVerification(Guid id)
     {
diff --git a/src/Admin/Enums/Permissions.cs b/src/Admin/Enums/Permissions.cs
index c544cb2106..20c500c061 100644
--- a/src/Admin/Enums/Permissions.cs
+++ b/src/Admin/Enums/Permissions.cs
@@ -17,6 +17,7 @@ public enum Permission
     User_Billing_View,
     User_Billing_Edit,
     User_Billing_LaunchGateway,
+    User_NewDeviceException_Edit,
 
     Org_List_View,
     Org_OrgInformation_View,
diff --git a/src/Admin/Utilities/RolePermissionMapping.cs b/src/Admin/Utilities/RolePermissionMapping.cs
index 381cf914aa..4b5a4e3802 100644
--- a/src/Admin/Utilities/RolePermissionMapping.cs
+++ b/src/Admin/Utilities/RolePermissionMapping.cs
@@ -12,7 +12,6 @@ public static class RolePermissionMapping
                 Permission.User_List_View,
                 Permission.User_UserInformation_View,
                 Permission.User_GeneralDetails_View,
-                Permission.Org_CheckEnabledBox,
                 Permission.User_Delete,
                 Permission.User_UpgradePremium,
                 Permission.User_BillingInformation_View,
@@ -24,6 +23,8 @@ public static class RolePermissionMapping
                 Permission.User_Billing_View,
                 Permission.User_Billing_Edit,
                 Permission.User_Billing_LaunchGateway,
+                Permission.User_NewDeviceException_Edit,
+                Permission.Org_CheckEnabledBox,
                 Permission.Org_List_View,
                 Permission.Org_OrgInformation_View,
                 Permission.Org_GeneralDetails_View,
@@ -57,7 +58,6 @@ public static class RolePermissionMapping
                 Permission.User_List_View,
                 Permission.User_UserInformation_View,
                 Permission.User_GeneralDetails_View,
-                Permission.Org_CheckEnabledBox,
                 Permission.User_Delete,
                 Permission.User_UpgradePremium,
                 Permission.User_BillingInformation_View,
@@ -70,6 +70,8 @@ public static class RolePermissionMapping
                 Permission.User_Billing_View,
                 Permission.User_Billing_Edit,
                 Permission.User_Billing_LaunchGateway,
+                Permission.User_NewDeviceException_Edit,
+                Permission.Org_CheckEnabledBox,
                 Permission.Org_List_View,
                 Permission.Org_OrgInformation_View,
                 Permission.Org_GeneralDetails_View,
@@ -106,7 +108,6 @@ public static class RolePermissionMapping
                 Permission.User_List_View,
                 Permission.User_UserInformation_View,
                 Permission.User_GeneralDetails_View,
-                Permission.Org_CheckEnabledBox,
                 Permission.User_UpgradePremium,
                 Permission.User_BillingInformation_View,
                 Permission.User_BillingInformation_DownloadInvoice,
@@ -114,6 +115,8 @@ public static class RolePermissionMapping
                 Permission.User_Licensing_View,
                 Permission.User_Billing_View,
                 Permission.User_Billing_LaunchGateway,
+                Permission.User_NewDeviceException_Edit,
+                Permission.Org_CheckEnabledBox,
                 Permission.Org_List_View,
                 Permission.Org_OrgInformation_View,
                 Permission.Org_GeneralDetails_View,
@@ -135,7 +138,6 @@ public static class RolePermissionMapping
                 Permission.User_List_View,
                 Permission.User_UserInformation_View,
                 Permission.User_GeneralDetails_View,
-                Permission.Org_CheckEnabledBox,
                 Permission.User_UpgradePremium,
                 Permission.User_BillingInformation_View,
                 Permission.User_BillingInformation_DownloadInvoice,
@@ -146,6 +148,7 @@ public static class RolePermissionMapping
                 Permission.User_Billing_View,
                 Permission.User_Billing_Edit,
                 Permission.User_Billing_LaunchGateway,
+                Permission.Org_CheckEnabledBox,
                 Permission.Org_List_View,
                 Permission.Org_OrgInformation_View,
                 Permission.Org_GeneralDetails_View,
@@ -177,12 +180,12 @@ public static class RolePermissionMapping
                 Permission.User_List_View,
                 Permission.User_UserInformation_View,
                 Permission.User_GeneralDetails_View,
-                Permission.Org_CheckEnabledBox,
                 Permission.User_BillingInformation_View,
                 Permission.User_BillingInformation_DownloadInvoice,
                 Permission.User_Premium_View,
                 Permission.User_Licensing_View,
                 Permission.User_Licensing_Edit,
+                Permission.Org_CheckEnabledBox,
                 Permission.Org_List_View,
                 Permission.Org_OrgInformation_View,
                 Permission.Org_GeneralDetails_View,
diff --git a/src/Admin/Views/Users/Edit.cshtml b/src/Admin/Views/Users/Edit.cshtml
index 417d9fb9a2..495fc43c2f 100644
--- a/src/Admin/Views/Users/Edit.cshtml
+++ b/src/Admin/Views/Users/Edit.cshtml
@@ -7,7 +7,7 @@
     ViewData["Title"] = "User: " + Model.User.Email;
 
     var canViewUserInformation = AccessControlService.UserHasPermission(Permission.User_UserInformation_View);
-    var canViewNewDeviceException = AccessControlService.UserHasPermission(Permission.User_UserInformation_View) &&
+    var canViewNewDeviceException = AccessControlService.UserHasPermission(Permission.User_NewDeviceException_Edit) &&
                                     FeatureService.IsEnabled(Bit.Core.FeatureFlagKeys.NewDeviceVerification);
     var canViewBillingInformation = AccessControlService.UserHasPermission(Permission.User_BillingInformation_View);
     var canViewGeneral = AccessControlService.UserHasPermission(Permission.User_GeneralDetails_View);

From d8b4a4a28d40c2e5ab5571d35017c18fb5dc2ff2 Mon Sep 17 00:00:00 2001
From: Addison Beck <addison@bitwarden.com>
Date: Thu, 16 Jan 2025 14:35:00 -0500
Subject: [PATCH 170/384] Drop `LimitCollectionCreationDeletion` from the
 database (#4810)

* Drop a MSSQL column

* Delete property from `Organization` entity

* Generate EF migrations
---
 .../AdminConsole/Models/Organization.cs       |    6 -
 .../Stored Procedures/Organization_Create.sql |    6 -
 .../Organization_ReadAbilities.sql            |    1 -
 .../Stored Procedures/Organization_Update.sql |    5 -
 src/Sql/dbo/Tables/Organization.sql           |    1 -
 ...rganizationUserOrganizationDetailsView.sql |    1 -
 ...derUserProviderOrganizationDetailsView.sql |    1 -
 ...izationLimitCollectionCreationDeletion.sql |  485 +++
 ...imitCollectionCreationDeletion.Designer.cs | 2994 ++++++++++++++++
 ...214_DropLimitCollectionCreationDeletion.cs |   28 +
 .../DatabaseContextModelSnapshot.cs           |   63 +-
 ...imitCollectionCreationDeletion.Designer.cs | 3000 +++++++++++++++++
 ...219_DropLimitCollectionCreationDeletion.cs |   28 +
 .../DatabaseContextModelSnapshot.cs           |   63 +-
 ...imitCollectionCreationDeletion.Designer.cs | 2983 ++++++++++++++++
 ...222_DropLimitCollectionCreationDeletion.cs |   28 +
 .../DatabaseContextModelSnapshot.cs           |   63 +-
 17 files changed, 9636 insertions(+), 120 deletions(-)
 create mode 100644 util/Migrator/DbScripts/2025-01-16_00_DropOrganizationLimitCollectionCreationDeletion.sql
 create mode 100644 util/MySqlMigrations/Migrations/20250116163214_DropLimitCollectionCreationDeletion.Designer.cs
 create mode 100644 util/MySqlMigrations/Migrations/20250116163214_DropLimitCollectionCreationDeletion.cs
 create mode 100644 util/PostgresMigrations/Migrations/20250116163219_DropLimitCollectionCreationDeletion.Designer.cs
 create mode 100644 util/PostgresMigrations/Migrations/20250116163219_DropLimitCollectionCreationDeletion.cs
 create mode 100644 util/SqliteMigrations/Migrations/20250116163222_DropLimitCollectionCreationDeletion.Designer.cs
 create mode 100644 util/SqliteMigrations/Migrations/20250116163222_DropLimitCollectionCreationDeletion.cs

diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Models/Organization.cs b/src/Infrastructure.EntityFramework/AdminConsole/Models/Organization.cs
index 39968142bb..d7f83d829d 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Models/Organization.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Models/Organization.cs
@@ -9,11 +9,6 @@ namespace Bit.Infrastructure.EntityFramework.AdminConsole.Models;
 
 public class Organization : Core.AdminConsole.Entities.Organization
 {
-    // Shadow property. To be removed by
-    // https://bitwarden.atlassian.net/browse/PM-10863.
-    // This was replaced with `LimitCollectionCreation` and
-    // `LimitCollectionDeletion`.
-    public bool LimitCollectionCreationDeletion { get; set; }
     public virtual ICollection<Cipher> Ciphers { get; set; }
     public virtual ICollection<OrganizationUser> OrganizationUsers { get; set; }
     public virtual ICollection<Group> Groups { get; set; }
@@ -43,7 +38,6 @@ public class OrganizationMapperProfile : Profile
             .ForMember(org => org.ApiKeys, opt => opt.Ignore())
             .ForMember(org => org.Connections, opt => opt.Ignore())
             .ForMember(org => org.Domains, opt => opt.Ignore())
-            .ForMember(org => org.LimitCollectionCreationDeletion, opt => opt.Ignore())
             .ReverseMap();
 
         CreateProjection<Organization, SelfHostedOrganizationDetails>()
diff --git a/src/Sql/dbo/Stored Procedures/Organization_Create.sql b/src/Sql/dbo/Stored Procedures/Organization_Create.sql
index d33269063f..9f12a3f347 100644
--- a/src/Sql/dbo/Stored Procedures/Organization_Create.sql	
+++ b/src/Sql/dbo/Stored Procedures/Organization_Create.sql	
@@ -51,7 +51,6 @@ CREATE PROCEDURE [dbo].[Organization_Create]
     @MaxAutoscaleSmSeats INT= null,
     @MaxAutoscaleSmServiceAccounts INT = null,
     @SecretsManagerBeta BIT = 0,
-    @LimitCollectionCreationDeletion BIT = NULL, -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863
     @LimitCollectionCreation BIT = NULL,
     @LimitCollectionDeletion BIT = NULL,
     @AllowAdminAccessToAllCollectionItems BIT = 0,
@@ -60,9 +59,6 @@ AS
 BEGIN
     SET NOCOUNT ON
 
-    SET @LimitCollectionCreation = COALESCE(@LimitCollectionCreation, @LimitCollectionCreationDeletion, 0);
-    SET @LimitCollectionDeletion = COALESCE(@LimitCollectionDeletion, @LimitCollectionCreationDeletion, 0);
-
     INSERT INTO [dbo].[Organization]
     (
         [Id],
@@ -117,7 +113,6 @@ BEGIN
         [MaxAutoscaleSmSeats],
         [MaxAutoscaleSmServiceAccounts],
         [SecretsManagerBeta],
-        [LimitCollectionCreationDeletion], -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863
         [LimitCollectionCreation],
         [LimitCollectionDeletion],
         [AllowAdminAccessToAllCollectionItems],
@@ -177,7 +172,6 @@ BEGIN
         @MaxAutoscaleSmSeats,
         @MaxAutoscaleSmServiceAccounts,
         @SecretsManagerBeta,
-        COALESCE(@LimitCollectionCreation, @LimitCollectionDeletion, 0), -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863)
         @LimitCollectionCreation,
         @LimitCollectionDeletion,
         @AllowAdminAccessToAllCollectionItems,
diff --git a/src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql b/src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql
index 056bc1416c..5959742dae 100644
--- a/src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql	
+++ b/src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql	
@@ -21,7 +21,6 @@ BEGIN
         [UseResetPassword],
         [UsePolicies],
         [Enabled],
-        [LimitCollectionCreationDeletion], -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863
         [LimitCollectionCreation],
         [LimitCollectionDeletion],
         [AllowAdminAccessToAllCollectionItems],
diff --git a/src/Sql/dbo/Stored Procedures/Organization_Update.sql b/src/Sql/dbo/Stored Procedures/Organization_Update.sql
index 1bbcb7ebc8..a1af26851e 100644
--- a/src/Sql/dbo/Stored Procedures/Organization_Update.sql	
+++ b/src/Sql/dbo/Stored Procedures/Organization_Update.sql	
@@ -51,7 +51,6 @@ CREATE PROCEDURE [dbo].[Organization_Update]
     @MaxAutoscaleSmSeats INT = null,
     @MaxAutoscaleSmServiceAccounts INT = null,
     @SecretsManagerBeta BIT = 0,
-    @LimitCollectionCreationDeletion BIT = null, -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863
     @LimitCollectionCreation BIT = null,
     @LimitCollectionDeletion BIT = null,
     @AllowAdminAccessToAllCollectionItems BIT = 0,
@@ -60,9 +59,6 @@ AS
 BEGIN
     SET NOCOUNT ON
 
-    SET @LimitCollectionCreation = COALESCE(@LimitCollectionCreation, @LimitCollectionCreationDeletion, 0);
-    SET @LimitCollectionDeletion = COALESCE(@LimitCollectionDeletion, @LimitCollectionCreationDeletion, 0);
-
     UPDATE
         [dbo].[Organization]
     SET
@@ -117,7 +113,6 @@ BEGIN
         [MaxAutoscaleSmSeats] = @MaxAutoscaleSmSeats,
         [MaxAutoscaleSmServiceAccounts] = @MaxAutoscaleSmServiceAccounts,
         [SecretsManagerBeta] = @SecretsManagerBeta,
-        [LimitCollectionCreationDeletion] = COALESCE(@LimitCollectionCreation, @LimitCollectionDeletion, 0),
         [LimitCollectionCreation] = @LimitCollectionCreation,
         [LimitCollectionDeletion] = @LimitCollectionDeletion,
         [AllowAdminAccessToAllCollectionItems] = @AllowAdminAccessToAllCollectionItems,
diff --git a/src/Sql/dbo/Tables/Organization.sql b/src/Sql/dbo/Tables/Organization.sql
index 279b78bfc1..2178494c19 100644
--- a/src/Sql/dbo/Tables/Organization.sql
+++ b/src/Sql/dbo/Tables/Organization.sql
@@ -51,7 +51,6 @@ CREATE TABLE [dbo].[Organization] (
     [MaxAutoscaleSmSeats]           INT              NULL,
     [MaxAutoscaleSmServiceAccounts] INT              NULL,
     [SecretsManagerBeta]            BIT              NOT NULL CONSTRAINT [DF_Organization_SecretsManagerBeta] DEFAULT (0),
-    [LimitCollectionCreationDeletion]   BIT              NOT NULL CONSTRAINT [DF_Organization_LimitCollectionCreationDeletion] DEFAULT (0),
     [LimitCollectionCreation]       BIT              NOT NULL CONSTRAINT [DF_Organization_LimitCollectionCreation] DEFAULT (0),
     [LimitCollectionDeletion]       BIT              NOT NULL CONSTRAINT [DF_Organization_LimitCollectionDeletion] DEFAULT (0),
     [AllowAdminAccessToAllCollectionItems]   BIT              NOT NULL CONSTRAINT [DF_Organization_AllowAdminAccessToAllCollectionItems] DEFAULT (0),
diff --git a/src/Sql/dbo/Views/OrganizationUserOrganizationDetailsView.sql b/src/Sql/dbo/Views/OrganizationUserOrganizationDetailsView.sql
index c4f79e0c69..fc7ab1d31a 100644
--- a/src/Sql/dbo/Views/OrganizationUserOrganizationDetailsView.sql
+++ b/src/Sql/dbo/Views/OrganizationUserOrganizationDetailsView.sql
@@ -46,7 +46,6 @@ SELECT
     O.[UsePasswordManager],
     O.[SmSeats],
     O.[SmServiceAccounts],
-    O.[LimitCollectionCreationDeletion], -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863
     O.[LimitCollectionCreation],
     O.[LimitCollectionDeletion],
     O.[AllowAdminAccessToAllCollectionItems],
diff --git a/src/Sql/dbo/Views/ProviderUserProviderOrganizationDetailsView.sql b/src/Sql/dbo/Views/ProviderUserProviderOrganizationDetailsView.sql
index 20b896b6ad..4915a406a1 100644
--- a/src/Sql/dbo/Views/ProviderUserProviderOrganizationDetailsView.sql
+++ b/src/Sql/dbo/Views/ProviderUserProviderOrganizationDetailsView.sql
@@ -32,7 +32,6 @@ SELECT
     PU.[Id] ProviderUserId,
     P.[Name] ProviderName,
     O.[PlanType],
-    O.[LimitCollectionCreationDeletion], -- Deprecated https://bitwarden.atlassian.net/browse/PM-10863
     O.[LimitCollectionCreation],
     O.[LimitCollectionDeletion],
     O.[AllowAdminAccessToAllCollectionItems],
diff --git a/util/Migrator/DbScripts/2025-01-16_00_DropOrganizationLimitCollectionCreationDeletion.sql b/util/Migrator/DbScripts/2025-01-16_00_DropOrganizationLimitCollectionCreationDeletion.sql
new file mode 100644
index 0000000000..34a14900f6
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-01-16_00_DropOrganizationLimitCollectionCreationDeletion.sql
@@ -0,0 +1,485 @@
+-- Finalise removal of Organization.LimitCollectionCreationDeletion column
+
+-- Drop default constraint
+IF OBJECT_ID('[dbo].[DF_Organization_LimitCollectionCreationDeletion]', 'D') IS NOT NULL
+BEGIN
+    ALTER TABLE
+        [dbo].[Organization]
+    DROP CONSTRAINT
+        [DF_Organization_LimitCollectionCreationDeletion]
+END
+GO
+
+-- Drop the column
+IF COL_LENGTH('[dbo].[Organization]', 'LimitCollectionCreationDeletion') IS NOT NULL
+BEGIN
+    ALTER TABLE
+        [dbo].[Organization]
+    DROP COLUMN
+        [LimitCollectionCreationDeletion]
+END
+GO
+
+-- Refresh Views
+CREATE OR ALTER VIEW [dbo].[OrganizationUserOrganizationDetailsView]
+AS
+SELECT
+    OU.[UserId],
+    OU.[OrganizationId],
+    OU.[Id] OrganizationUserId,
+    O.[Name],
+    O.[Enabled],
+    O.[PlanType],
+    O.[UsePolicies],
+    O.[UseSso],
+    O.[UseKeyConnector],
+    O.[UseScim],
+    O.[UseGroups],
+    O.[UseDirectory],
+    O.[UseEvents],
+    O.[UseTotp],
+    O.[Use2fa],
+    O.[UseApi],
+    O.[UseResetPassword],
+    O.[SelfHost],
+    O.[UsersGetPremium],
+    O.[UseCustomPermissions],
+    O.[UseSecretsManager],
+    O.[Seats],
+    O.[MaxCollections],
+    O.[MaxStorageGb],
+    O.[Identifier],
+    OU.[Key],
+    OU.[ResetPasswordKey],
+    O.[PublicKey],
+    O.[PrivateKey],
+    OU.[Status],
+    OU.[Type],
+    SU.[ExternalId] SsoExternalId,
+    OU.[Permissions],
+    PO.[ProviderId],
+    P.[Name] ProviderName,
+    P.[Type] ProviderType,
+    SS.[Data] SsoConfig,
+    OS.[FriendlyName] FamilySponsorshipFriendlyName,
+    OS.[LastSyncDate] FamilySponsorshipLastSyncDate,
+    OS.[ToDelete] FamilySponsorshipToDelete,
+    OS.[ValidUntil] FamilySponsorshipValidUntil,
+    OU.[AccessSecretsManager],
+    O.[UsePasswordManager],
+    O.[SmSeats],
+    O.[SmServiceAccounts],
+    O.[LimitCollectionCreation],
+    O.[LimitCollectionDeletion],
+    O.[AllowAdminAccessToAllCollectionItems],
+    O.[UseRiskInsights]
+FROM
+    [dbo].[OrganizationUser] OU
+LEFT JOIN
+    [dbo].[Organization] O ON O.[Id] = OU.[OrganizationId]
+LEFT JOIN
+    [dbo].[SsoUser] SU ON SU.[UserId] = OU.[UserId] AND SU.[OrganizationId] = OU.[OrganizationId]
+LEFT JOIN
+    [dbo].[ProviderOrganization] PO ON PO.[OrganizationId] = O.[Id]
+LEFT JOIN
+    [dbo].[Provider] P ON P.[Id] = PO.[ProviderId]
+LEFT JOIN
+    [dbo].[SsoConfig] SS ON SS.[OrganizationId] = OU.[OrganizationId]
+LEFT JOIN
+    [dbo].[OrganizationSponsorship] OS ON OS.[SponsoringOrganizationUserID] = OU.[Id]
+GO
+
+CREATE OR ALTER VIEW [dbo].[ProviderUserProviderOrganizationDetailsView]
+AS
+SELECT
+    PU.[UserId],
+    PO.[OrganizationId],
+    O.[Name],
+    O.[Enabled],
+    O.[UsePolicies],
+    O.[UseSso],
+    O.[UseKeyConnector],
+    O.[UseScim],
+    O.[UseGroups],
+    O.[UseDirectory],
+    O.[UseEvents],
+    O.[UseTotp],
+    O.[Use2fa],
+    O.[UseApi],
+    O.[UseResetPassword],
+    O.[SelfHost],
+    O.[UsersGetPremium],
+    O.[UseCustomPermissions],
+    O.[Seats],
+    O.[MaxCollections],
+    O.[MaxStorageGb],
+    O.[Identifier],
+    PO.[Key],
+    O.[PublicKey],
+    O.[PrivateKey],
+    PU.[Status],
+    PU.[Type],
+    PO.[ProviderId],
+    PU.[Id] ProviderUserId,
+    P.[Name] ProviderName,
+    O.[PlanType],
+    O.[LimitCollectionCreation],
+    O.[LimitCollectionDeletion],
+    O.[AllowAdminAccessToAllCollectionItems],
+    O.[UseRiskInsights],
+    P.[Type] ProviderType
+FROM
+    [dbo].[ProviderUser] PU
+INNER JOIN
+    [dbo].[ProviderOrganization] PO ON PO.[ProviderId] = PU.[ProviderId]
+INNER JOIN
+    [dbo].[Organization] O ON O.[Id] = PO.[OrganizationId]
+INNER JOIN
+    [dbo].[Provider] P ON P.[Id] = PU.[ProviderId]
+GO
+
+-- Refresh Stored Procedures
+CREATE OR ALTER PROCEDURE [dbo].[Organization_Create]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @Identifier NVARCHAR(50),
+    @Name NVARCHAR(50),
+    @BusinessName NVARCHAR(50),
+    @BusinessAddress1 NVARCHAR(50),
+    @BusinessAddress2 NVARCHAR(50),
+    @BusinessAddress3 NVARCHAR(50),
+    @BusinessCountry VARCHAR(2),
+    @BusinessTaxNumber NVARCHAR(30),
+    @BillingEmail NVARCHAR(256),
+    @Plan NVARCHAR(50),
+    @PlanType TINYINT,
+    @Seats INT,
+    @MaxCollections SMALLINT,
+    @UsePolicies BIT,
+    @UseSso BIT,
+    @UseGroups BIT,
+    @UseDirectory BIT,
+    @UseEvents BIT,
+    @UseTotp BIT,
+    @Use2fa BIT,
+    @UseApi BIT,
+    @UseResetPassword BIT,
+    @SelfHost BIT,
+    @UsersGetPremium BIT,
+    @Storage BIGINT,
+    @MaxStorageGb SMALLINT,
+    @Gateway TINYINT,
+    @GatewayCustomerId VARCHAR(50),
+    @GatewaySubscriptionId VARCHAR(50),
+    @ReferenceData VARCHAR(MAX),
+    @Enabled BIT,
+    @LicenseKey VARCHAR(100),
+    @PublicKey VARCHAR(MAX),
+    @PrivateKey VARCHAR(MAX),
+    @TwoFactorProviders NVARCHAR(MAX),
+    @ExpirationDate DATETIME2(7),
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7),
+    @OwnersNotifiedOfAutoscaling DATETIME2(7),
+    @MaxAutoscaleSeats INT,
+    @UseKeyConnector BIT = 0,
+    @UseScim BIT = 0,
+    @UseCustomPermissions BIT = 0,
+    @UseSecretsManager BIT = 0,
+    @Status TINYINT = 0,
+    @UsePasswordManager BIT = 1,
+    @SmSeats INT = null,
+    @SmServiceAccounts INT = null,
+    @MaxAutoscaleSmSeats INT= null,
+    @MaxAutoscaleSmServiceAccounts INT = null,
+    @SecretsManagerBeta BIT = 0,
+    @LimitCollectionCreation BIT = NULL,
+    @LimitCollectionDeletion BIT = NULL,
+    @AllowAdminAccessToAllCollectionItems BIT = 0,
+    @UseRiskInsights BIT = 0
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    INSERT INTO [dbo].[Organization]
+    (
+        [Id],
+        [Identifier],
+        [Name],
+        [BusinessName],
+        [BusinessAddress1],
+        [BusinessAddress2],
+        [BusinessAddress3],
+        [BusinessCountry],
+        [BusinessTaxNumber],
+        [BillingEmail],
+        [Plan],
+        [PlanType],
+        [Seats],
+        [MaxCollections],
+        [UsePolicies],
+        [UseSso],
+        [UseGroups],
+        [UseDirectory],
+        [UseEvents],
+        [UseTotp],
+        [Use2fa],
+        [UseApi],
+        [UseResetPassword],
+        [SelfHost],
+        [UsersGetPremium],
+        [Storage],
+        [MaxStorageGb],
+        [Gateway],
+        [GatewayCustomerId],
+        [GatewaySubscriptionId],
+        [ReferenceData],
+        [Enabled],
+        [LicenseKey],
+        [PublicKey],
+        [PrivateKey],
+        [TwoFactorProviders],
+        [ExpirationDate],
+        [CreationDate],
+        [RevisionDate],
+        [OwnersNotifiedOfAutoscaling],
+        [MaxAutoscaleSeats],
+        [UseKeyConnector],
+        [UseScim],
+        [UseCustomPermissions],
+        [UseSecretsManager],
+        [Status],
+        [UsePasswordManager],
+        [SmSeats],
+        [SmServiceAccounts],
+        [MaxAutoscaleSmSeats],
+        [MaxAutoscaleSmServiceAccounts],
+        [SecretsManagerBeta],
+        [LimitCollectionCreation],
+        [LimitCollectionDeletion],
+        [AllowAdminAccessToAllCollectionItems],
+        [UseRiskInsights]
+    )
+    VALUES
+    (
+        @Id,
+        @Identifier,
+        @Name,
+        @BusinessName,
+        @BusinessAddress1,
+        @BusinessAddress2,
+        @BusinessAddress3,
+        @BusinessCountry,
+        @BusinessTaxNumber,
+        @BillingEmail,
+        @Plan,
+        @PlanType,
+        @Seats,
+        @MaxCollections,
+        @UsePolicies,
+        @UseSso,
+        @UseGroups,
+        @UseDirectory,
+        @UseEvents,
+        @UseTotp,
+        @Use2fa,
+        @UseApi,
+        @UseResetPassword,
+        @SelfHost,
+        @UsersGetPremium,
+        @Storage,
+        @MaxStorageGb,
+        @Gateway,
+        @GatewayCustomerId,
+        @GatewaySubscriptionId,
+        @ReferenceData,
+        @Enabled,
+        @LicenseKey,
+        @PublicKey,
+        @PrivateKey,
+        @TwoFactorProviders,
+        @ExpirationDate,
+        @CreationDate,
+        @RevisionDate,
+        @OwnersNotifiedOfAutoscaling,
+        @MaxAutoscaleSeats,
+        @UseKeyConnector,
+        @UseScim,
+        @UseCustomPermissions,
+        @UseSecretsManager,
+        @Status,
+        @UsePasswordManager,
+        @SmSeats,
+        @SmServiceAccounts,
+        @MaxAutoscaleSmSeats,
+        @MaxAutoscaleSmServiceAccounts,
+        @SecretsManagerBeta,
+        @LimitCollectionCreation,
+        @LimitCollectionDeletion,
+        @AllowAdminAccessToAllCollectionItems,
+        @UseRiskInsights
+    )
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[Organization_ReadAbilities]
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        [Id],
+        [UseEvents],
+        [Use2fa],
+        CASE
+        WHEN [Use2fa] = 1 AND [TwoFactorProviders] IS NOT NULL AND [TwoFactorProviders] != '{}' THEN
+            1
+        ELSE
+            0
+        END AS [Using2fa],
+        [UsersGetPremium],
+        [UseCustomPermissions],
+        [UseSso],
+        [UseKeyConnector],
+        [UseScim],
+        [UseResetPassword],
+        [UsePolicies],
+        [Enabled],
+        [LimitCollectionCreation],
+        [LimitCollectionDeletion],
+        [AllowAdminAccessToAllCollectionItems],
+        [UseRiskInsights]
+    FROM
+        [dbo].[Organization]
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[Organization_Update]
+    @Id UNIQUEIDENTIFIER,
+    @Identifier NVARCHAR(50),
+    @Name NVARCHAR(50),
+    @BusinessName NVARCHAR(50),
+    @BusinessAddress1 NVARCHAR(50),
+    @BusinessAddress2 NVARCHAR(50),
+    @BusinessAddress3 NVARCHAR(50),
+    @BusinessCountry VARCHAR(2),
+    @BusinessTaxNumber NVARCHAR(30),
+    @BillingEmail NVARCHAR(256),
+    @Plan NVARCHAR(50),
+    @PlanType TINYINT,
+    @Seats INT,
+    @MaxCollections SMALLINT,
+    @UsePolicies BIT,
+    @UseSso BIT,
+    @UseGroups BIT,
+    @UseDirectory BIT,
+    @UseEvents BIT,
+    @UseTotp BIT,
+    @Use2fa BIT,
+    @UseApi BIT,
+    @UseResetPassword BIT,
+    @SelfHost BIT,
+    @UsersGetPremium BIT,
+    @Storage BIGINT,
+    @MaxStorageGb SMALLINT,
+    @Gateway TINYINT,
+    @GatewayCustomerId VARCHAR(50),
+    @GatewaySubscriptionId VARCHAR(50),
+    @ReferenceData VARCHAR(MAX),
+    @Enabled BIT,
+    @LicenseKey VARCHAR(100),
+    @PublicKey VARCHAR(MAX),
+    @PrivateKey VARCHAR(MAX),
+    @TwoFactorProviders NVARCHAR(MAX),
+    @ExpirationDate DATETIME2(7),
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7),
+    @OwnersNotifiedOfAutoscaling DATETIME2(7),
+    @MaxAutoscaleSeats INT,
+    @UseKeyConnector BIT = 0,
+    @UseScim BIT = 0,
+    @UseCustomPermissions BIT = 0,
+    @UseSecretsManager BIT = 0,
+    @Status TINYINT = 0,
+    @UsePasswordManager BIT = 1,
+    @SmSeats INT = null,
+    @SmServiceAccounts INT = null,
+    @MaxAutoscaleSmSeats INT = null,
+    @MaxAutoscaleSmServiceAccounts INT = null,
+    @SecretsManagerBeta BIT = 0,
+    @LimitCollectionCreation BIT = null,
+    @LimitCollectionDeletion BIT = null,
+    @AllowAdminAccessToAllCollectionItems BIT = 0,
+    @UseRiskInsights BIT = 0
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    UPDATE
+        [dbo].[Organization]
+    SET
+        [Identifier] = @Identifier,
+        [Name] = @Name,
+        [BusinessName] = @BusinessName,
+        [BusinessAddress1] = @BusinessAddress1,
+        [BusinessAddress2] = @BusinessAddress2,
+        [BusinessAddress3] = @BusinessAddress3,
+        [BusinessCountry] = @BusinessCountry,
+        [BusinessTaxNumber] = @BusinessTaxNumber,
+        [BillingEmail] = @BillingEmail,
+        [Plan] = @Plan,
+        [PlanType] = @PlanType,
+        [Seats] = @Seats,
+        [MaxCollections] = @MaxCollections,
+        [UsePolicies] = @UsePolicies,
+        [UseSso] = @UseSso,
+        [UseGroups] = @UseGroups,
+        [UseDirectory] = @UseDirectory,
+        [UseEvents] = @UseEvents,
+        [UseTotp] = @UseTotp,
+        [Use2fa] = @Use2fa,
+        [UseApi] = @UseApi,
+        [UseResetPassword] = @UseResetPassword,
+        [SelfHost] = @SelfHost,
+        [UsersGetPremium] = @UsersGetPremium,
+        [Storage] = @Storage,
+        [MaxStorageGb] = @MaxStorageGb,
+        [Gateway] = @Gateway,
+        [GatewayCustomerId] = @GatewayCustomerId,
+        [GatewaySubscriptionId] = @GatewaySubscriptionId,
+        [ReferenceData] = @ReferenceData,
+        [Enabled] = @Enabled,
+        [LicenseKey] = @LicenseKey,
+        [PublicKey] = @PublicKey,
+        [PrivateKey] = @PrivateKey,
+        [TwoFactorProviders] = @TwoFactorProviders,
+        [ExpirationDate] = @ExpirationDate,
+        [CreationDate] = @CreationDate,
+        [RevisionDate] = @RevisionDate,
+        [OwnersNotifiedOfAutoscaling] = @OwnersNotifiedOfAutoscaling,
+        [MaxAutoscaleSeats] = @MaxAutoscaleSeats,
+        [UseKeyConnector] = @UseKeyConnector,
+        [UseScim] = @UseScim,
+        [UseCustomPermissions] = @UseCustomPermissions,
+        [UseSecretsManager] = @UseSecretsManager,
+        [Status] = @Status,
+        [UsePasswordManager] = @UsePasswordManager,
+        [SmSeats] = @SmSeats,
+        [SmServiceAccounts] = @SmServiceAccounts,
+        [MaxAutoscaleSmSeats] = @MaxAutoscaleSmSeats,
+        [MaxAutoscaleSmServiceAccounts] = @MaxAutoscaleSmServiceAccounts,
+        [SecretsManagerBeta] = @SecretsManagerBeta,
+        [LimitCollectionCreation] = @LimitCollectionCreation,
+        [LimitCollectionDeletion] = @LimitCollectionDeletion,
+        [AllowAdminAccessToAllCollectionItems] = @AllowAdminAccessToAllCollectionItems,
+        [UseRiskInsights] = @UseRiskInsights
+    WHERE
+        [Id] = @Id
+END
+GO
+
+CREATE OR ALTER VIEW [dbo].[OrganizationView]
+AS
+SELECT
+    *
+FROM
+    [dbo].[Organization]
diff --git a/util/MySqlMigrations/Migrations/20250116163214_DropLimitCollectionCreationDeletion.Designer.cs b/util/MySqlMigrations/Migrations/20250116163214_DropLimitCollectionCreationDeletion.Designer.cs
new file mode 100644
index 0000000000..8431d0d4ed
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20250116163214_DropLimitCollectionCreationDeletion.Designer.cs
@@ -0,0 +1,2994 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Metadata;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20250116163214_DropLimitCollectionCreationDeletion")]
+    partial class DropLimitCollectionCreationDeletion
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 64);
+
+            MySqlModelBuilderExtensions.AutoIncrementColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("varchar(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("int");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("varchar(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("varchar(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("longblob");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("varchar(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("varchar(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("int");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("varchar(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Body")
+                        .HasColumnType("longtext");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("varchar(150)");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("varchar(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("varchar(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/20250116163214_DropLimitCollectionCreationDeletion.cs b/util/MySqlMigrations/Migrations/20250116163214_DropLimitCollectionCreationDeletion.cs
new file mode 100644
index 0000000000..3248d1df9d
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20250116163214_DropLimitCollectionCreationDeletion.cs
@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class DropLimitCollectionCreationDeletion : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "LimitCollectionCreationDeletion",
+            table: "Organization");
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<bool>(
+            name: "LimitCollectionCreationDeletion",
+            table: "Organization",
+            type: "tinyint(1)",
+            nullable: false,
+            defaultValue: false);
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
index dcc525c433..46d2a2e5fd 100644
--- a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -91,9 +91,6 @@ namespace Bit.MySqlMigrations.Migrations
                     b.Property<bool>("LimitCollectionCreation")
                         .HasColumnType("tinyint(1)");
 
-                    b.Property<bool>("LimitCollectionCreationDeletion")
-                        .HasColumnType("tinyint(1)");
-
                     b.Property<bool>("LimitCollectionDeletion")
                         .HasColumnType("tinyint(1)");
 
@@ -1144,35 +1141,6 @@ namespace Bit.MySqlMigrations.Migrations
                     b.ToTable("GroupUser", (string)null);
                 });
 
-            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Installation", b =>
-                {
-                    b.Property<Guid>("Id")
-                        .HasColumnType("char(36)");
-
-                    b.Property<DateTime>("CreationDate")
-                        .HasColumnType("datetime(6)");
-
-                    b.Property<string>("Email")
-                        .IsRequired()
-                        .HasMaxLength(256)
-                        .HasColumnType("varchar(256)");
-
-                    b.Property<bool>("Enabled")
-                        .HasColumnType("tinyint(1)");
-
-                    b.Property<string>("Key")
-                        .IsRequired()
-                        .HasMaxLength(150)
-                        .HasColumnType("varchar(150)");
-
-                    b.Property<DateTime?>("LastActivityDate")
-                        .HasColumnType("datetime(6)");
-
-                    b.HasKey("Id");
-
-                    b.ToTable("Installation", (string)null);
-                });
-
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
                 {
                     b.Property<Guid>("Id")
@@ -1748,6 +1716,35 @@ namespace Bit.MySqlMigrations.Migrations
                     b.ToTable("NotificationStatus", (string)null);
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("varchar(150)");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
                 {
                     b.Property<Guid>("Id")
@@ -2373,7 +2370,7 @@ namespace Bit.MySqlMigrations.Migrations
 
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
                 {
-                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Installation", "Installation")
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
                         .WithMany()
                         .HasForeignKey("InstallationId")
                         .OnDelete(DeleteBehavior.Cascade)
diff --git a/util/PostgresMigrations/Migrations/20250116163219_DropLimitCollectionCreationDeletion.Designer.cs b/util/PostgresMigrations/Migrations/20250116163219_DropLimitCollectionCreationDeletion.Designer.cs
new file mode 100644
index 0000000000..e88fa1485c
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20250116163219_DropLimitCollectionCreationDeletion.Designer.cs
@@ -0,0 +1,3000 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20250116163219_DropLimitCollectionCreationDeletion")]
+    partial class DropLimitCollectionCreationDeletion
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("Npgsql:CollationDefinition:postgresIndetermanisticCollation", "en-u-ks-primary,en-u-ks-primary,icu,False")
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled");
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("Id", "Enabled"), new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("character varying(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("OrganizationId", "ExternalId"), new[] { "UserId" });
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("character varying(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("numeric");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("character varying(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("character varying(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("numeric");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("numeric");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("boolean");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("numeric");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("character varying(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Body")
+                        .HasColumnType("text");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("character varying(150)");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("character varying(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/20250116163219_DropLimitCollectionCreationDeletion.cs b/util/PostgresMigrations/Migrations/20250116163219_DropLimitCollectionCreationDeletion.cs
new file mode 100644
index 0000000000..677dec53ac
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20250116163219_DropLimitCollectionCreationDeletion.cs
@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class DropLimitCollectionCreationDeletion : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "LimitCollectionCreationDeletion",
+            table: "Organization");
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<bool>(
+            name: "LimitCollectionCreationDeletion",
+            table: "Organization",
+            type: "boolean",
+            nullable: false,
+            defaultValue: false);
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
index 971ba96310..29672b80a9 100644
--- a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -93,9 +93,6 @@ namespace Bit.PostgresMigrations.Migrations
                     b.Property<bool>("LimitCollectionCreation")
                         .HasColumnType("boolean");
 
-                    b.Property<bool>("LimitCollectionCreationDeletion")
-                        .HasColumnType("boolean");
-
                     b.Property<bool>("LimitCollectionDeletion")
                         .HasColumnType("boolean");
 
@@ -1149,35 +1146,6 @@ namespace Bit.PostgresMigrations.Migrations
                     b.ToTable("GroupUser", (string)null);
                 });
 
-            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Installation", b =>
-                {
-                    b.Property<Guid>("Id")
-                        .HasColumnType("uuid");
-
-                    b.Property<DateTime>("CreationDate")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("Email")
-                        .IsRequired()
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<bool>("Enabled")
-                        .HasColumnType("boolean");
-
-                    b.Property<string>("Key")
-                        .IsRequired()
-                        .HasMaxLength(150)
-                        .HasColumnType("character varying(150)");
-
-                    b.Property<DateTime?>("LastActivityDate")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.HasKey("Id");
-
-                    b.ToTable("Installation", (string)null);
-                });
-
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
                 {
                     b.Property<Guid>("Id")
@@ -1754,6 +1722,35 @@ namespace Bit.PostgresMigrations.Migrations
                     b.ToTable("NotificationStatus", (string)null);
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("character varying(150)");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
                 {
                     b.Property<Guid>("Id")
@@ -2379,7 +2376,7 @@ namespace Bit.PostgresMigrations.Migrations
 
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
                 {
-                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Installation", "Installation")
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
                         .WithMany()
                         .HasForeignKey("InstallationId")
                         .OnDelete(DeleteBehavior.Cascade)
diff --git a/util/SqliteMigrations/Migrations/20250116163222_DropLimitCollectionCreationDeletion.Designer.cs b/util/SqliteMigrations/Migrations/20250116163222_DropLimitCollectionCreationDeletion.Designer.cs
new file mode 100644
index 0000000000..53111def25
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20250116163222_DropLimitCollectionCreationDeletion.Designer.cs
@@ -0,0 +1,2983 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20250116163222_DropLimitCollectionCreationDeletion")]
+    partial class DropLimitCollectionCreationDeletion
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder.HasAnnotation("ProductVersion", "8.0.8");
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("BLOB");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Body")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/20250116163222_DropLimitCollectionCreationDeletion.cs b/util/SqliteMigrations/Migrations/20250116163222_DropLimitCollectionCreationDeletion.cs
new file mode 100644
index 0000000000..34275a491e
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20250116163222_DropLimitCollectionCreationDeletion.cs
@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class DropLimitCollectionCreationDeletion : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "LimitCollectionCreationDeletion",
+            table: "Organization");
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<bool>(
+            name: "LimitCollectionCreationDeletion",
+            table: "Organization",
+            type: "INTEGER",
+            nullable: false,
+            defaultValue: false);
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
index d9be32398b..d71327ec3c 100644
--- a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -86,9 +86,6 @@ namespace Bit.SqliteMigrations.Migrations
                     b.Property<bool>("LimitCollectionCreation")
                         .HasColumnType("INTEGER");
 
-                    b.Property<bool>("LimitCollectionCreationDeletion")
-                        .HasColumnType("INTEGER");
-
                     b.Property<bool>("LimitCollectionDeletion")
                         .HasColumnType("INTEGER");
 
@@ -1133,35 +1130,6 @@ namespace Bit.SqliteMigrations.Migrations
                     b.ToTable("GroupUser", (string)null);
                 });
 
-            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Installation", b =>
-                {
-                    b.Property<Guid>("Id")
-                        .HasColumnType("TEXT");
-
-                    b.Property<DateTime>("CreationDate")
-                        .HasColumnType("TEXT");
-
-                    b.Property<string>("Email")
-                        .IsRequired()
-                        .HasMaxLength(256)
-                        .HasColumnType("TEXT");
-
-                    b.Property<bool>("Enabled")
-                        .HasColumnType("INTEGER");
-
-                    b.Property<string>("Key")
-                        .IsRequired()
-                        .HasMaxLength(150)
-                        .HasColumnType("TEXT");
-
-                    b.Property<DateTime?>("LastActivityDate")
-                        .HasColumnType("TEXT");
-
-                    b.HasKey("Id");
-
-                    b.ToTable("Installation", (string)null);
-                });
-
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
                 {
                     b.Property<Guid>("Id")
@@ -1737,6 +1705,35 @@ namespace Bit.SqliteMigrations.Migrations
                     b.ToTable("NotificationStatus", (string)null);
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
                 {
                     b.Property<Guid>("Id")
@@ -2362,7 +2359,7 @@ namespace Bit.SqliteMigrations.Migrations
 
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
                 {
-                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Installation", "Installation")
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
                         .WithMany()
                         .HasForeignKey("InstallationId")
                         .OnDelete(DeleteBehavior.Cascade)

From 677265b1e1c34f36a7192668613c779c9726fd78 Mon Sep 17 00:00:00 2001
From: Conner Turnbull <133619638+cturnbull-bitwarden@users.noreply.github.com>
Date: Thu, 16 Jan 2025 15:27:48 -0500
Subject: [PATCH 171/384] [PM-17177] Added additional validation to ensure
 license claim values aren't null (#5280)

* Added additional validation to ensure license claim values aren't null

* Added extra not null validation for any property with a type that can possibly be null
---
 .../OrganizationLicenseClaimsFactory.cs       | 62 +++++++++++++++----
 .../UserLicenseClaimsFactory.cs               | 22 ++++---
 2 files changed, 66 insertions(+), 18 deletions(-)

diff --git a/src/Core/Billing/Licenses/Services/Implementations/OrganizationLicenseClaimsFactory.cs b/src/Core/Billing/Licenses/Services/Implementations/OrganizationLicenseClaimsFactory.cs
index 1aac7bb1d8..e436102012 100644
--- a/src/Core/Billing/Licenses/Services/Implementations/OrganizationLicenseClaimsFactory.cs
+++ b/src/Core/Billing/Licenses/Services/Implementations/OrganizationLicenseClaimsFactory.cs
@@ -22,16 +22,9 @@ public class OrganizationLicenseClaimsFactory : ILicenseClaimsFactory<Organizati
         var claims = new List<Claim>
         {
             new(nameof(OrganizationLicenseConstants.LicenseType), LicenseType.Organization.ToString()),
-            new Claim(nameof(OrganizationLicenseConstants.LicenseKey), entity.LicenseKey),
-            new(nameof(OrganizationLicenseConstants.InstallationId), licenseContext.InstallationId.ToString()),
             new(nameof(OrganizationLicenseConstants.Id), entity.Id.ToString()),
-            new(nameof(OrganizationLicenseConstants.Name), entity.Name),
-            new(nameof(OrganizationLicenseConstants.BillingEmail), entity.BillingEmail),
             new(nameof(OrganizationLicenseConstants.Enabled), entity.Enabled.ToString()),
-            new(nameof(OrganizationLicenseConstants.Plan), entity.Plan),
             new(nameof(OrganizationLicenseConstants.PlanType), entity.PlanType.ToString()),
-            new(nameof(OrganizationLicenseConstants.Seats), entity.Seats.ToString()),
-            new(nameof(OrganizationLicenseConstants.MaxCollections), entity.MaxCollections.ToString()),
             new(nameof(OrganizationLicenseConstants.UsePolicies), entity.UsePolicies.ToString()),
             new(nameof(OrganizationLicenseConstants.UseSso), entity.UseSso.ToString()),
             new(nameof(OrganizationLicenseConstants.UseKeyConnector), entity.UseKeyConnector.ToString()),
@@ -43,32 +36,79 @@ public class OrganizationLicenseClaimsFactory : ILicenseClaimsFactory<Organizati
             new(nameof(OrganizationLicenseConstants.Use2fa), entity.Use2fa.ToString()),
             new(nameof(OrganizationLicenseConstants.UseApi), entity.UseApi.ToString()),
             new(nameof(OrganizationLicenseConstants.UseResetPassword), entity.UseResetPassword.ToString()),
-            new(nameof(OrganizationLicenseConstants.MaxStorageGb), entity.MaxStorageGb.ToString()),
             new(nameof(OrganizationLicenseConstants.SelfHost), entity.SelfHost.ToString()),
             new(nameof(OrganizationLicenseConstants.UsersGetPremium), entity.UsersGetPremium.ToString()),
             new(nameof(OrganizationLicenseConstants.UseCustomPermissions), entity.UseCustomPermissions.ToString()),
-            new(nameof(OrganizationLicenseConstants.Issued), DateTime.UtcNow.ToString(CultureInfo.InvariantCulture)),
             new(nameof(OrganizationLicenseConstants.UsePasswordManager), entity.UsePasswordManager.ToString()),
             new(nameof(OrganizationLicenseConstants.UseSecretsManager), entity.UseSecretsManager.ToString()),
-            new(nameof(OrganizationLicenseConstants.SmSeats), entity.SmSeats.ToString()),
-            new(nameof(OrganizationLicenseConstants.SmServiceAccounts), entity.SmServiceAccounts.ToString()),
             // LimitCollectionCreationDeletion was split and removed from the
             // license. Left here with an assignment from the new values for
             // backwards compatibility.
             new(nameof(OrganizationLicenseConstants.LimitCollectionCreationDeletion),
                 (entity.LimitCollectionCreation || entity.LimitCollectionDeletion).ToString()),
             new(nameof(OrganizationLicenseConstants.AllowAdminAccessToAllCollectionItems), entity.AllowAdminAccessToAllCollectionItems.ToString()),
+            new(nameof(OrganizationLicenseConstants.Issued), DateTime.UtcNow.ToString(CultureInfo.InvariantCulture)),
             new(nameof(OrganizationLicenseConstants.Expires), expires.ToString(CultureInfo.InvariantCulture)),
             new(nameof(OrganizationLicenseConstants.Refresh), refresh.ToString(CultureInfo.InvariantCulture)),
             new(nameof(OrganizationLicenseConstants.ExpirationWithoutGracePeriod), expirationWithoutGracePeriod.ToString(CultureInfo.InvariantCulture)),
             new(nameof(OrganizationLicenseConstants.Trial), trial.ToString()),
         };
 
+        if (entity.Name is not null)
+        {
+            claims.Add(new(nameof(OrganizationLicenseConstants.Name), entity.Name));
+        }
+
+        if (entity.BillingEmail is not null)
+        {
+            claims.Add(new(nameof(OrganizationLicenseConstants.BillingEmail), entity.BillingEmail));
+        }
+
+        if (entity.Plan is not null)
+        {
+            claims.Add(new(nameof(OrganizationLicenseConstants.Plan), entity.Plan));
+        }
+
         if (entity.BusinessName is not null)
         {
             claims.Add(new Claim(nameof(OrganizationLicenseConstants.BusinessName), entity.BusinessName));
         }
 
+        if (entity.LicenseKey is not null)
+        {
+            claims.Add(new Claim(nameof(OrganizationLicenseConstants.LicenseKey), entity.LicenseKey));
+        }
+
+        if (licenseContext.InstallationId.HasValue)
+        {
+            claims.Add(new Claim(nameof(OrganizationLicenseConstants.InstallationId), licenseContext.InstallationId.ToString()));
+        }
+
+        if (entity.Seats.HasValue)
+        {
+            claims.Add(new Claim(nameof(OrganizationLicenseConstants.Seats), entity.Seats.ToString()));
+        }
+
+        if (entity.MaxCollections.HasValue)
+        {
+            claims.Add(new Claim(nameof(OrganizationLicenseConstants.MaxCollections), entity.MaxCollections.ToString()));
+        }
+
+        if (entity.MaxStorageGb.HasValue)
+        {
+            claims.Add(new Claim(nameof(OrganizationLicenseConstants.MaxStorageGb), entity.MaxStorageGb.ToString()));
+        }
+
+        if (entity.SmSeats.HasValue)
+        {
+            claims.Add(new Claim(nameof(OrganizationLicenseConstants.SmSeats), entity.SmSeats.ToString()));
+        }
+
+        if (entity.SmServiceAccounts.HasValue)
+        {
+            claims.Add(new Claim(nameof(OrganizationLicenseConstants.SmServiceAccounts), entity.SmServiceAccounts.ToString()));
+        }
+
         return Task.FromResult(claims);
     }
 
diff --git a/src/Core/Billing/Licenses/Services/Implementations/UserLicenseClaimsFactory.cs b/src/Core/Billing/Licenses/Services/Implementations/UserLicenseClaimsFactory.cs
index 3b7b275469..2aaa5efdc1 100644
--- a/src/Core/Billing/Licenses/Services/Implementations/UserLicenseClaimsFactory.cs
+++ b/src/Core/Billing/Licenses/Services/Implementations/UserLicenseClaimsFactory.cs
@@ -21,31 +21,39 @@ public class UserLicenseClaimsFactory : ILicenseClaimsFactory<User>
         {
             new(nameof(UserLicenseConstants.LicenseType), LicenseType.User.ToString()),
             new(nameof(UserLicenseConstants.Id), entity.Id.ToString()),
-            new(nameof(UserLicenseConstants.Name), entity.Name),
-            new(nameof(UserLicenseConstants.Email), entity.Email),
             new(nameof(UserLicenseConstants.Premium), entity.Premium.ToString()),
             new(nameof(UserLicenseConstants.Issued), DateTime.UtcNow.ToString(CultureInfo.InvariantCulture)),
             new(nameof(UserLicenseConstants.Trial), trial.ToString()),
         };
 
+        if (entity.Email is not null)
+        {
+            claims.Add(new(nameof(UserLicenseConstants.Email), entity.Email));
+        }
+
+        if (entity.Name is not null)
+        {
+            claims.Add(new(nameof(UserLicenseConstants.Name), entity.Name));
+        }
+
         if (entity.LicenseKey is not null)
         {
             claims.Add(new(nameof(UserLicenseConstants.LicenseKey), entity.LicenseKey));
         }
 
-        if (entity.MaxStorageGb is not null)
+        if (entity.MaxStorageGb.HasValue)
         {
             claims.Add(new(nameof(UserLicenseConstants.MaxStorageGb), entity.MaxStorageGb.ToString()));
         }
 
-        if (expires is not null)
+        if (expires.HasValue)
         {
-            claims.Add(new(nameof(UserLicenseConstants.Expires), expires.ToString()));
+            claims.Add(new(nameof(UserLicenseConstants.Expires), expires.Value.ToString(CultureInfo.InvariantCulture)));
         }
 
-        if (refresh is not null)
+        if (refresh.HasValue)
         {
-            claims.Add(new(nameof(UserLicenseConstants.Refresh), refresh.ToString()));
+            claims.Add(new(nameof(UserLicenseConstants.Refresh), refresh.Value.ToString(CultureInfo.InvariantCulture)));
         }
 
         return Task.FromResult(claims);

From 0c29e9227c9fbf0946793373d21e3dc1439299d3 Mon Sep 17 00:00:00 2001
From: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
Date: Fri, 17 Jan 2025 08:28:23 +1000
Subject: [PATCH 172/384] Remove provider-export-permission feature flag
 (#5263)

* also remove old CipherService and CollectionService methods
  only used by old export code
---
 .../OrganizationExportController.cs           | 55 +------------------
 src/Core/Constants.cs                         |  1 -
 src/Core/Context/ICurrentContext.cs           |  2 +
 src/Core/Services/ICollectionService.cs       |  2 -
 .../Implementations/CollectionService.cs      | 27 ---------
 src/Core/Vault/Services/ICipherService.cs     |  1 -
 .../Services/Implementations/CipherService.cs | 29 ----------
 .../Services/CollectionServiceTests.cs        | 30 ----------
 8 files changed, 3 insertions(+), 144 deletions(-)

diff --git a/src/Api/Tools/Controllers/OrganizationExportController.cs b/src/Api/Tools/Controllers/OrganizationExportController.cs
index 144e1be69e..520746f139 100644
--- a/src/Api/Tools/Controllers/OrganizationExportController.cs
+++ b/src/Api/Tools/Controllers/OrganizationExportController.cs
@@ -1,16 +1,11 @@
-using Bit.Api.Models.Response;
-using Bit.Api.Tools.Authorization;
+using Bit.Api.Tools.Authorization;
 using Bit.Api.Tools.Models.Response;
-using Bit.Api.Vault.Models.Response;
-using Bit.Core;
 using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
 using Bit.Core.Context;
-using Bit.Core.Entities;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
-using Bit.Core.Vault.Models.Data;
 using Bit.Core.Vault.Queries;
 using Bit.Core.Vault.Services;
 using Microsoft.AspNetCore.Authorization;
@@ -56,39 +51,6 @@ public class OrganizationExportController : Controller
 
     [HttpGet("export")]
     public async Task<IActionResult> Export(Guid organizationId)
-    {
-        if (_featureService.IsEnabled(FeatureFlagKeys.PM11360RemoveProviderExportPermission))
-        {
-            return await Export_vNext(organizationId);
-        }
-
-        var userId = _userService.GetProperUserId(User).Value;
-
-        IEnumerable<Collection> orgCollections = await _collectionService.GetOrganizationCollectionsAsync(organizationId);
-        (IEnumerable<CipherOrganizationDetails> orgCiphers, Dictionary<Guid, IGrouping<Guid, CollectionCipher>> collectionCiphersGroupDict) = await _cipherService.GetOrganizationCiphers(userId, organizationId);
-
-        if (_currentContext.ClientVersion == null || _currentContext.ClientVersion >= new Version("2023.1.0"))
-        {
-            var organizationExportResponseModel = new OrganizationExportResponseModel
-            {
-                Collections = orgCollections.Select(c => new CollectionResponseModel(c)),
-                Ciphers = orgCiphers.Select(c => new CipherMiniDetailsResponseModel(c, _globalSettings, collectionCiphersGroupDict, c.OrganizationUseTotp))
-            };
-
-            return Ok(organizationExportResponseModel);
-        }
-
-        // Backward compatibility with versions before 2023.1.0 that use ListResponseModel
-        var organizationExportListResponseModel = new OrganizationExportListResponseModel
-        {
-            Collections = GetOrganizationCollectionsResponse(orgCollections),
-            Ciphers = GetOrganizationCiphersResponse(orgCiphers, collectionCiphersGroupDict)
-        };
-
-        return Ok(organizationExportListResponseModel);
-    }
-
-    private async Task<IActionResult> Export_vNext(Guid organizationId)
     {
         var canExportAll = await _authorizationService.AuthorizeAsync(User, new OrganizationScope(organizationId),
             VaultExportOperations.ExportWholeVault);
@@ -116,19 +78,4 @@ public class OrganizationExportController : Controller
         // Unauthorized
         throw new NotFoundException();
     }
-
-    private ListResponseModel<CollectionResponseModel> GetOrganizationCollectionsResponse(IEnumerable<Collection> orgCollections)
-    {
-        var collections = orgCollections.Select(c => new CollectionResponseModel(c));
-        return new ListResponseModel<CollectionResponseModel>(collections);
-    }
-
-    private ListResponseModel<CipherMiniDetailsResponseModel> GetOrganizationCiphersResponse(IEnumerable<CipherOrganizationDetails> orgCiphers,
-        Dictionary<Guid, IGrouping<Guid, CollectionCipher>> collectionCiphersGroupDict)
-    {
-        var responses = orgCiphers.Select(c => new CipherMiniDetailsResponseModel(c, _globalSettings,
-            collectionCiphersGroupDict, c.OrganizationUseTotp));
-
-        return new ListResponseModel<CipherMiniDetailsResponseModel>(responses);
-    }
 }
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index c34303429c..656e943dc0 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -150,7 +150,6 @@ public static class FeatureFlagKeys
     public const string NewDeviceVerificationTemporaryDismiss = "new-device-temporary-dismiss";
     public const string NewDeviceVerificationPermanentDismiss = "new-device-permanent-dismiss";
     public const string SecurityTasks = "security-tasks";
-    public const string PM11360RemoveProviderExportPermission = "pm-11360-remove-provider-export-permission";
     public const string DisableFreeFamiliesSponsorship = "PM-12274-disable-free-families-sponsorship";
     public const string MacOsNativeCredentialSync = "macos-native-credential-sync";
     public const string PM9111ExtensionPersistAddEditForm = "pm-9111-extension-persist-add-edit-form";
diff --git a/src/Core/Context/ICurrentContext.cs b/src/Core/Context/ICurrentContext.cs
index 3d3a5960b7..9361480229 100644
--- a/src/Core/Context/ICurrentContext.cs
+++ b/src/Core/Context/ICurrentContext.cs
@@ -43,7 +43,9 @@ public interface ICurrentContext
     Task<bool> AccessEventLogs(Guid orgId);
     Task<bool> AccessImportExport(Guid orgId);
     Task<bool> AccessReports(Guid orgId);
+    [Obsolete("Deprecated. Use an authorization handler checking the specific permissions required instead.")]
     Task<bool> EditAnyCollection(Guid orgId);
+    [Obsolete("Deprecated. Use an authorization handler checking the specific permissions required instead.")]
     Task<bool> ViewAllCollections(Guid orgId);
     Task<bool> ManageGroups(Guid orgId);
     Task<bool> ManagePolicies(Guid orgId);
diff --git a/src/Core/Services/ICollectionService.cs b/src/Core/Services/ICollectionService.cs
index 27c4118197..c116e5f076 100644
--- a/src/Core/Services/ICollectionService.cs
+++ b/src/Core/Services/ICollectionService.cs
@@ -7,6 +7,4 @@ public interface ICollectionService
 {
     Task SaveAsync(Collection collection, IEnumerable<CollectionAccessSelection> groups = null, IEnumerable<CollectionAccessSelection> users = null);
     Task DeleteUserAsync(Collection collection, Guid organizationUserId);
-    [Obsolete("Pre-Flexible Collections logic.")]
-    Task<IEnumerable<Collection>> GetOrganizationCollectionsAsync(Guid organizationId);
 }
diff --git a/src/Core/Services/Implementations/CollectionService.cs b/src/Core/Services/Implementations/CollectionService.cs
index e779ac289f..f6e9735f4e 100644
--- a/src/Core/Services/Implementations/CollectionService.cs
+++ b/src/Core/Services/Implementations/CollectionService.cs
@@ -95,31 +95,4 @@ public class CollectionService : ICollectionService
         await _collectionRepository.DeleteUserAsync(collection.Id, organizationUserId);
         await _eventService.LogOrganizationUserEventAsync(orgUser, Enums.EventType.OrganizationUser_Updated);
     }
-
-    public async Task<IEnumerable<Collection>> GetOrganizationCollectionsAsync(Guid organizationId)
-    {
-        if (
-            !await _currentContext.ViewAllCollections(organizationId) &&
-            !await _currentContext.ManageUsers(organizationId) &&
-            !await _currentContext.ManageGroups(organizationId) &&
-            !await _currentContext.AccessImportExport(organizationId)
-        )
-        {
-            throw new NotFoundException();
-        }
-
-        IEnumerable<Collection> orgCollections;
-        if (await _currentContext.ViewAllCollections(organizationId) || await _currentContext.AccessImportExport(organizationId))
-        {
-            // Admins, Owners, Providers and Custom (with collection management or import/export permissions) can access all items even if not assigned to them
-            orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(organizationId);
-        }
-        else
-        {
-            var collections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value);
-            orgCollections = collections.Where(c => c.OrganizationId == organizationId);
-        }
-
-        return orgCollections;
-    }
 }
diff --git a/src/Core/Vault/Services/ICipherService.cs b/src/Core/Vault/Services/ICipherService.cs
index 83cd729e13..27b84e4a47 100644
--- a/src/Core/Vault/Services/ICipherService.cs
+++ b/src/Core/Vault/Services/ICipherService.cs
@@ -39,5 +39,4 @@ public interface ICipherService
     Task UploadFileForExistingAttachmentAsync(Stream stream, Cipher cipher, CipherAttachment.MetaData attachmentId);
     Task<AttachmentResponseData> GetAttachmentDownloadDataAsync(Cipher cipher, string attachmentId);
     Task<bool> ValidateCipherAttachmentFile(Cipher cipher, CipherAttachment.MetaData attachmentData);
-    Task<(IEnumerable<CipherOrganizationDetails>, Dictionary<Guid, IGrouping<Guid, CollectionCipher>>)> GetOrganizationCiphers(Guid userId, Guid organizationId);
 }
diff --git a/src/Core/Vault/Services/Implementations/CipherService.cs b/src/Core/Vault/Services/Implementations/CipherService.cs
index d6806bd115..196ec6ef3d 100644
--- a/src/Core/Vault/Services/Implementations/CipherService.cs
+++ b/src/Core/Vault/Services/Implementations/CipherService.cs
@@ -956,35 +956,6 @@ public class CipherService : ICipherService
         return restoringCiphers;
     }
 
-    public async Task<(IEnumerable<CipherOrganizationDetails>, Dictionary<Guid, IGrouping<Guid, CollectionCipher>>)> GetOrganizationCiphers(Guid userId, Guid organizationId)
-    {
-        if (!await _currentContext.ViewAllCollections(organizationId) && !await _currentContext.AccessReports(organizationId) && !await _currentContext.AccessImportExport(organizationId))
-        {
-            throw new NotFoundException();
-        }
-
-        IEnumerable<CipherOrganizationDetails> orgCiphers;
-        if (await _currentContext.AccessImportExport(organizationId))
-        {
-            // Admins, Owners, Providers and Custom (with import/export permission) can access all items even if not assigned to them
-            orgCiphers = await _cipherRepository.GetManyOrganizationDetailsByOrganizationIdAsync(organizationId);
-        }
-        else
-        {
-            var ciphers = await _cipherRepository.GetManyByUserIdAsync(userId, withOrganizations: true);
-            orgCiphers = ciphers.Where(c => c.OrganizationId == organizationId);
-        }
-
-        var orgCipherIds = orgCiphers.Select(c => c.Id);
-
-        var collectionCiphers = await _collectionCipherRepository.GetManyByOrganizationIdAsync(organizationId);
-        var collectionCiphersGroupDict = collectionCiphers
-            .Where(c => orgCipherIds.Contains(c.CipherId))
-            .GroupBy(c => c.CipherId).ToDictionary(s => s.Key);
-
-        return (orgCiphers, collectionCiphersGroupDict);
-    }
-
     private async Task<bool> UserCanEditAsync(Cipher cipher, Guid userId)
     {
         if (!cipher.OrganizationId.HasValue && cipher.UserId.HasValue && cipher.UserId.Value == userId)
diff --git a/test/Core.Test/Services/CollectionServiceTests.cs b/test/Core.Test/Services/CollectionServiceTests.cs
index 26e47e83e8..6d788deb05 100644
--- a/test/Core.Test/Services/CollectionServiceTests.cs
+++ b/test/Core.Test/Services/CollectionServiceTests.cs
@@ -1,5 +1,4 @@
 using Bit.Core.AdminConsole.Entities;
-using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -176,33 +175,4 @@ public class CollectionServiceTest
         await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs()
             .LogOrganizationUserEventAsync<OrganizationUser>(default, default);
     }
-
-    [Theory, BitAutoData]
-    public async Task GetOrganizationCollectionsAsync_WithViewAllCollectionsTrue_ReturnsAllOrganizationCollections(
-        Collection collection, Guid organizationId, Guid userId, SutProvider<CollectionService> sutProvider)
-    {
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
-        sutProvider.GetDependency<ICollectionRepository>()
-            .GetManyByOrganizationIdAsync(organizationId)
-            .Returns(new List<Collection> { collection });
-        sutProvider.GetDependency<ICurrentContext>().ViewAllCollections(organizationId).Returns(true);
-
-        var result = await sutProvider.Sut.GetOrganizationCollectionsAsync(organizationId);
-
-        Assert.Single(result);
-        Assert.Equal(collection, result.First());
-
-        await sutProvider.GetDependency<ICollectionRepository>().Received(1).GetManyByOrganizationIdAsync(organizationId);
-        await sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs().GetManyByUserIdAsync(default);
-    }
-
-    [Theory, BitAutoData]
-    public async Task GetOrganizationCollectionsAsync_WithViewAssignedCollectionsFalse_ThrowsBadRequestException(
-        Guid organizationId, SutProvider<CollectionService> sutProvider)
-    {
-        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.GetOrganizationCollectionsAsync(organizationId));
-
-        await sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs().GetManyByOrganizationIdAsync(default);
-        await sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs().GetManyByUserIdAsync(default);
-    }
 }

From 5423e5d52fe2aac28db457107579aa91709c9bb7 Mon Sep 17 00:00:00 2001
From: Daniel James Smith <2670567+djsmith85@users.noreply.github.com>
Date: Fri, 17 Jan 2025 15:58:04 +0100
Subject: [PATCH 173/384] Remove feature flag "browser-fileless-import" (#5282)

Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
---
 src/Core/Constants.cs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 656e943dc0..059ca6a1cc 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -101,7 +101,6 @@ public static class AuthenticationSchemes
 
 public static class FeatureFlagKeys
 {
-    public const string BrowserFilelessImport = "browser-fileless-import";
     public const string ReturnErrorOnExistingKeypair = "return-error-on-existing-keypair";
     public const string UseTreeWalkerApiForPageDetailsCollection = "use-tree-walker-api-for-page-details-collection";
     public const string ItemShare = "item-share";

From 04e5626c577f9765b79439cdc09009ab25808173 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Mon, 20 Jan 2025 14:59:10 +0000
Subject: [PATCH 174/384] [PM-16777] Fix exception when bulk restoring revoked
 users who never accepted invitations (#5224)

* Fix null handling for UserId in Two Factor Authentication checks

* Add tests for restoring users with and without 2FA policies
---
 .../Implementations/OrganizationService.cs    |   6 +-
 .../Services/OrganizationServiceTests.cs      | 103 ++++++++++++++++++
 2 files changed, 107 insertions(+), 2 deletions(-)

diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index 56467a661a..b2037644e6 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -2165,7 +2165,8 @@ public class OrganizationService : IOrganizationService
 
         // Query Two Factor Authentication status for all users in the organization
         // This is an optimization to avoid querying the Two Factor Authentication status for each user individually
-        var organizationUsersTwoFactorEnabled = await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(filteredUsers.Select(ou => ou.UserId.Value));
+        var organizationUsersTwoFactorEnabled = await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(
+            filteredUsers.Where(ou => ou.UserId.HasValue).Select(ou => ou.UserId.Value));
 
         var result = new List<Tuple<OrganizationUser, string>>();
 
@@ -2188,7 +2189,8 @@ public class OrganizationService : IOrganizationService
                     throw new BadRequestException("Only owners can restore other owners.");
                 }
 
-                var twoFactorIsEnabled = organizationUsersTwoFactorEnabled.FirstOrDefault(ou => ou.userId == organizationUser.UserId.Value).twoFactorIsEnabled;
+                var twoFactorIsEnabled = organizationUser.UserId.HasValue
+                    && organizationUsersTwoFactorEnabled.FirstOrDefault(ou => ou.userId == organizationUser.UserId.Value).twoFactorIsEnabled;
                 await CheckPoliciesBeforeRestoreAsync(organizationUser, twoFactorIsEnabled);
 
                 var status = GetPriorActiveOrganizationUserStatusType(organizationUser);
diff --git a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
index fc839030aa..45cab3912c 100644
--- a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
+++ b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
@@ -2180,4 +2180,107 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
             }
         );
     }
+
+    [Theory, BitAutoData]
+    public async Task RestoreUsers_Success(Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser1,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser2,
+        SutProvider<OrganizationService> sutProvider)
+    {
+        // Arrange
+        RestoreRevokeUser_Setup(organization, owner, orgUser1, sutProvider);
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+        var eventService = sutProvider.GetDependency<IEventService>();
+        var twoFactorIsEnabledQuery = sutProvider.GetDependency<ITwoFactorIsEnabledQuery>();
+        var userService = Substitute.For<IUserService>();
+
+        orgUser1.Email = orgUser2.Email = null; // Mock that users were previously confirmed
+        orgUser1.OrganizationId = orgUser2.OrganizationId = organization.Id;
+        organizationUserRepository
+            .GetManyAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.Id) && ids.Contains(orgUser2.Id)))
+            .Returns(new[] { orgUser1, orgUser2 });
+
+        twoFactorIsEnabledQuery
+            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.UserId!.Value) && ids.Contains(orgUser2.UserId!.Value)))
+            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>
+            {
+                (orgUser1.UserId!.Value, true),
+                (orgUser2.UserId!.Value, false)
+            });
+
+        // Act
+        var result = await sutProvider.Sut.RestoreUsersAsync(organization.Id, new[] { orgUser1.Id, orgUser2.Id }, owner.Id, userService);
+
+        // Assert
+        Assert.Equal(2, result.Count);
+        Assert.All(result, r => Assert.Empty(r.Item2)); // No error messages
+        await organizationUserRepository
+            .Received(1)
+            .RestoreAsync(orgUser1.Id, OrganizationUserStatusType.Confirmed);
+        await organizationUserRepository
+            .Received(1)
+            .RestoreAsync(orgUser2.Id, OrganizationUserStatusType.Confirmed);
+        await eventService.Received(1)
+            .LogOrganizationUserEventAsync(orgUser1, EventType.OrganizationUser_Restored);
+        await eventService.Received(1)
+            .LogOrganizationUserEventAsync(orgUser2, EventType.OrganizationUser_Restored);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RestoreUsers_With2FAPolicy_BlocksNonCompliantUser(Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser1,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser2,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser3,
+        SutProvider<OrganizationService> sutProvider)
+    {
+        // Arrange
+        RestoreRevokeUser_Setup(organization, owner, orgUser1, sutProvider);
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+        var userRepository = sutProvider.GetDependency<IUserRepository>();
+        var policyService = sutProvider.GetDependency<IPolicyService>();
+        var userService = Substitute.For<IUserService>();
+
+        orgUser1.Email = orgUser2.Email = null;
+        orgUser3.UserId = null;
+        orgUser3.Key = null;
+        orgUser1.OrganizationId = orgUser2.OrganizationId = orgUser3.OrganizationId = organization.Id;
+        organizationUserRepository
+            .GetManyAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.Id) && ids.Contains(orgUser2.Id) && ids.Contains(orgUser3.Id)))
+            .Returns(new[] { orgUser1, orgUser2, orgUser3 });
+
+        userRepository.GetByIdAsync(orgUser2.UserId!.Value).Returns(new User { Email = "test@example.com" });
+
+        // Setup 2FA policy
+        policyService.GetPoliciesApplicableToUserAsync(Arg.Any<Guid>(), PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
+            .Returns(new[] { new OrganizationUserPolicyDetails { OrganizationId = organization.Id, PolicyType = PolicyType.TwoFactorAuthentication } });
+
+        // User1 has 2FA, User2 doesn't
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.UserId!.Value) && ids.Contains(orgUser2.UserId!.Value)))
+            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>
+            {
+                (orgUser1.UserId!.Value, true),
+                (orgUser2.UserId!.Value, false)
+            });
+
+        // Act
+        var result = await sutProvider.Sut.RestoreUsersAsync(organization.Id, new[] { orgUser1.Id, orgUser2.Id, orgUser3.Id }, owner.Id, userService);
+
+        // Assert
+        Assert.Equal(3, result.Count);
+        Assert.Empty(result[0].Item2); // First user should succeed
+        Assert.Contains("two-step login", result[1].Item2); // Second user should fail
+        Assert.Empty(result[2].Item2); // Third user should succeed
+        await organizationUserRepository
+            .Received(1)
+            .RestoreAsync(orgUser1.Id, OrganizationUserStatusType.Confirmed);
+        await organizationUserRepository
+            .DidNotReceive()
+            .RestoreAsync(orgUser2.Id, Arg.Any<OrganizationUserStatusType>());
+        await organizationUserRepository
+            .Received(1)
+            .RestoreAsync(orgUser3.Id, OrganizationUserStatusType.Invited);
+    }
 }

From ee2d7df061fdcfdae97cbeea46869e0e58497854 Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Mon, 20 Jan 2025 10:49:33 -0500
Subject: [PATCH 175/384] [pm-16949] Include revoked users in applicable
 policies (#5261)

---
 .../Services/Implementations/OrganizationService.cs             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index b2037644e6..8743e51ff2 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -2249,7 +2249,7 @@ public class OrganizationService : IOrganizationService
         if (!userHasTwoFactorEnabled)
         {
             var invitedTwoFactorPolicies = await _policyService.GetPoliciesApplicableToUserAsync(userId,
-                PolicyType.TwoFactorAuthentication, OrganizationUserStatusType.Invited);
+                PolicyType.TwoFactorAuthentication, OrganizationUserStatusType.Revoked);
             if (invitedTwoFactorPolicies.Any(p => p.OrganizationId == orgUser.OrganizationId))
             {
                 twoFactorCompliant = false;

From 0de108e0518e5b47c6b3204c53deb2b82221dfc6 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Mon, 20 Jan 2025 16:50:11 +0100
Subject: [PATCH 176/384] [PM-16682] Fix tax id not being saved for providers
 (#5257)

---
 .../Commercial.Core/Billing/ProviderBillingService.cs  | 10 ++++------
 src/Core/Models/Business/TaxInfo.cs                    |  6 ------
 .../Services/Implementations/StripePaymentService.cs   |  2 +-
 3 files changed, 5 insertions(+), 13 deletions(-)

diff --git a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
index 57349042d1..2b834947af 100644
--- a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
+++ b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
@@ -352,12 +352,10 @@ public class ProviderBillingService(
                 throw new BadRequestException("billingTaxIdTypeInferenceError");
             }
 
-            customerCreateOptions.TaxIdData = taxInfo.HasTaxId
-                ?
-                [
-                    new CustomerTaxIdDataOptions { Type = taxIdType, Value = taxInfo.TaxIdNumber }
-                ]
-                : null;
+            customerCreateOptions.TaxIdData =
+            [
+                new CustomerTaxIdDataOptions { Type = taxIdType, Value = taxInfo.TaxIdNumber }
+            ];
         }
 
         try
diff --git a/src/Core/Models/Business/TaxInfo.cs b/src/Core/Models/Business/TaxInfo.cs
index 82a6ddfc3e..80a63473a7 100644
--- a/src/Core/Models/Business/TaxInfo.cs
+++ b/src/Core/Models/Business/TaxInfo.cs
@@ -11,10 +11,4 @@ public class TaxInfo
     public string BillingAddressState { get; set; }
     public string BillingAddressPostalCode { get; set; }
     public string BillingAddressCountry { get; set; } = "US";
-
-    public bool HasTaxId
-    {
-        get => !string.IsNullOrWhiteSpace(TaxIdNumber) &&
-            !string.IsNullOrWhiteSpace(TaxIdType);
-    }
 }
diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
index e14467f943..3f9c5c53c6 100644
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -167,7 +167,7 @@ public class StripePaymentService : IPaymentService
                     City = taxInfo?.BillingAddressCity,
                     State = taxInfo?.BillingAddressState,
                 },
-                TaxIdData = taxInfo.HasTaxId
+                TaxIdData = !string.IsNullOrWhiteSpace(taxInfo.TaxIdNumber)
                     ? [new CustomerTaxIdDataOptions { Type = taxInfo.TaxIdType, Value = taxInfo.TaxIdNumber }]
                     : null
             };

From 9efcbec041902a64c366e539cbdf3dabc9b62958 Mon Sep 17 00:00:00 2001
From: Ike <137194738+ike-kottlowski@users.noreply.github.com>
Date: Mon, 20 Jan 2025 16:35:43 -0800
Subject: [PATCH 177/384] [PM-15605] Return VerifyDevices in Profile sync
 response (#5264)

* feat (NewDeviceVerification) :
- Database migration scripts for VerifyDevices column in [dbo].[User].
- Updated DeviceValidator to check if user has opted out of device verification.
- Added endpoint to AccountsController.cs to allow editing of new User.VerifyDevices property.
- Added tests for new methods and endpoint.
- Removed Anon attribute from the POST account/verify-devices endpoint.
- Updating queries to track dbo.User.VerifyDevices.
- Added update to verify email to the new device verification flow.
- Updating some tests for CloudOrganizationSignUpCommand that were failing.
- Updating ProfileResponseModel to include the new VerifyDevices data to hydrate the state in the web client.
---
 src/Api/Models/Response/ProfileResponseModel.cs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/Api/Models/Response/ProfileResponseModel.cs b/src/Api/Models/Response/ProfileResponseModel.cs
index a6ed4ebfa2..82ffb05b0b 100644
--- a/src/Api/Models/Response/ProfileResponseModel.cs
+++ b/src/Api/Models/Response/ProfileResponseModel.cs
@@ -37,6 +37,7 @@ public class ProfileResponseModel : ResponseModel
         UsesKeyConnector = user.UsesKeyConnector;
         AvatarColor = user.AvatarColor;
         CreationDate = user.CreationDate;
+        VerifyDevices = user.VerifyDevices;
         Organizations = organizationsUserDetails?.Select(o => new ProfileOrganizationResponseModel(o, organizationIdsManagingUser));
         Providers = providerUserDetails?.Select(p => new ProfileProviderResponseModel(p));
         ProviderOrganizations =
@@ -62,6 +63,7 @@ public class ProfileResponseModel : ResponseModel
     public bool UsesKeyConnector { get; set; }
     public string AvatarColor { get; set; }
     public DateTime CreationDate { get; set; }
+    public bool VerifyDevices { get; set; }
     public IEnumerable<ProfileOrganizationResponseModel> Organizations { get; set; }
     public IEnumerable<ProfileProviderResponseModel> Providers { get; set; }
     public IEnumerable<ProfileProviderOrganizationResponseModel> ProviderOrganizations { get; set; }

From edb74add5040c7b848e85170c75692653e2b0518 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Tue, 21 Jan 2025 10:15:02 +0000
Subject: [PATCH 178/384] [PM-14243] Free organization limit is not enforced
 when editing user (#5155)

* Enforce free organization limit when updating user

* Add test for throwing error on accepting admin user joining multiple free organizations

* Add test for throwing BadRequest when free organization admin attempts to sign up for another free organization

* Fix user ID handling in UpdateOrganizationUserCommand for free organizations

* Rename parameter 'user' to 'organizationUser' in UpdateUserAsync method for clarity
---
 .../IUpdateOrganizationUserCommand.cs         |  2 +-
 .../UpdateOrganizationUserCommand.cs          | 52 ++++++++++++-------
 .../AcceptOrgUserCommandTests.cs              | 24 +++++++++
 .../UpdateOrganizationUserCommandTests.cs     | 31 +++++++++++
 .../CloudOrganizationSignUpCommandTests.cs    | 23 ++++++++
 5 files changed, 113 insertions(+), 19 deletions(-)

diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IUpdateOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IUpdateOrganizationUserCommand.cs
index c7298e1cd9..0cd5a3295f 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IUpdateOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IUpdateOrganizationUserCommand.cs
@@ -6,6 +6,6 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interface
 
 public interface IUpdateOrganizationUserCommand
 {
-    Task UpdateUserAsync(OrganizationUser user, Guid? savingUserId,
+    Task UpdateUserAsync(OrganizationUser organizationUser, Guid? savingUserId,
         List<CollectionAccessSelection>? collectionAccess, IEnumerable<Guid>? groupAccess);
 }
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommand.cs
index c5a4b3da1d..3dd55f9893 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommand.cs
@@ -1,6 +1,7 @@
 #nullable enable
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Billing.Enums;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -49,48 +50,64 @@ public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
     /// <summary>
     /// Update an organization user.
     /// </summary>
-    /// <param name="user">The modified user to save.</param>
+    /// <param name="organizationUser">The modified organization user to save.</param>
     /// <param name="savingUserId">The userId of the currently logged in user who is making the change.</param>
     /// <param name="collectionAccess">The user's updated collection access. If set to null, this removes all collection access.</param>
     /// <param name="groupAccess">The user's updated group access. If set to null, groups are not updated.</param>
     /// <exception cref="BadRequestException"></exception>
-    public async Task UpdateUserAsync(OrganizationUser user, Guid? savingUserId,
+    public async Task UpdateUserAsync(OrganizationUser organizationUser, Guid? savingUserId,
         List<CollectionAccessSelection>? collectionAccess, IEnumerable<Guid>? groupAccess)
     {
         // Avoid multiple enumeration
         collectionAccess = collectionAccess?.ToList();
         groupAccess = groupAccess?.ToList();
 
-        if (user.Id.Equals(default(Guid)))
+        if (organizationUser.Id.Equals(default(Guid)))
         {
             throw new BadRequestException("Invite the user first.");
         }
 
-        var originalUser = await _organizationUserRepository.GetByIdAsync(user.Id);
-        if (originalUser == null || user.OrganizationId != originalUser.OrganizationId)
+        var originalOrganizationUser = await _organizationUserRepository.GetByIdAsync(organizationUser.Id);
+        if (originalOrganizationUser == null || organizationUser.OrganizationId != originalOrganizationUser.OrganizationId)
         {
             throw new NotFoundException();
         }
 
+        var organization = await _organizationRepository.GetByIdAsync(organizationUser.OrganizationId);
+        if (organization == null)
+        {
+            throw new NotFoundException();
+        }
+
+        if (organizationUser.UserId.HasValue && organization.PlanType == PlanType.Free && organizationUser.Type is OrganizationUserType.Admin or OrganizationUserType.Owner)
+        {
+            // Since free organizations only supports a few users there is not much point in avoiding N+1 queries for this.
+            var adminCount = await _organizationUserRepository.GetCountByFreeOrganizationAdminUserAsync(organizationUser.UserId.Value);
+            if (adminCount > 0)
+            {
+                throw new BadRequestException("User can only be an admin of one free organization.");
+            }
+        }
+
         if (collectionAccess?.Any() == true)
         {
-            await ValidateCollectionAccessAsync(originalUser, collectionAccess.ToList());
+            await ValidateCollectionAccessAsync(originalOrganizationUser, collectionAccess.ToList());
         }
 
         if (groupAccess?.Any() == true)
         {
-            await ValidateGroupAccessAsync(originalUser, groupAccess.ToList());
+            await ValidateGroupAccessAsync(originalOrganizationUser, groupAccess.ToList());
         }
 
         if (savingUserId.HasValue)
         {
-            await _organizationService.ValidateOrganizationUserUpdatePermissions(user.OrganizationId, user.Type, originalUser.Type, user.GetPermissions());
+            await _organizationService.ValidateOrganizationUserUpdatePermissions(organizationUser.OrganizationId, organizationUser.Type, originalOrganizationUser.Type, organizationUser.GetPermissions());
         }
 
-        await _organizationService.ValidateOrganizationCustomPermissionsEnabledAsync(user.OrganizationId, user.Type);
+        await _organizationService.ValidateOrganizationCustomPermissionsEnabledAsync(organizationUser.OrganizationId, organizationUser.Type);
 
-        if (user.Type != OrganizationUserType.Owner &&
-            !await _hasConfirmedOwnersExceptQuery.HasConfirmedOwnersExceptAsync(user.OrganizationId, new[] { user.Id }))
+        if (organizationUser.Type != OrganizationUserType.Owner &&
+            !await _hasConfirmedOwnersExceptQuery.HasConfirmedOwnersExceptAsync(organizationUser.OrganizationId, new[] { organizationUser.Id }))
         {
             throw new BadRequestException("Organization must have at least one confirmed owner.");
         }
@@ -106,26 +123,25 @@ public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
 
         // Only autoscale (if required) after all validation has passed so that we know it's a valid request before
         // updating Stripe
-        if (!originalUser.AccessSecretsManager && user.AccessSecretsManager)
+        if (!originalOrganizationUser.AccessSecretsManager && organizationUser.AccessSecretsManager)
         {
-            var additionalSmSeatsRequired = await _countNewSmSeatsRequiredQuery.CountNewSmSeatsRequiredAsync(user.OrganizationId, 1);
+            var additionalSmSeatsRequired = await _countNewSmSeatsRequiredQuery.CountNewSmSeatsRequiredAsync(organizationUser.OrganizationId, 1);
             if (additionalSmSeatsRequired > 0)
             {
-                var organization = await _organizationRepository.GetByIdAsync(user.OrganizationId);
                 var update = new SecretsManagerSubscriptionUpdate(organization, true)
-                    .AdjustSeats(additionalSmSeatsRequired);
+                   .AdjustSeats(additionalSmSeatsRequired);
                 await _updateSecretsManagerSubscriptionCommand.UpdateSubscriptionAsync(update);
             }
         }
 
-        await _organizationUserRepository.ReplaceAsync(user, collectionAccess);
+        await _organizationUserRepository.ReplaceAsync(organizationUser, collectionAccess);
 
         if (groupAccess != null)
         {
-            await _organizationUserRepository.UpdateGroupsAsync(user.Id, groupAccess);
+            await _organizationUserRepository.UpdateGroupsAsync(organizationUser.Id, groupAccess);
         }
 
-        await _eventService.LogOrganizationUserEventAsync(user, EventType.OrganizationUser_Updated);
+        await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Updated);
     }
 
     private async Task ValidateCollectionAccessAsync(OrganizationUser originalUser,
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/AcceptOrgUserCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/AcceptOrgUserCommandTests.cs
index eca4f449b0..2dda23481a 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/AcceptOrgUserCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/AcceptOrgUserCommandTests.cs
@@ -2,6 +2,7 @@
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Models.Business.Tokenables;
+using Bit.Core.Billing.Enums;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -182,6 +183,29 @@ public class AcceptOrgUserCommandTests
             exception.Message);
     }
 
+    [Theory]
+    [BitAutoData(OrganizationUserType.Admin)]
+    [BitAutoData(OrganizationUserType.Owner)]
+    public async Task AcceptOrgUser_AdminOfFreePlanTryingToJoinSecondFreeOrg_ThrowsBadRequest(
+        OrganizationUserType userType,
+        SutProvider<AcceptOrgUserCommand> sutProvider,
+        User user, Organization org, OrganizationUser orgUser, OrganizationUserUserDetails adminUserDetails)
+    {
+        // Arrange
+        SetupCommonAcceptOrgUserMocks(sutProvider, user, org, orgUser, adminUserDetails);
+        org.PlanType = PlanType.Free;
+        orgUser.Type = userType;
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetCountByFreeOrganizationAdminUserAsync(user.Id)
+            .Returns(1);
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.AcceptOrgUserAsync(orgUser, user, _userService));
+
+        Assert.Equal("You can only be an admin of one free organization.", exception.Message);
+    }
 
     // AcceptOrgUserByOrgIdAsync tests --------------------------------------------------------------------------------
 
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommandTests.cs
index 73bf00474b..cd03f9583b 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommandTests.cs
@@ -3,6 +3,7 @@ using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Billing.Enums;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -144,6 +145,7 @@ public class UpdateOrganizationUserCommandTests
         newUserData.Id = oldUserData.Id;
         newUserData.UserId = oldUserData.UserId;
         newUserData.OrganizationId = savingUser.OrganizationId = oldUserData.OrganizationId = organization.Id;
+        newUserData.Type = OrganizationUserType.Admin;
         newUserData.Permissions = JsonSerializer.Serialize(permissions, new JsonSerializerOptions
         {
             PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
@@ -159,6 +161,10 @@ public class UpdateOrganizationUserCommandTests
             .Returns(callInfo => callInfo.Arg<IEnumerable<Guid>>()
                 .Select(guid => new Group { Id = guid, OrganizationId = oldUserData.OrganizationId }).ToList());
 
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetCountByFreeOrganizationAdminUserAsync(newUserData.Id)
+            .Returns(0);
+
         await sutProvider.Sut.UpdateUserAsync(newUserData, savingUser.UserId, collections, groups);
 
         var organizationService = sutProvider.GetDependency<IOrganizationService>();
@@ -175,6 +181,31 @@ public class UpdateOrganizationUserCommandTests
             Arg.Is<IEnumerable<Guid>>(i => i.Contains(newUserData.Id)));
     }
 
+    [Theory]
+    [BitAutoData(OrganizationUserType.Admin)]
+    [BitAutoData(OrganizationUserType.Owner)]
+    public async Task UpdateUserAsync_WhenUpdatingUserToAdminOrOwner_WithUserAlreadyAdminOfAnotherFreeOrganization_Throws(
+        OrganizationUserType userType,
+        OrganizationUser oldUserData,
+        OrganizationUser newUserData,
+        Organization organization,
+        SutProvider<UpdateOrganizationUserCommand> sutProvider)
+    {
+        organization.PlanType = PlanType.Free;
+        newUserData.Type = userType;
+
+        Setup(sutProvider, organization, newUserData, oldUserData);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetCountByFreeOrganizationAdminUserAsync(newUserData.UserId!.Value)
+            .Returns(1);
+
+        // Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.UpdateUserAsync(newUserData, null, null, null));
+        Assert.Contains("User can only be an admin of one free organization.", exception.Message);
+    }
+
     private void Setup(SutProvider<UpdateOrganizationUserCommand> sutProvider, Organization organization,
         OrganizationUser newUser, OrganizationUser oldUser)
     {
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationSignUp/CloudOrganizationSignUpCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationSignUp/CloudOrganizationSignUpCommandTests.cs
index a16b48240c..46b4f0b334 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationSignUp/CloudOrganizationSignUpCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationSignUp/CloudOrganizationSignUpCommandTests.cs
@@ -242,4 +242,27 @@ public class CloudICloudOrganizationSignUpCommandTests
             () => sutProvider.Sut.SignUpOrganizationAsync(signup));
         Assert.Contains("You can't subtract Machine Accounts!", exception.Message);
     }
+
+    [Theory]
+    [BitAutoData]
+    public async Task SignUpAsync_Free_ExistingFreeOrgAdmin_ThrowsBadRequest(
+        SutProvider<CloudOrganizationSignUpCommand> sutProvider)
+    {
+        // Arrange
+        var signup = new OrganizationSignup
+        {
+            Plan = PlanType.Free,
+            IsFromProvider = false,
+            Owner = new User { Id = Guid.NewGuid() }
+        };
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetCountByFreeOrganizationAdminUserAsync(signup.Owner.Id)
+            .Returns(1);
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.SignUpOrganizationAsync(signup));
+        Assert.Contains("You can only be an admin of one free organization.", exception.Message);
+    }
 }

From f1893c256c9c71fe5e51aa9ce8257f1d336a83e9 Mon Sep 17 00:00:00 2001
From: Brandon Treston <btreston@bitwarden.com>
Date: Tue, 21 Jan 2025 09:53:12 -0500
Subject: [PATCH 179/384] remove feature flag (#5284)

Clients PR was merged, now merging server PR.
---
 src/Core/Constants.cs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 059ca6a1cc..0ebb64ad98 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -153,7 +153,6 @@ public static class FeatureFlagKeys
     public const string MacOsNativeCredentialSync = "macos-native-credential-sync";
     public const string PM9111ExtensionPersistAddEditForm = "pm-9111-extension-persist-add-edit-form";
     public const string InlineMenuTotp = "inline-menu-totp";
-    public const string PM12443RemovePagingLogic = "pm-12443-remove-paging-logic";
     public const string SelfHostLicenseRefactor = "pm-11516-self-host-license-refactor";
     public const string PrivateKeyRegeneration = "pm-12241-private-key-regeneration";
     public const string AuthenticatorSynciOS = "enable-authenticator-sync-ios";

From a9ef4750466fde62ddc1a74a9a5599d9bfb53562 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 21 Jan 2025 10:56:17 -0800
Subject: [PATCH 180/384] [deps]: Update github-action minor (#5296)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 .github/workflows/build.yml           | 22 +++++++++++-----------
 .github/workflows/code-references.yml |  2 +-
 .github/workflows/release.yml         |  2 +-
 .github/workflows/stale-bot.yml       |  2 +-
 .github/workflows/test-database.yml   |  4 ++--
 5 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 510ce3318b..7d64612aba 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -120,7 +120,7 @@ jobs:
           ls -atlh ../../../
 
       - name: Upload project artifact
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: ${{ matrix.project_name }}.zip
           path: ${{ matrix.base_path }}/${{ matrix.project_name }}/${{ matrix.project_name }}.zip
@@ -278,7 +278,7 @@ jobs:
 
       - name: Build Docker image
         id: build-docker
-        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
+        uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0
         with:
           context: ${{ matrix.base_path }}/${{ matrix.project_name }}
           file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
@@ -393,7 +393,7 @@ jobs:
         if: |
           github.event_name != 'pull_request_target'
           && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: docker-stub-US.zip
           path: docker-stub-US.zip
@@ -403,7 +403,7 @@ jobs:
         if: |
           github.event_name != 'pull_request_target'
           && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: docker-stub-EU.zip
           path: docker-stub-EU.zip
@@ -413,7 +413,7 @@ jobs:
         if: |
           github.event_name != 'pull_request_target'
           && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: docker-stub-US-sha256.txt
           path: docker-stub-US-sha256.txt
@@ -423,7 +423,7 @@ jobs:
         if: |
           github.event_name != 'pull_request_target'
           && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: docker-stub-EU-sha256.txt
           path: docker-stub-EU-sha256.txt
@@ -447,7 +447,7 @@ jobs:
           GLOBALSETTINGS__SQLSERVER__CONNECTIONSTRING: "placeholder"
 
       - name: Upload Public API Swagger artifact
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: swagger.json
           path: swagger.json
@@ -481,14 +481,14 @@ jobs:
           GLOBALSETTINGS__SQLSERVER__CONNECTIONSTRING: "placeholder"
 
       - name: Upload Internal API Swagger artifact
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: internal.json
           path: internal.json
           if-no-files-found: error
 
       - name: Upload Identity Swagger artifact
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: identity.json
           path: identity.json
@@ -533,7 +533,7 @@ jobs:
 
       - name: Upload project artifact for Windows
         if: ${{ contains(matrix.target, 'win') == true }}
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: MsSqlMigratorUtility-${{ matrix.target }}
           path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility.exe
@@ -541,7 +541,7 @@ jobs:
 
       - name: Upload project artifact
         if: ${{ contains(matrix.target, 'win') == false }}
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: MsSqlMigratorUtility-${{ matrix.target }}
           path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility
diff --git a/.github/workflows/code-references.yml b/.github/workflows/code-references.yml
index 7fcf864866..ce8cb8e467 100644
--- a/.github/workflows/code-references.yml
+++ b/.github/workflows/code-references.yml
@@ -37,7 +37,7 @@ jobs:
 
       - name: Collect
         id: collect
-        uses: launchdarkly/find-code-references-in-pull-request@b2d44bb453e13c11fd1a6ada7b1e5f9fb0ace629 # v2.0.1
+        uses: launchdarkly/find-code-references-in-pull-request@30f4c4ab2949bbf258b797ced2fbf6dea34df9ce # v2.1.0
         with:
           project-key: default
           environment-key: dev
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0809ff833f..f749d2e4f0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -85,7 +85,7 @@ jobs:
 
       - name: Create release
         if: ${{ inputs.release_type != 'Dry Run' }}
-        uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
+        uses: ncipollo/release-action@cdcc88a9acf3ca41c16c37bb7d21b9ad48560d87 # v1.15.0
         with:
           artifacts: "docker-stub-US.zip,
             docker-stub-US-sha256.txt,
diff --git a/.github/workflows/stale-bot.yml b/.github/workflows/stale-bot.yml
index f8a25288f2..9420f71cb3 100644
--- a/.github/workflows/stale-bot.yml
+++ b/.github/workflows/stale-bot.yml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Check
-        uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
+        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
         with:
           stale-issue-label: "needs-reply"
           stale-pr-label: "needs-changes"
diff --git a/.github/workflows/test-database.yml b/.github/workflows/test-database.yml
index 0d6361eca8..b7b06688b4 100644
--- a/.github/workflows/test-database.yml
+++ b/.github/workflows/test-database.yml
@@ -200,7 +200,7 @@ jobs:
         shell: pwsh
 
       - name: Upload DACPAC
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: sql.dacpac
           path: Sql.dacpac
@@ -226,7 +226,7 @@ jobs:
         shell: pwsh
 
       - name: Report validation results
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: report.xml
           path: |

From 7462352e18944ffc7b898108e463994dd4c550f6 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 21 Jan 2025 14:49:20 -0500
Subject: [PATCH 181/384] [deps] DbOps: Update Microsoft.Azure.Cosmos to 3.46.1
 (#5290)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 src/Core/Core.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index 44b4729a10..ddd9fc26bb 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -42,7 +42,7 @@
     <PackageReference Include="Handlebars.Net" Version="2.1.6" />
     <PackageReference Include="MailKit" Version="4.9.0" />    
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.10" />
-    <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.46.0" />
+    <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.46.1" />
     <PackageReference Include="Microsoft.Azure.NotificationHubs" Version="4.2.0" />
     <PackageReference Include="Microsoft.Data.SqlClient" Version="5.2.2" />
     <PackageReference Include="Microsoft.Extensions.Caching.Cosmos" Version="1.7.0" />

From 4069ac3a4b728184fc425442af9975ed76e847a3 Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Tue, 21 Jan 2025 15:51:34 -0500
Subject: [PATCH 182/384] Add limit item deletion organization setting
 migration (#5283)

---
 .../AdminConsole/Entities/Organization.cs     |    6 +
 .../Stored Procedures/Organization_Create.sql |    9 +-
 .../Organization_ReadAbilities.sql            |    3 +-
 .../Stored Procedures/Organization_Update.sql |    6 +-
 src/Sql/dbo/Tables/Organization.sql           |    1 +
 ...rganizationUserOrganizationDetailsView.sql |    3 +-
 ...derUserProviderOrganizationDetailsView.sql |    3 +-
 .../2025-01-16_01_LimitItemDeletion.sql       |  487 +++
 ...250116221304_LimitItemDeletion.Designer.cs | 2997 ++++++++++++++++
 .../20250116221304_LimitItemDeletion.cs       |   28 +
 .../DatabaseContextModelSnapshot.cs           |    3 +
 ...250116221314_LimitItemDeletion.Designer.cs | 3003 +++++++++++++++++
 .../20250116221314_LimitItemDeletion.cs       |   28 +
 .../DatabaseContextModelSnapshot.cs           |    3 +
 ...250116221310_LimitItemDeletion.Designer.cs | 2986 ++++++++++++++++
 .../20250116221310_LimitItemDeletion.cs       |   28 +
 .../DatabaseContextModelSnapshot.cs           |    3 +
 17 files changed, 9589 insertions(+), 8 deletions(-)
 create mode 100644 util/Migrator/DbScripts/2025-01-16_01_LimitItemDeletion.sql
 create mode 100644 util/MySqlMigrations/Migrations/20250116221304_LimitItemDeletion.Designer.cs
 create mode 100644 util/MySqlMigrations/Migrations/20250116221304_LimitItemDeletion.cs
 create mode 100644 util/PostgresMigrations/Migrations/20250116221314_LimitItemDeletion.Designer.cs
 create mode 100644 util/PostgresMigrations/Migrations/20250116221314_LimitItemDeletion.cs
 create mode 100644 util/SqliteMigrations/Migrations/20250116221310_LimitItemDeletion.Designer.cs
 create mode 100644 util/SqliteMigrations/Migrations/20250116221310_LimitItemDeletion.cs

diff --git a/src/Core/AdminConsole/Entities/Organization.cs b/src/Core/AdminConsole/Entities/Organization.cs
index 37e21d7f57..54661e22a7 100644
--- a/src/Core/AdminConsole/Entities/Organization.cs
+++ b/src/Core/AdminConsole/Entities/Organization.cs
@@ -103,6 +103,12 @@ public class Organization : ITableObject<Guid>, IStorableSubscriber, IRevisable,
     /// </summary>
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
 
+    /// <summary>
+    /// If set to true, members can only delete items when they have a Can Manage permission over the collection.
+    /// If set to false, members can delete items when they have a Can Manage OR Can Edit permission over the collection.
+    /// </summary>
+    public bool LimitItemDeletion { get; set; }
+
     /// <summary>
     /// Risk Insights is a reporting feature that provides insights into the security of an organization's vault.
     /// </summary>
diff --git a/src/Sql/dbo/Stored Procedures/Organization_Create.sql b/src/Sql/dbo/Stored Procedures/Organization_Create.sql
index 9f12a3f347..25dfcf893d 100644
--- a/src/Sql/dbo/Stored Procedures/Organization_Create.sql	
+++ b/src/Sql/dbo/Stored Procedures/Organization_Create.sql	
@@ -54,7 +54,8 @@ CREATE PROCEDURE [dbo].[Organization_Create]
     @LimitCollectionCreation BIT = NULL,
     @LimitCollectionDeletion BIT = NULL,
     @AllowAdminAccessToAllCollectionItems BIT = 0,
-    @UseRiskInsights BIT = 0
+    @UseRiskInsights BIT = 0,
+    @LimitItemDeletion BIT = 0
 AS
 BEGIN
     SET NOCOUNT ON
@@ -116,7 +117,8 @@ BEGIN
         [LimitCollectionCreation],
         [LimitCollectionDeletion],
         [AllowAdminAccessToAllCollectionItems],
-        [UseRiskInsights]
+        [UseRiskInsights],
+        [LimitItemDeletion]
     )
     VALUES
     (
@@ -175,6 +177,7 @@ BEGIN
         @LimitCollectionCreation,
         @LimitCollectionDeletion,
         @AllowAdminAccessToAllCollectionItems,
-        @UseRiskInsights
+        @UseRiskInsights,
+        @LimitItemDeletion
     )
 END
diff --git a/src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql b/src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql
index 5959742dae..49ee0f9c1c 100644
--- a/src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql	
+++ b/src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql	
@@ -24,7 +24,8 @@ BEGIN
         [LimitCollectionCreation],
         [LimitCollectionDeletion],
         [AllowAdminAccessToAllCollectionItems],
-        [UseRiskInsights]
+        [UseRiskInsights],
+        [LimitItemDeletion]
     FROM
         [dbo].[Organization]
 END
diff --git a/src/Sql/dbo/Stored Procedures/Organization_Update.sql b/src/Sql/dbo/Stored Procedures/Organization_Update.sql
index a1af26851e..6e9fe88f48 100644
--- a/src/Sql/dbo/Stored Procedures/Organization_Update.sql	
+++ b/src/Sql/dbo/Stored Procedures/Organization_Update.sql	
@@ -54,7 +54,8 @@ CREATE PROCEDURE [dbo].[Organization_Update]
     @LimitCollectionCreation BIT = null,
     @LimitCollectionDeletion BIT = null,
     @AllowAdminAccessToAllCollectionItems BIT = 0,
-    @UseRiskInsights BIT = 0
+    @UseRiskInsights BIT = 0,
+    @LimitItemDeletion BIT = 0
 AS
 BEGIN
     SET NOCOUNT ON
@@ -116,7 +117,8 @@ BEGIN
         [LimitCollectionCreation] = @LimitCollectionCreation,
         [LimitCollectionDeletion] = @LimitCollectionDeletion,
         [AllowAdminAccessToAllCollectionItems] = @AllowAdminAccessToAllCollectionItems,
-        [UseRiskInsights] = @UseRiskInsights
+        [UseRiskInsights] = @UseRiskInsights,
+        [LimitItemDeletion] = @LimitItemDeletion
     WHERE
         [Id] = @Id
 END
diff --git a/src/Sql/dbo/Tables/Organization.sql b/src/Sql/dbo/Tables/Organization.sql
index 2178494c19..6d10126972 100644
--- a/src/Sql/dbo/Tables/Organization.sql
+++ b/src/Sql/dbo/Tables/Organization.sql
@@ -53,6 +53,7 @@ CREATE TABLE [dbo].[Organization] (
     [SecretsManagerBeta]            BIT              NOT NULL CONSTRAINT [DF_Organization_SecretsManagerBeta] DEFAULT (0),
     [LimitCollectionCreation]       BIT              NOT NULL CONSTRAINT [DF_Organization_LimitCollectionCreation] DEFAULT (0),
     [LimitCollectionDeletion]       BIT              NOT NULL CONSTRAINT [DF_Organization_LimitCollectionDeletion] DEFAULT (0),
+    [LimitItemDeletion]             BIT              NOT NULL CONSTRAINT [DF_Organization_LimitItemDeletion] DEFAULT (0),
     [AllowAdminAccessToAllCollectionItems]   BIT              NOT NULL CONSTRAINT [DF_Organization_AllowAdminAccessToAllCollectionItems] DEFAULT (0),
     [UseRiskInsights]               BIT              NOT NULL CONSTRAINT [DF_Organization_UseRiskInsights] DEFAULT (0),
     CONSTRAINT [PK_Organization] PRIMARY KEY CLUSTERED ([Id] ASC)
diff --git a/src/Sql/dbo/Views/OrganizationUserOrganizationDetailsView.sql b/src/Sql/dbo/Views/OrganizationUserOrganizationDetailsView.sql
index fc7ab1d31a..70c7413b75 100644
--- a/src/Sql/dbo/Views/OrganizationUserOrganizationDetailsView.sql
+++ b/src/Sql/dbo/Views/OrganizationUserOrganizationDetailsView.sql
@@ -49,7 +49,8 @@ SELECT
     O.[LimitCollectionCreation],
     O.[LimitCollectionDeletion],
     O.[AllowAdminAccessToAllCollectionItems],
-    O.[UseRiskInsights]
+    O.[UseRiskInsights],
+    O.[LimitItemDeletion]
 FROM
     [dbo].[OrganizationUser] OU
 LEFT JOIN
diff --git a/src/Sql/dbo/Views/ProviderUserProviderOrganizationDetailsView.sql b/src/Sql/dbo/Views/ProviderUserProviderOrganizationDetailsView.sql
index 4915a406a1..be6b6fdd0e 100644
--- a/src/Sql/dbo/Views/ProviderUserProviderOrganizationDetailsView.sql
+++ b/src/Sql/dbo/Views/ProviderUserProviderOrganizationDetailsView.sql
@@ -36,7 +36,8 @@ SELECT
     O.[LimitCollectionDeletion],
     O.[AllowAdminAccessToAllCollectionItems],
     O.[UseRiskInsights],
-    P.[Type] ProviderType
+    P.[Type] ProviderType,
+    O.[LimitItemDeletion]
 FROM
     [dbo].[ProviderUser] PU
 INNER JOIN
diff --git a/util/Migrator/DbScripts/2025-01-16_01_LimitItemDeletion.sql b/util/Migrator/DbScripts/2025-01-16_01_LimitItemDeletion.sql
new file mode 100644
index 0000000000..f207365471
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-01-16_01_LimitItemDeletion.sql
@@ -0,0 +1,487 @@
+
+-- Add Columns
+IF COL_LENGTH('[dbo].[Organization]', 'LimitItemDeletion') IS NULL
+BEGIN
+    ALTER TABLE
+        [dbo].[Organization]
+    ADD
+        [LimitItemDeletion] BIT NOT NULL CONSTRAINT [DF_Organization_LimitItemDeletion] DEFAULT (0)
+END
+GO
+
+
+-- Refresh Views
+
+CREATE OR ALTER VIEW [dbo].[ProviderUserProviderOrganizationDetailsView]
+AS
+SELECT
+    PU.[UserId],
+    PO.[OrganizationId],
+    O.[Name],
+    O.[Enabled],
+    O.[UsePolicies],
+    O.[UseSso],
+    O.[UseKeyConnector],
+    O.[UseScim],
+    O.[UseGroups],
+    O.[UseDirectory],
+    O.[UseEvents],
+    O.[UseTotp],
+    O.[Use2fa],
+    O.[UseApi],
+    O.[UseResetPassword],
+    O.[SelfHost],
+    O.[UsersGetPremium],
+    O.[UseCustomPermissions],
+    O.[Seats],
+    O.[MaxCollections],
+    O.[MaxStorageGb],
+    O.[Identifier],
+    PO.[Key],
+    O.[PublicKey],
+    O.[PrivateKey],
+    PU.[Status],
+    PU.[Type],
+    PO.[ProviderId],
+    PU.[Id] ProviderUserId,
+    P.[Name] ProviderName,
+    O.[PlanType],
+    O.[LimitCollectionCreation],
+    O.[LimitCollectionDeletion],
+    O.[AllowAdminAccessToAllCollectionItems],
+    O.[UseRiskInsights],
+    P.[Type] ProviderType,
+    O.[LimitItemDeletion]
+FROM
+    [dbo].[ProviderUser] PU
+INNER JOIN
+    [dbo].[ProviderOrganization] PO ON PO.[ProviderId] = PU.[ProviderId]
+INNER JOIN
+    [dbo].[Organization] O ON O.[Id] = PO.[OrganizationId]
+INNER JOIN
+    [dbo].[Provider] P ON P.[Id] = PU.[ProviderId]
+
+GO
+
+CREATE OR ALTER VIEW [dbo].[OrganizationUserOrganizationDetailsView]
+AS
+SELECT
+    OU.[UserId],
+    OU.[OrganizationId],
+    OU.[Id] OrganizationUserId,
+    O.[Name],
+    O.[Enabled],
+    O.[PlanType],
+    O.[UsePolicies],
+    O.[UseSso],
+    O.[UseKeyConnector],
+    O.[UseScim],
+    O.[UseGroups],
+    O.[UseDirectory],
+    O.[UseEvents],
+    O.[UseTotp],
+    O.[Use2fa],
+    O.[UseApi],
+    O.[UseResetPassword],
+    O.[SelfHost],
+    O.[UsersGetPremium],
+    O.[UseCustomPermissions],
+    O.[UseSecretsManager],
+    O.[Seats],
+    O.[MaxCollections],
+    O.[MaxStorageGb],
+    O.[Identifier],
+    OU.[Key],
+    OU.[ResetPasswordKey],
+    O.[PublicKey],
+    O.[PrivateKey],
+    OU.[Status],
+    OU.[Type],
+    SU.[ExternalId] SsoExternalId,
+    OU.[Permissions],
+    PO.[ProviderId],
+    P.[Name] ProviderName,
+    P.[Type] ProviderType,
+    SS.[Data] SsoConfig,
+    OS.[FriendlyName] FamilySponsorshipFriendlyName,
+    OS.[LastSyncDate] FamilySponsorshipLastSyncDate,
+    OS.[ToDelete] FamilySponsorshipToDelete,
+    OS.[ValidUntil] FamilySponsorshipValidUntil,
+    OU.[AccessSecretsManager],
+    O.[UsePasswordManager],
+    O.[SmSeats],
+    O.[SmServiceAccounts],
+    O.[LimitCollectionCreation],
+    O.[LimitCollectionDeletion],
+    O.[AllowAdminAccessToAllCollectionItems],
+    O.[UseRiskInsights],
+    O.[LimitItemDeletion]
+FROM
+    [dbo].[OrganizationUser] OU
+LEFT JOIN
+    [dbo].[Organization] O ON O.[Id] = OU.[OrganizationId]
+LEFT JOIN
+    [dbo].[SsoUser] SU ON SU.[UserId] = OU.[UserId] AND SU.[OrganizationId] = OU.[OrganizationId]
+LEFT JOIN
+    [dbo].[ProviderOrganization] PO ON PO.[OrganizationId] = O.[Id]
+LEFT JOIN
+    [dbo].[Provider] P ON P.[Id] = PO.[ProviderId]
+LEFT JOIN
+    [dbo].[SsoConfig] SS ON SS.[OrganizationId] = OU.[OrganizationId]
+LEFT JOIN
+    [dbo].[OrganizationSponsorship] OS ON OS.[SponsoringOrganizationUserID] = OU.[Id]
+
+GO
+
+
+-- Refresh Stored Procedures
+
+CREATE OR ALTER PROCEDURE [dbo].[Organization_Create]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @Identifier NVARCHAR(50),
+    @Name NVARCHAR(50),
+    @BusinessName NVARCHAR(50),
+    @BusinessAddress1 NVARCHAR(50),
+    @BusinessAddress2 NVARCHAR(50),
+    @BusinessAddress3 NVARCHAR(50),
+    @BusinessCountry VARCHAR(2),
+    @BusinessTaxNumber NVARCHAR(30),
+    @BillingEmail NVARCHAR(256),
+    @Plan NVARCHAR(50),
+    @PlanType TINYINT,
+    @Seats INT,
+    @MaxCollections SMALLINT,
+    @UsePolicies BIT,
+    @UseSso BIT,
+    @UseGroups BIT,
+    @UseDirectory BIT,
+    @UseEvents BIT,
+    @UseTotp BIT,
+    @Use2fa BIT,
+    @UseApi BIT,
+    @UseResetPassword BIT,
+    @SelfHost BIT,
+    @UsersGetPremium BIT,
+    @Storage BIGINT,
+    @MaxStorageGb SMALLINT,
+    @Gateway TINYINT,
+    @GatewayCustomerId VARCHAR(50),
+    @GatewaySubscriptionId VARCHAR(50),
+    @ReferenceData VARCHAR(MAX),
+    @Enabled BIT,
+    @LicenseKey VARCHAR(100),
+    @PublicKey VARCHAR(MAX),
+    @PrivateKey VARCHAR(MAX),
+    @TwoFactorProviders NVARCHAR(MAX),
+    @ExpirationDate DATETIME2(7),
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7),
+    @OwnersNotifiedOfAutoscaling DATETIME2(7),
+    @MaxAutoscaleSeats INT,
+    @UseKeyConnector BIT = 0,
+    @UseScim BIT = 0,
+    @UseCustomPermissions BIT = 0,
+    @UseSecretsManager BIT = 0,
+    @Status TINYINT = 0,
+    @UsePasswordManager BIT = 1,
+    @SmSeats INT = null,
+    @SmServiceAccounts INT = null,
+    @MaxAutoscaleSmSeats INT= null,
+    @MaxAutoscaleSmServiceAccounts INT = null,
+    @SecretsManagerBeta BIT = 0,
+    @LimitCollectionCreation BIT = NULL,
+    @LimitCollectionDeletion BIT = NULL,
+    @AllowAdminAccessToAllCollectionItems BIT = 0,
+    @UseRiskInsights BIT = 0,
+    @LimitItemDeletion BIT = 0
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    INSERT INTO [dbo].[Organization]
+    (
+        [Id],
+        [Identifier],
+        [Name],
+        [BusinessName],
+        [BusinessAddress1],
+        [BusinessAddress2],
+        [BusinessAddress3],
+        [BusinessCountry],
+        [BusinessTaxNumber],
+        [BillingEmail],
+        [Plan],
+        [PlanType],
+        [Seats],
+        [MaxCollections],
+        [UsePolicies],
+        [UseSso],
+        [UseGroups],
+        [UseDirectory],
+        [UseEvents],
+        [UseTotp],
+        [Use2fa],
+        [UseApi],
+        [UseResetPassword],
+        [SelfHost],
+        [UsersGetPremium],
+        [Storage],
+        [MaxStorageGb],
+        [Gateway],
+        [GatewayCustomerId],
+        [GatewaySubscriptionId],
+        [ReferenceData],
+        [Enabled],
+        [LicenseKey],
+        [PublicKey],
+        [PrivateKey],
+        [TwoFactorProviders],
+        [ExpirationDate],
+        [CreationDate],
+        [RevisionDate],
+        [OwnersNotifiedOfAutoscaling],
+        [MaxAutoscaleSeats],
+        [UseKeyConnector],
+        [UseScim],
+        [UseCustomPermissions],
+        [UseSecretsManager],
+        [Status],
+        [UsePasswordManager],
+        [SmSeats],
+        [SmServiceAccounts],
+        [MaxAutoscaleSmSeats],
+        [MaxAutoscaleSmServiceAccounts],
+        [SecretsManagerBeta],
+        [LimitCollectionCreation],
+        [LimitCollectionDeletion],
+        [AllowAdminAccessToAllCollectionItems],
+        [UseRiskInsights],
+        [LimitItemDeletion]
+    )
+    VALUES
+    (
+        @Id,
+        @Identifier,
+        @Name,
+        @BusinessName,
+        @BusinessAddress1,
+        @BusinessAddress2,
+        @BusinessAddress3,
+        @BusinessCountry,
+        @BusinessTaxNumber,
+        @BillingEmail,
+        @Plan,
+        @PlanType,
+        @Seats,
+        @MaxCollections,
+        @UsePolicies,
+        @UseSso,
+        @UseGroups,
+        @UseDirectory,
+        @UseEvents,
+        @UseTotp,
+        @Use2fa,
+        @UseApi,
+        @UseResetPassword,
+        @SelfHost,
+        @UsersGetPremium,
+        @Storage,
+        @MaxStorageGb,
+        @Gateway,
+        @GatewayCustomerId,
+        @GatewaySubscriptionId,
+        @ReferenceData,
+        @Enabled,
+        @LicenseKey,
+        @PublicKey,
+        @PrivateKey,
+        @TwoFactorProviders,
+        @ExpirationDate,
+        @CreationDate,
+        @RevisionDate,
+        @OwnersNotifiedOfAutoscaling,
+        @MaxAutoscaleSeats,
+        @UseKeyConnector,
+        @UseScim,
+        @UseCustomPermissions,
+        @UseSecretsManager,
+        @Status,
+        @UsePasswordManager,
+        @SmSeats,
+        @SmServiceAccounts,
+        @MaxAutoscaleSmSeats,
+        @MaxAutoscaleSmServiceAccounts,
+        @SecretsManagerBeta,
+        @LimitCollectionCreation,
+        @LimitCollectionDeletion,
+        @AllowAdminAccessToAllCollectionItems,
+        @UseRiskInsights,
+        @LimitItemDeletion
+    )
+END
+
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[Organization_ReadAbilities]
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        [Id],
+        [UseEvents],
+        [Use2fa],
+        CASE
+        WHEN [Use2fa] = 1 AND [TwoFactorProviders] IS NOT NULL AND [TwoFactorProviders] != '{}' THEN
+            1
+        ELSE
+            0
+        END AS [Using2fa],
+        [UsersGetPremium],
+        [UseCustomPermissions],
+        [UseSso],
+        [UseKeyConnector],
+        [UseScim],
+        [UseResetPassword],
+        [UsePolicies],
+        [Enabled],
+        [LimitCollectionCreation],
+        [LimitCollectionDeletion],
+        [AllowAdminAccessToAllCollectionItems],
+        [UseRiskInsights],
+        [LimitItemDeletion]
+    FROM
+        [dbo].[Organization]
+END
+
+GO
+
+
+
+CREATE OR ALTER PROCEDURE [dbo].[Organization_Update]
+    @Id UNIQUEIDENTIFIER,
+    @Identifier NVARCHAR(50),
+    @Name NVARCHAR(50),
+    @BusinessName NVARCHAR(50),
+    @BusinessAddress1 NVARCHAR(50),
+    @BusinessAddress2 NVARCHAR(50),
+    @BusinessAddress3 NVARCHAR(50),
+    @BusinessCountry VARCHAR(2),
+    @BusinessTaxNumber NVARCHAR(30),
+    @BillingEmail NVARCHAR(256),
+    @Plan NVARCHAR(50),
+    @PlanType TINYINT,
+    @Seats INT,
+    @MaxCollections SMALLINT,
+    @UsePolicies BIT,
+    @UseSso BIT,
+    @UseGroups BIT,
+    @UseDirectory BIT,
+    @UseEvents BIT,
+    @UseTotp BIT,
+    @Use2fa BIT,
+    @UseApi BIT,
+    @UseResetPassword BIT,
+    @SelfHost BIT,
+    @UsersGetPremium BIT,
+    @Storage BIGINT,
+    @MaxStorageGb SMALLINT,
+    @Gateway TINYINT,
+    @GatewayCustomerId VARCHAR(50),
+    @GatewaySubscriptionId VARCHAR(50),
+    @ReferenceData VARCHAR(MAX),
+    @Enabled BIT,
+    @LicenseKey VARCHAR(100),
+    @PublicKey VARCHAR(MAX),
+    @PrivateKey VARCHAR(MAX),
+    @TwoFactorProviders NVARCHAR(MAX),
+    @ExpirationDate DATETIME2(7),
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7),
+    @OwnersNotifiedOfAutoscaling DATETIME2(7),
+    @MaxAutoscaleSeats INT,
+    @UseKeyConnector BIT = 0,
+    @UseScim BIT = 0,
+    @UseCustomPermissions BIT = 0,
+    @UseSecretsManager BIT = 0,
+    @Status TINYINT = 0,
+    @UsePasswordManager BIT = 1,
+    @SmSeats INT = null,
+    @SmServiceAccounts INT = null,
+    @MaxAutoscaleSmSeats INT = null,
+    @MaxAutoscaleSmServiceAccounts INT = null,
+    @SecretsManagerBeta BIT = 0,
+    @LimitCollectionCreation BIT = null,
+    @LimitCollectionDeletion BIT = null,
+    @AllowAdminAccessToAllCollectionItems BIT = 0,
+    @UseRiskInsights BIT = 0,
+    @LimitItemDeletion BIT = 0
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    UPDATE
+        [dbo].[Organization]
+    SET
+        [Identifier] = @Identifier,
+        [Name] = @Name,
+        [BusinessName] = @BusinessName,
+        [BusinessAddress1] = @BusinessAddress1,
+        [BusinessAddress2] = @BusinessAddress2,
+        [BusinessAddress3] = @BusinessAddress3,
+        [BusinessCountry] = @BusinessCountry,
+        [BusinessTaxNumber] = @BusinessTaxNumber,
+        [BillingEmail] = @BillingEmail,
+        [Plan] = @Plan,
+        [PlanType] = @PlanType,
+        [Seats] = @Seats,
+        [MaxCollections] = @MaxCollections,
+        [UsePolicies] = @UsePolicies,
+        [UseSso] = @UseSso,
+        [UseGroups] = @UseGroups,
+        [UseDirectory] = @UseDirectory,
+        [UseEvents] = @UseEvents,
+        [UseTotp] = @UseTotp,
+        [Use2fa] = @Use2fa,
+        [UseApi] = @UseApi,
+        [UseResetPassword] = @UseResetPassword,
+        [SelfHost] = @SelfHost,
+        [UsersGetPremium] = @UsersGetPremium,
+        [Storage] = @Storage,
+        [MaxStorageGb] = @MaxStorageGb,
+        [Gateway] = @Gateway,
+        [GatewayCustomerId] = @GatewayCustomerId,
+        [GatewaySubscriptionId] = @GatewaySubscriptionId,
+        [ReferenceData] = @ReferenceData,
+        [Enabled] = @Enabled,
+        [LicenseKey] = @LicenseKey,
+        [PublicKey] = @PublicKey,
+        [PrivateKey] = @PrivateKey,
+        [TwoFactorProviders] = @TwoFactorProviders,
+        [ExpirationDate] = @ExpirationDate,
+        [CreationDate] = @CreationDate,
+        [RevisionDate] = @RevisionDate,
+        [OwnersNotifiedOfAutoscaling] = @OwnersNotifiedOfAutoscaling,
+        [MaxAutoscaleSeats] = @MaxAutoscaleSeats,
+        [UseKeyConnector] = @UseKeyConnector,
+        [UseScim] = @UseScim,
+        [UseCustomPermissions] = @UseCustomPermissions,
+        [UseSecretsManager] = @UseSecretsManager,
+        [Status] = @Status,
+        [UsePasswordManager] = @UsePasswordManager,
+        [SmSeats] = @SmSeats,
+        [SmServiceAccounts] = @SmServiceAccounts,
+        [MaxAutoscaleSmSeats] = @MaxAutoscaleSmSeats,
+        [MaxAutoscaleSmServiceAccounts] = @MaxAutoscaleSmServiceAccounts,
+        [SecretsManagerBeta] = @SecretsManagerBeta,
+        [LimitCollectionCreation] = @LimitCollectionCreation,
+        [LimitCollectionDeletion] = @LimitCollectionDeletion,
+        [AllowAdminAccessToAllCollectionItems] = @AllowAdminAccessToAllCollectionItems,
+        [UseRiskInsights] = @UseRiskInsights,
+        [LimitItemDeletion] = @LimitItemDeletion
+    WHERE
+        [Id] = @Id
+END
+
+
+GO
diff --git a/util/MySqlMigrations/Migrations/20250116221304_LimitItemDeletion.Designer.cs b/util/MySqlMigrations/Migrations/20250116221304_LimitItemDeletion.Designer.cs
new file mode 100644
index 0000000000..19dbdcdead
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20250116221304_LimitItemDeletion.Designer.cs
@@ -0,0 +1,2997 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Metadata;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20250116221304_LimitItemDeletion")]
+    partial class LimitItemDeletion
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 64);
+
+            MySqlModelBuilderExtensions.AutoIncrementColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("LimitItemDeletion")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("varchar(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("int");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("varchar(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("varchar(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("longblob");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("varchar(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("varchar(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("int");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("varchar(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Body")
+                        .HasColumnType("longtext");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("varchar(150)");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("varchar(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("varchar(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/20250116221304_LimitItemDeletion.cs b/util/MySqlMigrations/Migrations/20250116221304_LimitItemDeletion.cs
new file mode 100644
index 0000000000..19aa5a55a9
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20250116221304_LimitItemDeletion.cs
@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class LimitItemDeletion : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<bool>(
+            name: "LimitItemDeletion",
+            table: "Organization",
+            type: "tinyint(1)",
+            nullable: false,
+            defaultValue: false);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "LimitItemDeletion",
+            table: "Organization");
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
index 46d2a2e5fd..5761cd559f 100644
--- a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -94,6 +94,9 @@ namespace Bit.MySqlMigrations.Migrations
                     b.Property<bool>("LimitCollectionDeletion")
                         .HasColumnType("tinyint(1)");
 
+                    b.Property<bool>("LimitItemDeletion")
+                        .HasColumnType("tinyint(1)");
+
                     b.Property<int?>("MaxAutoscaleSeats")
                         .HasColumnType("int");
 
diff --git a/util/PostgresMigrations/Migrations/20250116221314_LimitItemDeletion.Designer.cs b/util/PostgresMigrations/Migrations/20250116221314_LimitItemDeletion.Designer.cs
new file mode 100644
index 0000000000..90799c7699
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20250116221314_LimitItemDeletion.Designer.cs
@@ -0,0 +1,3003 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20250116221314_LimitItemDeletion")]
+    partial class LimitItemDeletion
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("Npgsql:CollationDefinition:postgresIndetermanisticCollation", "en-u-ks-primary,en-u-ks-primary,icu,False")
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("LimitItemDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled");
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("Id", "Enabled"), new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("character varying(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("OrganizationId", "ExternalId"), new[] { "UserId" });
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("character varying(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("numeric");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("character varying(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("character varying(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("numeric");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("numeric");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("boolean");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("numeric");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("character varying(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Body")
+                        .HasColumnType("text");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("character varying(150)");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("character varying(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/20250116221314_LimitItemDeletion.cs b/util/PostgresMigrations/Migrations/20250116221314_LimitItemDeletion.cs
new file mode 100644
index 0000000000..380ecf507e
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20250116221314_LimitItemDeletion.cs
@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class LimitItemDeletion : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<bool>(
+            name: "LimitItemDeletion",
+            table: "Organization",
+            type: "boolean",
+            nullable: false,
+            defaultValue: false);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "LimitItemDeletion",
+            table: "Organization");
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
index 29672b80a9..4abfec0343 100644
--- a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -96,6 +96,9 @@ namespace Bit.PostgresMigrations.Migrations
                     b.Property<bool>("LimitCollectionDeletion")
                         .HasColumnType("boolean");
 
+                    b.Property<bool>("LimitItemDeletion")
+                        .HasColumnType("boolean");
+
                     b.Property<int?>("MaxAutoscaleSeats")
                         .HasColumnType("integer");
 
diff --git a/util/SqliteMigrations/Migrations/20250116221310_LimitItemDeletion.Designer.cs b/util/SqliteMigrations/Migrations/20250116221310_LimitItemDeletion.Designer.cs
new file mode 100644
index 0000000000..91015f9300
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20250116221310_LimitItemDeletion.Designer.cs
@@ -0,0 +1,2986 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20250116221310_LimitItemDeletion")]
+    partial class LimitItemDeletion
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder.HasAnnotation("ProductVersion", "8.0.8");
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("LimitItemDeletion")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("BLOB");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Body")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/20250116221310_LimitItemDeletion.cs b/util/SqliteMigrations/Migrations/20250116221310_LimitItemDeletion.cs
new file mode 100644
index 0000000000..ded7357312
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20250116221310_LimitItemDeletion.cs
@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class LimitItemDeletion : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<bool>(
+            name: "LimitItemDeletion",
+            table: "Organization",
+            type: "INTEGER",
+            nullable: false,
+            defaultValue: false);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "LimitItemDeletion",
+            table: "Organization");
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
index d71327ec3c..f90de08a93 100644
--- a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -89,6 +89,9 @@ namespace Bit.SqliteMigrations.Migrations
                     b.Property<bool>("LimitCollectionDeletion")
                         .HasColumnType("INTEGER");
 
+                    b.Property<bool>("LimitItemDeletion")
+                        .HasColumnType("INTEGER");
+
                     b.Property<int?>("MaxAutoscaleSeats")
                         .HasColumnType("INTEGER");
 

From 163a74000d63ff6276a1ad294ce2fba3242e64c1 Mon Sep 17 00:00:00 2001
From: Robyn MacCallum <robyntmaccallum@gmail.com>
Date: Tue, 21 Jan 2025 16:32:30 -0500
Subject: [PATCH 183/384] Add Authenticator sync flags (#5307)

---
 src/Core/Constants.cs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 0ebb64ad98..659a377d59 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -161,6 +161,8 @@ public static class FeatureFlagKeys
     public const string ResellerManagedOrgAlert = "PM-15814-alert-owners-of-reseller-managed-orgs";
     public const string UsePricingService = "use-pricing-service";
     public const string RecordInstallationLastActivityDate = "installation-last-activity-date";
+    public const string EnablePasswordManagerSyncAndroid = "enable-password-manager-sync-android";
+    public const string EnablePasswordManagerSynciOS = "enable-password-manager-sync-ios";
 
     public static List<string> GetAllKeys()
     {

From c67181830450e89a5f041116de182bae2ae541b9 Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann <mail@quexten.com>
Date: Wed, 22 Jan 2025 14:14:59 +0100
Subject: [PATCH 184/384] Add argon2-default flag (#5253)

---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 659a377d59..5b1e9175cf 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -159,6 +159,7 @@ public static class FeatureFlagKeys
     public const string AuthenticatorSyncAndroid = "enable-authenticator-sync-android";
     public const string AppReviewPrompt = "app-review-prompt";
     public const string ResellerManagedOrgAlert = "PM-15814-alert-owners-of-reseller-managed-orgs";
+    public const string Argon2Default = "argon2-default";
     public const string UsePricingService = "use-pricing-service";
     public const string RecordInstallationLastActivityDate = "installation-last-activity-date";
     public const string EnablePasswordManagerSyncAndroid = "enable-password-manager-sync-android";

From cb76cdb5d3b3391e6ba1ca52c8baccfbd8c0f3f6 Mon Sep 17 00:00:00 2001
From: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
Date: Thu, 23 Jan 2025 00:04:08 +1000
Subject: [PATCH 185/384] Group AC Team feature flags (#5309)

---
 src/Core/Constants.cs | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 5b1e9175cf..dd45593ae9 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -101,6 +101,12 @@ public static class AuthenticationSchemes
 
 public static class FeatureFlagKeys
 {
+    /* Admin Console Team */
+    public const string ProviderClientVaultPrivacyBanner = "ac-2833-provider-client-vault-privacy-banner";
+    public const string AccountDeprovisioning = "pm-10308-account-deprovisioning";
+    public const string VerifiedSsoDomainEndpoint = "pm-12337-refactor-sso-details-endpoint";
+    public const string IntegrationPage = "pm-14505-admin-console-integration-page";
+
     public const string ReturnErrorOnExistingKeypair = "return-error-on-existing-keypair";
     public const string UseTreeWalkerApiForPageDetailsCollection = "use-tree-walker-api-for-page-details-collection";
     public const string ItemShare = "item-share";
@@ -117,7 +123,6 @@ public static class FeatureFlagKeys
     public const string InlineMenuFieldQualification = "inline-menu-field-qualification";
     public const string TwoFactorComponentRefactor = "two-factor-component-refactor";
     public const string InlineMenuPositioningImprovements = "inline-menu-positioning-improvements";
-    public const string ProviderClientVaultPrivacyBanner = "ac-2833-provider-client-vault-privacy-banner";
     public const string DeviceTrustLogging = "pm-8285-device-trust-logging";
     public const string SSHKeyItemVaultItem = "ssh-key-vault-item";
     public const string SSHAgent = "ssh-agent";
@@ -129,7 +134,6 @@ public static class FeatureFlagKeys
     public const string DelayFido2PageScriptInitWithinMv2 = "delay-fido2-page-script-init-within-mv2";
     public const string NativeCarouselFlow = "native-carousel-flow";
     public const string NativeCreateAccountFlow = "native-create-account-flow";
-    public const string AccountDeprovisioning = "pm-10308-account-deprovisioning";
     public const string NotificationBarAddLoginImprovements = "notification-bar-add-login-improvements";
     public const string BlockBrowserInjectionsByDomain = "block-browser-injections-by-domain";
     public const string NotificationRefresh = "notification-refresh";
@@ -140,12 +144,10 @@ public static class FeatureFlagKeys
     public const string StorageReseedRefactor = "storage-reseed-refactor";
     public const string TrialPayment = "PM-8163-trial-payment";
     public const string RemoveServerVersionHeader = "remove-server-version-header";
-    public const string VerifiedSsoDomainEndpoint = "pm-12337-refactor-sso-details-endpoint";
     public const string PM12275_MultiOrganizationEnterprises = "pm-12275-multi-organization-enterprises";
     public const string GeneratorToolsModernization = "generator-tools-modernization";
     public const string NewDeviceVerification = "new-device-verification";
     public const string RiskInsightsCriticalApplication = "pm-14466-risk-insights-critical-application";
-    public const string IntegrationPage = "pm-14505-admin-console-integration-page";
     public const string NewDeviceVerificationTemporaryDismiss = "new-device-temporary-dismiss";
     public const string NewDeviceVerificationPermanentDismiss = "new-device-permanent-dismiss";
     public const string SecurityTasks = "security-tasks";

From 0e0dd8203a40b1e54ae9ea1ae894e0d9cbdadc3a Mon Sep 17 00:00:00 2001
From: Addison Beck <addison@bitwarden.com>
Date: Wed, 22 Jan 2025 11:41:18 -0500
Subject: [PATCH 186/384] [PM-14818]  Update `migrate.ps1` to support test
 database used by integration tests (#4912)

* Check for correct database in an old MySql migration

* Update `migrate.ps1` to support integration test databases
---
 dev/migrate.ps1                               | 74 +++++++++++++------
 .../20231214162533_GrantIdWithIndexes.cs      |  6 +-
 2 files changed, 54 insertions(+), 26 deletions(-)

diff --git a/dev/migrate.ps1 b/dev/migrate.ps1
index ee78e90d32..d129af4e6e 100755
--- a/dev/migrate.ps1
+++ b/dev/migrate.ps1
@@ -7,11 +7,13 @@ param(
   [switch]$mysql,
   [switch]$mssql,
   [switch]$sqlite,
-  [switch]$selfhost
+  [switch]$selfhost,
+  [switch]$test
 )
 
 # Abort on any error
 $ErrorActionPreference = "Stop"
+$currentDir = Get-Location
 
 if (!$all -and !$postgres -and !$mysql -and !$sqlite) {
   $mssql = $true;
@@ -25,36 +27,62 @@ if ($all -or $postgres -or $mysql -or $sqlite) {
   }
 }
 
-if ($all -or $mssql) {
-  function Get-UserSecrets {
-    # The dotnet cli command sometimes adds //BEGIN and //END comments to the output, Where-Object removes comments
-    # to ensure a valid json
-    return dotnet user-secrets list --json --project ../src/Api | Where-Object { $_ -notmatch "^//" } | ConvertFrom-Json
-  }
-
-  if ($selfhost) {
-    $msSqlConnectionString = $(Get-UserSecrets).'dev:selfHostOverride:globalSettings:sqlServer:connectionString'
-    $envName = "self-host"
-  } else {
-    $msSqlConnectionString = $(Get-UserSecrets).'globalSettings:sqlServer:connectionString'
-    $envName = "cloud"
-  }
-
-  Write-Host "Starting Microsoft SQL Server Migrations for $envName"
-
-  dotnet run --project ../util/MsSqlMigratorUtility/ "$msSqlConnectionString"
+function Get-UserSecrets {
+  # The dotnet cli command sometimes adds //BEGIN and //END comments to the output, Where-Object removes comments
+  # to ensure a valid json
+  return dotnet user-secrets list --json --project "$currentDir/../src/Api" | Where-Object { $_ -notmatch "^//" } | ConvertFrom-Json
 }
 
-$currentDir = Get-Location
+if ($all -or $mssql) {
+  if ($all -or !$test) {
+    if ($selfhost) {
+      $msSqlConnectionString = $(Get-UserSecrets).'dev:selfHostOverride:globalSettings:sqlServer:connectionString'
+      $envName = "self-host"
+    } else {
+      $msSqlConnectionString = $(Get-UserSecrets).'globalSettings:sqlServer:connectionString'
+      $envName = "cloud"
+    }
 
-Foreach ($item in @(@($mysql, "MySQL", "MySqlMigrations"), @($postgres, "PostgreSQL", "PostgresMigrations"), @($sqlite, "SQLite", "SqliteMigrations"))) {
+    Write-Host "Starting Microsoft SQL Server Migrations for $envName"
+    dotnet run --project ../util/MsSqlMigratorUtility/ "$msSqlConnectionString"
+  }
+
+  if ($all -or $test) {
+    $testMsSqlConnectionString = $(Get-UserSecrets).'databases:3:connectionString'
+    if ($testMsSqlConnectionString) {
+      $testEnvName = "test databases"
+      Write-Host "Starting Microsoft SQL Server Migrations for $testEnvName"
+      dotnet run --project ../util/MsSqlMigratorUtility/ "$testMsSqlConnectionString"
+    } else {
+      Write-Host "Connection string for a test MSSQL database not found in secrets.json!"
+    }
+  }
+}
+
+Foreach ($item in @(
+    @($mysql, "MySQL", "MySqlMigrations", "mySql", 2),
+    @($postgres, "PostgreSQL", "PostgresMigrations", "postgreSql", 0),
+    @($sqlite, "SQLite", "SqliteMigrations", "sqlite", 1)
+)) {
   if (!$item[0] -and !$all) {
     continue
   }
 
-  Write-Host "Starting $($item[1]) Migrations"
   Set-Location "$currentDir/../util/$($item[2])/"
-  dotnet ef database update
+  if(!$test -or $all) {
+    Write-Host "Starting $($item[1]) Migrations"
+    $connectionString = $(Get-UserSecrets)."globalSettings:$($item[3]):connectionString"
+    dotnet ef database update --connection "$connectionString"
+  }
+  if ($test -or $all) {
+    $testConnectionString = $(Get-UserSecrets)."databases:$($item[4]):connectionString"
+    if ($testConnectionString) {
+      Write-Host "Starting $($item[1]) Migrations for test databases"
+      dotnet ef database update --connection "$testConnectionString"
+    } else {
+      Write-Host "Connection string for a test $($item[1]) database not found in secrets.json!"
+    }
+  }
 }
 
 Set-Location "$currentDir"
diff --git a/util/MySqlMigrations/Migrations/20231214162533_GrantIdWithIndexes.cs b/util/MySqlMigrations/Migrations/20231214162533_GrantIdWithIndexes.cs
index 1e4c178ade..e65a4dc6bf 100644
--- a/util/MySqlMigrations/Migrations/20231214162533_GrantIdWithIndexes.cs
+++ b/util/MySqlMigrations/Migrations/20231214162533_GrantIdWithIndexes.cs
@@ -74,13 +74,13 @@ public partial class GrantIdWithIndexes : Migration
 
         migrationBuilder.Sql(@"
             DROP PROCEDURE IF EXISTS GrantSchemaChange;
-            
+
             CREATE PROCEDURE GrantSchemaChange()
             BEGIN
-                IF EXISTS (SELECT 1 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'Grant' AND COLUMN_NAME = 'Id') THEN
+                IF EXISTS (SELECT 1 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'Grant' AND COLUMN_NAME = 'Id' AND TABLE_SCHEMA=database()) THEN
                     ALTER TABLE `Grant` DROP COLUMN `Id`;
                 END IF;
- 
+
                 ALTER TABLE `Grant` ADD COLUMN `Id` INT AUTO_INCREMENT UNIQUE;
             END;
 

From 28a592103d263b4b3770da36e5ba635d4748214e Mon Sep 17 00:00:00 2001
From: Conner Turnbull <133619638+cturnbull-bitwarden@users.noreply.github.com>
Date: Wed, 22 Jan 2025 12:26:21 -0500
Subject: [PATCH 187/384] Updated invoice history to filter on customerId only
 (#5175)

---
 .../Billing/Services/Implementations/PaymentHistoryService.cs    | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/Core/Billing/Services/Implementations/PaymentHistoryService.cs b/src/Core/Billing/Services/Implementations/PaymentHistoryService.cs
index 69e1a4cfba..6e984f946e 100644
--- a/src/Core/Billing/Services/Implementations/PaymentHistoryService.cs
+++ b/src/Core/Billing/Services/Implementations/PaymentHistoryService.cs
@@ -28,7 +28,6 @@ public class PaymentHistoryService(
         var invoices = await stripeAdapter.InvoiceListAsync(new StripeInvoiceListOptions
         {
             Customer = subscriber.GatewayCustomerId,
-            Subscription = subscriber.GatewaySubscriptionId,
             Limit = pageSize,
             Status = status,
             StartingAfter = startAfter

From 8f8a599c07742dd34a400a1afc591b283d12cd2a Mon Sep 17 00:00:00 2001
From: Matt Bishop <mbishop@bitwarden.com>
Date: Wed, 22 Jan 2025 13:09:46 -0500
Subject: [PATCH 188/384] Use .db extension for SQLite configuration example
 (#5313)

---
 dev/secrets.json.example | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev/secrets.json.example b/dev/secrets.json.example
index e296ffb7c0..7c91669b39 100644
--- a/dev/secrets.json.example
+++ b/dev/secrets.json.example
@@ -21,7 +21,7 @@
       "connectionString": "server=localhost;uid=root;pwd=SET_A_PASSWORD_HERE_123;database=vault_dev"
     },
     "sqlite": {
-      "connectionString": "Data Source=/path/to/bitwardenServer/repository/server/dev/db/bitwarden.sqlite"
+      "connectionString": "Data Source=/path/to/bitwardenServer/repository/server/dev/db/bitwarden.db"
     },
     "identityServer": {
       "certificateThumbprint": "<your Identity certificate thumbprint with no spaces>"

From 9e7d1abdf12e411d94f38ab404e5c6faab07e6da Mon Sep 17 00:00:00 2001
From: cyprain-okeke <108260115+cyprain-okeke@users.noreply.github.com>
Date: Wed, 22 Jan 2025 19:27:11 +0100
Subject: [PATCH 189/384] changes for update to current plan (#5312)

---
 src/Api/Billing/Controllers/OrganizationBillingController.cs | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/Api/Billing/Controllers/OrganizationBillingController.cs b/src/Api/Billing/Controllers/OrganizationBillingController.cs
index 1c0cfd9388..4a6f5f5b8a 100644
--- a/src/Api/Billing/Controllers/OrganizationBillingController.cs
+++ b/src/Api/Billing/Controllers/OrganizationBillingController.cs
@@ -310,6 +310,9 @@ public class OrganizationBillingController(
         }
         var organizationSignup = model.ToOrganizationSignup(user);
         var sale = OrganizationSale.From(organization, organizationSignup);
+        var plan = StaticStore.GetPlan(model.PlanType);
+        sale.Organization.PlanType = plan.Type;
+        sale.Organization.Plan = plan.Name;
         await organizationBillingService.Finalize(sale);
 
         return TypedResults.Ok();

From e8cd86e5f6da1f9e0c917fa7f30f5abc3738048a Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 23 Jan 2025 12:51:57 +0100
Subject: [PATCH 190/384] [deps] Billing: Update xunit.runner.visualstudio to
 v3 (#5183)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: cyprain-okeke <108260115+cyprain-okeke@users.noreply.github.com>
---
 .../Infrastructure.Dapper.Test.csproj                           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/Infrastructure.Dapper.Test/Infrastructure.Dapper.Test.csproj b/test/Infrastructure.Dapper.Test/Infrastructure.Dapper.Test.csproj
index 82d63bd3c1..82a92989d1 100644
--- a/test/Infrastructure.Dapper.Test/Infrastructure.Dapper.Test.csproj
+++ b/test/Infrastructure.Dapper.Test/Infrastructure.Dapper.Test.csproj
@@ -12,7 +12,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
     <PackageReference Include="xunit" Version="2.9.2" />
-    <PackageReference Include="xunit.runner.visualstudio" Version="2.8.2">
+    <PackageReference Include="xunit.runner.visualstudio" Version="3.0.1">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>

From 31e95d529f54a8dbc7f90412a893cd08ac1dbd3e Mon Sep 17 00:00:00 2001
From: Conner Turnbull <133619638+cturnbull-bitwarden@users.noreply.github.com>
Date: Thu, 23 Jan 2025 10:00:51 -0500
Subject: [PATCH 191/384] Added some defensive logging around making braintree
 payments (#5317)

---
 .../StripeEventUtilityService.cs              | 52 +++++++++++++------
 1 file changed, 35 insertions(+), 17 deletions(-)

diff --git a/src/Billing/Services/Implementations/StripeEventUtilityService.cs b/src/Billing/Services/Implementations/StripeEventUtilityService.cs
index 520205e745..8077ec5b57 100644
--- a/src/Billing/Services/Implementations/StripeEventUtilityService.cs
+++ b/src/Billing/Services/Implementations/StripeEventUtilityService.cs
@@ -318,26 +318,34 @@ public class StripeEventUtilityService : IStripeEventUtilityService
         Result<Braintree.Transaction> transactionResult;
         try
         {
-            transactionResult = await _btGateway.Transaction.SaleAsync(
-                new Braintree.TransactionRequest
+            var transactionRequest = new Braintree.TransactionRequest
+            {
+                Amount = btInvoiceAmount,
+                CustomerId = customer.Metadata["btCustomerId"],
+                Options = new Braintree.TransactionOptionsRequest
                 {
-                    Amount = btInvoiceAmount,
-                    CustomerId = customer.Metadata["btCustomerId"],
-                    Options = new Braintree.TransactionOptionsRequest
+                    SubmitForSettlement = true,
+                    PayPal = new Braintree.TransactionOptionsPayPalRequest
                     {
-                        SubmitForSettlement = true,
-                        PayPal = new Braintree.TransactionOptionsPayPalRequest
-                        {
-                            CustomField =
-                                $"{btObjIdField}:{btObjId},region:{_globalSettings.BaseServiceUri.CloudRegion}"
-                        }
-                    },
-                    CustomFields = new Dictionary<string, string>
-                    {
-                        [btObjIdField] = btObjId.ToString(),
-                        ["region"] = _globalSettings.BaseServiceUri.CloudRegion
+                        CustomField =
+                            $"{btObjIdField}:{btObjId},region:{_globalSettings.BaseServiceUri.CloudRegion}"
                     }
-                });
+                },
+                CustomFields = new Dictionary<string, string>
+                {
+                    [btObjIdField] = btObjId.ToString(),
+                    ["region"] = _globalSettings.BaseServiceUri.CloudRegion
+                }
+            };
+
+            _logger.LogInformation("Creating Braintree transaction with Amount: {Amount}, CustomerId: {CustomerId}, " + 
+                "CustomField: {CustomField}, CustomFields: {@CustomFields}",
+                transactionRequest.Amount,
+                transactionRequest.CustomerId,
+                transactionRequest.Options.PayPal.CustomField,
+                transactionRequest.CustomFields);
+
+            transactionResult = await _btGateway.Transaction.SaleAsync(transactionRequest);
         }
         catch (NotFoundException e)
         {
@@ -345,9 +353,19 @@ public class StripeEventUtilityService : IStripeEventUtilityService
                 "Attempted to make a payment with Braintree, but customer did not exist for the given btCustomerId present on the Stripe metadata");
             throw;
         }
+        catch (Exception e)
+        {
+            _logger.LogError(e, "Exception occurred while trying to pay invoice with Braintree");
+            throw;
+        }
 
         if (!transactionResult.IsSuccess())
         {
+            _logger.LogWarning("Braintree transaction failed. Error: {ErrorMessage}, Transaction Status: {Status}, Validation Errors: {ValidationErrors}",
+                transactionResult.Message,
+                transactionResult.Target?.Status,
+                string.Join(", ", transactionResult.Errors.DeepAll().Select(e => $"Code: {e.Code}, Message: {e.Message}, Attribute: {e.Attribute}")));
+
             if (invoice.AttemptCount < 4)
             {
                 await _mailService.SendPaymentFailedAsync(customer.Email, btInvoiceAmount, true);

From 20fb45b05c95dcde7d957190f76e98cc3efffc18 Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Thu, 23 Jan 2025 11:19:46 -0500
Subject: [PATCH 192/384] Round PayPal transaction amount to two decimal points
 (#5318)

---
 .../Services/Implementations/StripeEventUtilityService.cs     | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Billing/Services/Implementations/StripeEventUtilityService.cs b/src/Billing/Services/Implementations/StripeEventUtilityService.cs
index 8077ec5b57..48e81dee61 100644
--- a/src/Billing/Services/Implementations/StripeEventUtilityService.cs
+++ b/src/Billing/Services/Implementations/StripeEventUtilityService.cs
@@ -296,7 +296,7 @@ public class StripeEventUtilityService : IStripeEventUtilityService
             btObjIdField = "provider_id";
             btObjId = providerId.Value;
         }
-        var btInvoiceAmount = invoice.AmountDue / 100M;
+        var btInvoiceAmount = Math.Round(invoice.AmountDue / 100M, 2);
 
         var existingTransactions = organizationId.HasValue
             ? await _transactionRepository.GetManyByOrganizationIdAsync(organizationId.Value)
@@ -338,7 +338,7 @@ public class StripeEventUtilityService : IStripeEventUtilityService
                 }
             };
 
-            _logger.LogInformation("Creating Braintree transaction with Amount: {Amount}, CustomerId: {CustomerId}, " + 
+            _logger.LogInformation("Creating Braintree transaction with Amount: {Amount}, CustomerId: {CustomerId}, " +
                 "CustomField: {CustomField}, CustomFields: {@CustomFields}",
                 transactionRequest.Amount,
                 transactionRequest.CustomerId,

From 275f7ceb27ad0c1572844b06cba860dd3f3d7fd8 Mon Sep 17 00:00:00 2001
From: Patrick-Pimentel-Bitwarden <ppimentel@bitwarden.com>
Date: Thu, 23 Jan 2025 11:21:28 -0500
Subject: [PATCH 193/384] Auth/pm 17233/tests for multiple users on single
 device for web approvals (#5316)

* test(test-device-repository): [PM-17233] Add Test Case for Critical Bug Found in Device Repository - Added new test case for previously found bug.
---
 .../Repositories/DeviceRepositoryTests.cs     | 67 ++++++++++++++++++-
 1 file changed, 66 insertions(+), 1 deletion(-)

diff --git a/test/Infrastructure.IntegrationTest/Auth/Repositories/DeviceRepositoryTests.cs b/test/Infrastructure.IntegrationTest/Auth/Repositories/DeviceRepositoryTests.cs
index a9eec23194..95b88d5662 100644
--- a/test/Infrastructure.IntegrationTest/Auth/Repositories/DeviceRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/Auth/Repositories/DeviceRepositoryTests.cs
@@ -73,6 +73,71 @@ public class DeviceRepositoryTests
         Assert.Equal(response.First().AuthRequestId, freshAuthRequest.Id);
     }
 
+    [DatabaseTheory]
+    [DatabaseData]
+    public async Task GetManyByUserIdWithDeviceAuth_WorksWithMultipleUsersOnSameDevice_ReturnsExpectedResults(
+        IDeviceRepository sutRepository,
+        IUserRepository userRepository,
+        IAuthRequestRepository authRequestRepository)
+    {
+        // Arrange
+        var userA = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User A",
+            Email = $"test_user_A+{Guid.NewGuid()}@email.com",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+        });
+
+        var userB = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User B",
+            Email = $"test_user_B+{Guid.NewGuid()}@email.com",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+        });
+
+        var sharedDeviceIdentifier = Guid.NewGuid().ToString();
+
+        var deviceForUserA = await sutRepository.CreateAsync(new Device
+        {
+            Active = true,
+            Name = "chrome-test",
+            UserId = userA.Id,
+            Type = DeviceType.ChromeBrowser,
+            Identifier = sharedDeviceIdentifier,
+        });
+
+        var deviceForUserB = await sutRepository.CreateAsync(new Device
+        {
+            Active = true,
+            Name = "chrome-test",
+            UserId = userB.Id,
+            Type = DeviceType.ChromeBrowser,
+            Identifier = sharedDeviceIdentifier,
+        });
+
+        var userAAuthRequest = await authRequestRepository.CreateAsync(new AuthRequest
+        {
+            ResponseDeviceId = null,
+            Approved = null,
+            Type = AuthRequestType.AuthenticateAndUnlock,
+            OrganizationId = null,
+            UserId = userA.Id,
+            RequestIpAddress = ":1",
+            RequestDeviceIdentifier = deviceForUserA.Identifier,
+            AccessCode = "AccessCode_1234",
+            PublicKey = "PublicKey_1234"
+        });
+
+        // Act
+        var response = await sutRepository.GetManyByUserIdWithDeviceAuth(userB.Id);
+
+        // Assert
+        Assert.Null(response.First().AuthRequestId);
+        Assert.Null(response.First().AuthRequestCreatedAt);
+    }
+
     [DatabaseTheory]
     [DatabaseData]
     public async Task GetManyByUserIdWithDeviceAuth_WorksWithNoAuthRequestAndMultipleDevices_ReturnsExpectedResults(
@@ -117,7 +182,7 @@ public class DeviceRepositoryTests
 
     [DatabaseTheory]
     [DatabaseData]
-    public async Task GetManyByUserIdWithDeviceAuth_FailsToRespondWithAnyAuthData_ReturnsExpectedResults(
+    public async Task GetManyByUserIdWithDeviceAuth_FailsToRespondWithAnyAuthData_ReturnsEmptyResults(
         IDeviceRepository sutRepository,
         IUserRepository userRepository,
         IAuthRequestRepository authRequestRepository)

From ca217584927ee00a5a04cfc61b9523f04a8f281b Mon Sep 17 00:00:00 2001
From: Ike <137194738+ike-kottlowski@users.noreply.github.com>
Date: Thu, 23 Jan 2025 08:23:45 -0800
Subject: [PATCH 194/384] feat (newDeviceVerification)

Added conditional for selfhosted to manage access to feature
---
 src/Admin/Views/Users/Edit.cshtml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/Admin/Views/Users/Edit.cshtml b/src/Admin/Views/Users/Edit.cshtml
index 495fc43c2f..04e95c1400 100644
--- a/src/Admin/Views/Users/Edit.cshtml
+++ b/src/Admin/Views/Users/Edit.cshtml
@@ -1,6 +1,7 @@
 @using Bit.Admin.Enums;
 @inject Bit.Admin.Services.IAccessControlService AccessControlService
 @inject Bit.Core.Services.IFeatureService FeatureService
+@inject Bit.Core.Settings.GlobalSettings GlobalSettings
 @inject IWebHostEnvironment HostingEnvironment
 @model UserEditModel
 @{
@@ -8,6 +9,7 @@
 
     var canViewUserInformation = AccessControlService.UserHasPermission(Permission.User_UserInformation_View);
     var canViewNewDeviceException = AccessControlService.UserHasPermission(Permission.User_NewDeviceException_Edit) &&
+                                    GlobalSettings.EnableNewDeviceVerification &&
                                     FeatureService.IsEnabled(Bit.Core.FeatureFlagKeys.NewDeviceVerification);
     var canViewBillingInformation = AccessControlService.UserHasPermission(Permission.User_BillingInformation_View);
     var canViewGeneral = AccessControlService.UserHasPermission(Permission.User_GeneralDetails_View);

From ef32e807258cd1aa150f78c0ae3486f53dc2c00a Mon Sep 17 00:00:00 2001
From: cyprain-okeke <108260115+cyprain-okeke@users.noreply.github.com>
Date: Fri, 24 Jan 2025 12:02:13 +0100
Subject: [PATCH 195/384] [PM-15807]Move subscription to 'canceled' 7 days
 after unpaid (#5221)

* Changes to implement the cancel job

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

* Resolve the Dependency issues

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

* changes when open invoices is more than 10

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

* Move the package reference to ore

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

---------

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>
---
 src/Billing/Jobs/JobsHostedService.cs         |  1 +
 .../Jobs/SubscriptionCancellationJob.cs       | 58 +++++++++++++++++++
 .../SubscriptionUpdatedHandler.cs             | 38 +++++++++++-
 src/Billing/Startup.cs                        |  8 +++
 src/Core/Core.csproj                          |  3 +
 5 files changed, 107 insertions(+), 1 deletion(-)
 create mode 100644 src/Billing/Jobs/SubscriptionCancellationJob.cs

diff --git a/src/Billing/Jobs/JobsHostedService.cs b/src/Billing/Jobs/JobsHostedService.cs
index d91ca21520..a6e702c662 100644
--- a/src/Billing/Jobs/JobsHostedService.cs
+++ b/src/Billing/Jobs/JobsHostedService.cs
@@ -32,5 +32,6 @@ public class JobsHostedService : BaseJobsHostedService
     public static void AddJobsServices(IServiceCollection services)
     {
         services.AddTransient<AliveJob>();
+        services.AddTransient<SubscriptionCancellationJob>();
     }
 }
diff --git a/src/Billing/Jobs/SubscriptionCancellationJob.cs b/src/Billing/Jobs/SubscriptionCancellationJob.cs
new file mode 100644
index 0000000000..c46581272e
--- /dev/null
+++ b/src/Billing/Jobs/SubscriptionCancellationJob.cs
@@ -0,0 +1,58 @@
+using Bit.Billing.Services;
+using Bit.Core.Repositories;
+using Quartz;
+using Stripe;
+
+namespace Bit.Billing.Jobs;
+
+public class SubscriptionCancellationJob(
+    IStripeFacade stripeFacade,
+    IOrganizationRepository organizationRepository)
+    : IJob
+{
+    public async Task Execute(IJobExecutionContext context)
+    {
+        var subscriptionId = context.MergedJobDataMap.GetString("subscriptionId");
+        var organizationId = new Guid(context.MergedJobDataMap.GetString("organizationId") ?? string.Empty);
+
+        var organization = await organizationRepository.GetByIdAsync(organizationId);
+        if (organization == null || organization.Enabled)
+        {
+            // Organization was deleted or re-enabled by CS, skip cancellation
+            return;
+        }
+
+        var subscription = await stripeFacade.GetSubscription(subscriptionId);
+        if (subscription?.Status != "unpaid")
+        {
+            // Subscription is no longer unpaid, skip cancellation
+            return;
+        }
+
+        // Cancel the subscription
+        await stripeFacade.CancelSubscription(subscriptionId, new SubscriptionCancelOptions());
+
+        // Void any open invoices
+        var options = new InvoiceListOptions
+        {
+            Status = "open",
+            Subscription = subscriptionId,
+            Limit = 100
+        };
+        var invoices = await stripeFacade.ListInvoices(options);
+        foreach (var invoice in invoices)
+        {
+            await stripeFacade.VoidInvoice(invoice.Id);
+        }
+
+        while (invoices.HasMore)
+        {
+            options.StartingAfter = invoices.Data.Last().Id;
+            invoices = await stripeFacade.ListInvoices(options);
+            foreach (var invoice in invoices)
+            {
+                await stripeFacade.VoidInvoice(invoice.Id);
+            }
+        }
+    }
+}
diff --git a/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs b/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs
index 6b4fef43d1..ea277a6307 100644
--- a/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs
+++ b/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs
@@ -1,9 +1,12 @@
 using Bit.Billing.Constants;
+using Bit.Billing.Jobs;
+using Bit.Core;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
+using Quartz;
 using Stripe;
 using Event = Stripe.Event;
 
@@ -19,6 +22,8 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
     private readonly IUserService _userService;
     private readonly IPushNotificationService _pushNotificationService;
     private readonly IOrganizationRepository _organizationRepository;
+    private readonly ISchedulerFactory _schedulerFactory;
+    private readonly IFeatureService _featureService;
 
     public SubscriptionUpdatedHandler(
         IStripeEventService stripeEventService,
@@ -28,7 +33,9 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
         IOrganizationSponsorshipRenewCommand organizationSponsorshipRenewCommand,
         IUserService userService,
         IPushNotificationService pushNotificationService,
-        IOrganizationRepository organizationRepository)
+        IOrganizationRepository organizationRepository,
+        ISchedulerFactory schedulerFactory,
+        IFeatureService featureService)
     {
         _stripeEventService = stripeEventService;
         _stripeEventUtilityService = stripeEventUtilityService;
@@ -38,6 +45,8 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
         _userService = userService;
         _pushNotificationService = pushNotificationService;
         _organizationRepository = organizationRepository;
+        _schedulerFactory = schedulerFactory;
+        _featureService = featureService;
     }
 
     /// <summary>
@@ -55,6 +64,10 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
                 when organizationId.HasValue:
                 {
                     await _organizationService.DisableAsync(organizationId.Value, subscription.CurrentPeriodEnd);
+                    if (subscription.Status == StripeSubscriptionStatus.Unpaid)
+                    {
+                        await ScheduleCancellationJobAsync(subscription.Id, organizationId.Value);
+                    }
                     break;
                 }
             case StripeSubscriptionStatus.Unpaid or StripeSubscriptionStatus.IncompleteExpired:
@@ -183,4 +196,27 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
             await _stripeFacade.DeleteSubscriptionDiscount(subscription.Id);
         }
     }
+
+    private async Task ScheduleCancellationJobAsync(string subscriptionId, Guid organizationId)
+    {
+        var isResellerManagedOrgAlertEnabled = _featureService.IsEnabled(FeatureFlagKeys.ResellerManagedOrgAlert);
+
+        if (isResellerManagedOrgAlertEnabled)
+        {
+            var scheduler = await _schedulerFactory.GetScheduler();
+
+            var job = JobBuilder.Create<SubscriptionCancellationJob>()
+                .WithIdentity($"cancel-sub-{subscriptionId}", "subscription-cancellations")
+                .UsingJobData("subscriptionId", subscriptionId)
+                .UsingJobData("organizationId", organizationId.ToString())
+                .Build();
+
+            var trigger = TriggerBuilder.Create()
+                .WithIdentity($"cancel-trigger-{subscriptionId}", "subscription-cancellations")
+                .StartAt(DateTimeOffset.UtcNow.AddDays(7))
+                .Build();
+
+            await scheduler.ScheduleJob(job, trigger);
+        }
+    }
 }
diff --git a/src/Billing/Startup.cs b/src/Billing/Startup.cs
index e3547d943b..2d2f109e77 100644
--- a/src/Billing/Startup.cs
+++ b/src/Billing/Startup.cs
@@ -9,6 +9,7 @@ using Bit.Core.Settings;
 using Bit.Core.Utilities;
 using Bit.SharedWeb.Utilities;
 using Microsoft.Extensions.DependencyInjection.Extensions;
+using Quartz;
 using Stripe;
 
 namespace Bit.Billing;
@@ -101,6 +102,13 @@ public class Startup
         services.AddScoped<IStripeEventService, StripeEventService>();
         services.AddScoped<IProviderEventService, ProviderEventService>();
 
+        // Add Quartz services first
+        services.AddQuartz(q =>
+        {
+            q.UseMicrosoftDependencyInjectionJobFactory();
+        });
+        services.AddQuartzHostedService();
+
         // Jobs service
         Jobs.JobsHostedService.AddJobsServices(services);
         services.AddHostedService<Jobs.JobsHostedService>();
diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index ddd9fc26bb..7a5f7e2543 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -67,6 +67,9 @@
     <PackageReference Include="YubicoDotNetClient" Version="1.2.0" />
     <PackageReference Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="8.0.10" />
     <PackageReference Include="LaunchDarkly.ServerSdk" Version="8.6.0" />
+    <PackageReference Include="Quartz" Version="3.13.1" />
+    <PackageReference Include="Quartz.Extensions.Hosting" Version="3.13.1" />
+    <PackageReference Include="Quartz.Extensions.DependencyInjection" Version="3.13.1" />
   </ItemGroup>
 
   <ItemGroup>

From 36c8a97d5606255df7ac82f29a8822b108548b1e Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Fri, 24 Jan 2025 15:20:02 +0000
Subject: [PATCH 196/384] Bumped version to 2025.1.4

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 40e6fdd202..9c54e35e6e 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.1.3</Version>
+    <Version>2025.1.4</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

From 99a1dbbe02609c316d80c0003aa486a3c721b57c Mon Sep 17 00:00:00 2001
From: Graham Walker <ghwtx@icloud.com>
Date: Fri, 24 Jan 2025 10:57:44 -0600
Subject: [PATCH 197/384] PM-16261 move ImportCiphersAsync to the tools team
 (#5245)

* PM-16261 move ImportCiphersAsync to the tools team and create services using CQRS design pattern

* PM-16261 fix renaming methods and add unit tests for succes and bad request exception

* PM-16261 clean up old code from test
---
 src/Api/Startup.cs                            |   2 +
 .../Controllers/ImportCiphersController.cs    |  13 +-
 .../ImportFeatures/ImportCiphersCommand.cs    | 199 ++++++++++++++++++
 .../ImportServiceCollectionExtension.cs       |  12 ++
 .../Interfaces/IImportCiphersCommand.cs       |  14 ++
 src/Core/Vault/Services/ICipherService.cs     |   4 -
 .../Services/Implementations/CipherService.cs | 146 -------------
 .../Utilities/ServiceCollectionExtensions.cs  |   2 +
 .../ImportCiphersAsyncCommandTests.cs         | 181 ++++++++++++++++
 .../Vault/Services/CipherServiceTests.cs      |  61 ------
 10 files changed, 416 insertions(+), 218 deletions(-)
 create mode 100644 src/Core/Tools/ImportFeatures/ImportCiphersCommand.cs
 create mode 100644 src/Core/Tools/ImportFeatures/ImportServiceCollectionExtension.cs
 create mode 100644 src/Core/Tools/ImportFeatures/Interfaces/IImportCiphersCommand.cs
 create mode 100644 test/Core.Test/Tools/ImportFeatures/ImportCiphersAsyncCommandTests.cs

diff --git a/src/Api/Startup.cs b/src/Api/Startup.cs
index 1adf3f67dc..a341257259 100644
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@@ -29,6 +29,7 @@ using Bit.Core.Vault.Entities;
 using Bit.Api.Auth.Models.Request.WebAuthn;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Identity.TokenProviders;
+using Bit.Core.Tools.ImportFeatures;
 using Bit.Core.Tools.ReportFeatures;
 
 
@@ -175,6 +176,7 @@ public class Startup
         services.AddCoreLocalizationServices();
         services.AddBillingOperations();
         services.AddReportingServices();
+        services.AddImportServices();
 
         // Authorization Handlers
         services.AddAuthorizationHandlers();
diff --git a/src/Api/Tools/Controllers/ImportCiphersController.cs b/src/Api/Tools/Controllers/ImportCiphersController.cs
index 0d07d5bc47..4f4e76f6e3 100644
--- a/src/Api/Tools/Controllers/ImportCiphersController.cs
+++ b/src/Api/Tools/Controllers/ImportCiphersController.cs
@@ -7,7 +7,7 @@ using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
-using Bit.Core.Vault.Services;
+using Bit.Core.Tools.ImportFeatures.Interfaces;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
@@ -17,31 +17,30 @@ namespace Bit.Api.Tools.Controllers;
 [Authorize("Application")]
 public class ImportCiphersController : Controller
 {
-    private readonly ICipherService _cipherService;
     private readonly IUserService _userService;
     private readonly ICurrentContext _currentContext;
     private readonly ILogger<ImportCiphersController> _logger;
     private readonly GlobalSettings _globalSettings;
     private readonly ICollectionRepository _collectionRepository;
     private readonly IAuthorizationService _authorizationService;
+    private readonly IImportCiphersCommand _importCiphersCommand;
 
     public ImportCiphersController(
-        ICipherService cipherService,
         IUserService userService,
         ICurrentContext currentContext,
         ILogger<ImportCiphersController> logger,
         GlobalSettings globalSettings,
         ICollectionRepository collectionRepository,
         IAuthorizationService authorizationService,
-        IOrganizationRepository organizationRepository)
+        IImportCiphersCommand importCiphersCommand)
     {
-        _cipherService = cipherService;
         _userService = userService;
         _currentContext = currentContext;
         _logger = logger;
         _globalSettings = globalSettings;
         _collectionRepository = collectionRepository;
         _authorizationService = authorizationService;
+        _importCiphersCommand = importCiphersCommand;
     }
 
     [HttpPost("import")]
@@ -57,7 +56,7 @@ public class ImportCiphersController : Controller
         var userId = _userService.GetProperUserId(User).Value;
         var folders = model.Folders.Select(f => f.ToFolder(userId)).ToList();
         var ciphers = model.Ciphers.Select(c => c.ToCipherDetails(userId, false)).ToList();
-        await _cipherService.ImportCiphersAsync(folders, ciphers, model.FolderRelationships);
+        await _importCiphersCommand.ImportIntoIndividualVaultAsync(folders, ciphers, model.FolderRelationships);
     }
 
     [HttpPost("import-organization")]
@@ -85,7 +84,7 @@ public class ImportCiphersController : Controller
 
         var userId = _userService.GetProperUserId(User).Value;
         var ciphers = model.Ciphers.Select(l => l.ToOrganizationCipherDetails(orgId)).ToList();
-        await _cipherService.ImportCiphersAsync(collections, ciphers, model.CollectionRelationships, userId);
+        await _importCiphersCommand.ImportIntoOrganizationalVaultAsync(collections, ciphers, model.CollectionRelationships, userId);
     }
 
     private async Task<bool> CheckOrgImportPermission(List<Collection> collections, Guid orgId)
diff --git a/src/Core/Tools/ImportFeatures/ImportCiphersCommand.cs b/src/Core/Tools/ImportFeatures/ImportCiphersCommand.cs
new file mode 100644
index 0000000000..646121db52
--- /dev/null
+++ b/src/Core/Tools/ImportFeatures/ImportCiphersCommand.cs
@@ -0,0 +1,199 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Services;
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Platform.Push;
+using Bit.Core.Repositories;
+using Bit.Core.Tools.Enums;
+using Bit.Core.Tools.ImportFeatures.Interfaces;
+using Bit.Core.Tools.Models.Business;
+using Bit.Core.Tools.Services;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Repositories;
+
+namespace Bit.Core.Tools.ImportFeatures;
+
+public class ImportCiphersCommand : IImportCiphersCommand
+{
+    private readonly ICipherRepository _cipherRepository;
+    private readonly IFolderRepository _folderRepository;
+    private readonly IPushNotificationService _pushService;
+    private readonly IPolicyService _policyService;
+    private readonly IOrganizationRepository _organizationRepository;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly ICollectionRepository _collectionRepository;
+    private readonly IReferenceEventService _referenceEventService;
+    private readonly ICurrentContext _currentContext;
+
+
+    public ImportCiphersCommand(
+        ICipherRepository cipherRepository,
+        IFolderRepository folderRepository,
+        ICollectionRepository collectionRepository,
+        IOrganizationRepository organizationRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IPushNotificationService pushService,
+        IPolicyService policyService,
+        IReferenceEventService referenceEventService,
+        ICurrentContext currentContext)
+    {
+        _cipherRepository = cipherRepository;
+        _folderRepository = folderRepository;
+        _organizationRepository = organizationRepository;
+        _organizationUserRepository = organizationUserRepository;
+        _collectionRepository = collectionRepository;
+        _pushService = pushService;
+        _policyService = policyService;
+        _referenceEventService = referenceEventService;
+        _currentContext = currentContext;
+    }
+
+
+    public async Task ImportIntoIndividualVaultAsync(
+        List<Folder> folders,
+        List<CipherDetails> ciphers,
+        IEnumerable<KeyValuePair<int, int>> folderRelationships)
+    {
+        var userId = folders.FirstOrDefault()?.UserId ?? ciphers.FirstOrDefault()?.UserId;
+
+        // Make sure the user can save new ciphers to their personal vault
+        var anyPersonalOwnershipPolicies = await _policyService.AnyPoliciesApplicableToUserAsync(userId.Value, PolicyType.PersonalOwnership);
+        if (anyPersonalOwnershipPolicies)
+        {
+            throw new BadRequestException("You cannot import items into your personal vault because you are " +
+                "a member of an organization which forbids it.");
+        }
+
+        foreach (var cipher in ciphers)
+        {
+            cipher.SetNewId();
+
+            if (cipher.UserId.HasValue && cipher.Favorite)
+            {
+                cipher.Favorites = $"{{\"{cipher.UserId.ToString().ToUpperInvariant()}\":\"true\"}}";
+            }
+        }
+
+        var userfoldersIds = (await _folderRepository.GetManyByUserIdAsync(userId ?? Guid.Empty)).Select(f => f.Id).ToList();
+
+        //Assign id to the ones that don't exist in DB
+        //Need to keep the list order to create the relationships
+        List<Folder> newFolders = new List<Folder>();
+        foreach (var folder in folders)
+        {
+            if (!userfoldersIds.Contains(folder.Id))
+            {
+                folder.SetNewId();
+                newFolders.Add(folder);
+            }
+        }
+
+        // Create the folder associations based on the newly created folder ids
+        foreach (var relationship in folderRelationships)
+        {
+            var cipher = ciphers.ElementAtOrDefault(relationship.Key);
+            var folder = folders.ElementAtOrDefault(relationship.Value);
+
+            if (cipher == null || folder == null)
+            {
+                continue;
+            }
+
+            cipher.Folders = $"{{\"{cipher.UserId.ToString().ToUpperInvariant()}\":" +
+                $"\"{folder.Id.ToString().ToUpperInvariant()}\"}}";
+        }
+
+        // Create it all
+        await _cipherRepository.CreateAsync(ciphers, newFolders);
+
+        // push
+        if (userId.HasValue)
+        {
+            await _pushService.PushSyncVaultAsync(userId.Value);
+        }
+    }
+
+    public async Task ImportIntoOrganizationalVaultAsync(
+        List<Collection> collections,
+        List<CipherDetails> ciphers,
+        IEnumerable<KeyValuePair<int, int>> collectionRelationships,
+        Guid importingUserId)
+    {
+        var org = collections.Count > 0 ?
+            await _organizationRepository.GetByIdAsync(collections[0].OrganizationId) :
+            await _organizationRepository.GetByIdAsync(ciphers.FirstOrDefault(c => c.OrganizationId.HasValue).OrganizationId.Value);
+        var importingOrgUser = await _organizationUserRepository.GetByOrganizationAsync(org.Id, importingUserId);
+
+        if (collections.Count > 0 && org != null && org.MaxCollections.HasValue)
+        {
+            var collectionCount = await _collectionRepository.GetCountByOrganizationIdAsync(org.Id);
+            if (org.MaxCollections.Value < (collectionCount + collections.Count))
+            {
+                throw new BadRequestException("This organization can only have a maximum of " +
+                    $"{org.MaxCollections.Value} collections.");
+            }
+        }
+
+        // Init. ids for ciphers
+        foreach (var cipher in ciphers)
+        {
+            cipher.SetNewId();
+        }
+
+        var organizationCollectionsIds = (await _collectionRepository.GetManyByOrganizationIdAsync(org.Id)).Select(c => c.Id).ToList();
+
+        //Assign id to the ones that don't exist in DB
+        //Need to keep the list order to create the relationships
+        var newCollections = new List<Collection>();
+        var newCollectionUsers = new List<CollectionUser>();
+
+        foreach (var collection in collections)
+        {
+            if (!organizationCollectionsIds.Contains(collection.Id))
+            {
+                collection.SetNewId();
+                newCollections.Add(collection);
+                newCollectionUsers.Add(new CollectionUser
+                {
+                    CollectionId = collection.Id,
+                    OrganizationUserId = importingOrgUser.Id,
+                    Manage = true
+                });
+            }
+        }
+
+        // Create associations based on the newly assigned ids
+        var collectionCiphers = new List<CollectionCipher>();
+        foreach (var relationship in collectionRelationships)
+        {
+            var cipher = ciphers.ElementAtOrDefault(relationship.Key);
+            var collection = collections.ElementAtOrDefault(relationship.Value);
+
+            if (cipher == null || collection == null)
+            {
+                continue;
+            }
+
+            collectionCiphers.Add(new CollectionCipher
+            {
+                CipherId = cipher.Id,
+                CollectionId = collection.Id
+            });
+        }
+
+        // Create it all
+        await _cipherRepository.CreateAsync(ciphers, newCollections, collectionCiphers, newCollectionUsers);
+
+        // push
+        await _pushService.PushSyncVaultAsync(importingUserId);
+
+
+        if (org != null)
+        {
+            await _referenceEventService.RaiseEventAsync(
+                new ReferenceEvent(ReferenceEventType.VaultImported, org, _currentContext));
+        }
+    }
+}
diff --git a/src/Core/Tools/ImportFeatures/ImportServiceCollectionExtension.cs b/src/Core/Tools/ImportFeatures/ImportServiceCollectionExtension.cs
new file mode 100644
index 0000000000..38c88d7994
--- /dev/null
+++ b/src/Core/Tools/ImportFeatures/ImportServiceCollectionExtension.cs
@@ -0,0 +1,12 @@
+using Bit.Core.Tools.ImportFeatures.Interfaces;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Core.Tools.ImportFeatures;
+
+public static class ImportServiceCollectionExtension
+{
+    public static void AddImportServices(this IServiceCollection services)
+    {
+        services.AddScoped<IImportCiphersCommand, ImportCiphersCommand>();
+    }
+}
diff --git a/src/Core/Tools/ImportFeatures/Interfaces/IImportCiphersCommand.cs b/src/Core/Tools/ImportFeatures/Interfaces/IImportCiphersCommand.cs
new file mode 100644
index 0000000000..378024d3a0
--- /dev/null
+++ b/src/Core/Tools/ImportFeatures/Interfaces/IImportCiphersCommand.cs
@@ -0,0 +1,14 @@
+using Bit.Core.Entities;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Models.Data;
+
+namespace Bit.Core.Tools.ImportFeatures.Interfaces;
+
+public interface IImportCiphersCommand
+{
+    Task ImportIntoIndividualVaultAsync(List<Folder> folders, List<CipherDetails> ciphers,
+        IEnumerable<KeyValuePair<int, int>> folderRelationships);
+
+    Task ImportIntoOrganizationalVaultAsync(List<Collection> collections, List<CipherDetails> ciphers,
+        IEnumerable<KeyValuePair<int, int>> collectionRelationships, Guid importingUserId);
+}
diff --git a/src/Core/Vault/Services/ICipherService.cs b/src/Core/Vault/Services/ICipherService.cs
index 27b84e4a47..e559963361 100644
--- a/src/Core/Vault/Services/ICipherService.cs
+++ b/src/Core/Vault/Services/ICipherService.cs
@@ -28,10 +28,6 @@ public interface ICipherService
     Task ShareManyAsync(IEnumerable<(Cipher cipher, DateTime? lastKnownRevisionDate)> ciphers, Guid organizationId,
         IEnumerable<Guid> collectionIds, Guid sharingUserId);
     Task SaveCollectionsAsync(Cipher cipher, IEnumerable<Guid> collectionIds, Guid savingUserId, bool orgAdmin);
-    Task ImportCiphersAsync(List<Folder> folders, List<CipherDetails> ciphers,
-        IEnumerable<KeyValuePair<int, int>> folderRelationships);
-    Task ImportCiphersAsync(List<Collection> collections, List<CipherDetails> ciphers,
-        IEnumerable<KeyValuePair<int, int>> collectionRelationships, Guid importingUserId);
     Task SoftDeleteAsync(Cipher cipher, Guid deletingUserId, bool orgAdmin = false);
     Task SoftDeleteManyAsync(IEnumerable<Guid> cipherIds, Guid deletingUserId, Guid? organizationId = null, bool orgAdmin = false);
     Task RestoreAsync(Cipher cipher, Guid restoringUserId, bool orgAdmin = false);
diff --git a/src/Core/Vault/Services/Implementations/CipherService.cs b/src/Core/Vault/Services/Implementations/CipherService.cs
index 196ec6ef3d..da1a5f978f 100644
--- a/src/Core/Vault/Services/Implementations/CipherService.cs
+++ b/src/Core/Vault/Services/Implementations/CipherService.cs
@@ -679,152 +679,6 @@ public class CipherService : ICipherService
         await _pushService.PushSyncCipherUpdateAsync(cipher, collectionIds);
     }
 
-    public async Task ImportCiphersAsync(
-        List<Folder> folders,
-        List<CipherDetails> ciphers,
-        IEnumerable<KeyValuePair<int, int>> folderRelationships)
-    {
-        var userId = folders.FirstOrDefault()?.UserId ?? ciphers.FirstOrDefault()?.UserId;
-
-        // Make sure the user can save new ciphers to their personal vault
-        var anyPersonalOwnershipPolicies = await _policyService.AnyPoliciesApplicableToUserAsync(userId.Value, PolicyType.PersonalOwnership);
-        if (anyPersonalOwnershipPolicies)
-        {
-            throw new BadRequestException("You cannot import items into your personal vault because you are " +
-                "a member of an organization which forbids it.");
-        }
-
-        foreach (var cipher in ciphers)
-        {
-            cipher.SetNewId();
-
-            if (cipher.UserId.HasValue && cipher.Favorite)
-            {
-                cipher.Favorites = $"{{\"{cipher.UserId.ToString().ToUpperInvariant()}\":\"true\"}}";
-            }
-        }
-
-        var userfoldersIds = (await _folderRepository.GetManyByUserIdAsync(userId ?? Guid.Empty)).Select(f => f.Id).ToList();
-
-        //Assign id to the ones that don't exist in DB
-        //Need to keep the list order to create the relationships
-        List<Folder> newFolders = new List<Folder>();
-        foreach (var folder in folders)
-        {
-            if (!userfoldersIds.Contains(folder.Id))
-            {
-                folder.SetNewId();
-                newFolders.Add(folder);
-            }
-        }
-
-        // Create the folder associations based on the newly created folder ids
-        foreach (var relationship in folderRelationships)
-        {
-            var cipher = ciphers.ElementAtOrDefault(relationship.Key);
-            var folder = folders.ElementAtOrDefault(relationship.Value);
-
-            if (cipher == null || folder == null)
-            {
-                continue;
-            }
-
-            cipher.Folders = $"{{\"{cipher.UserId.ToString().ToUpperInvariant()}\":" +
-                $"\"{folder.Id.ToString().ToUpperInvariant()}\"}}";
-        }
-
-        // Create it all
-        await _cipherRepository.CreateAsync(ciphers, newFolders);
-
-        // push
-        if (userId.HasValue)
-        {
-            await _pushService.PushSyncVaultAsync(userId.Value);
-        }
-    }
-
-    public async Task ImportCiphersAsync(
-        List<Collection> collections,
-        List<CipherDetails> ciphers,
-        IEnumerable<KeyValuePair<int, int>> collectionRelationships,
-        Guid importingUserId)
-    {
-        var org = collections.Count > 0 ?
-            await _organizationRepository.GetByIdAsync(collections[0].OrganizationId) :
-            await _organizationRepository.GetByIdAsync(ciphers.FirstOrDefault(c => c.OrganizationId.HasValue).OrganizationId.Value);
-        var importingOrgUser = await _organizationUserRepository.GetByOrganizationAsync(org.Id, importingUserId);
-
-        if (collections.Count > 0 && org != null && org.MaxCollections.HasValue)
-        {
-            var collectionCount = await _collectionRepository.GetCountByOrganizationIdAsync(org.Id);
-            if (org.MaxCollections.Value < (collectionCount + collections.Count))
-            {
-                throw new BadRequestException("This organization can only have a maximum of " +
-                    $"{org.MaxCollections.Value} collections.");
-            }
-        }
-
-        // Init. ids for ciphers
-        foreach (var cipher in ciphers)
-        {
-            cipher.SetNewId();
-        }
-
-        var organizationCollectionsIds = (await _collectionRepository.GetManyByOrganizationIdAsync(org.Id)).Select(c => c.Id).ToList();
-
-        //Assign id to the ones that don't exist in DB
-        //Need to keep the list order to create the relationships
-        var newCollections = new List<Collection>();
-        var newCollectionUsers = new List<CollectionUser>();
-
-        foreach (var collection in collections)
-        {
-            if (!organizationCollectionsIds.Contains(collection.Id))
-            {
-                collection.SetNewId();
-                newCollections.Add(collection);
-                newCollectionUsers.Add(new CollectionUser
-                {
-                    CollectionId = collection.Id,
-                    OrganizationUserId = importingOrgUser.Id,
-                    Manage = true
-                });
-            }
-        }
-
-        // Create associations based on the newly assigned ids
-        var collectionCiphers = new List<CollectionCipher>();
-        foreach (var relationship in collectionRelationships)
-        {
-            var cipher = ciphers.ElementAtOrDefault(relationship.Key);
-            var collection = collections.ElementAtOrDefault(relationship.Value);
-
-            if (cipher == null || collection == null)
-            {
-                continue;
-            }
-
-            collectionCiphers.Add(new CollectionCipher
-            {
-                CipherId = cipher.Id,
-                CollectionId = collection.Id
-            });
-        }
-
-        // Create it all
-        await _cipherRepository.CreateAsync(ciphers, newCollections, collectionCiphers, newCollectionUsers);
-
-        // push
-        await _pushService.PushSyncVaultAsync(importingUserId);
-
-
-        if (org != null)
-        {
-            await _referenceEventService.RaiseEventAsync(
-                new ReferenceEvent(ReferenceEventType.VaultImported, org, _currentContext));
-        }
-    }
-
     public async Task SoftDeleteAsync(Cipher cipher, Guid deletingUserId, bool orgAdmin = false)
     {
         if (!orgAdmin && !(await UserCanEditAsync(cipher, deletingUserId)))
diff --git a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
index 63c114405f..e1369d5366 100644
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@@ -40,6 +40,7 @@ using Bit.Core.SecretsManager.Repositories.Noop;
 using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Tokens;
+using Bit.Core.Tools.ImportFeatures;
 using Bit.Core.Tools.ReportFeatures;
 using Bit.Core.Tools.Services;
 using Bit.Core.Utilities;
@@ -128,6 +129,7 @@ public static class ServiceCollectionExtensions
         services.AddKeyManagementServices();
         services.AddNotificationCenterServices();
         services.AddPlatformServices();
+        services.AddImportServices();
     }
 
     public static void AddTokenizers(this IServiceCollection services)
diff --git a/test/Core.Test/Tools/ImportFeatures/ImportCiphersAsyncCommandTests.cs b/test/Core.Test/Tools/ImportFeatures/ImportCiphersAsyncCommandTests.cs
new file mode 100644
index 0000000000..1e97856281
--- /dev/null
+++ b/test/Core.Test/Tools/ImportFeatures/ImportCiphersAsyncCommandTests.cs
@@ -0,0 +1,181 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Services;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Platform.Push;
+using Bit.Core.Repositories;
+using Bit.Core.Test.AutoFixture.CipherFixtures;
+using Bit.Core.Tools.Enums;
+using Bit.Core.Tools.ImportFeatures;
+using Bit.Core.Tools.Models.Business;
+using Bit.Core.Tools.Services;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Repositories;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+
+namespace Bit.Core.Test.Tools.ImportFeatures;
+
+[UserCipherCustomize]
+[SutProviderCustomize]
+public class ImportCiphersAsyncCommandTests
+{
+    [Theory, BitAutoData]
+    public async Task ImportIntoIndividualVaultAsync_Success(
+        Guid importingUserId,
+        List<CipherDetails> ciphers,
+        SutProvider<ImportCiphersCommand> sutProvider)
+    {
+        sutProvider.GetDependency<IPolicyService>()
+            .AnyPoliciesApplicableToUserAsync(importingUserId, PolicyType.PersonalOwnership)
+            .Returns(false);
+
+        sutProvider.GetDependency<IFolderRepository>()
+            .GetManyByUserIdAsync(importingUserId)
+            .Returns(new List<Folder>());
+
+        var folders = new List<Folder> { new Folder { UserId = importingUserId } };
+
+        var folderRelationships = new List<KeyValuePair<int, int>>();
+
+        // Act
+        await sutProvider.Sut.ImportIntoIndividualVaultAsync(folders, ciphers, folderRelationships);
+
+        // Assert
+        await sutProvider.GetDependency<ICipherRepository>().Received(1).CreateAsync(ciphers, Arg.Any<List<Folder>>());
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncVaultAsync(importingUserId);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ImportIntoIndividualVaultAsync_ThrowsBadRequestException(
+        List<Folder> folders,
+        List<CipherDetails> ciphers,
+        SutProvider<ImportCiphersCommand> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        folders.ForEach(f => f.UserId = userId);
+        ciphers.ForEach(c => c.UserId = userId);
+
+        sutProvider.GetDependency<IPolicyService>()
+            .AnyPoliciesApplicableToUserAsync(userId, PolicyType.PersonalOwnership)
+            .Returns(true);
+
+        var folderRelationships = new List<KeyValuePair<int, int>>();
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.ImportIntoIndividualVaultAsync(folders, ciphers, folderRelationships));
+
+        Assert.Equal("You cannot import items into your personal vault because you are a member of an organization which forbids it.", exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ImportIntoOrganizationalVaultAsync_Success(
+        Organization organization,
+        Guid importingUserId,
+        OrganizationUser importingOrganizationUser,
+        List<Collection> collections,
+        List<CipherDetails> ciphers,
+        SutProvider<ImportCiphersCommand> sutProvider)
+    {
+        organization.MaxCollections = null;
+        importingOrganizationUser.OrganizationId = organization.Id;
+
+        foreach (var collection in collections)
+        {
+            collection.OrganizationId = organization.Id;
+        }
+
+        foreach (var cipher in ciphers)
+        {
+            cipher.OrganizationId = organization.Id;
+        }
+
+        KeyValuePair<int, int>[] collectionRelationships = {
+            new(0, 0),
+            new(1, 1),
+            new(2, 2)
+        };
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByOrganizationAsync(organization.Id, importingUserId)
+            .Returns(importingOrganizationUser);
+
+        // Set up a collection that already exists in the organization
+        sutProvider.GetDependency<ICollectionRepository>()
+            .GetManyByOrganizationIdAsync(organization.Id)
+            .Returns(new List<Collection> { collections[0] });
+
+        await sutProvider.Sut.ImportIntoOrganizationalVaultAsync(collections, ciphers, collectionRelationships, importingUserId);
+
+        await sutProvider.GetDependency<ICipherRepository>().Received(1).CreateAsync(
+            ciphers,
+            Arg.Is<IEnumerable<Collection>>(cols => cols.Count() == collections.Count - 1 &&
+                        !cols.Any(c => c.Id == collections[0].Id) && // Check that the collection that already existed in the organization was not added
+                        cols.All(c => collections.Any(x => c.Name == x.Name))),
+            Arg.Is<IEnumerable<CollectionCipher>>(c => c.Count() == ciphers.Count),
+            Arg.Is<IEnumerable<CollectionUser>>(cus =>
+                cus.Count() == collections.Count - 1 &&
+                !cus.Any(cu => cu.CollectionId == collections[0].Id) && // Check that access was not added for the collection that already existed in the organization
+                cus.All(cu => cu.OrganizationUserId == importingOrganizationUser.Id && cu.Manage == true)));
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncVaultAsync(importingUserId);
+        await sutProvider.GetDependency<IReferenceEventService>().Received(1).RaiseEventAsync(
+            Arg.Is<ReferenceEvent>(e => e.Type == ReferenceEventType.VaultImported));
+    }
+
+    [Theory, BitAutoData]
+    public async Task ImportIntoOrganizationalVaultAsync_ThrowsBadRequestException(
+        Organization organization,
+        Guid importingUserId,
+        OrganizationUser importingOrganizationUser,
+        List<Collection> collections,
+        List<CipherDetails> ciphers,
+        SutProvider<ImportCiphersCommand> sutProvider)
+    {
+        organization.MaxCollections = 1;
+        importingOrganizationUser.OrganizationId = organization.Id;
+
+        foreach (var collection in collections)
+        {
+            collection.OrganizationId = organization.Id;
+        }
+
+        foreach (var cipher in ciphers)
+        {
+            cipher.OrganizationId = organization.Id;
+        }
+
+        KeyValuePair<int, int>[] collectionRelationships = {
+            new(0, 0),
+            new(1, 1),
+            new(2, 2)
+        };
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByOrganizationAsync(organization.Id, importingUserId)
+            .Returns(importingOrganizationUser);
+
+        // Set up a collection that already exists in the organization
+        sutProvider.GetDependency<ICollectionRepository>()
+            .GetManyByOrganizationIdAsync(organization.Id)
+            .Returns(new List<Collection> { collections[0] });
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.ImportIntoOrganizationalVaultAsync(collections, ciphers, collectionRelationships, importingUserId));
+
+        Assert.Equal("This organization can only have a maximum of " +
+        $"{organization.MaxCollections} collections.", exception.Message);
+    }
+}
diff --git a/test/Core.Test/Vault/Services/CipherServiceTests.cs b/test/Core.Test/Vault/Services/CipherServiceTests.cs
index dd34127efe..4f02d94c9c 100644
--- a/test/Core.Test/Vault/Services/CipherServiceTests.cs
+++ b/test/Core.Test/Vault/Services/CipherServiceTests.cs
@@ -7,9 +7,6 @@ using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Test.AutoFixture.CipherFixtures;
-using Bit.Core.Tools.Enums;
-using Bit.Core.Tools.Models.Business;
-using Bit.Core.Tools.Services;
 using Bit.Core.Utilities;
 using Bit.Core.Vault.Entities;
 using Bit.Core.Vault.Models.Data;
@@ -26,64 +23,6 @@ namespace Bit.Core.Test.Services;
 [SutProviderCustomize]
 public class CipherServiceTests
 {
-    [Theory, BitAutoData]
-    public async Task ImportCiphersAsync_IntoOrganization_Success(
-        Organization organization,
-        Guid importingUserId,
-        OrganizationUser importingOrganizationUser,
-        List<Collection> collections,
-        List<CipherDetails> ciphers,
-        SutProvider<CipherService> sutProvider)
-    {
-        organization.MaxCollections = null;
-        importingOrganizationUser.OrganizationId = organization.Id;
-
-        foreach (var collection in collections)
-        {
-            collection.OrganizationId = organization.Id;
-        }
-
-        foreach (var cipher in ciphers)
-        {
-            cipher.OrganizationId = organization.Id;
-        }
-
-        KeyValuePair<int, int>[] collectionRelationships = {
-            new(0, 0),
-            new(1, 1),
-            new(2, 2)
-        };
-
-        sutProvider.GetDependency<IOrganizationRepository>()
-            .GetByIdAsync(organization.Id)
-            .Returns(organization);
-
-        sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetByOrganizationAsync(organization.Id, importingUserId)
-            .Returns(importingOrganizationUser);
-
-        // Set up a collection that already exists in the organization
-        sutProvider.GetDependency<ICollectionRepository>()
-            .GetManyByOrganizationIdAsync(organization.Id)
-            .Returns(new List<Collection> { collections[0] });
-
-        await sutProvider.Sut.ImportCiphersAsync(collections, ciphers, collectionRelationships, importingUserId);
-
-        await sutProvider.GetDependency<ICipherRepository>().Received(1).CreateAsync(
-            ciphers,
-            Arg.Is<IEnumerable<Collection>>(cols => cols.Count() == collections.Count - 1 &&
-                        !cols.Any(c => c.Id == collections[0].Id) && // Check that the collection that already existed in the organization was not added
-                        cols.All(c => collections.Any(x => c.Name == x.Name))),
-            Arg.Is<IEnumerable<CollectionCipher>>(c => c.Count() == ciphers.Count),
-            Arg.Is<IEnumerable<CollectionUser>>(cus =>
-                cus.Count() == collections.Count - 1 &&
-                !cus.Any(cu => cu.CollectionId == collections[0].Id) && // Check that access was not added for the collection that already existed in the organization
-                cus.All(cu => cu.OrganizationUserId == importingOrganizationUser.Id && cu.Manage == true)));
-        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncVaultAsync(importingUserId);
-        await sutProvider.GetDependency<IReferenceEventService>().Received(1).RaiseEventAsync(
-            Arg.Is<ReferenceEvent>(e => e.Type == ReferenceEventType.VaultImported));
-    }
-
     [Theory, BitAutoData]
     public async Task SaveAsync_WrongRevisionDate_Throws(SutProvider<CipherService> sutProvider, Cipher cipher)
     {

From f140c7f6c1cb365916ac1addac478295180e9903 Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Fri, 24 Jan 2025 13:38:35 -0500
Subject: [PATCH 198/384] [PM-11730] Remove feature flag:
 AC-2476-deprecate-stripe-sources-api (#5201)

* Removed feature flag

* Run dotnet format

* Fix integration tests
---
 .../OrganizationBillingController.cs          | 31 -----------
 .../CloudOrganizationSignUpCommand.cs         | 24 +--------
 src/Core/Constants.cs                         |  1 -
 .../UpgradeOrganizationPlanCommand.cs         | 23 +-------
 .../Services/Implementations/UserService.cs   | 14 +----
 .../Helpers/OrganizationTestHelpers.cs        |  8 ++-
 .../CloudOrganizationSignUpCommandTests.cs    | 53 ++++++++-----------
 .../UpgradeOrganizationPlanCommandTests.cs    |  2 +-
 .../Factories/WebApplicationFactoryBase.cs    |  6 +++
 9 files changed, 43 insertions(+), 119 deletions(-)

diff --git a/src/Api/Billing/Controllers/OrganizationBillingController.cs b/src/Api/Billing/Controllers/OrganizationBillingController.cs
index 4a6f5f5b8a..b52241c30e 100644
--- a/src/Api/Billing/Controllers/OrganizationBillingController.cs
+++ b/src/Api/Billing/Controllers/OrganizationBillingController.cs
@@ -2,7 +2,6 @@
 using Bit.Api.AdminConsole.Models.Request.Organizations;
 using Bit.Api.Billing.Models.Requests;
 using Bit.Api.Billing.Models.Responses;
-using Bit.Core;
 using Bit.Core.Billing.Models.Sales;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
@@ -139,11 +138,6 @@ public class OrganizationBillingController(
     [HttpGet("payment-method")]
     public async Task<IResult> GetPaymentMethodAsync([FromRoute] Guid organizationId)
     {
-        if (!featureService.IsEnabled(FeatureFlagKeys.AC2476_DeprecateStripeSourcesAPI))
-        {
-            return Error.NotFound();
-        }
-
         if (!await currentContext.EditPaymentMethods(organizationId))
         {
             return Error.Unauthorized();
@@ -168,11 +162,6 @@ public class OrganizationBillingController(
         [FromRoute] Guid organizationId,
         [FromBody] UpdatePaymentMethodRequestBody requestBody)
     {
-        if (!featureService.IsEnabled(FeatureFlagKeys.AC2476_DeprecateStripeSourcesAPI))
-        {
-            return Error.NotFound();
-        }
-
         if (!await currentContext.EditPaymentMethods(organizationId))
         {
             return Error.Unauthorized();
@@ -199,11 +188,6 @@ public class OrganizationBillingController(
         [FromRoute] Guid organizationId,
         [FromBody] VerifyBankAccountRequestBody requestBody)
     {
-        if (!featureService.IsEnabled(FeatureFlagKeys.AC2476_DeprecateStripeSourcesAPI))
-        {
-            return Error.NotFound();
-        }
-
         if (!await currentContext.EditPaymentMethods(organizationId))
         {
             return Error.Unauthorized();
@@ -229,11 +213,6 @@ public class OrganizationBillingController(
     [HttpGet("tax-information")]
     public async Task<IResult> GetTaxInformationAsync([FromRoute] Guid organizationId)
     {
-        if (!featureService.IsEnabled(FeatureFlagKeys.AC2476_DeprecateStripeSourcesAPI))
-        {
-            return Error.NotFound();
-        }
-
         if (!await currentContext.EditPaymentMethods(organizationId))
         {
             return Error.Unauthorized();
@@ -258,11 +237,6 @@ public class OrganizationBillingController(
         [FromRoute] Guid organizationId,
         [FromBody] TaxInformationRequestBody requestBody)
     {
-        if (!featureService.IsEnabled(FeatureFlagKeys.AC2476_DeprecateStripeSourcesAPI))
-        {
-            return Error.NotFound();
-        }
-
         if (!await currentContext.EditPaymentMethods(organizationId))
         {
             return Error.Unauthorized();
@@ -292,11 +266,6 @@ public class OrganizationBillingController(
             throw new UnauthorizedAccessException();
         }
 
-        if (!featureService.IsEnabled(FeatureFlagKeys.AC2476_DeprecateStripeSourcesAPI))
-        {
-            return Error.NotFound();
-        }
-
         if (!await currentContext.EditPaymentMethods(organizationId))
         {
             return Error.Unauthorized();
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Organizations/CloudOrganizationSignUpCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/Organizations/CloudOrganizationSignUpCommand.cs
index df841adf42..94ff3c0059 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Organizations/CloudOrganizationSignUpCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Organizations/CloudOrganizationSignUpCommand.cs
@@ -125,28 +125,8 @@ public class CloudOrganizationSignUpCommand(
         }
         else if (plan.Type != PlanType.Free)
         {
-            if (featureService.IsEnabled(FeatureFlagKeys.AC2476_DeprecateStripeSourcesAPI))
-            {
-                var sale = OrganizationSale.From(organization, signup);
-                await organizationBillingService.Finalize(sale);
-            }
-            else
-            {
-                if (signup.PaymentMethodType != null)
-                {
-                    await paymentService.PurchaseOrganizationAsync(organization, signup.PaymentMethodType.Value,
-                        signup.PaymentToken, plan, signup.AdditionalStorageGb, signup.AdditionalSeats,
-                        signup.PremiumAccessAddon, signup.TaxInfo, signup.IsFromProvider, signup.AdditionalSmSeats.GetValueOrDefault(),
-                        signup.AdditionalServiceAccounts.GetValueOrDefault(), signup.IsFromSecretsManagerTrial);
-                }
-                else
-                {
-                    await paymentService.PurchaseOrganizationNoPaymentMethod(organization, plan, signup.AdditionalSeats,
-                        signup.PremiumAccessAddon, signup.AdditionalSmSeats.GetValueOrDefault(),
-                        signup.AdditionalServiceAccounts.GetValueOrDefault(), signup.IsFromSecretsManagerTrial);
-                }
-
-            }
+            var sale = OrganizationSale.From(organization, signup);
+            await organizationBillingService.Finalize(sale);
         }
 
         var ownerId = signup.IsFromProvider ? default : signup.Owner.Id;
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index dd45593ae9..dea65b929e 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -137,7 +137,6 @@ public static class FeatureFlagKeys
     public const string NotificationBarAddLoginImprovements = "notification-bar-add-login-improvements";
     public const string BlockBrowserInjectionsByDomain = "block-browser-injections-by-domain";
     public const string NotificationRefresh = "notification-refresh";
-    public const string AC2476_DeprecateStripeSourcesAPI = "AC-2476-deprecate-stripe-sources-api";
     public const string PersistPopupView = "persist-popup-view";
     public const string CipherKeyEncryption = "cipher-key-encryption";
     public const string EnableNewCardCombinedExpiryAutofill = "enable-new-card-combined-expiry-autofill";
diff --git a/src/Core/OrganizationFeatures/OrganizationSubscriptions/UpgradeOrganizationPlanCommand.cs b/src/Core/OrganizationFeatures/OrganizationSubscriptions/UpgradeOrganizationPlanCommand.cs
index 7f463460dd..19af8121e7 100644
--- a/src/Core/OrganizationFeatures/OrganizationSubscriptions/UpgradeOrganizationPlanCommand.cs
+++ b/src/Core/OrganizationFeatures/OrganizationSubscriptions/UpgradeOrganizationPlanCommand.cs
@@ -224,27 +224,8 @@ public class UpgradeOrganizationPlanCommand : IUpgradeOrganizationPlanCommand
 
         if (string.IsNullOrWhiteSpace(organization.GatewaySubscriptionId))
         {
-            if (_featureService.IsEnabled(FeatureFlagKeys.AC2476_DeprecateStripeSourcesAPI))
-            {
-                var sale = OrganizationSale.From(organization, upgrade);
-                await _organizationBillingService.Finalize(sale);
-            }
-            else
-            {
-                try
-                {
-                    paymentIntentClientSecret = await _paymentService.UpgradeFreeOrganizationAsync(organization,
-                        newPlan, upgrade);
-                    success = string.IsNullOrWhiteSpace(paymentIntentClientSecret);
-                }
-                catch
-                {
-                    await _paymentService.CancelAndRecoverChargesAsync(organization);
-                    organization.GatewayCustomerId = null;
-                    await _organizationService.ReplaceAndUpdateCacheAsync(organization);
-                    throw;
-                }
-            }
+            var sale = OrganizationSale.From(organization, upgrade);
+            await _organizationBillingService.Finalize(sale);
         }
         else
         {
diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index 1dd8c3f8ca..157bfd3a6e 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -933,18 +933,8 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         }
         else
         {
-            var deprecateStripeSourcesAPI = _featureService.IsEnabled(FeatureFlagKeys.AC2476_DeprecateStripeSourcesAPI);
-
-            if (deprecateStripeSourcesAPI)
-            {
-                var sale = PremiumUserSale.From(user, paymentMethodType, paymentToken, taxInfo, additionalStorageGb);
-                await _premiumUserBillingService.Finalize(sale);
-            }
-            else
-            {
-                paymentIntentClientSecret = await _paymentService.PurchasePremiumAsync(user, paymentMethodType,
-                    paymentToken, additionalStorageGb, taxInfo);
-            }
+            var sale = PremiumUserSale.From(user, paymentMethodType, paymentToken, taxInfo, additionalStorageGb);
+            await _premiumUserBillingService.Finalize(sale);
         }
 
         user.Premium = true;
diff --git a/test/Api.IntegrationTest/Helpers/OrganizationTestHelpers.cs b/test/Api.IntegrationTest/Helpers/OrganizationTestHelpers.cs
index dd514803fe..9370948a85 100644
--- a/test/Api.IntegrationTest/Helpers/OrganizationTestHelpers.cs
+++ b/test/Api.IntegrationTest/Helpers/OrganizationTestHelpers.cs
@@ -36,7 +36,13 @@ public static class OrganizationTestHelpers
             OwnerKey = ownerKey,
             Owner = owner,
             AdditionalSeats = passwordManagerSeats,
-            PaymentMethodType = paymentMethod
+            PaymentMethodType = paymentMethod,
+            PaymentToken = "TOKEN",
+            TaxInfo = new TaxInfo
+            {
+                BillingAddressCountry = "US",
+                BillingAddressPostalCode = "12345"
+            }
         });
 
         Debug.Assert(signUpResult.OrganizationUser is not null);
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationSignUp/CloudOrganizationSignUpCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationSignUp/CloudOrganizationSignUpCommandTests.cs
index 46b4f0b334..859c74f3d0 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationSignUp/CloudOrganizationSignUpCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationSignUp/CloudOrganizationSignUpCommandTests.cs
@@ -1,14 +1,14 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Models.Sales;
+using Bit.Core.Billing.Services;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.Models.Data;
-using Bit.Core.Models.StaticStore;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.Core.Tools.Enums;
 using Bit.Core.Tools.Models.Business;
 using Bit.Core.Tools.Services;
@@ -60,20 +60,16 @@ public class CloudICloudOrganizationSignUpCommandTests
         Assert.NotNull(result.Organization);
         Assert.NotNull(result.OrganizationUser);
 
-        await sutProvider.GetDependency<IPaymentService>().Received(1).PurchaseOrganizationAsync(
-            Arg.Any<Organization>(),
-            signup.PaymentMethodType.Value,
-            signup.PaymentToken,
-            plan,
-            signup.AdditionalStorageGb,
-            signup.AdditionalSeats,
-            signup.PremiumAccessAddon,
-            signup.TaxInfo,
-            false,
-            signup.AdditionalSmSeats.GetValueOrDefault(),
-            signup.AdditionalServiceAccounts.GetValueOrDefault(),
-            signup.UseSecretsManager
-        );
+        await sutProvider.GetDependency<IOrganizationBillingService>().Received(1).Finalize(
+            Arg.Is<OrganizationSale>(sale =>
+                sale.CustomerSetup.TokenizedPaymentSource.Type == signup.PaymentMethodType.Value &&
+                sale.CustomerSetup.TokenizedPaymentSource.Token == signup.PaymentToken &&
+                sale.CustomerSetup.TaxInformation.Country == signup.TaxInfo.BillingAddressCountry &&
+                sale.CustomerSetup.TaxInformation.PostalCode == signup.TaxInfo.BillingAddressPostalCode &&
+                sale.SubscriptionSetup.Plan == plan &&
+                sale.SubscriptionSetup.PasswordManagerOptions.Seats == signup.AdditionalSeats &&
+                sale.SubscriptionSetup.PasswordManagerOptions.Storage == signup.AdditionalStorageGb &&
+                sale.SubscriptionSetup.SecretsManagerOptions == null));
     }
 
     [Theory]
@@ -155,20 +151,17 @@ public class CloudICloudOrganizationSignUpCommandTests
         Assert.NotNull(result.Organization);
         Assert.NotNull(result.OrganizationUser);
 
-        await sutProvider.GetDependency<IPaymentService>().Received(1).PurchaseOrganizationAsync(
-            Arg.Any<Organization>(),
-            signup.PaymentMethodType.Value,
-            signup.PaymentToken,
-            Arg.Is<Plan>(plan),
-            signup.AdditionalStorageGb,
-            signup.AdditionalSeats,
-            signup.PremiumAccessAddon,
-            signup.TaxInfo,
-            false,
-            signup.AdditionalSmSeats.GetValueOrDefault(),
-            signup.AdditionalServiceAccounts.GetValueOrDefault(),
-            signup.IsFromSecretsManagerTrial
-        );
+        await sutProvider.GetDependency<IOrganizationBillingService>().Received(1).Finalize(
+            Arg.Is<OrganizationSale>(sale =>
+                sale.CustomerSetup.TokenizedPaymentSource.Type == signup.PaymentMethodType.Value &&
+                sale.CustomerSetup.TokenizedPaymentSource.Token == signup.PaymentToken &&
+                sale.CustomerSetup.TaxInformation.Country == signup.TaxInfo.BillingAddressCountry &&
+                sale.CustomerSetup.TaxInformation.PostalCode == signup.TaxInfo.BillingAddressPostalCode &&
+                sale.SubscriptionSetup.Plan == plan &&
+                sale.SubscriptionSetup.PasswordManagerOptions.Seats == signup.AdditionalSeats &&
+                sale.SubscriptionSetup.PasswordManagerOptions.Storage == signup.AdditionalStorageGb &&
+                sale.SubscriptionSetup.SecretsManagerOptions.Seats == signup.AdditionalSmSeats &&
+                sale.SubscriptionSetup.SecretsManagerOptions.ServiceAccounts == signup.AdditionalServiceAccounts));
     }
 
     [Theory]
diff --git a/test/Core.Test/OrganizationFeatures/OrganizationSubscriptionUpdate/UpgradeOrganizationPlanCommandTests.cs b/test/Core.Test/OrganizationFeatures/OrganizationSubscriptionUpdate/UpgradeOrganizationPlanCommandTests.cs
index 0f47b6c921..2965a2f03d 100644
--- a/test/Core.Test/OrganizationFeatures/OrganizationSubscriptionUpdate/UpgradeOrganizationPlanCommandTests.cs
+++ b/test/Core.Test/OrganizationFeatures/OrganizationSubscriptionUpdate/UpgradeOrganizationPlanCommandTests.cs
@@ -139,7 +139,7 @@ public class UpgradeOrganizationPlanCommandTests
                 && o.SmServiceAccounts == plan.SecretsManager.BaseServiceAccount + upgrade.AdditionalServiceAccounts));
 
         Assert.True(result.Item1);
-        Assert.NotNull(result.Item2);
+        Assert.Null(result.Item2);
     }
 
     [Theory, FreeOrganizationUpgradeCustomize]
diff --git a/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs b/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs
index 9474ffb862..d01e92ad4c 100644
--- a/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs
+++ b/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs
@@ -1,5 +1,6 @@
 using AspNetCoreRateLimit;
 using Bit.Core.Auth.Services;
+using Bit.Core.Billing.Services;
 using Bit.Core.Platform.Push;
 using Bit.Core.Platform.Push.Internal;
 using Bit.Core.Repositories;
@@ -247,6 +248,11 @@ public abstract class WebApplicationFactoryBase<T> : WebApplicationFactory<T>
             var stripePaymentService = services.First(sd => sd.ServiceType == typeof(IPaymentService));
             services.Remove(stripePaymentService);
             services.AddSingleton(Substitute.For<IPaymentService>());
+
+            var organizationBillingService =
+                services.First(sd => sd.ServiceType == typeof(IOrganizationBillingService));
+            services.Remove(organizationBillingService);
+            services.AddSingleton(Substitute.For<IOrganizationBillingService>());
         });
 
         foreach (var configureTestService in _configureTestServices)

From f2182c2aae876fc44f0e8dad9597b858c51800b4 Mon Sep 17 00:00:00 2001
From: Graham Walker <ghwtx@icloud.com>
Date: Fri, 24 Jan 2025 13:43:41 -0600
Subject: [PATCH 199/384] PM-16261 fixing linter issue (#5322)

---
 src/Core/Vault/Services/ICipherService.cs                | 3 +--
 src/Core/Vault/Services/Implementations/CipherService.cs | 1 -
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/Core/Vault/Services/ICipherService.cs b/src/Core/Vault/Services/ICipherService.cs
index e559963361..b332fbb96f 100644
--- a/src/Core/Vault/Services/ICipherService.cs
+++ b/src/Core/Vault/Services/ICipherService.cs
@@ -1,5 +1,4 @@
-using Bit.Core.Entities;
-using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Entities;
 using Bit.Core.Vault.Models.Data;
 
 namespace Bit.Core.Vault.Services;
diff --git a/src/Core/Vault/Services/Implementations/CipherService.cs b/src/Core/Vault/Services/Implementations/CipherService.cs
index da1a5f978f..ea4db01fd7 100644
--- a/src/Core/Vault/Services/Implementations/CipherService.cs
+++ b/src/Core/Vault/Services/Implementations/CipherService.cs
@@ -2,7 +2,6 @@
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Context;
-using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Platform.Push;

From 3908edd08fcff620b3c9709d6e4be1633267a096 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Mon, 27 Jan 2025 10:58:08 +0000
Subject: [PATCH 200/384] [PM-12489] Extract OrganizationService.DeleteAsync
 and OrganizationService.InitiateDeleteAsync into commands (#5279)

* Create organization deletion command with logic extracted from OrganizationService

* Add unit tests for OrganizationDeleteCommand

* Register OrganizationDeleteCommand for dependency injection

* Refactor organization deletion logic to use IOrganizationDeleteCommand and remove legacy IOrganizationService.DeleteAsync method

* Add organization deletion initiation command and refactor service usage

* Enhance organization deletion commands with detailed XML documentation

* Refactor organization command registration to include sign-up and deletion methods
---
 .../Controllers/OrganizationsController.cs    |   8 +-
 .../Controllers/OrganizationsController.cs    |  10 +-
 .../Interfaces/IOrganizationDeleteCommand.cs  |  13 ++
 .../IOrganizationInitiateDeleteCommand.cs     |  14 +++
 .../OrganizationDeleteCommand.cs              |  69 +++++++++++
 .../OrganizationInitiateDeleteCommand.cs      |  49 ++++++++
 .../Services/IOrganizationService.cs          |   2 -
 .../Implementations/OrganizationService.cs    |  51 --------
 ...OrganizationServiceCollectionExtensions.cs |   8 ++
 .../OrganizationsControllerTests.cs           |   8 +-
 .../OrganizationDeleteCommandTests.cs         |  53 +++++++++
 .../OrganizationInitiateDeleteCommandTests.cs | 112 ++++++++++++++++++
 .../Services/OrganizationServiceTests.cs      |  35 ------
 13 files changed, 337 insertions(+), 95 deletions(-)
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationDeleteCommand.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationInitiateDeleteCommand.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/Organizations/OrganizationDeleteCommand.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/Organizations/OrganizationInitiateDeleteCommand.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationDeleteCommandTests.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationInitiateDeleteCommandTests.cs

diff --git a/src/Admin/AdminConsole/Controllers/OrganizationsController.cs b/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
index 86aebfaad7..b24226ee35 100644
--- a/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
+++ b/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
@@ -5,6 +5,7 @@ using Bit.Admin.Services;
 using Bit.Admin.Utilities;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums.Provider;
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
 using Bit.Core.AdminConsole.Providers.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Enums;
@@ -56,6 +57,7 @@ public class OrganizationsController : Controller
     private readonly IRemoveOrganizationFromProviderCommand _removeOrganizationFromProviderCommand;
     private readonly IProviderBillingService _providerBillingService;
     private readonly IFeatureService _featureService;
+    private readonly IOrganizationInitiateDeleteCommand _organizationInitiateDeleteCommand;
 
     public OrganizationsController(
         IOrganizationService organizationService,
@@ -82,7 +84,8 @@ public class OrganizationsController : Controller
         IProviderOrganizationRepository providerOrganizationRepository,
         IRemoveOrganizationFromProviderCommand removeOrganizationFromProviderCommand,
         IProviderBillingService providerBillingService,
-        IFeatureService featureService)
+        IFeatureService featureService,
+        IOrganizationInitiateDeleteCommand organizationInitiateDeleteCommand)
     {
         _organizationService = organizationService;
         _organizationRepository = organizationRepository;
@@ -109,6 +112,7 @@ public class OrganizationsController : Controller
         _removeOrganizationFromProviderCommand = removeOrganizationFromProviderCommand;
         _providerBillingService = providerBillingService;
         _featureService = featureService;
+        _organizationInitiateDeleteCommand = organizationInitiateDeleteCommand;
     }
 
     [RequirePermission(Permission.Org_List_View)]
@@ -319,7 +323,7 @@ public class OrganizationsController : Controller
                 var organization = await _organizationRepository.GetByIdAsync(id);
                 if (organization != null)
                 {
-                    await _organizationService.InitiateDeleteAsync(organization, model.AdminEmail);
+                    await _organizationInitiateDeleteCommand.InitiateDeleteAsync(organization, model.AdminEmail);
                     TempData["Success"] = "The request to initiate deletion of the organization has been sent.";
                 }
             }
diff --git a/src/Api/AdminConsole/Controllers/OrganizationsController.cs b/src/Api/AdminConsole/Controllers/OrganizationsController.cs
index 4e01bb3451..85e8e990a6 100644
--- a/src/Api/AdminConsole/Controllers/OrganizationsController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationsController.cs
@@ -14,6 +14,7 @@ using Bit.Core.AdminConsole.Models.Business.Tokenables;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationApiKeys.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Enums;
@@ -58,6 +59,7 @@ public class OrganizationsController : Controller
     private readonly IDataProtectorTokenFactory<OrgDeleteTokenable> _orgDeleteTokenDataFactory;
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
     private readonly ICloudOrganizationSignUpCommand _cloudOrganizationSignUpCommand;
+    private readonly IOrganizationDeleteCommand _organizationDeleteCommand;
 
     public OrganizationsController(
         IOrganizationRepository organizationRepository,
@@ -78,7 +80,8 @@ public class OrganizationsController : Controller
         IProviderBillingService providerBillingService,
         IDataProtectorTokenFactory<OrgDeleteTokenable> orgDeleteTokenDataFactory,
         IRemoveOrganizationUserCommand removeOrganizationUserCommand,
-        ICloudOrganizationSignUpCommand cloudOrganizationSignUpCommand)
+        ICloudOrganizationSignUpCommand cloudOrganizationSignUpCommand,
+        IOrganizationDeleteCommand organizationDeleteCommand)
     {
         _organizationRepository = organizationRepository;
         _organizationUserRepository = organizationUserRepository;
@@ -99,6 +102,7 @@ public class OrganizationsController : Controller
         _orgDeleteTokenDataFactory = orgDeleteTokenDataFactory;
         _removeOrganizationUserCommand = removeOrganizationUserCommand;
         _cloudOrganizationSignUpCommand = cloudOrganizationSignUpCommand;
+        _organizationDeleteCommand = organizationDeleteCommand;
     }
 
     [HttpGet("{id}")]
@@ -303,7 +307,7 @@ public class OrganizationsController : Controller
             }
         }
 
-        await _organizationService.DeleteAsync(organization);
+        await _organizationDeleteCommand.DeleteAsync(organization);
     }
 
     [HttpPost("{id}/delete-recover-token")]
@@ -333,7 +337,7 @@ public class OrganizationsController : Controller
             }
         }
 
-        await _organizationService.DeleteAsync(organization);
+        await _organizationDeleteCommand.DeleteAsync(organization);
     }
 
     [HttpPost("{id}/api-key")]
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationDeleteCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationDeleteCommand.cs
new file mode 100644
index 0000000000..fc4de42bed
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationDeleteCommand.cs
@@ -0,0 +1,13 @@
+using Bit.Core.AdminConsole.Entities;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
+
+public interface IOrganizationDeleteCommand
+{
+    /// <summary>
+    /// Permanently deletes an organization and performs necessary cleanup.
+    /// </summary>
+    /// <param name="organization">The organization to delete.</param>
+    /// <exception cref="BadRequestException">Thrown when the organization cannot be deleted due to configuration constraints.</exception>
+    Task DeleteAsync(Organization organization);
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationInitiateDeleteCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationInitiateDeleteCommand.cs
new file mode 100644
index 0000000000..a8d211f245
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationInitiateDeleteCommand.cs
@@ -0,0 +1,14 @@
+using Bit.Core.AdminConsole.Entities;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
+
+public interface IOrganizationInitiateDeleteCommand
+{
+    /// <summary>
+    /// Initiates a secure deletion process for an organization by requesting confirmation from an organization admin.
+    /// </summary>
+    /// <param name="organization">The organization to be deleted.</param>
+    /// <param name="orgAdminEmail">The email address of the organization admin who will confirm the deletion.</param>
+    /// <exception cref="BadRequestException">Thrown when the specified admin email is invalid or lacks sufficient permissions.</exception>
+    Task InitiateDeleteAsync(Organization organization, string orgAdminEmail);
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Organizations/OrganizationDeleteCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/Organizations/OrganizationDeleteCommand.cs
new file mode 100644
index 0000000000..185d5c5ac0
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/Organizations/OrganizationDeleteCommand.cs
@@ -0,0 +1,69 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
+using Bit.Core.Auth.Enums;
+using Bit.Core.Auth.Repositories;
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Tools.Enums;
+using Bit.Core.Tools.Models.Business;
+using Bit.Core.Tools.Services;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
+
+public class OrganizationDeleteCommand : IOrganizationDeleteCommand
+{
+    private readonly IApplicationCacheService _applicationCacheService;
+    private readonly ICurrentContext _currentContext;
+    private readonly IOrganizationRepository _organizationRepository;
+    private readonly IPaymentService _paymentService;
+    private readonly IReferenceEventService _referenceEventService;
+    private readonly ISsoConfigRepository _ssoConfigRepository;
+
+    public OrganizationDeleteCommand(
+        IApplicationCacheService applicationCacheService,
+        ICurrentContext currentContext,
+        IOrganizationRepository organizationRepository,
+        IPaymentService paymentService,
+        IReferenceEventService referenceEventService,
+        ISsoConfigRepository ssoConfigRepository)
+    {
+        _applicationCacheService = applicationCacheService;
+        _currentContext = currentContext;
+        _organizationRepository = organizationRepository;
+        _paymentService = paymentService;
+        _referenceEventService = referenceEventService;
+        _ssoConfigRepository = ssoConfigRepository;
+    }
+
+    public async Task DeleteAsync(Organization organization)
+    {
+        await ValidateDeleteOrganizationAsync(organization);
+
+        if (!string.IsNullOrWhiteSpace(organization.GatewaySubscriptionId))
+        {
+            try
+            {
+                var eop = !organization.ExpirationDate.HasValue ||
+                          organization.ExpirationDate.Value >= DateTime.UtcNow;
+                await _paymentService.CancelSubscriptionAsync(organization, eop);
+                await _referenceEventService.RaiseEventAsync(
+                    new ReferenceEvent(ReferenceEventType.DeleteAccount, organization, _currentContext));
+            }
+            catch (GatewayException) { }
+        }
+
+        await _organizationRepository.DeleteAsync(organization);
+        await _applicationCacheService.DeleteOrganizationAbilityAsync(organization.Id);
+    }
+
+    private async Task ValidateDeleteOrganizationAsync(Organization organization)
+    {
+        var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(organization.Id);
+        if (ssoConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector)
+        {
+            throw new BadRequestException("You cannot delete an Organization that is using Key Connector.");
+        }
+    }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Organizations/OrganizationInitiateDeleteCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/Organizations/OrganizationInitiateDeleteCommand.cs
new file mode 100644
index 0000000000..5979adc376
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/Organizations/OrganizationInitiateDeleteCommand.cs
@@ -0,0 +1,49 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Models.Business.Tokenables;
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Tokens;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
+
+public class OrganizationInitiateDeleteCommand : IOrganizationInitiateDeleteCommand
+{
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IUserRepository _userRepository;
+    private readonly IDataProtectorTokenFactory<OrgDeleteTokenable> _orgDeleteTokenDataFactory;
+    private readonly IMailService _mailService;
+
+    public const string OrganizationAdminNotFoundErrorMessage = "Org admin not found.";
+
+    public OrganizationInitiateDeleteCommand(
+        IOrganizationUserRepository organizationUserRepository,
+        IUserRepository userRepository,
+        IDataProtectorTokenFactory<OrgDeleteTokenable> orgDeleteTokenDataFactory,
+        IMailService mailService)
+    {
+        _organizationUserRepository = organizationUserRepository;
+        _userRepository = userRepository;
+        _orgDeleteTokenDataFactory = orgDeleteTokenDataFactory;
+        _mailService = mailService;
+    }
+
+    public async Task InitiateDeleteAsync(Organization organization, string orgAdminEmail)
+    {
+        var orgAdmin = await _userRepository.GetByEmailAsync(orgAdminEmail);
+        if (orgAdmin == null)
+        {
+            throw new BadRequestException(OrganizationAdminNotFoundErrorMessage);
+        }
+        var orgAdminOrgUser = await _organizationUserRepository.GetDetailsByUserAsync(orgAdmin.Id, organization.Id);
+        if (orgAdminOrgUser == null || orgAdminOrgUser.Status is not OrganizationUserStatusType.Confirmed ||
+            (orgAdminOrgUser.Type is not OrganizationUserType.Admin and not OrganizationUserType.Owner))
+        {
+            throw new BadRequestException(OrganizationAdminNotFoundErrorMessage);
+        }
+        var token = _orgDeleteTokenDataFactory.Protect(new OrgDeleteTokenable(organization, 1));
+        await _mailService.SendInitiateDeleteOrganzationEmailAsync(orgAdminEmail, organization, token);
+    }
+}
diff --git a/src/Core/AdminConsole/Services/IOrganizationService.cs b/src/Core/AdminConsole/Services/IOrganizationService.cs
index 0495c4c76e..7d73a3c903 100644
--- a/src/Core/AdminConsole/Services/IOrganizationService.cs
+++ b/src/Core/AdminConsole/Services/IOrganizationService.cs
@@ -28,8 +28,6 @@ public interface IOrganizationService
     /// </summary>
     Task<(Organization organization, OrganizationUser organizationUser)> SignUpAsync(OrganizationLicense license, User owner,
         string ownerKey, string collectionName, string publicKey, string privateKey);
-    Task InitiateDeleteAsync(Organization organization, string orgAdminEmail);
-    Task DeleteAsync(Organization organization);
     Task EnableAsync(Guid organizationId, DateTime? expirationDate);
     Task DisableAsync(Guid organizationId, DateTime? expirationDate);
     Task UpdateExpirationDateAsync(Guid organizationId, DateTime? expirationDate);
diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index 8743e51ff2..70a3227a71 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -4,7 +4,6 @@ using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Models.Business;
-using Bit.Core.AdminConsole.Models.Business.Tokenables;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
@@ -68,7 +67,6 @@ public class OrganizationService : IOrganizationService
     private readonly IProviderUserRepository _providerUserRepository;
     private readonly ICountNewSmSeatsRequiredQuery _countNewSmSeatsRequiredQuery;
     private readonly IUpdateSecretsManagerSubscriptionCommand _updateSecretsManagerSubscriptionCommand;
-    private readonly IDataProtectorTokenFactory<OrgDeleteTokenable> _orgDeleteTokenDataFactory;
     private readonly IProviderRepository _providerRepository;
     private readonly IOrgUserInviteTokenableFactory _orgUserInviteTokenableFactory;
     private readonly IDataProtectorTokenFactory<OrgUserInviteTokenable> _orgUserInviteTokenDataFactory;
@@ -106,7 +104,6 @@ public class OrganizationService : IOrganizationService
         IOrgUserInviteTokenableFactory orgUserInviteTokenableFactory,
         IDataProtectorTokenFactory<OrgUserInviteTokenable> orgUserInviteTokenDataFactory,
         IUpdateSecretsManagerSubscriptionCommand updateSecretsManagerSubscriptionCommand,
-        IDataProtectorTokenFactory<OrgDeleteTokenable> orgDeleteTokenDataFactory,
         IProviderRepository providerRepository,
         IFeatureService featureService,
         ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
@@ -139,7 +136,6 @@ public class OrganizationService : IOrganizationService
         _providerUserRepository = providerUserRepository;
         _countNewSmSeatsRequiredQuery = countNewSmSeatsRequiredQuery;
         _updateSecretsManagerSubscriptionCommand = updateSecretsManagerSubscriptionCommand;
-        _orgDeleteTokenDataFactory = orgDeleteTokenDataFactory;
         _providerRepository = providerRepository;
         _orgUserInviteTokenableFactory = orgUserInviteTokenableFactory;
         _orgUserInviteTokenDataFactory = orgUserInviteTokenDataFactory;
@@ -690,44 +686,6 @@ public class OrganizationService : IOrganizationService
         }
     }
 
-    public async Task InitiateDeleteAsync(Organization organization, string orgAdminEmail)
-    {
-        var orgAdmin = await _userRepository.GetByEmailAsync(orgAdminEmail);
-        if (orgAdmin == null)
-        {
-            throw new BadRequestException("Org admin not found.");
-        }
-        var orgAdminOrgUser = await _organizationUserRepository.GetDetailsByUserAsync(orgAdmin.Id, organization.Id);
-        if (orgAdminOrgUser == null || orgAdminOrgUser.Status != OrganizationUserStatusType.Confirmed ||
-            (orgAdminOrgUser.Type != OrganizationUserType.Admin && orgAdminOrgUser.Type != OrganizationUserType.Owner))
-        {
-            throw new BadRequestException("Org admin not found.");
-        }
-        var token = _orgDeleteTokenDataFactory.Protect(new OrgDeleteTokenable(organization, 1));
-        await _mailService.SendInitiateDeleteOrganzationEmailAsync(orgAdminEmail, organization, token);
-    }
-
-    public async Task DeleteAsync(Organization organization)
-    {
-        await ValidateDeleteOrganizationAsync(organization);
-
-        if (!string.IsNullOrWhiteSpace(organization.GatewaySubscriptionId))
-        {
-            try
-            {
-                var eop = !organization.ExpirationDate.HasValue ||
-                    organization.ExpirationDate.Value >= DateTime.UtcNow;
-                await _paymentService.CancelSubscriptionAsync(organization, eop);
-                await _referenceEventService.RaiseEventAsync(
-                    new ReferenceEvent(ReferenceEventType.DeleteAccount, organization, _currentContext));
-            }
-            catch (GatewayException) { }
-        }
-
-        await _organizationRepository.DeleteAsync(organization);
-        await _applicationCacheService.DeleteOrganizationAbilityAsync(organization.Id);
-    }
-
     public async Task EnableAsync(Guid organizationId, DateTime? expirationDate)
     {
         var org = await GetOrgById(organizationId);
@@ -1978,15 +1936,6 @@ public class OrganizationService : IOrganizationService
         return true;
     }
 
-    private async Task ValidateDeleteOrganizationAsync(Organization organization)
-    {
-        var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(organization.Id);
-        if (ssoConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector)
-        {
-            throw new BadRequestException("You cannot delete an Organization that is using Key Connector.");
-        }
-    }
-
     public async Task RevokeUserAsync(OrganizationUser organizationUser, Guid? revokingUserId)
     {
         if (revokingUserId.HasValue && organizationUser.UserId == revokingUserId.Value)
diff --git a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
index 5586273520..9d2e6e51e6 100644
--- a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
+++ b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
@@ -9,6 +9,7 @@ using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationConnections.Interfa
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
@@ -52,6 +53,7 @@ public static class OrganizationServiceCollectionExtensions
         services.AddOrganizationLicenseCommandsQueries();
         services.AddOrganizationDomainCommandsQueries();
         services.AddOrganizationSignUpCommands();
+        services.AddOrganizationDeleteCommands();
         services.AddOrganizationAuthCommands();
         services.AddOrganizationUserCommands();
         services.AddOrganizationUserCommandsQueries();
@@ -61,6 +63,12 @@ public static class OrganizationServiceCollectionExtensions
     private static IServiceCollection AddOrganizationSignUpCommands(this IServiceCollection services) =>
         services.AddScoped<ICloudOrganizationSignUpCommand, CloudOrganizationSignUpCommand>();
 
+    private static void AddOrganizationDeleteCommands(this IServiceCollection services)
+    {
+        services.AddScoped<IOrganizationDeleteCommand, OrganizationDeleteCommand>();
+        services.AddScoped<IOrganizationInitiateDeleteCommand, OrganizationInitiateDeleteCommand>();
+    }
+
     private static void AddOrganizationConnectionCommands(this IServiceCollection services)
     {
         services.AddScoped<ICreateOrganizationConnectionCommand, CreateOrganizationConnectionCommand>();
diff --git a/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs b/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
index f35dbaa5cf..b739469c78 100644
--- a/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
+++ b/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
@@ -8,6 +8,7 @@ using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Models.Business.Tokenables;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationApiKeys.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Entities;
@@ -52,6 +53,7 @@ public class OrganizationsControllerTests : IDisposable
     private readonly IDataProtectorTokenFactory<OrgDeleteTokenable> _orgDeleteTokenDataFactory;
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
     private readonly ICloudOrganizationSignUpCommand _cloudOrganizationSignUpCommand;
+    private readonly IOrganizationDeleteCommand _organizationDeleteCommand;
     private readonly OrganizationsController _sut;
 
     public OrganizationsControllerTests()
@@ -75,6 +77,7 @@ public class OrganizationsControllerTests : IDisposable
         _orgDeleteTokenDataFactory = Substitute.For<IDataProtectorTokenFactory<OrgDeleteTokenable>>();
         _removeOrganizationUserCommand = Substitute.For<IRemoveOrganizationUserCommand>();
         _cloudOrganizationSignUpCommand = Substitute.For<ICloudOrganizationSignUpCommand>();
+        _organizationDeleteCommand = Substitute.For<IOrganizationDeleteCommand>();
 
         _sut = new OrganizationsController(
             _organizationRepository,
@@ -95,7 +98,8 @@ public class OrganizationsControllerTests : IDisposable
             _providerBillingService,
             _orgDeleteTokenDataFactory,
             _removeOrganizationUserCommand,
-            _cloudOrganizationSignUpCommand);
+            _cloudOrganizationSignUpCommand,
+            _organizationDeleteCommand);
     }
 
     public void Dispose()
@@ -226,6 +230,6 @@ public class OrganizationsControllerTests : IDisposable
         await _providerBillingService.Received(1)
             .ScaleSeats(provider, organization.PlanType, -organization.Seats.Value);
 
-        await _organizationService.Received(1).DeleteAsync(organization);
+        await _organizationDeleteCommand.Received(1).DeleteAsync(organization);
     }
 }
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationDeleteCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationDeleteCommandTests.cs
new file mode 100644
index 0000000000..0a83bb89d8
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationDeleteCommandTests.cs
@@ -0,0 +1,53 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Auth.Repositories;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Test.AutoFixture.OrganizationFixtures;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Organizations;
+
+[SutProviderCustomize]
+public class OrganizationDeleteCommandTests
+{
+    [Theory, PaidOrganizationCustomize, BitAutoData]
+    public async Task Delete_Success(Organization organization, SutProvider<OrganizationDeleteCommand> sutProvider)
+    {
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        var applicationCacheService = sutProvider.GetDependency<IApplicationCacheService>();
+
+        await sutProvider.Sut.DeleteAsync(organization);
+
+        await organizationRepository.Received().DeleteAsync(organization);
+        await applicationCacheService.Received().DeleteOrganizationAbilityAsync(organization.Id);
+    }
+
+    [Theory, PaidOrganizationCustomize, BitAutoData]
+    public async Task Delete_Fails_KeyConnector(Organization organization, SutProvider<OrganizationDeleteCommand> sutProvider,
+        SsoConfig ssoConfig)
+    {
+        ssoConfig.Enabled = true;
+        ssoConfig.SetData(new SsoConfigurationData { MemberDecryptionType = MemberDecryptionType.KeyConnector });
+        var ssoConfigRepository = sutProvider.GetDependency<ISsoConfigRepository>();
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        var applicationCacheService = sutProvider.GetDependency<IApplicationCacheService>();
+
+        ssoConfigRepository.GetByOrganizationIdAsync(organization.Id).Returns(ssoConfig);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.DeleteAsync(organization));
+
+        Assert.Contains("You cannot delete an Organization that is using Key Connector.", exception.Message);
+
+        await organizationRepository.DidNotReceiveWithAnyArgs().DeleteAsync(default);
+        await applicationCacheService.DidNotReceiveWithAnyArgs().DeleteOrganizationAbilityAsync(default);
+    }
+}
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationInitiateDeleteCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationInitiateDeleteCommandTests.cs
new file mode 100644
index 0000000000..41c5b569d4
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationInitiateDeleteCommandTests.cs
@@ -0,0 +1,112 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Models.Business.Tokenables;
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Tokens;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Organizations;
+
+[SutProviderCustomize]
+public class OrganizationInitiateDeleteCommandTests
+{
+    [Theory]
+    [BitAutoData(OrganizationUserType.Admin)]
+    [BitAutoData(OrganizationUserType.Owner)]
+    public async Task InitiateDeleteAsync_ValidAdminUser_Success(OrganizationUserType organizationUserType,
+        Organization organization, User orgAdmin, OrganizationUserOrganizationDetails orgAdminUser,
+        string token, SutProvider<OrganizationInitiateDeleteCommand> sutProvider)
+    {
+        orgAdminUser.Type = organizationUserType;
+        orgAdminUser.Status = OrganizationUserStatusType.Confirmed;
+
+        sutProvider.GetDependency<IUserRepository>()
+            .GetByEmailAsync(orgAdmin.Email)
+            .Returns(orgAdmin);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetDetailsByUserAsync(orgAdmin.Id, organization.Id)
+            .Returns(orgAdminUser);
+
+        sutProvider.GetDependency<IDataProtectorTokenFactory<OrgDeleteTokenable>>()
+            .Protect(Arg.Any<OrgDeleteTokenable>())
+            .Returns(token);
+
+        await sutProvider.Sut.InitiateDeleteAsync(organization, orgAdmin.Email);
+
+        await sutProvider.GetDependency<IMailService>().Received(1)
+            .SendInitiateDeleteOrganzationEmailAsync(orgAdmin.Email, organization, token);
+    }
+
+    [Theory, BitAutoData]
+    public async Task InitiateDeleteAsync_UserNotFound_ThrowsBadRequest(
+        Organization organization, string email, SutProvider<OrganizationInitiateDeleteCommand> sutProvider)
+    {
+        sutProvider.GetDependency<IUserRepository>()
+            .GetByEmailAsync(email)
+            .Returns((User)null);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.InitiateDeleteAsync(organization, email));
+
+        Assert.Equal(OrganizationInitiateDeleteCommand.OrganizationAdminNotFoundErrorMessage, exception.Message);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.User)]
+    [BitAutoData(OrganizationUserType.Custom)]
+    public async Task InitiateDeleteAsync_UserNotOrgAdmin_ThrowsBadRequest(OrganizationUserType organizationUserType,
+        Organization organization, User user, OrganizationUserOrganizationDetails orgUser,
+        SutProvider<OrganizationInitiateDeleteCommand> sutProvider)
+    {
+        orgUser.Type = organizationUserType;
+        orgUser.Status = OrganizationUserStatusType.Confirmed;
+
+        sutProvider.GetDependency<IUserRepository>()
+            .GetByEmailAsync(user.Email)
+            .Returns(user);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetDetailsByUserAsync(user.Id, organization.Id)
+            .Returns(orgUser);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.InitiateDeleteAsync(organization, user.Email));
+
+        Assert.Equal(OrganizationInitiateDeleteCommand.OrganizationAdminNotFoundErrorMessage, exception.Message);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserStatusType.Invited)]
+    [BitAutoData(OrganizationUserStatusType.Revoked)]
+    [BitAutoData(OrganizationUserStatusType.Accepted)]
+    public async Task InitiateDeleteAsync_UserNotConfirmed_ThrowsBadRequest(
+        OrganizationUserStatusType organizationUserStatusType,
+        Organization organization, User user, OrganizationUserOrganizationDetails orgUser,
+        SutProvider<OrganizationInitiateDeleteCommand> sutProvider)
+    {
+        orgUser.Type = OrganizationUserType.Admin;
+        orgUser.Status = organizationUserStatusType;
+
+        sutProvider.GetDependency<IUserRepository>()
+            .GetByEmailAsync(user.Email)
+            .Returns(user);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetDetailsByUserAsync(user.Id, organization.Id)
+            .Returns(orgUser);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.InitiateDeleteAsync(organization, user.Email));
+
+        Assert.Equal(OrganizationInitiateDeleteCommand.OrganizationAdminNotFoundErrorMessage, exception.Message);
+    }
+}
diff --git a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
index 45cab3912c..cd680f2ef0 100644
--- a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
+++ b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
@@ -6,9 +6,7 @@ using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Entities;
-using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Business.Tokenables;
-using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
 using Bit.Core.Billing.Enums;
@@ -1427,39 +1425,6 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
         Assert.Contains("Seat limit has been reached. Contact your provider to purchase additional seats.", failureMessage);
     }
 
-    [Theory, PaidOrganizationCustomize, BitAutoData]
-    public async Task Delete_Success(Organization organization, SutProvider<OrganizationService> sutProvider)
-    {
-        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
-        var applicationCacheService = sutProvider.GetDependency<IApplicationCacheService>();
-
-        await sutProvider.Sut.DeleteAsync(organization);
-
-        await organizationRepository.Received().DeleteAsync(organization);
-        await applicationCacheService.Received().DeleteOrganizationAbilityAsync(organization.Id);
-    }
-
-    [Theory, PaidOrganizationCustomize, BitAutoData]
-    public async Task Delete_Fails_KeyConnector(Organization organization, SutProvider<OrganizationService> sutProvider,
-        SsoConfig ssoConfig)
-    {
-        ssoConfig.Enabled = true;
-        ssoConfig.SetData(new SsoConfigurationData { MemberDecryptionType = MemberDecryptionType.KeyConnector });
-        var ssoConfigRepository = sutProvider.GetDependency<ISsoConfigRepository>();
-        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
-        var applicationCacheService = sutProvider.GetDependency<IApplicationCacheService>();
-
-        ssoConfigRepository.GetByOrganizationIdAsync(organization.Id).Returns(ssoConfig);
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.DeleteAsync(organization));
-
-        Assert.Contains("You cannot delete an Organization that is using Key Connector.", exception.Message);
-
-        await organizationRepository.DidNotReceiveWithAnyArgs().DeleteAsync(default);
-        await applicationCacheService.DidNotReceiveWithAnyArgs().DeleteOrganizationAbilityAsync(default);
-    }
-
     private void RestoreRevokeUser_Setup(
         Organization organization,
         OrganizationUser? requestingOrganizationUser,

From 9e718d733655f41514f0a026e7137f67fcedcdbf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Mon, 27 Jan 2025 10:59:46 +0000
Subject: [PATCH 201/384] [PM-15637] Add Email Notification Templates and Logic
 for Device Approval Requests (#5270)

* Add device approval notification email templates

* Add DeviceApprovalRequestedViewModel for device approval notifications

* Add method to send device approval requested notification email

* Send email notification to Organization Admins when adding a new admin approval auth request

* Add tests for device approval notification email sending in AuthRequestServiceTests

* fix(email-templates): Remove unnecessary triple braces from user name variable in device approval notification emails

* Add feature flag for admin notifications on device approval requests

* Add logging for skipped admin notifications on device approval requests
---
 .../Mail/DeviceApprovalRequestedViewModel.cs  |  14 +++
 .../Implementations/AuthRequestService.cs     |  29 ++++-
 src/Core/Constants.cs                         |   1 +
 ...otifyAdminDeviceApprovalRequested.html.hbs |  23 ++++
 ...otifyAdminDeviceApprovalRequested.text.hbs |   5 +
 ...otifyAdminDeviceApprovalRequested.html.hbs |  29 +++++
 ...otifyAdminDeviceApprovalRequested.text.hbs |   7 ++
 src/Core/Services/IMailService.cs             |   1 +
 .../Implementations/HandlebarsMailService.cs  |  18 +++
 .../NoopImplementations/NoopMailService.cs    |   5 +
 .../Auth/Services/AuthRequestServiceTests.cs  | 118 ++++++++++++++++++
 11 files changed, 249 insertions(+), 1 deletion(-)
 create mode 100644 src/Core/AdminConsole/Models/Mail/DeviceApprovalRequestedViewModel.cs
 create mode 100644 src/Core/MailTemplates/Handlebars/AdminConsole/NotifyAdminDeviceApprovalRequested.html.hbs
 create mode 100644 src/Core/MailTemplates/Handlebars/AdminConsole/NotifyAdminDeviceApprovalRequested.text.hbs
 create mode 100644 src/Core/MailTemplates/Handlebars/AdminConsole/SelfHostNotifyAdminDeviceApprovalRequested.html.hbs
 create mode 100644 src/Core/MailTemplates/Handlebars/AdminConsole/SelfHostNotifyAdminDeviceApprovalRequested.text.hbs

diff --git a/src/Core/AdminConsole/Models/Mail/DeviceApprovalRequestedViewModel.cs b/src/Core/AdminConsole/Models/Mail/DeviceApprovalRequestedViewModel.cs
new file mode 100644
index 0000000000..7f6c932619
--- /dev/null
+++ b/src/Core/AdminConsole/Models/Mail/DeviceApprovalRequestedViewModel.cs
@@ -0,0 +1,14 @@
+using Bit.Core.Models.Mail;
+
+namespace Bit.Core.AdminConsole.Models.Mail;
+
+public class DeviceApprovalRequestedViewModel : BaseMailModel
+{
+    public Guid OrganizationId { get; set; }
+    public string UserNameRequestingAccess { get; set; }
+
+    public string Url => string.Format("{0}/organizations/{1}/settings/device-approvals",
+        WebVaultUrl,
+        OrganizationId);
+}
+
diff --git a/src/Core/Auth/Services/Implementations/AuthRequestService.cs b/src/Core/Auth/Services/Implementations/AuthRequestService.cs
index f83c5de1f6..5e41e3a679 100644
--- a/src/Core/Auth/Services/Implementations/AuthRequestService.cs
+++ b/src/Core/Auth/Services/Implementations/AuthRequestService.cs
@@ -12,6 +12,7 @@ using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
+using Microsoft.Extensions.Logging;
 
 #nullable enable
 
@@ -27,6 +28,9 @@ public class AuthRequestService : IAuthRequestService
     private readonly IPushNotificationService _pushNotificationService;
     private readonly IEventService _eventService;
     private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IMailService _mailService;
+    private readonly IFeatureService _featureService;
+    private readonly ILogger<AuthRequestService> _logger;
 
     public AuthRequestService(
         IAuthRequestRepository authRequestRepository,
@@ -36,7 +40,10 @@ public class AuthRequestService : IAuthRequestService
         ICurrentContext currentContext,
         IPushNotificationService pushNotificationService,
         IEventService eventService,
-        IOrganizationUserRepository organizationRepository)
+        IOrganizationUserRepository organizationRepository,
+        IMailService mailService,
+        IFeatureService featureService,
+        ILogger<AuthRequestService> logger)
     {
         _authRequestRepository = authRequestRepository;
         _userRepository = userRepository;
@@ -46,6 +53,9 @@ public class AuthRequestService : IAuthRequestService
         _pushNotificationService = pushNotificationService;
         _eventService = eventService;
         _organizationUserRepository = organizationRepository;
+        _mailService = mailService;
+        _featureService = featureService;
+        _logger = logger;
     }
 
     public async Task<AuthRequest?> GetAuthRequestAsync(Guid id, Guid userId)
@@ -132,6 +142,8 @@ public class AuthRequestService : IAuthRequestService
             {
                 var createdAuthRequest = await CreateAuthRequestAsync(model, user, organizationUser.OrganizationId);
                 firstAuthRequest ??= createdAuthRequest;
+
+                await NotifyAdminsOfDeviceApprovalRequestAsync(organizationUser, user);
             }
 
             // I know this won't be null because I have already validated that at least one organization exists
@@ -276,4 +288,19 @@ public class AuthRequestService : IAuthRequestService
     {
         return DateTime.UtcNow > savedDate.Add(allowedLifetime);
     }
+
+    private async Task NotifyAdminsOfDeviceApprovalRequestAsync(OrganizationUser organizationUser, User user)
+    {
+        if (!_featureService.IsEnabled(FeatureFlagKeys.DeviceApprovalRequestAdminNotifications))
+        {
+            _logger.LogWarning("Skipped sending device approval notification to admins - feature flag disabled");
+            return;
+        }
+
+        var admins = await _organizationUserRepository.GetManyByMinimumRoleAsync(
+            organizationUser.OrganizationId,
+            OrganizationUserType.Admin);
+        var adminEmails = admins.Select(a => a.Email).Distinct().ToList();
+        await _mailService.SendDeviceApprovalRequestedNotificationEmailAsync(adminEmails, organizationUser.OrganizationId, user.Email, user.Name);
+    }
 }
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index dea65b929e..b4ddd73409 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -106,6 +106,7 @@ public static class FeatureFlagKeys
     public const string AccountDeprovisioning = "pm-10308-account-deprovisioning";
     public const string VerifiedSsoDomainEndpoint = "pm-12337-refactor-sso-details-endpoint";
     public const string IntegrationPage = "pm-14505-admin-console-integration-page";
+    public const string DeviceApprovalRequestAdminNotifications = "pm-15637-device-approval-request-admin-notifications";
 
     public const string ReturnErrorOnExistingKeypair = "return-error-on-existing-keypair";
     public const string UseTreeWalkerApiForPageDetailsCollection = "use-tree-walker-api-for-page-details-collection";
diff --git a/src/Core/MailTemplates/Handlebars/AdminConsole/NotifyAdminDeviceApprovalRequested.html.hbs b/src/Core/MailTemplates/Handlebars/AdminConsole/NotifyAdminDeviceApprovalRequested.html.hbs
new file mode 100644
index 0000000000..a54773a15e
--- /dev/null
+++ b/src/Core/MailTemplates/Handlebars/AdminConsole/NotifyAdminDeviceApprovalRequested.html.hbs
@@ -0,0 +1,23 @@
+{{#>FullHtmlLayout}}
+<table width="100%" cellpadding="0" cellspacing="0"
+    style="margin: 0; box-sizing: border-box; ">
+    <tr
+        style="margin: 0; box-sizing: border-box; ">
+        <td class="content-block last"
+            style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;"
+            valign="top">
+            {{UserNameRequestingAccess}} has sent a device approval request. Review login requests to allow the member to finish logging in.
+            <br class="line-break" />
+            <br class="line-break" />
+        </td>
+    </tr>
+    <tr style="margin: 0; box-sizing: border-box; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+        <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+            <a href="{{Url}}" clicktracking=off target="_blank" rel="noopener noreferrer" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #175DDC; border-color: #175DDC; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                Review request
+            </a>
+            <br class="line-break" />
+        </td>
+    </tr>
+</table>
+{{/FullHtmlLayout}}
diff --git a/src/Core/MailTemplates/Handlebars/AdminConsole/NotifyAdminDeviceApprovalRequested.text.hbs b/src/Core/MailTemplates/Handlebars/AdminConsole/NotifyAdminDeviceApprovalRequested.text.hbs
new file mode 100644
index 0000000000..e396546646
--- /dev/null
+++ b/src/Core/MailTemplates/Handlebars/AdminConsole/NotifyAdminDeviceApprovalRequested.text.hbs
@@ -0,0 +1,5 @@
+{{#>BasicTextLayout}}
+{{UserNameRequestingAccess}} has sent a device approval request. Review login requests to allow the member to finish logging in.
+
+{{Url}}
+{{/BasicTextLayout}}
diff --git a/src/Core/MailTemplates/Handlebars/AdminConsole/SelfHostNotifyAdminDeviceApprovalRequested.html.hbs b/src/Core/MailTemplates/Handlebars/AdminConsole/SelfHostNotifyAdminDeviceApprovalRequested.html.hbs
new file mode 100644
index 0000000000..ee7fcf8cad
--- /dev/null
+++ b/src/Core/MailTemplates/Handlebars/AdminConsole/SelfHostNotifyAdminDeviceApprovalRequested.html.hbs
@@ -0,0 +1,29 @@
+{{#>FullHtmlLayout}}
+<table width="100%" cellpadding="0" cellspacing="0"
+    style="margin: 0; box-sizing: border-box; ">
+    <tr style="margin: 0; box-sizing: border-box; ">
+        <td class="content-block last"
+            style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;"
+            valign="top">
+            {{UserNameRequestingAccess}} has sent a device approval request. Review login requests to allow the member to finish logging in.
+        </td>
+    </tr>
+    <tr style="margin: 0; box-sizing: border-box; ">
+        <td class="content-block last"
+            style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;"
+            valign="top">
+            To review requests, log in to your self-hosted instance → navigate to the Admin Console → select Device Approvals
+            <br class="line-break" />
+            <br class="line-break" />
+        </td>
+    </tr>
+    <tr style="margin: 0; box-sizing: border-box; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+        <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+            <a href="{{Url}}" clicktracking=off target="_blank" rel="noopener noreferrer" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #175DDC; border-color: #175DDC; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                Review request
+            </a>
+            <br class="line-break" />
+        </td>
+    </tr>
+</table>
+{{/FullHtmlLayout}}
diff --git a/src/Core/MailTemplates/Handlebars/AdminConsole/SelfHostNotifyAdminDeviceApprovalRequested.text.hbs b/src/Core/MailTemplates/Handlebars/AdminConsole/SelfHostNotifyAdminDeviceApprovalRequested.text.hbs
new file mode 100644
index 0000000000..e5b412cc87
--- /dev/null
+++ b/src/Core/MailTemplates/Handlebars/AdminConsole/SelfHostNotifyAdminDeviceApprovalRequested.text.hbs
@@ -0,0 +1,7 @@
+{{#>BasicTextLayout}}
+{{UserNameRequestingAccess}} has sent a device approval request. Review login requests to allow the member to finish logging in.
+
+To review requests, log in to your self-hosted instance -> navigate to the Admin Console -> select Device Approvals.
+
+{{Url}}
+{{/BasicTextLayout}}
diff --git a/src/Core/Services/IMailService.cs b/src/Core/Services/IMailService.cs
index 09bae38a03..77914c0188 100644
--- a/src/Core/Services/IMailService.cs
+++ b/src/Core/Services/IMailService.cs
@@ -96,5 +96,6 @@ public interface IMailService
     Task SendFamiliesForEnterpriseRemoveSponsorshipsEmailAsync(string email, string offerAcceptanceDate, string organizationId,
         string organizationName);
     Task SendClaimedDomainUserEmailAsync(ManagedUserDomainClaimedEmails emailList);
+    Task SendDeviceApprovalRequestedNotificationEmailAsync(IEnumerable<string> adminEmails, Guid organizationId, string email, string userName);
 }
 
diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs
index c4ca48d3a3..630c5b0bf0 100644
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@@ -2,6 +2,7 @@
 using System.Reflection;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
+using Bit.Core.AdminConsole.Models.Mail;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Models.Mail;
 using Bit.Core.Billing.Enums;
@@ -1168,6 +1169,23 @@ public class HandlebarsMailService : IMailService
         await _mailDeliveryService.SendEmailAsync(message);
     }
 
+    public async Task SendDeviceApprovalRequestedNotificationEmailAsync(IEnumerable<string> adminEmails, Guid organizationId, string email, string userName)
+    {
+        var templateName = _globalSettings.SelfHosted ?
+            "AdminConsole.SelfHostNotifyAdminDeviceApprovalRequested" :
+            "AdminConsole.NotifyAdminDeviceApprovalRequested";
+        var message = CreateDefaultMessage("Review SSO login request for new device", adminEmails);
+        var model = new DeviceApprovalRequestedViewModel
+        {
+            WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
+            UserNameRequestingAccess = GetUserIdentifier(email, userName),
+            OrganizationId = organizationId,
+        };
+        await AddMessageContentAsync(message, templateName, model);
+        message.Category = "DeviceApprovalRequested";
+        await _mailDeliveryService.SendEmailAsync(message);
+    }
+
     private static string GetUserIdentifier(string email, string userName)
     {
         return string.IsNullOrEmpty(userName) ? email : CoreHelpers.SanitizeForEmail(userName, false);
diff --git a/src/Core/Services/NoopImplementations/NoopMailService.cs b/src/Core/Services/NoopImplementations/NoopMailService.cs
index 0e07436fd1..13914ddd86 100644
--- a/src/Core/Services/NoopImplementations/NoopMailService.cs
+++ b/src/Core/Services/NoopImplementations/NoopMailService.cs
@@ -316,5 +316,10 @@ public class NoopMailService : IMailService
         return Task.FromResult(0);
     }
     public Task SendClaimedDomainUserEmailAsync(ManagedUserDomainClaimedEmails emailList) => Task.CompletedTask;
+
+    public Task SendDeviceApprovalRequestedNotificationEmailAsync(IEnumerable<string> adminEmails, Guid organizationId, string email, string userName)
+    {
+        return Task.FromResult(0);
+    }
 }
 
diff --git a/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs b/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
index 4e42125dce..3894ac90a8 100644
--- a/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
+++ b/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
@@ -7,6 +7,7 @@ using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -227,6 +228,14 @@ public class AuthRequestServiceTests
         await sutProvider.GetDependency<IAuthRequestRepository>()
             .Received()
             .CreateAsync(createdAuthRequest);
+
+        await sutProvider.GetDependency<IMailService>()
+            .DidNotReceiveWithAnyArgs()
+            .SendDeviceApprovalRequestedNotificationEmailAsync(
+                Arg.Any<IEnumerable<string>>(),
+                Arg.Any<Guid>(),
+                Arg.Any<string>(),
+                Arg.Any<string>());
     }
 
     /// <summary>
@@ -321,6 +330,115 @@ public class AuthRequestServiceTests
         await sutProvider.GetDependency<IEventService>()
             .Received(1)
             .LogUserEventAsync(user.Id, EventType.User_RequestedDeviceApproval);
+
+        await sutProvider.GetDependency<IMailService>()
+            .DidNotReceiveWithAnyArgs()
+            .SendDeviceApprovalRequestedNotificationEmailAsync(
+                Arg.Any<IEnumerable<string>>(),
+                Arg.Any<Guid>(),
+                Arg.Any<string>(),
+                Arg.Any<string>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task CreateAuthRequestAsync_AdminApproval_WithAdminNotifications_CreatesForEachOrganization_SendsEmails(
+        SutProvider<AuthRequestService> sutProvider,
+        AuthRequestCreateRequestModel createModel,
+        User user,
+        OrganizationUser organizationUser1,
+        OrganizationUserUserDetails admin1,
+        OrganizationUser organizationUser2,
+        OrganizationUserUserDetails admin2,
+        OrganizationUserUserDetails admin3)
+    {
+        createModel.Type = AuthRequestType.AdminApproval;
+        user.Email = createModel.Email;
+        organizationUser1.UserId = user.Id;
+        organizationUser2.UserId = user.Id;
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.DeviceApprovalRequestAdminNotifications)
+            .Returns(true);
+
+        sutProvider.GetDependency<IUserRepository>()
+            .GetByEmailAsync(user.Email)
+            .Returns(user);
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .DeviceType
+            .Returns(DeviceType.ChromeExtension);
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .UserId
+            .Returns(user.Id);
+
+        sutProvider.GetDependency<IGlobalSettings>()
+            .PasswordlessAuth.KnownDevicesOnly
+            .Returns(false);
+
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(user.Id)
+            .Returns(new List<OrganizationUser>
+            {
+                organizationUser1,
+                organizationUser2,
+            });
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByMinimumRoleAsync(organizationUser1.OrganizationId, OrganizationUserType.Admin)
+            .Returns(
+            [
+                admin1,
+            ]);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByMinimumRoleAsync(organizationUser2.OrganizationId, OrganizationUserType.Admin)
+            .Returns(
+            [
+                admin2,
+                admin3,
+            ]);
+
+        sutProvider.GetDependency<IAuthRequestRepository>()
+            .CreateAsync(Arg.Any<AuthRequest>())
+            .Returns(c => c.ArgAt<AuthRequest>(0));
+
+        var authRequest = await sutProvider.Sut.CreateAuthRequestAsync(createModel);
+
+        Assert.Equal(organizationUser1.OrganizationId, authRequest.OrganizationId);
+
+        await sutProvider.GetDependency<IAuthRequestRepository>()
+            .Received(1)
+            .CreateAsync(Arg.Is<AuthRequest>(o => o.OrganizationId == organizationUser1.OrganizationId));
+
+        await sutProvider.GetDependency<IAuthRequestRepository>()
+            .Received(1)
+            .CreateAsync(Arg.Is<AuthRequest>(o => o.OrganizationId == organizationUser2.OrganizationId));
+
+        await sutProvider.GetDependency<IAuthRequestRepository>()
+            .Received(2)
+            .CreateAsync(Arg.Any<AuthRequest>());
+
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogUserEventAsync(user.Id, EventType.User_RequestedDeviceApproval);
+
+        await sutProvider.GetDependency<IMailService>()
+            .Received(1)
+            .SendDeviceApprovalRequestedNotificationEmailAsync(
+                Arg.Is<IEnumerable<string>>(emails => emails.Count() == 1 && emails.Contains(admin1.Email)),
+                organizationUser1.OrganizationId,
+                user.Email,
+                user.Name);
+
+        await sutProvider.GetDependency<IMailService>()
+            .Received(1)
+            .SendDeviceApprovalRequestedNotificationEmailAsync(
+                Arg.Is<IEnumerable<string>>(emails => emails.Count() == 2 && emails.Contains(admin2.Email) && emails.Contains(admin3.Email)),
+                organizationUser2.OrganizationId,
+                user.Email,
+                user.Name);
     }
 
     /// <summary>

From c03abafa71e192cc0e443616adcc5bebc4a368eb Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 27 Jan 2025 09:08:15 -0500
Subject: [PATCH 202/384] [deps] Billing: Update CsvHelper to v33 (#5181)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 bitwarden_license/src/Commercial.Core/Commercial.Core.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bitwarden_license/src/Commercial.Core/Commercial.Core.csproj b/bitwarden_license/src/Commercial.Core/Commercial.Core.csproj
index 0b97232931..57babb4043 100644
--- a/bitwarden_license/src/Commercial.Core/Commercial.Core.csproj
+++ b/bitwarden_license/src/Commercial.Core/Commercial.Core.csproj
@@ -5,7 +5,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="CsvHelper" Version="32.0.3" />
+    <PackageReference Include="CsvHelper" Version="33.0.1" />
   </ItemGroup>
 
 </Project>

From 5310f63514979cd6f4bc607b7cd2e6857ede7da3 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 27 Jan 2025 09:17:18 -0500
Subject: [PATCH 203/384] [deps] Billing: Update coverlet.collector to 6.0.4
 (#5219)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
---
 .../Infrastructure.Dapper.Test.csproj                           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/Infrastructure.Dapper.Test/Infrastructure.Dapper.Test.csproj b/test/Infrastructure.Dapper.Test/Infrastructure.Dapper.Test.csproj
index 82a92989d1..65041c3023 100644
--- a/test/Infrastructure.Dapper.Test/Infrastructure.Dapper.Test.csproj
+++ b/test/Infrastructure.Dapper.Test/Infrastructure.Dapper.Test.csproj
@@ -16,7 +16,7 @@
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
-    <PackageReference Include="coverlet.collector" Version="6.0.2">
+    <PackageReference Include="coverlet.collector" Version="6.0.4">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>

From 5562ca9d5e2b43e428b47365918d1cb6145baee7 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Mon, 27 Jan 2025 15:28:47 +0100
Subject: [PATCH 204/384] WIP (#5210)

---
 .../Implementations/UpcomingInvoiceHandler.cs |  8 +--
 .../OrganizationBillingService.cs             |  2 +-
 .../PremiumUserBillingService.cs              |  2 +-
 .../Implementations/SubscriberService.cs      | 20 ++----
 .../Implementations/StripePaymentService.cs   | 70 ++++++-------------
 5 files changed, 30 insertions(+), 72 deletions(-)

diff --git a/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs b/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs
index bd496c6974..c52c03b6aa 100644
--- a/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs
+++ b/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs
@@ -1,7 +1,6 @@
 using Bit.Billing.Constants;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Repositories;
-using Bit.Core.Billing.Constants;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -161,18 +160,13 @@ public class UpcomingInvoiceHandler : IUpcomingInvoiceHandler
 
     private async Task<Subscription> TryEnableAutomaticTaxAsync(Subscription subscription)
     {
-        var customerGetOptions = new CustomerGetOptions { Expand = ["tax"] };
-        var customer = await _stripeFacade.GetCustomer(subscription.CustomerId, customerGetOptions);
-
-        if (subscription.AutomaticTax.Enabled ||
-            customer.Tax?.AutomaticTax != StripeConstants.AutomaticTaxStatus.Supported)
+        if (subscription.AutomaticTax.Enabled)
         {
             return subscription;
         }
 
         var subscriptionUpdateOptions = new SubscriptionUpdateOptions
         {
-            DefaultTaxRates = [],
             AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
         };
 
diff --git a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
index ec9770c59e..201de22525 100644
--- a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
@@ -360,7 +360,7 @@ public class OrganizationBillingService(
         {
             AutomaticTax = new SubscriptionAutomaticTaxOptions
             {
-                Enabled = customer.Tax?.AutomaticTax == StripeConstants.AutomaticTaxStatus.Supported
+                Enabled = true
             },
             CollectionMethod = StripeConstants.CollectionMethod.ChargeAutomatically,
             Customer = customer.Id,
diff --git a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
index 306ee88eaf..0672a8d5e7 100644
--- a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
@@ -235,7 +235,7 @@ public class PremiumUserBillingService(
         {
             AutomaticTax = new SubscriptionAutomaticTaxOptions
             {
-                Enabled = customer.Tax?.AutomaticTax == StripeConstants.AutomaticTaxStatus.Supported,
+                Enabled = true
             },
             CollectionMethod = StripeConstants.CollectionMethod.ChargeAutomatically,
             Customer = customer.Id,
diff --git a/src/Core/Billing/Services/Implementations/SubscriberService.cs b/src/Core/Billing/Services/Implementations/SubscriberService.cs
index b2dca19e80..f4cf22ac19 100644
--- a/src/Core/Billing/Services/Implementations/SubscriberService.cs
+++ b/src/Core/Billing/Services/Implementations/SubscriberService.cs
@@ -661,21 +661,11 @@ public class SubscriberService(
             }
         }
 
-        if (SubscriberIsEligibleForAutomaticTax(subscriber, customer))
-        {
-            await stripeAdapter.SubscriptionUpdateAsync(subscriber.GatewaySubscriptionId,
-                new SubscriptionUpdateOptions
-                {
-                    AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
-                });
-        }
-
-        return;
-
-        bool SubscriberIsEligibleForAutomaticTax(ISubscriber localSubscriber, Customer localCustomer)
-            => !string.IsNullOrEmpty(localSubscriber.GatewaySubscriptionId) &&
-               (localCustomer.Subscriptions?.Any(sub => sub.Id == localSubscriber.GatewaySubscriptionId && !sub.AutomaticTax.Enabled) ?? false) &&
-               localCustomer.Tax?.AutomaticTax == StripeConstants.AutomaticTaxStatus.Supported;
+        await stripeAdapter.SubscriptionUpdateAsync(subscriber.GatewaySubscriptionId,
+            new SubscriptionUpdateOptions
+            {
+                AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true },
+            });
     }
 
     public async Task VerifyBankAccount(
diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
index 3f9c5c53c6..fb5c7364a5 100644
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -177,11 +177,7 @@ public class StripePaymentService : IPaymentService
             customer = await _stripeAdapter.CustomerCreateAsync(customerCreateOptions);
             subCreateOptions.AddExpand("latest_invoice.payment_intent");
             subCreateOptions.Customer = customer.Id;
-
-            if (CustomerHasTaxLocationVerified(customer))
-            {
-                subCreateOptions.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true };
-            }
+            subCreateOptions.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true };
 
             subscription = await _stripeAdapter.SubscriptionCreateAsync(subCreateOptions);
             if (subscription.Status == "incomplete" && subscription.LatestInvoice?.PaymentIntent != null)
@@ -362,13 +358,10 @@ public class StripePaymentService : IPaymentService
             customer = await _stripeAdapter.CustomerUpdateAsync(org.GatewayCustomerId, customerUpdateOptions);
         }
 
-        var subCreateOptions = new OrganizationUpgradeSubscriptionOptions(customer.Id, org, plan, upgrade);
-
-        if (CustomerHasTaxLocationVerified(customer))
+        var subCreateOptions = new OrganizationUpgradeSubscriptionOptions(customer.Id, org, plan, upgrade)
         {
-            subCreateOptions.DefaultTaxRates = [];
-            subCreateOptions.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true };
-        }
+            AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
+        };
 
         var (stripePaymentMethod, paymentMethodType) = IdentifyPaymentMethod(customer, subCreateOptions);
 
@@ -527,6 +520,10 @@ public class StripePaymentService : IPaymentService
 
             var customerCreateOptions = new CustomerCreateOptions
             {
+                Tax = new CustomerTaxOptions
+                {
+                    ValidateLocation = StripeConstants.ValidateTaxLocationTiming.Immediately
+                },
                 Description = user.Name,
                 Email = user.Email,
                 Metadata = stripeCustomerMetadata,
@@ -564,6 +561,7 @@ public class StripePaymentService : IPaymentService
 
         var subCreateOptions = new SubscriptionCreateOptions
         {
+            AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true },
             Customer = customer.Id,
             Items = [],
             Metadata = new Dictionary<string, string>
@@ -583,16 +581,10 @@ public class StripePaymentService : IPaymentService
             subCreateOptions.Items.Add(new SubscriptionItemOptions
             {
                 Plan = StoragePlanId,
-                Quantity = additionalStorageGb
+                Quantity = additionalStorageGb,
             });
         }
 
-        if (CustomerHasTaxLocationVerified(customer))
-        {
-            subCreateOptions.DefaultTaxRates = [];
-            subCreateOptions.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true };
-        }
-
         var subscription = await ChargeForNewSubscriptionAsync(user, customer, createdStripeCustomer,
             stripePaymentMethod, paymentMethodType, subCreateOptions, braintreeCustomer);
 
@@ -630,10 +622,7 @@ public class StripePaymentService : IPaymentService
                     SubscriptionItems = ToInvoiceSubscriptionItemOptions(subCreateOptions.Items)
                 });
 
-                if (CustomerHasTaxLocationVerified(customer))
-                {
-                    previewInvoice.AutomaticTax = new InvoiceAutomaticTax { Enabled = true };
-                }
+                previewInvoice.AutomaticTax = new InvoiceAutomaticTax { Enabled = true };
 
                 if (previewInvoice.AmountDue > 0)
                 {
@@ -691,14 +680,12 @@ public class StripePaymentService : IPaymentService
                     Customer = customer.Id,
                     SubscriptionItems = ToInvoiceSubscriptionItemOptions(subCreateOptions.Items),
                     SubscriptionDefaultTaxRates = subCreateOptions.DefaultTaxRates,
+                    AutomaticTax = new InvoiceAutomaticTaxOptions
+                    {
+                        Enabled = true
+                    }
                 };
 
-                if (CustomerHasTaxLocationVerified(customer))
-                {
-                    upcomingInvoiceOptions.AutomaticTax = new InvoiceAutomaticTaxOptions { Enabled = true };
-                    upcomingInvoiceOptions.SubscriptionDefaultTaxRates = [];
-                }
-
                 var previewInvoice = await _stripeAdapter.InvoiceUpcomingAsync(upcomingInvoiceOptions);
 
                 if (previewInvoice.AmountDue > 0)
@@ -817,7 +804,11 @@ public class StripePaymentService : IPaymentService
             Items = updatedItemOptions,
             ProrationBehavior = invoiceNow ? Constants.AlwaysInvoice : Constants.CreateProrations,
             DaysUntilDue = daysUntilDue ?? 1,
-            CollectionMethod = "send_invoice"
+            CollectionMethod = "send_invoice",
+            AutomaticTax = new SubscriptionAutomaticTaxOptions
+            {
+                Enabled = true
+            }
         };
         if (!invoiceNow && isAnnualPlan && sub.Status.Trim() != "trialing")
         {
@@ -825,13 +816,6 @@ public class StripePaymentService : IPaymentService
                 new SubscriptionPendingInvoiceItemIntervalOptions { Interval = "month" };
         }
 
-        if (sub.AutomaticTax.Enabled != true &&
-            CustomerHasTaxLocationVerified(sub.Customer))
-        {
-            subUpdateOptions.DefaultTaxRates = [];
-            subUpdateOptions.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true };
-        }
-
         if (!subscriptionUpdate.UpdateNeeded(sub))
         {
             // No need to update subscription, quantity matches
@@ -1516,13 +1500,11 @@ public class StripePaymentService : IPaymentService
             if (!string.IsNullOrEmpty(subscriber.GatewaySubscriptionId) &&
                 customer.Subscriptions.Any(sub =>
                     sub.Id == subscriber.GatewaySubscriptionId &&
-                    !sub.AutomaticTax.Enabled) &&
-                CustomerHasTaxLocationVerified(customer))
+                    !sub.AutomaticTax.Enabled))
             {
                 var subscriptionUpdateOptions = new SubscriptionUpdateOptions
                 {
-                    AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true },
-                    DefaultTaxRates = []
+                    AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
                 };
 
                 _ = await _stripeAdapter.SubscriptionUpdateAsync(
@@ -2280,14 +2262,6 @@ public class StripePaymentService : IPaymentService
         }
     }
 
-    /// <summary>
-    /// Determines if a Stripe customer supports automatic tax
-    /// </summary>
-    /// <param name="customer"></param>
-    /// <returns></returns>
-    private static bool CustomerHasTaxLocationVerified(Customer customer) =>
-        customer?.Tax?.AutomaticTax == StripeConstants.AutomaticTaxStatus.Supported;
-
     // We are taking only first 30 characters of the SubscriberName because stripe provide
     // for 30 characters  for custom_fields,see the link: https://stripe.com/docs/api/invoices/create
     private static string GetFirstThirtyCharacters(string subscriberName)

From 411291b782966fe17f4e53cd9350d137dac5d7ae Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Mon, 27 Jan 2025 15:48:47 +0000
Subject: [PATCH 205/384] Bumped version to 2025.1.5

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 9c54e35e6e..d109303a58 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.1.4</Version>
+    <Version>2025.1.5</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

From ec1cf31d9102e5e2366ade65954587dfd2cf2fec Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Mon, 27 Jan 2025 17:20:40 +0100
Subject: [PATCH 206/384] [PM-17425] Cannot open Stripe links for individual
 premium accounts (#5314)

---
 src/Admin/Views/Users/Edit.cshtml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/src/Admin/Views/Users/Edit.cshtml b/src/Admin/Views/Users/Edit.cshtml
index 04e95c1400..8169b72b3c 100644
--- a/src/Admin/Views/Users/Edit.cshtml
+++ b/src/Admin/Views/Users/Edit.cshtml
@@ -37,11 +37,7 @@
                 // Premium
                 document.getElementById('@(nameof(Model.MaxStorageGb))').value = '1';
                 document.getElementById('@(nameof(Model.Premium))').checked = true;
-    using Stripe.Entitlements;
                 // Licensing
-    using Bit.Core;
-    using Stripe.Entitlements;
-                using Microsoft.Identity.Client.Extensibility;
                 document.getElementById('@(nameof(Model.LicenseKey))').value = '@Model.RandomLicenseKey';
                 document.getElementById('@(nameof(Model.PremiumExpirationDate))').value =
                     '@Model.OneYearExpirationDate';

From a51c7a1a8bee339eea8a8c6c6c420ea5f643e708 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Mon, 27 Jan 2025 19:22:55 +0100
Subject: [PATCH 207/384] [BEEEP] Remove unused code (#5320)

---
 .../Controllers/FreshdeskController.cs        |  3 --
 src/Billing/Controllers/LoginController.cs    | 53 -------------------
 2 files changed, 56 deletions(-)
 delete mode 100644 src/Billing/Controllers/LoginController.cs

diff --git a/src/Billing/Controllers/FreshdeskController.cs b/src/Billing/Controllers/FreshdeskController.cs
index 1b6ddea429..7aeb60a67f 100644
--- a/src/Billing/Controllers/FreshdeskController.cs
+++ b/src/Billing/Controllers/FreshdeskController.cs
@@ -17,7 +17,6 @@ public class FreshdeskController : Controller
     private readonly BillingSettings _billingSettings;
     private readonly IUserRepository _userRepository;
     private readonly IOrganizationRepository _organizationRepository;
-    private readonly IOrganizationUserRepository _organizationUserRepository;
     private readonly ILogger<FreshdeskController> _logger;
     private readonly GlobalSettings _globalSettings;
     private readonly IHttpClientFactory _httpClientFactory;
@@ -25,7 +24,6 @@ public class FreshdeskController : Controller
     public FreshdeskController(
         IUserRepository userRepository,
         IOrganizationRepository organizationRepository,
-        IOrganizationUserRepository organizationUserRepository,
         IOptions<BillingSettings> billingSettings,
         ILogger<FreshdeskController> logger,
         GlobalSettings globalSettings,
@@ -34,7 +32,6 @@ public class FreshdeskController : Controller
         _billingSettings = billingSettings?.Value;
         _userRepository = userRepository;
         _organizationRepository = organizationRepository;
-        _organizationUserRepository = organizationUserRepository;
         _logger = logger;
         _globalSettings = globalSettings;
         _httpClientFactory = httpClientFactory;
diff --git a/src/Billing/Controllers/LoginController.cs b/src/Billing/Controllers/LoginController.cs
deleted file mode 100644
index c2df41b92c..0000000000
--- a/src/Billing/Controllers/LoginController.cs
+++ /dev/null
@@ -1,53 +0,0 @@
-using Microsoft.AspNetCore.Mvc;
-
-namespace Billing.Controllers;
-
-public class LoginController : Controller
-{
-    /*
-    private readonly PasswordlessSignInManager<IdentityUser> _signInManager;
-
-    public LoginController(
-        PasswordlessSignInManager<IdentityUser> signInManager)
-    {
-        _signInManager = signInManager;
-    }
-
-    public IActionResult Index()
-    {
-        return View();
-    }
-
-    [HttpPost]
-    [ValidateAntiForgeryToken]
-    public async Task<IActionResult> Index(LoginModel model)
-    {
-        if (ModelState.IsValid)
-        {
-            var result = await _signInManager.PasswordlessSignInAsync(model.Email,
-                Url.Action("Confirm", "Login", null, Request.Scheme));
-            if (result.Succeeded)
-            {
-                return RedirectToAction("Index", "Home");
-            }
-            else
-            {
-                ModelState.AddModelError(string.Empty, "Account not found.");
-            }
-        }
-
-        return View(model);
-    }
-
-    public async Task<IActionResult> Confirm(string email, string token)
-    {
-        var result = await _signInManager.PasswordlessSignInAsync(email, token, false);
-        if (!result.Succeeded)
-        {
-            return View("Error");
-        }
-
-        return RedirectToAction("Index", "Home");
-    }
-    */
-}

From a9a12301afaa4eaad39b90bbdc35574746480d68 Mon Sep 17 00:00:00 2001
From: Brandon Treston <btreston@bitwarden.com>
Date: Mon, 27 Jan 2025 17:01:28 -0500
Subject: [PATCH 208/384] [PM-17120] add feature flag (#5329)

* add feature flag

* cleanup

* cleanup
---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index b4ddd73409..848a8805b7 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -166,6 +166,7 @@ public static class FeatureFlagKeys
     public const string RecordInstallationLastActivityDate = "installation-last-activity-date";
     public const string EnablePasswordManagerSyncAndroid = "enable-password-manager-sync-android";
     public const string EnablePasswordManagerSynciOS = "enable-password-manager-sync-ios";
+    public const string AccountDeprovisioningBanner = "pm-17120-account-deprovisioning-admin-console-banner";
 
     public static List<string> GetAllKeys()
     {

From 4e1e514e836e63057a2e20221d55fe483359f36b Mon Sep 17 00:00:00 2001
From: Nick Krantz <125900171+nick-livefront@users.noreply.github.com>
Date: Tue, 28 Jan 2025 09:49:51 -0600
Subject: [PATCH 209/384] [PM-11249] Update cipher revision date when an
 attachment is added or deleted (#4873)

* update the cipher revision date when an attachment is added or deleted

* store the updated cipher in the DB when an attachment is altered

* return cipher from delete attachment endpoint
---
 .../Vault/Controllers/CiphersController.cs    |  4 ++--
 .../Data/DeleteAttachmentReponseData.cs       | 13 +++++++++++
 src/Core/Vault/Services/ICipherService.cs     |  2 +-
 .../Services/Implementations/CipherService.cs | 23 +++++++++++++++----
 4 files changed, 35 insertions(+), 7 deletions(-)
 create mode 100644 src/Core/Vault/Models/Data/DeleteAttachmentReponseData.cs

diff --git a/src/Api/Vault/Controllers/CiphersController.cs b/src/Api/Vault/Controllers/CiphersController.cs
index 59984683e5..c8ebb8c402 100644
--- a/src/Api/Vault/Controllers/CiphersController.cs
+++ b/src/Api/Vault/Controllers/CiphersController.cs
@@ -1097,7 +1097,7 @@ public class CiphersController : Controller
 
     [HttpDelete("{id}/attachment/{attachmentId}")]
     [HttpPost("{id}/attachment/{attachmentId}/delete")]
-    public async Task DeleteAttachment(Guid id, string attachmentId)
+    public async Task<DeleteAttachmentResponseData> DeleteAttachment(Guid id, string attachmentId)
     {
         var userId = _userService.GetProperUserId(User).Value;
         var cipher = await GetByIdAsync(id, userId);
@@ -1106,7 +1106,7 @@ public class CiphersController : Controller
             throw new NotFoundException();
         }
 
-        await _cipherService.DeleteAttachmentAsync(cipher, attachmentId, userId, false);
+        return await _cipherService.DeleteAttachmentAsync(cipher, attachmentId, userId, false);
     }
 
     [HttpDelete("{id}/attachment/{attachmentId}/admin")]
diff --git a/src/Core/Vault/Models/Data/DeleteAttachmentReponseData.cs b/src/Core/Vault/Models/Data/DeleteAttachmentReponseData.cs
new file mode 100644
index 0000000000..0a5e755572
--- /dev/null
+++ b/src/Core/Vault/Models/Data/DeleteAttachmentReponseData.cs
@@ -0,0 +1,13 @@
+using Bit.Core.Vault.Entities;
+
+namespace Bit.Core.Vault.Models.Data;
+
+public class DeleteAttachmentResponseData
+{
+    public Cipher Cipher { get; set; }
+
+    public DeleteAttachmentResponseData(Cipher cipher)
+    {
+        Cipher = cipher;
+    }
+}
diff --git a/src/Core/Vault/Services/ICipherService.cs b/src/Core/Vault/Services/ICipherService.cs
index b332fbb96f..17f55cb47d 100644
--- a/src/Core/Vault/Services/ICipherService.cs
+++ b/src/Core/Vault/Services/ICipherService.cs
@@ -17,7 +17,7 @@ public interface ICipherService
         string attachmentId, Guid organizationShareId);
     Task DeleteAsync(Cipher cipher, Guid deletingUserId, bool orgAdmin = false);
     Task DeleteManyAsync(IEnumerable<Guid> cipherIds, Guid deletingUserId, Guid? organizationId = null, bool orgAdmin = false);
-    Task DeleteAttachmentAsync(Cipher cipher, string attachmentId, Guid deletingUserId, bool orgAdmin = false);
+    Task<DeleteAttachmentResponseData> DeleteAttachmentAsync(Cipher cipher, string attachmentId, Guid deletingUserId, bool orgAdmin = false);
     Task PurgeAsync(Guid organizationId);
     Task MoveManyAsync(IEnumerable<Guid> cipherIds, Guid? destinationFolderId, Guid movingUserId);
     Task SaveFolderAsync(Folder folder);
diff --git a/src/Core/Vault/Services/Implementations/CipherService.cs b/src/Core/Vault/Services/Implementations/CipherService.cs
index ea4db01fd7..90c03df90b 100644
--- a/src/Core/Vault/Services/Implementations/CipherService.cs
+++ b/src/Core/Vault/Services/Implementations/CipherService.cs
@@ -210,6 +210,11 @@ public class CipherService : ICipherService
             AttachmentData = JsonSerializer.Serialize(data)
         });
         cipher.AddAttachment(attachmentId, data);
+
+        // Update the revision date when an attachment is added
+        cipher.RevisionDate = DateTime.UtcNow;
+        await _cipherRepository.ReplaceAsync((CipherDetails)cipher);
+
         await _pushService.PushSyncCipherUpdateAsync(cipher, null);
 
         return (attachmentId, uploadUrl);
@@ -259,6 +264,10 @@ public class CipherService : ICipherService
             throw;
         }
 
+        // Update the revision date when an attachment is added
+        cipher.RevisionDate = DateTime.UtcNow;
+        await _cipherRepository.ReplaceAsync((CipherDetails)cipher);
+
         // push
         await _pushService.PushSyncCipherUpdateAsync(cipher, null);
     }
@@ -441,7 +450,7 @@ public class CipherService : ICipherService
         await _pushService.PushSyncCiphersAsync(deletingUserId);
     }
 
-    public async Task DeleteAttachmentAsync(Cipher cipher, string attachmentId, Guid deletingUserId,
+    public async Task<DeleteAttachmentResponseData> DeleteAttachmentAsync(Cipher cipher, string attachmentId, Guid deletingUserId,
         bool orgAdmin = false)
     {
         if (!orgAdmin && !(await UserCanEditAsync(cipher, deletingUserId)))
@@ -454,7 +463,7 @@ public class CipherService : ICipherService
             throw new NotFoundException();
         }
 
-        await DeleteAttachmentAsync(cipher, cipher.GetAttachments()[attachmentId]);
+        return await DeleteAttachmentAsync(cipher, cipher.GetAttachments()[attachmentId]);
     }
 
     public async Task PurgeAsync(Guid organizationId)
@@ -834,11 +843,11 @@ public class CipherService : ICipherService
         }
     }
 
-    private async Task DeleteAttachmentAsync(Cipher cipher, CipherAttachment.MetaData attachmentData)
+    private async Task<DeleteAttachmentResponseData> DeleteAttachmentAsync(Cipher cipher, CipherAttachment.MetaData attachmentData)
     {
         if (attachmentData == null || string.IsNullOrWhiteSpace(attachmentData.AttachmentId))
         {
-            return;
+            return null;
         }
 
         await _cipherRepository.DeleteAttachmentAsync(cipher.Id, attachmentData.AttachmentId);
@@ -846,8 +855,14 @@ public class CipherService : ICipherService
         await _attachmentStorageService.DeleteAttachmentAsync(cipher.Id, attachmentData);
         await _eventService.LogCipherEventAsync(cipher, Bit.Core.Enums.EventType.Cipher_AttachmentDeleted);
 
+        // Update the revision date when an attachment is deleted
+        cipher.RevisionDate = DateTime.UtcNow;
+        await _cipherRepository.ReplaceAsync((CipherDetails)cipher);
+
         // push
         await _pushService.PushSyncCipherUpdateAsync(cipher, null);
+
+        return new DeleteAttachmentResponseData(cipher);
     }
 
     private async Task ValidateCipherEditForAttachmentAsync(Cipher cipher, Guid savingUserId, bool orgAdmin,

From 6d7bdb6ec000f3f2c795a9b9b8f658b4fafea7bc Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Tue, 28 Jan 2025 12:23:15 -0500
Subject: [PATCH 210/384] Ac/pm 17217/add use policy check for accept
 endpoint(#5324)

---
 .../OrganizationUsersController.cs            | 23 ++++++--
 .../OrganizationUsersControllerTests.cs       | 58 +++++++++++++++++--
 2 files changed, 73 insertions(+), 8 deletions(-)

diff --git a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
index 12d11fbc18..265aefc4ca 100644
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@@ -311,10 +311,8 @@ public class OrganizationUsersController : Controller
             throw new UnauthorizedAccessException();
         }
 
-        var masterPasswordPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(orgId, PolicyType.ResetPassword);
-        var useMasterPasswordPolicy = masterPasswordPolicy != null &&
-                                          masterPasswordPolicy.Enabled &&
-                                          masterPasswordPolicy.GetDataModel<ResetPasswordDataModel>().AutoEnrollEnabled;
+        var useMasterPasswordPolicy = await ShouldHandleResetPasswordAsync(orgId);
+
         if (useMasterPasswordPolicy && string.IsNullOrWhiteSpace(model.ResetPasswordKey))
         {
             throw new BadRequestException(string.Empty, "Master Password reset is required, but not provided.");
@@ -328,6 +326,23 @@ public class OrganizationUsersController : Controller
         }
     }
 
+    private async Task<bool> ShouldHandleResetPasswordAsync(Guid orgId)
+    {
+        var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(orgId);
+
+        if (organizationAbility is not { UsePolicies: true })
+        {
+            return false;
+        }
+
+        var masterPasswordPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(orgId, PolicyType.ResetPassword);
+        var useMasterPasswordPolicy = masterPasswordPolicy != null &&
+                                          masterPasswordPolicy.Enabled &&
+                                          masterPasswordPolicy.GetDataModel<ResetPasswordDataModel>().AutoEnrollEnabled;
+
+        return useMasterPasswordPolicy;
+    }
+
     [HttpPost("{id}/confirm")]
     public async Task Confirm(string orgId, string id, [FromBody] OrganizationUserConfirmRequestModel model)
     {
diff --git a/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs b/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs
index 0ba8a101d7..e3071bd227 100644
--- a/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs
+++ b/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs
@@ -123,24 +123,74 @@ public class OrganizationUsersControllerTests
 
     [Theory]
     [BitAutoData]
-    public async Task Accept_RequireMasterPasswordReset(Guid orgId, Guid orgUserId,
+    public async Task Accept_WhenOrganizationUsePoliciesIsEnabledAndResetPolicyIsEnabled_ShouldHandleResetPassword(Guid orgId, Guid orgUserId,
         OrganizationUserAcceptRequestModel model, User user, SutProvider<OrganizationUsersController> sutProvider)
     {
+        // Arrange
+        var applicationCacheService = sutProvider.GetDependency<IApplicationCacheService>();
+        applicationCacheService.GetOrganizationAbilityAsync(orgId).Returns(new OrganizationAbility { UsePolicies = true });
+
         var policy = new Policy
         {
             Enabled = true,
             Data = CoreHelpers.ClassToJsonData(new ResetPasswordDataModel { AutoEnrollEnabled = true, }),
         };
-        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(user);
-        sutProvider.GetDependency<IPolicyRepository>().GetByOrganizationIdTypeAsync(orgId,
+        var userService = sutProvider.GetDependency<IUserService>();
+        userService.GetUserByPrincipalAsync(default).ReturnsForAnyArgs(user);
+
+
+        var policyRepository = sutProvider.GetDependency<IPolicyRepository>();
+        policyRepository.GetByOrganizationIdTypeAsync(orgId,
             PolicyType.ResetPassword).Returns(policy);
 
+        // Act
         await sutProvider.Sut.Accept(orgId, orgUserId, model);
 
+        // Assert
         await sutProvider.GetDependency<IAcceptOrgUserCommand>().Received(1)
-            .AcceptOrgUserByEmailTokenAsync(orgUserId, user, model.Token, sutProvider.GetDependency<IUserService>());
+            .AcceptOrgUserByEmailTokenAsync(orgUserId, user, model.Token, userService);
         await sutProvider.GetDependency<IOrganizationService>().Received(1)
             .UpdateUserResetPasswordEnrollmentAsync(orgId, user.Id, model.ResetPasswordKey, user.Id);
+
+        await userService.Received(1).GetUserByPrincipalAsync(default);
+        await applicationCacheService.Received(1).GetOrganizationAbilityAsync(orgId);
+        await policyRepository.Received(1).GetByOrganizationIdTypeAsync(orgId, PolicyType.ResetPassword);
+
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task Accept_WhenOrganizationUsePoliciesIsDisabled_ShouldNotHandleResetPassword(Guid orgId, Guid orgUserId,
+        OrganizationUserAcceptRequestModel model, User user, SutProvider<OrganizationUsersController> sutProvider)
+    {
+        // Arrange
+        var applicationCacheService = sutProvider.GetDependency<IApplicationCacheService>();
+        applicationCacheService.GetOrganizationAbilityAsync(orgId).Returns(new OrganizationAbility { UsePolicies = false });
+
+        var policy = new Policy
+        {
+            Enabled = true,
+            Data = CoreHelpers.ClassToJsonData(new ResetPasswordDataModel { AutoEnrollEnabled = true, }),
+        };
+        var userService = sutProvider.GetDependency<IUserService>();
+        userService.GetUserByPrincipalAsync(default).ReturnsForAnyArgs(user);
+
+        var policyRepository = sutProvider.GetDependency<IPolicyRepository>();
+        policyRepository.GetByOrganizationIdTypeAsync(orgId,
+            PolicyType.ResetPassword).Returns(policy);
+
+        // Act
+        await sutProvider.Sut.Accept(orgId, orgUserId, model);
+
+        // Assert
+        await userService.Received(1).GetUserByPrincipalAsync(default);
+        await sutProvider.GetDependency<IAcceptOrgUserCommand>().Received(1)
+            .AcceptOrgUserByEmailTokenAsync(orgUserId, user, model.Token, userService);
+        await sutProvider.GetDependency<IOrganizationService>().Received(0)
+            .UpdateUserResetPasswordEnrollmentAsync(orgId, user.Id, model.ResetPasswordKey, user.Id);
+
+        await policyRepository.Received(0).GetByOrganizationIdTypeAsync(orgId, PolicyType.ResetPassword);
+        await applicationCacheService.Received(1).GetOrganizationAbilityAsync(orgId);
     }
 
     [Theory]

From 93f5b34223d1f6648ce75bd8180240dc06949b41 Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Tue, 28 Jan 2025 12:58:04 -0500
Subject: [PATCH 211/384] Add limit item deletion server code (#5308)

---
 .../Models/Response/Organizations/OrganizationResponseModel.cs | 2 ++
 .../Models/Response/ProfileOrganizationResponseModel.cs        | 2 ++
 .../Response/ProfileProviderOrganizationResponseModel.cs       | 1 +
 .../OrganizationCollectionManagementUpdateRequestModel.cs      | 2 ++
 .../Models/Data/Organizations/OrganizationAbility.cs           | 2 ++
 .../OrganizationUsers/OrganizationUserOrganizationDetails.cs   | 1 +
 .../Models/Data/Organizations/SelfHostedOrganizationDetails.cs | 1 +
 .../Models/Data/Provider/ProviderUserOrganizationDetails.cs    | 1 +
 src/Core/Models/PushNotification.cs                            | 1 +
 .../NotificationHub/NotificationHubPushNotificationService.cs  | 3 ++-
 .../Push/Services/AzureQueuePushNotificationService.cs         | 3 ++-
 .../Push/Services/NotificationsApiPushNotificationService.cs   | 3 ++-
 .../Platform/Push/Services/RelayPushNotificationService.cs     | 3 ++-
 .../AdminConsole/Repositories/OrganizationRepository.cs        | 1 +
 .../Queries/OrganizationUserOrganizationDetailsViewQuery.cs    | 1 +
 .../Queries/ProviderUserOrganizationDetailsViewQuery.cs        | 1 +
 16 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/src/Api/AdminConsole/Models/Response/Organizations/OrganizationResponseModel.cs b/src/Api/AdminConsole/Models/Response/Organizations/OrganizationResponseModel.cs
index 116b4b1238..272aaf6f9c 100644
--- a/src/Api/AdminConsole/Models/Response/Organizations/OrganizationResponseModel.cs
+++ b/src/Api/AdminConsole/Models/Response/Organizations/OrganizationResponseModel.cs
@@ -57,6 +57,7 @@ public class OrganizationResponseModel : ResponseModel
         MaxAutoscaleSmServiceAccounts = organization.MaxAutoscaleSmServiceAccounts;
         LimitCollectionCreation = organization.LimitCollectionCreation;
         LimitCollectionDeletion = organization.LimitCollectionDeletion;
+        LimitItemDeletion = organization.LimitItemDeletion;
         AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
         UseRiskInsights = organization.UseRiskInsights;
     }
@@ -102,6 +103,7 @@ public class OrganizationResponseModel : ResponseModel
     public int? MaxAutoscaleSmServiceAccounts { get; set; }
     public bool LimitCollectionCreation { get; set; }
     public bool LimitCollectionDeletion { get; set; }
+    public bool LimitItemDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
     public bool UseRiskInsights { get; set; }
 }
diff --git a/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs b/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs
index 75e4c44a6d..d08298de6e 100644
--- a/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs
+++ b/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs
@@ -67,6 +67,7 @@ public class ProfileOrganizationResponseModel : ResponseModel
         AccessSecretsManager = organization.AccessSecretsManager;
         LimitCollectionCreation = organization.LimitCollectionCreation;
         LimitCollectionDeletion = organization.LimitCollectionDeletion;
+        LimitItemDeletion = organization.LimitItemDeletion;
         AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
         UserIsManagedByOrganization = organizationIdsManagingUser.Contains(organization.OrganizationId);
         UseRiskInsights = organization.UseRiskInsights;
@@ -128,6 +129,7 @@ public class ProfileOrganizationResponseModel : ResponseModel
     public bool AccessSecretsManager { get; set; }
     public bool LimitCollectionCreation { get; set; }
     public bool LimitCollectionDeletion { get; set; }
+    public bool LimitItemDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
     /// <summary>
     /// Indicates if the organization manages the user.
diff --git a/src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs b/src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs
index 211476dca1..589744c7df 100644
--- a/src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs
+++ b/src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs
@@ -47,6 +47,7 @@ public class ProfileProviderOrganizationResponseModel : ProfileOrganizationRespo
         ProductTierType = StaticStore.GetPlan(organization.PlanType).ProductTier;
         LimitCollectionCreation = organization.LimitCollectionCreation;
         LimitCollectionDeletion = organization.LimitCollectionDeletion;
+        LimitItemDeletion = organization.LimitItemDeletion;
         AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
         UseRiskInsights = organization.UseRiskInsights;
     }
diff --git a/src/Api/Models/Request/Organizations/OrganizationCollectionManagementUpdateRequestModel.cs b/src/Api/Models/Request/Organizations/OrganizationCollectionManagementUpdateRequestModel.cs
index 94f842ca1e..829840c896 100644
--- a/src/Api/Models/Request/Organizations/OrganizationCollectionManagementUpdateRequestModel.cs
+++ b/src/Api/Models/Request/Organizations/OrganizationCollectionManagementUpdateRequestModel.cs
@@ -7,12 +7,14 @@ public class OrganizationCollectionManagementUpdateRequestModel
 {
     public bool LimitCollectionCreation { get; set; }
     public bool LimitCollectionDeletion { get; set; }
+    public bool LimitItemDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
 
     public virtual Organization ToOrganization(Organization existingOrganization, IFeatureService featureService)
     {
         existingOrganization.LimitCollectionCreation = LimitCollectionCreation;
         existingOrganization.LimitCollectionDeletion = LimitCollectionDeletion;
+        existingOrganization.LimitItemDeletion = LimitItemDeletion;
         existingOrganization.AllowAdminAccessToAllCollectionItems = AllowAdminAccessToAllCollectionItems;
         return existingOrganization;
     }
diff --git a/src/Core/AdminConsole/Models/Data/Organizations/OrganizationAbility.cs b/src/Core/AdminConsole/Models/Data/Organizations/OrganizationAbility.cs
index 6392e483ce..62914f6fa8 100644
--- a/src/Core/AdminConsole/Models/Data/Organizations/OrganizationAbility.cs
+++ b/src/Core/AdminConsole/Models/Data/Organizations/OrganizationAbility.cs
@@ -23,6 +23,7 @@ public class OrganizationAbility
         UsePolicies = organization.UsePolicies;
         LimitCollectionCreation = organization.LimitCollectionCreation;
         LimitCollectionDeletion = organization.LimitCollectionDeletion;
+        LimitItemDeletion = organization.LimitItemDeletion;
         AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
         UseRiskInsights = organization.UseRiskInsights;
     }
@@ -41,6 +42,7 @@ public class OrganizationAbility
     public bool UsePolicies { get; set; }
     public bool LimitCollectionCreation { get; set; }
     public bool LimitCollectionDeletion { get; set; }
+    public bool LimitItemDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
     public bool UseRiskInsights { get; set; }
 }
diff --git a/src/Core/AdminConsole/Models/Data/Organizations/OrganizationUsers/OrganizationUserOrganizationDetails.cs b/src/Core/AdminConsole/Models/Data/Organizations/OrganizationUsers/OrganizationUserOrganizationDetails.cs
index e06b6bd66a..18d68af220 100644
--- a/src/Core/AdminConsole/Models/Data/Organizations/OrganizationUsers/OrganizationUserOrganizationDetails.cs
+++ b/src/Core/AdminConsole/Models/Data/Organizations/OrganizationUsers/OrganizationUserOrganizationDetails.cs
@@ -56,6 +56,7 @@ public class OrganizationUserOrganizationDetails
     public int? SmServiceAccounts { get; set; }
     public bool LimitCollectionCreation { get; set; }
     public bool LimitCollectionDeletion { get; set; }
+    public bool LimitItemDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
     public bool UseRiskInsights { get; set; }
 }
diff --git a/src/Core/AdminConsole/Models/Data/Organizations/SelfHostedOrganizationDetails.cs b/src/Core/AdminConsole/Models/Data/Organizations/SelfHostedOrganizationDetails.cs
index bd727f707b..c53ac8745c 100644
--- a/src/Core/AdminConsole/Models/Data/Organizations/SelfHostedOrganizationDetails.cs
+++ b/src/Core/AdminConsole/Models/Data/Organizations/SelfHostedOrganizationDetails.cs
@@ -146,6 +146,7 @@ public class SelfHostedOrganizationDetails : Organization
             OwnersNotifiedOfAutoscaling = OwnersNotifiedOfAutoscaling,
             LimitCollectionCreation = LimitCollectionCreation,
             LimitCollectionDeletion = LimitCollectionDeletion,
+            LimitItemDeletion = LimitItemDeletion,
             AllowAdminAccessToAllCollectionItems = AllowAdminAccessToAllCollectionItems,
             Status = Status
         };
diff --git a/src/Core/AdminConsole/Models/Data/Provider/ProviderUserOrganizationDetails.cs b/src/Core/AdminConsole/Models/Data/Provider/ProviderUserOrganizationDetails.cs
index bd5592edfc..57f176666a 100644
--- a/src/Core/AdminConsole/Models/Data/Provider/ProviderUserOrganizationDetails.cs
+++ b/src/Core/AdminConsole/Models/Data/Provider/ProviderUserOrganizationDetails.cs
@@ -42,6 +42,7 @@ public class ProviderUserOrganizationDetails
     public PlanType PlanType { get; set; }
     public bool LimitCollectionCreation { get; set; }
     public bool LimitCollectionDeletion { get; set; }
+    public bool LimitItemDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
     public bool UseRiskInsights { get; set; }
     public ProviderType ProviderType { get; set; }
diff --git a/src/Core/Models/PushNotification.cs b/src/Core/Models/PushNotification.cs
index 9907abcb65..e2247881ea 100644
--- a/src/Core/Models/PushNotification.cs
+++ b/src/Core/Models/PushNotification.cs
@@ -62,4 +62,5 @@ public class OrganizationCollectionManagementPushNotification
     public Guid OrganizationId { get; init; }
     public bool LimitCollectionCreation { get; init; }
     public bool LimitCollectionDeletion { get; init; }
+    public bool LimitItemDeletion { get; init; }
 }
diff --git a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
index d90ebdd744..d99cbf3fe7 100644
--- a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
+++ b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
@@ -246,7 +246,8 @@ public class NotificationHubPushNotificationService : IPushNotificationService
             {
                 OrganizationId = organization.Id,
                 LimitCollectionCreation = organization.LimitCollectionCreation,
-                LimitCollectionDeletion = organization.LimitCollectionDeletion
+                LimitCollectionDeletion = organization.LimitCollectionDeletion,
+                LimitItemDeletion = organization.LimitItemDeletion
             },
             false
         );
diff --git a/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs b/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
index 0503a22a60..33272ce870 100644
--- a/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
@@ -239,6 +239,7 @@ public class AzureQueuePushNotificationService : IPushNotificationService
             {
                 OrganizationId = organization.Id,
                 LimitCollectionCreation = organization.LimitCollectionCreation,
-                LimitCollectionDeletion = organization.LimitCollectionDeletion
+                LimitCollectionDeletion = organization.LimitCollectionDeletion,
+                LimitItemDeletion = organization.LimitItemDeletion
             }, false);
 }
diff --git a/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs b/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
index 849ae1b765..5ebfc811ef 100644
--- a/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
@@ -248,6 +248,7 @@ public class NotificationsApiPushNotificationService : BaseIdentityClientService
             {
                 OrganizationId = organization.Id,
                 LimitCollectionCreation = organization.LimitCollectionCreation,
-                LimitCollectionDeletion = organization.LimitCollectionDeletion
+                LimitCollectionDeletion = organization.LimitCollectionDeletion,
+                LimitItemDeletion = organization.LimitItemDeletion
             }, false);
 }
diff --git a/src/Core/Platform/Push/Services/RelayPushNotificationService.cs b/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
index e41244a1b8..6549ab47c3 100644
--- a/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
@@ -273,7 +273,8 @@ public class RelayPushNotificationService : BaseIdentityClientService, IPushNoti
             {
                 OrganizationId = organization.Id,
                 LimitCollectionCreation = organization.LimitCollectionCreation,
-                LimitCollectionDeletion = organization.LimitCollectionDeletion
+                LimitCollectionDeletion = organization.LimitCollectionDeletion,
+                LimitItemDeletion = organization.LimitItemDeletion
             },
             false
         );
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
index fb3766c6c7..c1c78eee60 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
@@ -101,6 +101,7 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
                 UsePolicies = e.UsePolicies,
                 LimitCollectionCreation = e.LimitCollectionCreation,
                 LimitCollectionDeletion = e.LimitCollectionDeletion,
+                LimitItemDeletion = e.LimitItemDeletion,
                 AllowAdminAccessToAllCollectionItems = e.AllowAdminAccessToAllCollectionItems,
                 UseRiskInsights = e.UseRiskInsights
             }).ToListAsync();
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationUserOrganizationDetailsViewQuery.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationUserOrganizationDetailsViewQuery.cs
index c93903ab0f..73aea44332 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationUserOrganizationDetailsViewQuery.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationUserOrganizationDetailsViewQuery.cs
@@ -68,6 +68,7 @@ public class OrganizationUserOrganizationDetailsViewQuery : IQuery<OrganizationU
                         SmServiceAccounts = o.SmServiceAccounts,
                         LimitCollectionCreation = o.LimitCollectionCreation,
                         LimitCollectionDeletion = o.LimitCollectionDeletion,
+                        LimitItemDeletion = o.LimitItemDeletion,
                         AllowAdminAccessToAllCollectionItems = o.AllowAdminAccessToAllCollectionItems,
                         UseRiskInsights = o.UseRiskInsights,
                     };
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/ProviderUserOrganizationDetailsViewQuery.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/ProviderUserOrganizationDetailsViewQuery.cs
index 3f3d3d389e..9483ccbc92 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/ProviderUserOrganizationDetailsViewQuery.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/ProviderUserOrganizationDetailsViewQuery.cs
@@ -46,6 +46,7 @@ public class ProviderUserOrganizationDetailsViewQuery : IQuery<ProviderUserOrgan
             PlanType = x.o.PlanType,
             LimitCollectionCreation = x.o.LimitCollectionCreation,
             LimitCollectionDeletion = x.o.LimitCollectionDeletion,
+            LimitItemDeletion = x.o.LimitItemDeletion,
             AllowAdminAccessToAllCollectionItems = x.o.AllowAdminAccessToAllCollectionItems,
             UseRiskInsights = x.o.UseRiskInsights,
             ProviderType = x.p.Type

From 3d273bf494666a26217169d7956d8a63b736d13f Mon Sep 17 00:00:00 2001
From: Patrick Honkonen <1883101+SaintPatrck@users.noreply.github.com>
Date: Tue, 28 Jan 2025 13:39:19 -0500
Subject: [PATCH 212/384] [PM-15906] Add feature flags for Android single tap
 passkey flows (#5334)

Add feature flags to control single tap passkey creation and authentication in the Android client.
---
 src/Core/Constants.cs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 848a8805b7..6f08ee4f6b 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -167,6 +167,8 @@ public static class FeatureFlagKeys
     public const string EnablePasswordManagerSyncAndroid = "enable-password-manager-sync-android";
     public const string EnablePasswordManagerSynciOS = "enable-password-manager-sync-ios";
     public const string AccountDeprovisioningBanner = "pm-17120-account-deprovisioning-admin-console-banner";
+    public const string SingleTapPasskeyCreation = "single-tap-passkey-creation";
+    public const string SingleTapPasskeyAuthentication = "single-tap-passkey-authentication";
 
     public static List<string> GetAllKeys()
     {

From f1c94a1400137e150ef1b999448a2e6476cbf1b5 Mon Sep 17 00:00:00 2001
From: Tom <144813356+ttalty@users.noreply.github.com>
Date: Tue, 28 Jan 2025 13:52:11 -0500
Subject: [PATCH 213/384] Risk insights feature flag for server (#5328)

---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 6f08ee4f6b..6d70f0b3ce 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -169,6 +169,7 @@ public static class FeatureFlagKeys
     public const string AccountDeprovisioningBanner = "pm-17120-account-deprovisioning-admin-console-banner";
     public const string SingleTapPasskeyCreation = "single-tap-passkey-creation";
     public const string SingleTapPasskeyAuthentication = "single-tap-passkey-authentication";
+    public const string EnableRiskInsightsNotifications = "enable-risk-insights-notifications";
 
     public static List<string> GetAllKeys()
     {

From 62afa0b30af772f1e644abe231608228e81c3520 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Wed, 29 Jan 2025 16:13:36 +0000
Subject: [PATCH 214/384] [PM-17691] Change permission requirement for
 organization deletion initiation (#5339)

---
 src/Admin/AdminConsole/Controllers/OrganizationsController.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Admin/AdminConsole/Controllers/OrganizationsController.cs b/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
index b24226ee35..3fdef169b4 100644
--- a/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
+++ b/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
@@ -309,7 +309,7 @@ public class OrganizationsController : Controller
 
     [HttpPost]
     [ValidateAntiForgeryToken]
-    [RequirePermission(Permission.Org_Delete)]
+    [RequirePermission(Permission.Org_RequestDelete)]
     public async Task<IActionResult> DeleteInitiation(Guid id, OrganizationInitiateDeleteModel model)
     {
         if (!ModelState.IsValid)

From a5b3f80d7124c8d243d41a528397501ec77b2bfd Mon Sep 17 00:00:00 2001
From: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Date: Wed, 29 Jan 2025 12:08:29 -0500
Subject: [PATCH 215/384] [PM-16053] Add DeviceType enum to AuthRequest
 response model (#5341)

---
 src/Api/Auth/Models/Response/AuthRequestResponseModel.cs | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/Api/Auth/Models/Response/AuthRequestResponseModel.cs b/src/Api/Auth/Models/Response/AuthRequestResponseModel.cs
index 0234fc333a..3a07873451 100644
--- a/src/Api/Auth/Models/Response/AuthRequestResponseModel.cs
+++ b/src/Api/Auth/Models/Response/AuthRequestResponseModel.cs
@@ -1,6 +1,7 @@
 using System.ComponentModel.DataAnnotations;
 using System.Reflection;
 using Bit.Core.Auth.Entities;
+using Bit.Core.Enums;
 using Bit.Core.Models.Api;
 
 namespace Bit.Api.Auth.Models.Response;
@@ -17,6 +18,7 @@ public class AuthRequestResponseModel : ResponseModel
 
         Id = authRequest.Id;
         PublicKey = authRequest.PublicKey;
+        RequestDeviceTypeValue = authRequest.RequestDeviceType;
         RequestDeviceType = authRequest.RequestDeviceType.GetType().GetMember(authRequest.RequestDeviceType.ToString())
             .FirstOrDefault()?.GetCustomAttribute<DisplayAttribute>()?.GetName();
         RequestIpAddress = authRequest.RequestIpAddress;
@@ -30,6 +32,7 @@ public class AuthRequestResponseModel : ResponseModel
 
     public Guid Id { get; set; }
     public string PublicKey { get; set; }
+    public DeviceType RequestDeviceTypeValue { get; set; }
     public string RequestDeviceType { get; set; }
     public string RequestIpAddress { get; set; }
     public string Key { get; set; }

From 2f2ef20c749478f643b1aff925b48ff8bf5a0389 Mon Sep 17 00:00:00 2001
From: Shane Melton <smelton@bitwarden.com>
Date: Wed, 29 Jan 2025 12:07:03 -0800
Subject: [PATCH 216/384] Add missing IGetTasksForOrganizationQuery query
 registration (#5343)

---
 src/Core/Vault/VaultServiceCollectionExtensions.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Vault/VaultServiceCollectionExtensions.cs b/src/Core/Vault/VaultServiceCollectionExtensions.cs
index 4995d0405f..169a62d12d 100644
--- a/src/Core/Vault/VaultServiceCollectionExtensions.cs
+++ b/src/Core/Vault/VaultServiceCollectionExtensions.cs
@@ -20,5 +20,6 @@ public static class VaultServiceCollectionExtensions
         services.AddScoped<IGetTaskDetailsForUserQuery, GetTaskDetailsForUserQuery>();
         services.AddScoped<IMarkTaskAsCompleteCommand, MarkTaskAsCompletedCommand>();
         services.AddScoped<IGetCipherPermissionsForUserQuery, GetCipherPermissionsForUserQuery>();
+        services.AddScoped<IGetTasksForOrganizationQuery, GetTasksForOrganizationQuery>();
     }
 }

From ad2ea4ca21a7ca770fd04b123638d6b8c8578dc8 Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Thu, 30 Jan 2025 10:26:34 -0500
Subject: [PATCH 217/384] Don't enable tax for customer without tax info
 (#5347)

---
 .../Implementations/OrganizationBillingService.cs     | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
index 201de22525..1bc4f792d7 100644
--- a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
@@ -356,11 +356,20 @@ public class OrganizationBillingService(
             }
         }
 
+        var customerHasTaxInfo = customer is
+        {
+            Address:
+            {
+                Country: not null and not "",
+                PostalCode: not null and not ""
+            }
+        };
+
         var subscriptionCreateOptions = new SubscriptionCreateOptions
         {
             AutomaticTax = new SubscriptionAutomaticTaxOptions
             {
-                Enabled = true
+                Enabled = customerHasTaxInfo
             },
             CollectionMethod = StripeConstants.CollectionMethod.ChargeAutomatically,
             Customer = customer.Id,

From 23dce5810326b5a307ebdbd6bc09528964de5222 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 30 Jan 2025 10:58:14 -0500
Subject: [PATCH 218/384] [deps] Billing: Update xunit to 2.9.3 (#5289)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 .../Infrastructure.Dapper.Test.csproj                           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/Infrastructure.Dapper.Test/Infrastructure.Dapper.Test.csproj b/test/Infrastructure.Dapper.Test/Infrastructure.Dapper.Test.csproj
index 65041c3023..1ba67ba61e 100644
--- a/test/Infrastructure.Dapper.Test/Infrastructure.Dapper.Test.csproj
+++ b/test/Infrastructure.Dapper.Test/Infrastructure.Dapper.Test.csproj
@@ -11,7 +11,7 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
-    <PackageReference Include="xunit" Version="2.9.2" />
+    <PackageReference Include="xunit" Version="2.9.3" />
     <PackageReference Include="xunit.runner.visualstudio" Version="3.0.1">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>

From 443a147433d30c45ddff1f8b80e626e890253197 Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Thu, 30 Jan 2025 11:55:05 -0500
Subject: [PATCH 219/384] Replace StripePaymentService with
 PremiumUserBillingService in ReplacePaymentMethodAsync call (#5350)

---
 .../Services/IPremiumUserBillingService.cs    |  8 ++++++-
 .../PremiumUserBillingService.cs              | 23 +++++++++++++++++++
 .../Services/Implementations/UserService.cs   | 11 +++++----
 3 files changed, 36 insertions(+), 6 deletions(-)

diff --git a/src/Core/Billing/Services/IPremiumUserBillingService.cs b/src/Core/Billing/Services/IPremiumUserBillingService.cs
index f74bf6c8da..2161b247b9 100644
--- a/src/Core/Billing/Services/IPremiumUserBillingService.cs
+++ b/src/Core/Billing/Services/IPremiumUserBillingService.cs
@@ -1,4 +1,5 @@
-using Bit.Core.Billing.Models.Sales;
+using Bit.Core.Billing.Models;
+using Bit.Core.Billing.Models.Sales;
 using Bit.Core.Entities;
 
 namespace Bit.Core.Billing.Services;
@@ -27,4 +28,9 @@ public interface IPremiumUserBillingService
     /// </code>
     /// </example>
     Task Finalize(PremiumUserSale sale);
+
+    Task UpdatePaymentMethod(
+        User user,
+        TokenizedPaymentSource tokenizedPaymentSource,
+        TaxInformation taxInformation);
 }
diff --git a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
index 0672a8d5e7..ed841c9576 100644
--- a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
@@ -1,5 +1,6 @@
 using Bit.Core.Billing.Caches;
 using Bit.Core.Billing.Constants;
+using Bit.Core.Billing.Models;
 using Bit.Core.Billing.Models.Sales;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -58,6 +59,28 @@ public class PremiumUserBillingService(
         await userRepository.ReplaceAsync(user);
     }
 
+    public async Task UpdatePaymentMethod(
+        User user,
+        TokenizedPaymentSource tokenizedPaymentSource,
+        TaxInformation taxInformation)
+    {
+        if (string.IsNullOrEmpty(user.GatewayCustomerId))
+        {
+            var customer = await CreateCustomerAsync(user,
+                new CustomerSetup { TokenizedPaymentSource = tokenizedPaymentSource, TaxInformation = taxInformation });
+
+            user.Gateway = GatewayType.Stripe;
+            user.GatewayCustomerId = customer.Id;
+
+            await userRepository.ReplaceAsync(user);
+        }
+        else
+        {
+            await subscriberService.UpdatePaymentSource(user, tokenizedPaymentSource);
+            await subscriberService.UpdateTaxInformation(user, taxInformation);
+        }
+    }
+
     private async Task<Customer> CreateCustomerAsync(
         User user,
         CustomerSetup customerSetup)
diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index 157bfd3a6e..11d4042def 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -9,6 +9,7 @@ using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models;
 using Bit.Core.Auth.Models.Business.Tokenables;
+using Bit.Core.Billing.Models;
 using Bit.Core.Billing.Models.Sales;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
@@ -1044,11 +1045,11 @@ public class UserService : UserManager<User>, IUserService, IDisposable
             throw new BadRequestException("Invalid token.");
         }
 
-        var updated = await _paymentService.UpdatePaymentMethodAsync(user, paymentMethodType, paymentToken, taxInfo: taxInfo);
-        if (updated)
-        {
-            await SaveUserAsync(user);
-        }
+        var tokenizedPaymentSource = new TokenizedPaymentSource(paymentMethodType, paymentToken);
+        var taxInformation = TaxInformation.From(taxInfo);
+
+        await _premiumUserBillingService.UpdatePaymentMethod(user, tokenizedPaymentSource, taxInformation);
+        await SaveUserAsync(user);
     }
 
     public async Task CancelPremiumAsync(User user, bool? endOfPeriod = null)

From 5efd68cf51ab7437a6e92b4279c3dc8f73ac21db Mon Sep 17 00:00:00 2001
From: Brant DeBow <125889545+brant-livefront@users.noreply.github.com>
Date: Thu, 30 Jan 2025 11:07:02 -0600
Subject: [PATCH 220/384] [PM-17562] Initial POC of Distributed Events (#5323)

* Initial POC of Distributed Events

* Apply suggestions from code review

Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>

* Clean up files to support accepted changes. Address PR Feedback

* Removed unneeded using to fix lint warning

* Moved config into a common EventLogging top-level item. Fixed issues from PR review

* Optimized per suggestion from justinbaur

Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>

* Updated to add IAsyncDisposable as suggested in PR review

* Updated with suggestion to use KeyedSingleton for the IEventWriteService

* Changed key case to lowercase

---------

Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>
---
 dev/.env.example                              |  6 +-
 dev/docker-compose.yml                        | 15 +++
 .../RabbitMqEventHttpPostListener.cs          | 35 +++++++
 .../RabbitMqEventListenerBase.cs              | 93 +++++++++++++++++++
 .../RabbitMqEventRepositoryListener.cs        | 29 ++++++
 .../RabbitMqEventWriteService.cs              | 65 +++++++++++++
 src/Core/Core.csproj                          |  5 +-
 src/Core/Settings/GlobalSettings.cs           | 39 ++++++++
 src/Events/Startup.cs                         | 16 ++++
 .../Utilities/ServiceCollectionExtensions.cs  | 12 ++-
 10 files changed, 311 insertions(+), 4 deletions(-)
 create mode 100644 src/Core/AdminConsole/Services/Implementations/RabbitMqEventHttpPostListener.cs
 create mode 100644 src/Core/AdminConsole/Services/Implementations/RabbitMqEventListenerBase.cs
 create mode 100644 src/Core/AdminConsole/Services/Implementations/RabbitMqEventRepositoryListener.cs
 create mode 100644 src/Core/AdminConsole/Services/Implementations/RabbitMqEventWriteService.cs

diff --git a/dev/.env.example b/dev/.env.example
index d0ebf50efb..f0aed83a59 100644
--- a/dev/.env.example
+++ b/dev/.env.example
@@ -20,4 +20,8 @@ IDP_SP_ACS_URL=http://localhost:51822/saml2/yourOrgIdHere/Acs
 # Optional reverse proxy configuration
 # Should match server listen ports in reverse-proxy.conf
 API_PROXY_PORT=4100
-IDENTITY_PROXY_PORT=33756
\ No newline at end of file
+IDENTITY_PROXY_PORT=33756
+
+# Optional RabbitMQ configuration
+RABBITMQ_DEFAULT_USER=bitwarden
+RABBITMQ_DEFAULT_PASS=SET_A_PASSWORD_HERE_123
diff --git a/dev/docker-compose.yml b/dev/docker-compose.yml
index c02d3c872b..d23eaefbb0 100644
--- a/dev/docker-compose.yml
+++ b/dev/docker-compose.yml
@@ -84,6 +84,20 @@ services:
     profiles:
       - idp
 
+  rabbitmq:
+    image: rabbitmq:management
+    container_name: rabbitmq
+    ports:
+      - "5672:5672"
+      - "15672:15672"
+    environment:
+      RABBITMQ_DEFAULT_USER: ${RABBITMQ_DEFAULT_USER}
+      RABBITMQ_DEFAULT_PASS: ${RABBITMQ_DEFAULT_PASS}
+    volumes:
+      - rabbitmq_data:/var/lib/rabbitmq_data
+    profiles:
+      - rabbitmq
+
   reverse-proxy:
     image: nginx:alpine
     container_name: reverse-proxy
@@ -99,3 +113,4 @@ volumes:
   mssql_dev_data:
   postgres_dev_data:
   mysql_dev_data:
+  rabbitmq_data:
diff --git a/src/Core/AdminConsole/Services/Implementations/RabbitMqEventHttpPostListener.cs b/src/Core/AdminConsole/Services/Implementations/RabbitMqEventHttpPostListener.cs
new file mode 100644
index 0000000000..5a875f9278
--- /dev/null
+++ b/src/Core/AdminConsole/Services/Implementations/RabbitMqEventHttpPostListener.cs
@@ -0,0 +1,35 @@
+using System.Net.Http.Json;
+using Bit.Core.Models.Data;
+using Bit.Core.Settings;
+using Microsoft.Extensions.Logging;
+
+namespace Bit.Core.Services;
+
+public class RabbitMqEventHttpPostListener : RabbitMqEventListenerBase
+{
+    private readonly HttpClient _httpClient;
+    private readonly string _httpPostUrl;
+    private readonly string _queueName;
+
+    protected override string QueueName => _queueName;
+
+    public const string HttpClientName = "EventHttpPostListenerHttpClient";
+
+    public RabbitMqEventHttpPostListener(
+        IHttpClientFactory httpClientFactory,
+        ILogger<RabbitMqEventListenerBase> logger,
+        GlobalSettings globalSettings)
+        : base(logger, globalSettings)
+    {
+        _httpClient = httpClientFactory.CreateClient(HttpClientName);
+        _httpPostUrl = globalSettings.EventLogging.RabbitMq.HttpPostUrl;
+        _queueName = globalSettings.EventLogging.RabbitMq.HttpPostQueueName;
+    }
+
+    protected override async Task HandleMessageAsync(EventMessage eventMessage)
+    {
+        var content = JsonContent.Create(eventMessage);
+        var response = await _httpClient.PostAsync(_httpPostUrl, content);
+        response.EnsureSuccessStatusCode();
+    }
+}
diff --git a/src/Core/AdminConsole/Services/Implementations/RabbitMqEventListenerBase.cs b/src/Core/AdminConsole/Services/Implementations/RabbitMqEventListenerBase.cs
new file mode 100644
index 0000000000..48a549d261
--- /dev/null
+++ b/src/Core/AdminConsole/Services/Implementations/RabbitMqEventListenerBase.cs
@@ -0,0 +1,93 @@
+using System.Text.Json;
+using Bit.Core.Models.Data;
+using Bit.Core.Settings;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using RabbitMQ.Client;
+using RabbitMQ.Client.Events;
+
+namespace Bit.Core.Services;
+
+public abstract class RabbitMqEventListenerBase : BackgroundService
+{
+    private IChannel _channel;
+    private IConnection _connection;
+    private readonly string _exchangeName;
+    private readonly ConnectionFactory _factory;
+    private readonly ILogger<RabbitMqEventListenerBase> _logger;
+
+    protected abstract string QueueName { get; }
+
+    protected RabbitMqEventListenerBase(
+        ILogger<RabbitMqEventListenerBase> logger,
+        GlobalSettings globalSettings)
+    {
+        _factory = new ConnectionFactory
+        {
+            HostName = globalSettings.EventLogging.RabbitMq.HostName,
+            UserName = globalSettings.EventLogging.RabbitMq.Username,
+            Password = globalSettings.EventLogging.RabbitMq.Password
+        };
+        _exchangeName = globalSettings.EventLogging.RabbitMq.ExchangeName;
+        _logger = logger;
+    }
+
+    public override async Task StartAsync(CancellationToken cancellationToken)
+    {
+        _connection = await _factory.CreateConnectionAsync(cancellationToken);
+        _channel = await _connection.CreateChannelAsync(cancellationToken: cancellationToken);
+
+        await _channel.ExchangeDeclareAsync(exchange: _exchangeName, type: ExchangeType.Fanout, durable: true);
+        await _channel.QueueDeclareAsync(queue: QueueName,
+                                         durable: true,
+                                         exclusive: false,
+                                         autoDelete: false,
+                                         arguments: null,
+                                         cancellationToken: cancellationToken);
+        await _channel.QueueBindAsync(queue: QueueName,
+                                      exchange: _exchangeName,
+                                      routingKey: string.Empty,
+                                      cancellationToken: cancellationToken);
+        await base.StartAsync(cancellationToken);
+    }
+
+    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+    {
+        var consumer = new AsyncEventingBasicConsumer(_channel);
+        consumer.ReceivedAsync += async (_, eventArgs) =>
+        {
+            try
+            {
+                var eventMessage = JsonSerializer.Deserialize<EventMessage>(eventArgs.Body.Span);
+                await HandleMessageAsync(eventMessage);
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex, "An error occurred while processing the message");
+            }
+        };
+
+        await _channel.BasicConsumeAsync(QueueName, autoAck: true, consumer: consumer, cancellationToken: stoppingToken);
+
+        while (!stoppingToken.IsCancellationRequested)
+        {
+            await Task.Delay(1_000, stoppingToken);
+        }
+    }
+
+    public override async Task StopAsync(CancellationToken cancellationToken)
+    {
+        await _channel.CloseAsync();
+        await _connection.CloseAsync();
+        await base.StopAsync(cancellationToken);
+    }
+
+    public override void Dispose()
+    {
+        _channel.Dispose();
+        _connection.Dispose();
+        base.Dispose();
+    }
+
+    protected abstract Task HandleMessageAsync(EventMessage eventMessage);
+}
diff --git a/src/Core/AdminConsole/Services/Implementations/RabbitMqEventRepositoryListener.cs b/src/Core/AdminConsole/Services/Implementations/RabbitMqEventRepositoryListener.cs
new file mode 100644
index 0000000000..25d85bddeb
--- /dev/null
+++ b/src/Core/AdminConsole/Services/Implementations/RabbitMqEventRepositoryListener.cs
@@ -0,0 +1,29 @@
+using Bit.Core.Models.Data;
+using Bit.Core.Settings;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+
+namespace Bit.Core.Services;
+
+public class RabbitMqEventRepositoryListener : RabbitMqEventListenerBase
+{
+    private readonly IEventWriteService _eventWriteService;
+    private readonly string _queueName;
+
+    protected override string QueueName => _queueName;
+
+    public RabbitMqEventRepositoryListener(
+        [FromKeyedServices("persistent")] IEventWriteService eventWriteService,
+        ILogger<RabbitMqEventListenerBase> logger,
+        GlobalSettings globalSettings)
+        : base(logger, globalSettings)
+    {
+        _eventWriteService = eventWriteService;
+        _queueName = globalSettings.EventLogging.RabbitMq.EventRepositoryQueueName;
+    }
+
+    protected override Task HandleMessageAsync(EventMessage eventMessage)
+    {
+        return _eventWriteService.CreateAsync(eventMessage);
+    }
+}
diff --git a/src/Core/AdminConsole/Services/Implementations/RabbitMqEventWriteService.cs b/src/Core/AdminConsole/Services/Implementations/RabbitMqEventWriteService.cs
new file mode 100644
index 0000000000..d89cf890ac
--- /dev/null
+++ b/src/Core/AdminConsole/Services/Implementations/RabbitMqEventWriteService.cs
@@ -0,0 +1,65 @@
+using System.Text.Json;
+using Bit.Core.Models.Data;
+using Bit.Core.Settings;
+using RabbitMQ.Client;
+
+namespace Bit.Core.Services;
+public class RabbitMqEventWriteService : IEventWriteService, IAsyncDisposable
+{
+    private readonly ConnectionFactory _factory;
+    private readonly Lazy<Task<IConnection>> _lazyConnection;
+    private readonly string _exchangeName;
+
+    public RabbitMqEventWriteService(GlobalSettings globalSettings)
+    {
+        _factory = new ConnectionFactory
+        {
+            HostName = globalSettings.EventLogging.RabbitMq.HostName,
+            UserName = globalSettings.EventLogging.RabbitMq.Username,
+            Password = globalSettings.EventLogging.RabbitMq.Password
+        };
+        _exchangeName = globalSettings.EventLogging.RabbitMq.ExchangeName;
+
+        _lazyConnection = new Lazy<Task<IConnection>>(CreateConnectionAsync);
+    }
+
+    public async Task CreateAsync(IEvent e)
+    {
+        var connection = await _lazyConnection.Value;
+        using var channel = await connection.CreateChannelAsync();
+
+        await channel.ExchangeDeclareAsync(exchange: _exchangeName, type: ExchangeType.Fanout, durable: true);
+
+        var body = JsonSerializer.SerializeToUtf8Bytes(e);
+
+        await channel.BasicPublishAsync(exchange: _exchangeName, routingKey: string.Empty, body: body);
+    }
+
+    public async Task CreateManyAsync(IEnumerable<IEvent> events)
+    {
+        var connection = await _lazyConnection.Value;
+        using var channel = await connection.CreateChannelAsync();
+        await channel.ExchangeDeclareAsync(exchange: _exchangeName, type: ExchangeType.Fanout, durable: true);
+
+        foreach (var e in events)
+        {
+            var body = JsonSerializer.SerializeToUtf8Bytes(e);
+
+            await channel.BasicPublishAsync(exchange: _exchangeName, routingKey: string.Empty, body: body);
+        }
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        if (_lazyConnection.IsValueCreated)
+        {
+            var connection = await _lazyConnection.Value;
+            await connection.DisposeAsync();
+        }
+    }
+
+    private async Task<IConnection> CreateConnectionAsync()
+    {
+        return await _factory.CreateConnectionAsync();
+    }
+}
diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index 7a5f7e2543..210a33f3f7 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -40,7 +40,7 @@
     <PackageReference Include="DnsClient" Version="1.8.0" />
     <PackageReference Include="Fido2.AspNet" Version="3.0.1" />
     <PackageReference Include="Handlebars.Net" Version="2.1.6" />
-    <PackageReference Include="MailKit" Version="4.9.0" />    
+    <PackageReference Include="MailKit" Version="4.9.0" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.10" />
     <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.46.1" />
     <PackageReference Include="Microsoft.Azure.NotificationHubs" Version="4.2.0" />
@@ -70,12 +70,13 @@
     <PackageReference Include="Quartz" Version="3.13.1" />
     <PackageReference Include="Quartz.Extensions.Hosting" Version="3.13.1" />
     <PackageReference Include="Quartz.Extensions.DependencyInjection" Version="3.13.1" />
+    <PackageReference Include="RabbitMQ.Client" Version="7.0.0" />
   </ItemGroup>
 
   <ItemGroup>
     <Protobuf Include="Billing\Pricing\Protos\password-manager.proto" GrpcServices="Client" />
   </ItemGroup>
-  
+
   <ItemGroup>
     <Folder Include="Resources\" />
     <Folder Include="Properties\" />
diff --git a/src/Core/Settings/GlobalSettings.cs b/src/Core/Settings/GlobalSettings.cs
index 97d66aed53..718293891b 100644
--- a/src/Core/Settings/GlobalSettings.cs
+++ b/src/Core/Settings/GlobalSettings.cs
@@ -53,6 +53,7 @@ public class GlobalSettings : IGlobalSettings
     public virtual SqlSettings PostgreSql { get; set; } = new SqlSettings();
     public virtual SqlSettings MySql { get; set; } = new SqlSettings();
     public virtual SqlSettings Sqlite { get; set; } = new SqlSettings() { ConnectionString = "Data Source=:memory:" };
+    public virtual EventLoggingSettings EventLogging { get; set; } = new EventLoggingSettings();
     public virtual MailSettings Mail { get; set; } = new MailSettings();
     public virtual IConnectionStringSettings Storage { get; set; } = new ConnectionStringSettings();
     public virtual ConnectionStringSettings Events { get; set; } = new ConnectionStringSettings();
@@ -256,6 +257,44 @@ public class GlobalSettings : IGlobalSettings
         }
     }
 
+    public class EventLoggingSettings
+    {
+        public RabbitMqSettings RabbitMq { get; set; }
+
+        public class RabbitMqSettings
+        {
+            private string _hostName;
+            private string _username;
+            private string _password;
+            private string _exchangeName;
+
+            public virtual string EventRepositoryQueueName { get; set; } = "events-write-queue";
+            public virtual string HttpPostQueueName { get; set; } = "events-httpPost-queue";
+            public virtual string HttpPostUrl { get; set; }
+
+            public string HostName
+            {
+                get => _hostName;
+                set => _hostName = value.Trim('"');
+            }
+            public string Username
+            {
+                get => _username;
+                set => _username = value.Trim('"');
+            }
+            public string Password
+            {
+                get => _password;
+                set => _password = value.Trim('"');
+            }
+            public string ExchangeName
+            {
+                get => _exchangeName;
+                set => _exchangeName = value.Trim('"');
+            }
+        }
+    }
+
     public class ConnectionStringSettings : IConnectionStringSettings
     {
         private string _connectionString;
diff --git a/src/Events/Startup.cs b/src/Events/Startup.cs
index bac39c68dd..03e99f14e8 100644
--- a/src/Events/Startup.cs
+++ b/src/Events/Startup.cs
@@ -82,6 +82,22 @@ public class Startup
         {
             services.AddHostedService<Core.HostedServices.ApplicationCacheHostedService>();
         }
+
+        // Optional RabbitMQ Listeners
+        if (CoreHelpers.SettingHasValue(globalSettings.EventLogging.RabbitMq.HostName) &&
+            CoreHelpers.SettingHasValue(globalSettings.EventLogging.RabbitMq.Username) &&
+            CoreHelpers.SettingHasValue(globalSettings.EventLogging.RabbitMq.Password) &&
+            CoreHelpers.SettingHasValue(globalSettings.EventLogging.RabbitMq.ExchangeName))
+        {
+            services.AddKeyedSingleton<IEventWriteService, RepositoryEventWriteService>("persistent");
+            services.AddHostedService<RabbitMqEventRepositoryListener>();
+
+            if (CoreHelpers.SettingHasValue(globalSettings.EventLogging.RabbitMq.HttpPostUrl))
+            {
+                services.AddHttpClient(RabbitMqEventHttpPostListener.HttpClientName);
+                services.AddHostedService<RabbitMqEventHttpPostListener>();
+            }
+        }
     }
 
     public void Configure(
diff --git a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
index e1369d5366..622b3d7f39 100644
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@@ -325,7 +325,17 @@ public static class ServiceCollectionExtensions
         }
         else if (globalSettings.SelfHosted)
         {
-            services.AddSingleton<IEventWriteService, RepositoryEventWriteService>();
+            if (CoreHelpers.SettingHasValue(globalSettings.EventLogging.RabbitMq.HostName) &&
+                CoreHelpers.SettingHasValue(globalSettings.EventLogging.RabbitMq.Username) &&
+                CoreHelpers.SettingHasValue(globalSettings.EventLogging.RabbitMq.Password) &&
+                CoreHelpers.SettingHasValue(globalSettings.EventLogging.RabbitMq.ExchangeName))
+            {
+                services.AddSingleton<IEventWriteService, RabbitMqEventWriteService>();
+            }
+            else
+            {
+                services.AddSingleton<IEventWriteService, RepositoryEventWriteService>();
+            }
         }
         else
         {

From ab0cab2072d7c925752ee7aa63125cbe2f10ed22 Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Thu, 30 Jan 2025 13:59:58 -0500
Subject: [PATCH 221/384] Fix Events Startup (#5352)

---
 src/Core/Settings/GlobalSettings.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Core/Settings/GlobalSettings.cs b/src/Core/Settings/GlobalSettings.cs
index 718293891b..d039102eb9 100644
--- a/src/Core/Settings/GlobalSettings.cs
+++ b/src/Core/Settings/GlobalSettings.cs
@@ -259,7 +259,7 @@ public class GlobalSettings : IGlobalSettings
 
     public class EventLoggingSettings
     {
-        public RabbitMqSettings RabbitMq { get; set; }
+        public RabbitMqSettings RabbitMq { get; set; } = new RabbitMqSettings();
 
         public class RabbitMqSettings
         {

From 148a6311783b2db87eab6781327570d26eec6e5e Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 31 Jan 2025 15:59:39 +0100
Subject: [PATCH 222/384] [deps]: Update github/codeql-action action to v3.28.8
 (#5292)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 .github/workflows/build.yml | 2 +-
 .github/workflows/scan.yml  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7d64612aba..3b96eeb468 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -314,7 +314,7 @@ jobs:
           output-format: sarif
 
       - name: Upload Grype results to GitHub
-        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
         with:
           sarif_file: ${{ steps.container-scan.outputs.sarif }}
 
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 156ebee165..ec2eb7789a 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -46,7 +46,7 @@ jobs:
             --output-path . ${{ env.INCREMENTAL }}
 
       - name: Upload Checkmarx results to GitHub
-        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
         with:
           sarif_file: cx_result.sarif
 

From d239170c1ca3996703c59ea3a46cf6315b925a53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Fri, 31 Jan 2025 15:01:26 +0000
Subject: [PATCH 223/384] [PM-17697] Save Organization Name changes in
 Bitwarden Portal (#5337)

* Add Org_Name_Edit permission to the Permissions enum

* Add Org_Name_Edit permission to RolePermissionMapping

* Implement Org_Name_Edit permission check in UpdateOrganization method

* Add Org_Name_Edit permission check to Organization form input
---
 .../AdminConsole/Controllers/OrganizationsController.cs      | 5 +++++
 src/Admin/AdminConsole/Views/Shared/_OrganizationForm.cshtml | 3 ++-
 src/Admin/Enums/Permissions.cs                               | 1 +
 src/Admin/Utilities/RolePermissionMapping.cs                 | 5 +++++
 4 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/Admin/AdminConsole/Controllers/OrganizationsController.cs b/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
index 3fdef169b4..60a5a39612 100644
--- a/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
+++ b/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
@@ -421,6 +421,11 @@ public class OrganizationsController : Controller
 
     private void UpdateOrganization(Organization organization, OrganizationEditModel model)
     {
+        if (_accessControlService.UserHasPermission(Permission.Org_Name_Edit))
+        {
+            organization.Name = WebUtility.HtmlEncode(model.Name);
+        }
+
         if (_accessControlService.UserHasPermission(Permission.Org_CheckEnabledBox))
         {
             organization.Enabled = model.Enabled;
diff --git a/src/Admin/AdminConsole/Views/Shared/_OrganizationForm.cshtml b/src/Admin/AdminConsole/Views/Shared/_OrganizationForm.cshtml
index cdc7608675..aeff65c900 100644
--- a/src/Admin/AdminConsole/Views/Shared/_OrganizationForm.cshtml
+++ b/src/Admin/AdminConsole/Views/Shared/_OrganizationForm.cshtml
@@ -12,6 +12,7 @@
     var canViewBilling = AccessControlService.UserHasPermission(Permission.Org_Billing_View);
     var canViewPlan = AccessControlService.UserHasPermission(Permission.Org_Plan_View);
     var canViewLicensing = AccessControlService.UserHasPermission(Permission.Org_Licensing_View);
+    var canEditName = AccessControlService.UserHasPermission(Permission.Org_Name_Edit);
     var canCheckEnabled = AccessControlService.UserHasPermission(Permission.Org_CheckEnabledBox);
     var canEditPlan = AccessControlService.UserHasPermission(Permission.Org_Plan_Edit);
     var canEditLicensing = AccessControlService.UserHasPermission(Permission.Org_Licensing_Edit);
@@ -28,7 +29,7 @@
             <div class="col-sm">
                 <div class="mb-3">
                     <label class="form-label" asp-for="Name"></label>
-                    <input type="text" class="form-control" asp-for="Name" value="@Model.Name" required>
+                    <input type="text" class="form-control" asp-for="Name" value="@Model.Name" required disabled="@(canEditName ? null : "disabled")">
                 </div>
             </div>
         </div>
diff --git a/src/Admin/Enums/Permissions.cs b/src/Admin/Enums/Permissions.cs
index 20c500c061..4edcd742b4 100644
--- a/src/Admin/Enums/Permissions.cs
+++ b/src/Admin/Enums/Permissions.cs
@@ -22,6 +22,7 @@ public enum Permission
     Org_List_View,
     Org_OrgInformation_View,
     Org_GeneralDetails_View,
+    Org_Name_Edit,
     Org_CheckEnabledBox,
     Org_BusinessInformation_View,
     Org_InitiateTrial,
diff --git a/src/Admin/Utilities/RolePermissionMapping.cs b/src/Admin/Utilities/RolePermissionMapping.cs
index 4b5a4e3802..3b510781be 100644
--- a/src/Admin/Utilities/RolePermissionMapping.cs
+++ b/src/Admin/Utilities/RolePermissionMapping.cs
@@ -24,6 +24,7 @@ public static class RolePermissionMapping
                 Permission.User_Billing_Edit,
                 Permission.User_Billing_LaunchGateway,
                 Permission.User_NewDeviceException_Edit,
+                Permission.Org_Name_Edit,
                 Permission.Org_CheckEnabledBox,
                 Permission.Org_List_View,
                 Permission.Org_OrgInformation_View,
@@ -71,6 +72,7 @@ public static class RolePermissionMapping
                 Permission.User_Billing_Edit,
                 Permission.User_Billing_LaunchGateway,
                 Permission.User_NewDeviceException_Edit,
+                Permission.Org_Name_Edit,
                 Permission.Org_CheckEnabledBox,
                 Permission.Org_List_View,
                 Permission.Org_OrgInformation_View,
@@ -116,6 +118,7 @@ public static class RolePermissionMapping
                 Permission.User_Billing_View,
                 Permission.User_Billing_LaunchGateway,
                 Permission.User_NewDeviceException_Edit,
+                Permission.Org_Name_Edit,
                 Permission.Org_CheckEnabledBox,
                 Permission.Org_List_View,
                 Permission.Org_OrgInformation_View,
@@ -148,6 +151,7 @@ public static class RolePermissionMapping
                 Permission.User_Billing_View,
                 Permission.User_Billing_Edit,
                 Permission.User_Billing_LaunchGateway,
+                Permission.Org_Name_Edit,
                 Permission.Org_CheckEnabledBox,
                 Permission.Org_List_View,
                 Permission.Org_OrgInformation_View,
@@ -185,6 +189,7 @@ public static class RolePermissionMapping
                 Permission.User_Premium_View,
                 Permission.User_Licensing_View,
                 Permission.User_Licensing_Edit,
+                Permission.Org_Name_Edit,
                 Permission.Org_CheckEnabledBox,
                 Permission.Org_List_View,
                 Permission.Org_OrgInformation_View,

From e43a8011f10d94d9ca3271fe2a21e703ce6023d1 Mon Sep 17 00:00:00 2001
From: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Date: Fri, 31 Jan 2025 10:46:09 -0500
Subject: [PATCH 224/384] [PM-17709] Send New Device Login email for all new
 devices (#5340)

* Send New Device Login email regardless of New Device Verification

* Adjusted tests

* Linting

* Clarified test names.
---
 .../RequestValidators/DeviceValidator.cs      | 34 ++++++++++---------
 .../IdentityServer/DeviceValidatorTests.cs    | 12 ++-----
 2 files changed, 21 insertions(+), 25 deletions(-)

diff --git a/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs b/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
index 1b148c5974..fee10e10ff 100644
--- a/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
@@ -85,28 +85,17 @@ public class DeviceValidator(
             }
         }
 
-        // At this point we have established either new device verification is not required or the NewDeviceOtp is valid
+        // At this point we have established either new device verification is not required or the NewDeviceOtp is valid,
+        // so we save the device to the database and proceed with authentication
         requestDevice.UserId = context.User.Id;
         await _deviceService.SaveAsync(requestDevice);
         context.Device = requestDevice;
 
-        // backwards compatibility -- If NewDeviceVerification not enabled send the new login emails
-        // PM-13340: removal Task; remove entire if block emails should no longer be sent
-        if (!_featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification))
+        if (!_globalSettings.DisableEmailNewDevice)
         {
-            // This ensures the user doesn't receive a "new device" email on the first login
-            var now = DateTime.UtcNow;
-            if (now - context.User.CreationDate > TimeSpan.FromMinutes(10))
-            {
-                var deviceType = requestDevice.Type.GetType().GetMember(requestDevice.Type.ToString())
-                    .FirstOrDefault()?.GetCustomAttribute<DisplayAttribute>()?.GetName();
-                if (!_globalSettings.DisableEmailNewDevice)
-                {
-                    await _mailService.SendNewDeviceLoggedInEmail(context.User.Email, deviceType, now,
-                        _currentContext.IpAddress);
-                }
-            }
+            await SendNewDeviceLoginEmail(context.User, requestDevice);
         }
+
         return true;
     }
 
@@ -174,6 +163,19 @@ public class DeviceValidator(
         return DeviceValidationResultType.NewDeviceVerificationRequired;
     }
 
+    private async Task SendNewDeviceLoginEmail(User user, Device requestDevice)
+    {
+        // Ensure that the user doesn't receive a "new device" email on the first login
+        var now = DateTime.UtcNow;
+        if (now - user.CreationDate > TimeSpan.FromMinutes(10))
+        {
+            var deviceType = requestDevice.Type.GetType().GetMember(requestDevice.Type.ToString())
+                .FirstOrDefault()?.GetCustomAttribute<DisplayAttribute>()?.GetName();
+            await _mailService.SendNewDeviceLoggedInEmail(user.Email, deviceType, now,
+                _currentContext.IpAddress);
+        }
+    }
+
     public async Task<Device> GetKnownDeviceAsync(User user, Device device)
     {
         if (user == null || device == null)
diff --git a/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs b/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
index fa3a117c55..6e6406f16b 100644
--- a/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
+++ b/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
@@ -227,7 +227,7 @@ public class DeviceValidatorTests
     }
 
     [Theory, BitAutoData]
-    public async void ValidateRequestDeviceAsync_NewDeviceVerificationFeatureFlagFalse_SendsEmail_ReturnsTrue(
+    public async void ValidateRequestDeviceAsync_ExistingUserNewDeviceLogin_SendNewDeviceLoginEmail_ReturnsTrue(
         CustomValidatorRequestContext context,
         [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
     {
@@ -237,8 +237,6 @@ public class DeviceValidatorTests
         _globalSettings.DisableEmailNewDevice = false;
         _deviceRepository.GetByIdentifierAsync(context.Device.Identifier, context.User.Id)
             .Returns(null as Device);
-        _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification)
-            .Returns(false);
         // set user creation to more than 10 minutes ago
         context.User.CreationDate = DateTime.UtcNow - TimeSpan.FromMinutes(11);
 
@@ -253,7 +251,7 @@ public class DeviceValidatorTests
     }
 
     [Theory, BitAutoData]
-    public async void ValidateRequestDeviceAsync_NewDeviceVerificationFeatureFlagFalse_NewUser_DoesNotSendEmail_ReturnsTrue(
+    public async void ValidateRequestDeviceAsync_NewUserNewDeviceLogin_DoesNotSendNewDeviceLoginEmail_ReturnsTrue(
     CustomValidatorRequestContext context,
     [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
     {
@@ -263,8 +261,6 @@ public class DeviceValidatorTests
         _globalSettings.DisableEmailNewDevice = false;
         _deviceRepository.GetByIdentifierAsync(context.Device.Identifier, context.User.Id)
             .Returns(null as Device);
-        _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification)
-            .Returns(false);
         // set user creation to less than 10 minutes ago
         context.User.CreationDate = DateTime.UtcNow - TimeSpan.FromMinutes(9);
 
@@ -279,7 +275,7 @@ public class DeviceValidatorTests
     }
 
     [Theory, BitAutoData]
-    public async void ValidateRequestDeviceAsync_NewDeviceVerificationFeatureFlagFalse_DisableEmailTrue_DoesNotSendEmail_ReturnsTrue(
+    public async void ValidateRequestDeviceAsynce_DisableNewDeviceLoginEmailTrue_DoesNotSendNewDeviceEmail_ReturnsTrue(
         CustomValidatorRequestContext context,
         [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
     {
@@ -289,8 +285,6 @@ public class DeviceValidatorTests
         _globalSettings.DisableEmailNewDevice = true;
         _deviceRepository.GetByIdentifierAsync(context.Device.Identifier, context.User.Id)
             .Returns(null as Device);
-        _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification)
-            .Returns(false);
 
         // Act
         var result = await _sut.ValidateRequestDeviceAsync(request, context);

From bd394eabe9c887e43893a961e191e6c0e11e1d08 Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Fri, 31 Jan 2025 10:50:14 -0500
Subject: [PATCH 225/384] [pm-16528] Fix entity framework query (#5333)

---
 .../OrganizationDomainRepository.cs           |  28 ++---
 .../OrganizationDomainRepositoryTests.cs      | 118 ++++++++++++++++++
 2 files changed, 127 insertions(+), 19 deletions(-)

diff --git a/src/Infrastructure.EntityFramework/Repositories/OrganizationDomainRepository.cs b/src/Infrastructure.EntityFramework/Repositories/OrganizationDomainRepository.cs
index e339c13351..50d791b81b 100644
--- a/src/Infrastructure.EntityFramework/Repositories/OrganizationDomainRepository.cs
+++ b/src/Infrastructure.EntityFramework/Repositories/OrganizationDomainRepository.cs
@@ -46,27 +46,17 @@ public class OrganizationDomainRepository : Repository<Core.Entities.Organizatio
         using var scope = ServiceScopeFactory.CreateScope();
         var dbContext = GetDatabaseContext(scope);
 
-        var domains = await dbContext.OrganizationDomains
-            .Where(x => x.VerifiedDate == null
-                        && x.JobRunCount != 3
-                        && x.NextRunDate.Year == date.Year
-                        && x.NextRunDate.Month == date.Month
-                        && x.NextRunDate.Day == date.Day
-                        && x.NextRunDate.Hour == date.Hour)
-            .AsNoTracking()
+        var start36HoursWindow = date.AddHours(-36);
+        var end36HoursWindow = date;
+
+        var pastDomains = await dbContext.OrganizationDomains
+            .Where(x => x.NextRunDate >= start36HoursWindow
+                       && x.NextRunDate <= end36HoursWindow
+                       && x.VerifiedDate == null
+                       && x.JobRunCount != 3)
             .ToListAsync();
 
-        //Get records that have ignored/failed by the background service
-        var pastDomains = dbContext.OrganizationDomains
-            .AsEnumerable()
-            .Where(x => (date - x.NextRunDate).TotalHours > 36
-                        && x.VerifiedDate == null
-                        && x.JobRunCount != 3)
-            .ToList();
-
-        var results = domains.Union(pastDomains);
-
-        return Mapper.Map<List<Core.Entities.OrganizationDomain>>(results);
+        return Mapper.Map<List<Core.Entities.OrganizationDomain>>(pastDomains);
     }
 
     public async Task<OrganizationDomainSsoDetailsData?> GetOrganizationDomainSsoDetailsAsync(string email)
diff --git a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationDomainRepositoryTests.cs b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationDomainRepositoryTests.cs
index 8e0b502a47..ad92f40efc 100644
--- a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationDomainRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationDomainRepositoryTests.cs
@@ -188,4 +188,122 @@ public class OrganizationDomainRepositoryTests
         var expectedDomain2 = domains.FirstOrDefault(domain => domain.DomainName == organizationDomain2.DomainName);
         Assert.Null(expectedDomain2);
     }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetManyByNextRunDateAsync_ShouldReturnUnverifiedDomains(
+     IOrganizationRepository organizationRepository,
+     IOrganizationDomainRepository organizationDomainRepository)
+    {
+        // Arrange
+        var id = Guid.NewGuid();
+
+        var organization1 = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = $"Test Org {id}",
+            BillingEmail = $"test+{id}@example.com",
+            Plan = "Test",
+            PrivateKey = "privatekey",
+
+        });
+
+        var organizationDomain = new OrganizationDomain
+        {
+            OrganizationId = organization1.Id,
+            DomainName = $"domain2+{id}@example.com",
+            Txt = "btw+12345"
+        };
+
+        var within36HoursWindow = 1;
+        organizationDomain.SetNextRunDate(within36HoursWindow);
+
+        await organizationDomainRepository.CreateAsync(organizationDomain);
+
+        var date = organizationDomain.NextRunDate;
+
+        // Act
+        var domains = await organizationDomainRepository.GetManyByNextRunDateAsync(date);
+
+        // Assert
+        var expectedDomain = domains.FirstOrDefault(domain => domain.DomainName == organizationDomain.DomainName);
+        Assert.NotNull(expectedDomain);
+    }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetManyByNextRunDateAsync_ShouldNotReturnUnverifiedDomains_WhenNextRunDateIsOutside36hoursWindow(
+        IOrganizationRepository organizationRepository,
+        IOrganizationDomainRepository organizationDomainRepository)
+    {
+        // Arrange
+        var id = Guid.NewGuid();
+
+        var organization1 = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = $"Test Org {id}",
+            BillingEmail = $"test+{id}@example.com",
+            Plan = "Test",
+            PrivateKey = "privatekey",
+
+        });
+
+        var organizationDomain = new OrganizationDomain
+        {
+            OrganizationId = organization1.Id,
+            DomainName = $"domain2+{id}@example.com",
+            Txt = "btw+12345"
+        };
+
+        var outside36HoursWindow = 20;
+        organizationDomain.SetNextRunDate(outside36HoursWindow);
+
+        await organizationDomainRepository.CreateAsync(organizationDomain);
+
+        var date = DateTimeOffset.UtcNow.Date.AddDays(1);
+
+        // Act
+        var domains = await organizationDomainRepository.GetManyByNextRunDateAsync(date);
+
+        // Assert
+        var expectedDomain = domains.FirstOrDefault(domain => domain.DomainName == organizationDomain.DomainName);
+        Assert.Null(expectedDomain);
+    }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetManyByNextRunDateAsync_ShouldNotReturnVerifiedDomains(
+        IOrganizationRepository organizationRepository,
+        IOrganizationDomainRepository organizationDomainRepository)
+    {
+        // Arrange
+        var id = Guid.NewGuid();
+
+        var organization1 = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = $"Test Org {id}",
+            BillingEmail = $"test+{id}@example.com",
+            Plan = "Test",
+            PrivateKey = "privatekey",
+
+        });
+
+        var organizationDomain = new OrganizationDomain
+        {
+            OrganizationId = organization1.Id,
+            DomainName = $"domain2+{id}@example.com",
+            Txt = "btw+12345"
+        };
+
+        var within36HoursWindow = 1;
+        organizationDomain.SetNextRunDate(within36HoursWindow);
+        organizationDomain.SetVerifiedDate();
+
+        await organizationDomainRepository.CreateAsync(organizationDomain);
+
+        var date = DateTimeOffset.UtcNow.Date.AddDays(1);
+
+        // Act
+        var domains = await organizationDomainRepository.GetManyByNextRunDateAsync(date);
+
+        // Assert
+        var expectedDomain = domains.FirstOrDefault(domain => domain.DomainName == organizationDomain.DomainName);
+        Assert.Null(expectedDomain);
+    }
 }

From 408ddd938893448cfce270ef0754168d4d65e037 Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Fri, 31 Jan 2025 11:08:07 -0500
Subject: [PATCH 226/384] Scaffold Events Integration Tests (#5355)

* Scaffold Events Integration Tests

* Format
---
 bitwarden-server.sln                          |  7 ++
 .../Controllers/CollectControllerTests.cs     | 29 ++++++++
 .../Events.IntegrationTest.csproj             | 29 ++++++++
 .../EventsApplicationFactory.cs               | 57 +++++++++++++++
 test/Events.IntegrationTest/GlobalUsings.cs   |  1 +
 .../Factories/WebApplicationFactoryBase.cs    | 72 ++++++++++---------
 6 files changed, 163 insertions(+), 32 deletions(-)
 create mode 100644 test/Events.IntegrationTest/Controllers/CollectControllerTests.cs
 create mode 100644 test/Events.IntegrationTest/Events.IntegrationTest.csproj
 create mode 100644 test/Events.IntegrationTest/EventsApplicationFactory.cs
 create mode 100644 test/Events.IntegrationTest/GlobalUsings.cs

diff --git a/bitwarden-server.sln b/bitwarden-server.sln
index 75e7d7fade..e9aff53f8e 100644
--- a/bitwarden-server.sln
+++ b/bitwarden-server.sln
@@ -125,6 +125,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Notifications.Test", "test\
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Infrastructure.Dapper.Test", "test\Infrastructure.Dapper.Test\Infrastructure.Dapper.Test.csproj", "{4A725DB3-BE4F-4C23-9087-82D0610D67AF}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Events.IntegrationTest", "test\Events.IntegrationTest\Events.IntegrationTest.csproj", "{4F4C63A9-AEE2-48C4-AB86-A5BCD665E401}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -313,6 +315,10 @@ Global
 		{4A725DB3-BE4F-4C23-9087-82D0610D67AF}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{4A725DB3-BE4F-4C23-9087-82D0610D67AF}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{4A725DB3-BE4F-4C23-9087-82D0610D67AF}.Release|Any CPU.Build.0 = Release|Any CPU
+		{4F4C63A9-AEE2-48C4-AB86-A5BCD665E401}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{4F4C63A9-AEE2-48C4-AB86-A5BCD665E401}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{4F4C63A9-AEE2-48C4-AB86-A5BCD665E401}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{4F4C63A9-AEE2-48C4-AB86-A5BCD665E401}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -363,6 +369,7 @@ Global
 		{81673EFB-7134-4B4B-A32F-1EA05F0EF3CE} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84F}
 		{90D85D8F-5577-4570-A96E-5A2E185F0F6F} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84F}
 		{4A725DB3-BE4F-4C23-9087-82D0610D67AF} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84F}
+		{4F4C63A9-AEE2-48C4-AB86-A5BCD665E401} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84F}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {E01CBF68-2E20-425F-9EDB-E0A6510CA92F}
diff --git a/test/Events.IntegrationTest/Controllers/CollectControllerTests.cs b/test/Events.IntegrationTest/Controllers/CollectControllerTests.cs
new file mode 100644
index 0000000000..7f86758144
--- /dev/null
+++ b/test/Events.IntegrationTest/Controllers/CollectControllerTests.cs
@@ -0,0 +1,29 @@
+using System.Net.Http.Json;
+using Bit.Core.Enums;
+using Bit.Events.Models;
+
+namespace Bit.Events.IntegrationTest.Controllers;
+
+public class CollectControllerTests
+{
+    // This is a very simple test, and should be updated to assert more things, but for now
+    // it ensures that the events startup doesn't throw any errors with fairly basic configuration.
+    [Fact]
+    public async Task Post_Works()
+    {
+        var eventsApplicationFactory = new EventsApplicationFactory();
+        var (accessToken, _) = await eventsApplicationFactory.LoginWithNewAccount();
+        var client = eventsApplicationFactory.CreateAuthedClient(accessToken);
+
+        var response = await client.PostAsJsonAsync<IEnumerable<EventModel>>("collect",
+        [
+            new EventModel
+            {
+                Type = EventType.User_ClientExportedVault,
+                Date = DateTime.UtcNow,
+            },
+        ]);
+
+        response.EnsureSuccessStatusCode();
+    }
+}
diff --git a/test/Events.IntegrationTest/Events.IntegrationTest.csproj b/test/Events.IntegrationTest/Events.IntegrationTest.csproj
new file mode 100644
index 0000000000..0b51185298
--- /dev/null
+++ b/test/Events.IntegrationTest/Events.IntegrationTest.csproj
@@ -0,0 +1,29 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <IsPackable>false</IsPackable>
+    <IsTestProject>true</IsTestProject>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNetTestSdkVersion)" />
+    <PackageReference Include="xunit" Version="$(XUnitVersion)" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="$(XUnitRunnerVisualStudioVersion)">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
+    <PackageReference Include="coverlet.collector" Version="$(CoverletCollectorVersion)">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\src\Events\Events.csproj" />
+    <ProjectReference Include="..\IntegrationTestCommon\IntegrationTestCommon.csproj" />
+  </ItemGroup>
+
+</Project>
diff --git a/test/Events.IntegrationTest/EventsApplicationFactory.cs b/test/Events.IntegrationTest/EventsApplicationFactory.cs
new file mode 100644
index 0000000000..3faf5e81bf
--- /dev/null
+++ b/test/Events.IntegrationTest/EventsApplicationFactory.cs
@@ -0,0 +1,57 @@
+using Bit.Identity.Models.Request.Accounts;
+using Bit.IntegrationTestCommon.Factories;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.TestHost;
+using Microsoft.Data.Sqlite;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Events.IntegrationTest;
+
+public class EventsApplicationFactory : WebApplicationFactoryBase<Startup>
+{
+    private readonly IdentityApplicationFactory _identityApplicationFactory;
+    private const string _connectionString = "DataSource=:memory:";
+
+    public EventsApplicationFactory()
+    {
+        SqliteConnection = new SqliteConnection(_connectionString);
+        SqliteConnection.Open();
+
+        _identityApplicationFactory = new IdentityApplicationFactory();
+        _identityApplicationFactory.SqliteConnection = SqliteConnection;
+    }
+
+    protected override void ConfigureWebHost(IWebHostBuilder builder)
+    {
+        base.ConfigureWebHost(builder);
+
+        builder.ConfigureTestServices(services =>
+        {
+            services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
+            {
+                options.BackchannelHttpHandler = _identityApplicationFactory.Server.CreateHandler();
+            });
+        });
+    }
+
+    /// <summary>
+    /// Helper for registering and logging in to a new account
+    /// </summary>
+    public async Task<(string Token, string RefreshToken)> LoginWithNewAccount(string email = "integration-test@bitwarden.com", string masterPasswordHash = "master_password_hash")
+    {
+        await _identityApplicationFactory.RegisterAsync(new RegisterRequestModel
+        {
+            Email = email,
+            MasterPasswordHash = masterPasswordHash,
+        });
+
+        return await _identityApplicationFactory.TokenFromPasswordAsync(email, masterPasswordHash);
+    }
+
+    protected override void Dispose(bool disposing)
+    {
+        base.Dispose(disposing);
+        SqliteConnection!.Dispose();
+    }
+}
diff --git a/test/Events.IntegrationTest/GlobalUsings.cs b/test/Events.IntegrationTest/GlobalUsings.cs
new file mode 100644
index 0000000000..9df1d42179
--- /dev/null
+++ b/test/Events.IntegrationTest/GlobalUsings.cs
@@ -0,0 +1 @@
+global using Xunit;
diff --git a/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs b/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs
index d01e92ad4c..7c7f790cdc 100644
--- a/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs
+++ b/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs
@@ -14,6 +14,7 @@ using Microsoft.Data.Sqlite;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Logging.Abstractions;
 using NSubstitute;
@@ -188,44 +189,27 @@ public abstract class WebApplicationFactoryBase<T> : WebApplicationFactory<T>
             // QUESTION: The normal licensing service should run fine on developer machines but not in CI
             // should we have a fork here to leave the normal service for developers?
             // TODO: Eventually add the license file to CI
-            var licensingService = services.First(sd => sd.ServiceType == typeof(ILicensingService));
-            services.Remove(licensingService);
-            services.AddSingleton<ILicensingService, NoopLicensingService>();
+            Replace<ILicensingService, NoopLicensingService>(services);
 
             // FUTURE CONSIDERATION: Add way to run this self hosted/cloud, for now it is cloud only
-            var pushRegistrationService = services.First(sd => sd.ServiceType == typeof(IPushRegistrationService));
-            services.Remove(pushRegistrationService);
-            services.AddSingleton<IPushRegistrationService, NoopPushRegistrationService>();
+            Replace<IPushRegistrationService, NoopPushRegistrationService>(services);
 
             // Even though we are cloud we currently set this up as cloud, we can use the EF/selfhosted service
             // instead of using Noop for this service
             // TODO: Install and use azurite in CI pipeline
-            var eventWriteService = services.First(sd => sd.ServiceType == typeof(IEventWriteService));
-            services.Remove(eventWriteService);
-            services.AddSingleton<IEventWriteService, RepositoryEventWriteService>();
+            Replace<IEventWriteService, RepositoryEventWriteService>(services);
 
-            var eventRepositoryService = services.First(sd => sd.ServiceType == typeof(IEventRepository));
-            services.Remove(eventRepositoryService);
-            services.AddSingleton<IEventRepository, EventRepository>();
+            Replace<IEventRepository, EventRepository>(services);
 
-            var mailDeliveryService = services.First(sd => sd.ServiceType == typeof(IMailDeliveryService));
-            services.Remove(mailDeliveryService);
-            services.AddSingleton<IMailDeliveryService, NoopMailDeliveryService>();
+            Replace<IMailDeliveryService, NoopMailDeliveryService>(services);
 
-            var captchaValidationService = services.First(sd => sd.ServiceType == typeof(ICaptchaValidationService));
-            services.Remove(captchaValidationService);
-            services.AddSingleton<ICaptchaValidationService, NoopCaptchaValidationService>();
+            Replace<ICaptchaValidationService, NoopCaptchaValidationService>(services);
 
             // TODO: Install and use azurite in CI pipeline
-            var installationDeviceRepository =
-                services.First(sd => sd.ServiceType == typeof(IInstallationDeviceRepository));
-            services.Remove(installationDeviceRepository);
-            services.AddSingleton<IInstallationDeviceRepository, NoopRepos.InstallationDeviceRepository>();
+            Replace<IInstallationDeviceRepository, NoopRepos.InstallationDeviceRepository>(services);
 
             // TODO: Install and use azurite in CI pipeline
-            var referenceEventService = services.First(sd => sd.ServiceType == typeof(IReferenceEventService));
-            services.Remove(referenceEventService);
-            services.AddSingleton<IReferenceEventService, NoopReferenceEventService>();
+            Replace<IReferenceEventService, NoopReferenceEventService>(services);
 
             // Our Rate limiter works so well that it begins to fail tests unless we carve out
             // one whitelisted ip. We should still test the rate limiter though and they should change the Ip
@@ -245,14 +229,9 @@ public abstract class WebApplicationFactoryBase<T> : WebApplicationFactory<T>
             services.AddSingleton<ILoggerFactory, NullLoggerFactory>();
 
             // Noop StripePaymentService - this could be changed to integrate with our Stripe test account
-            var stripePaymentService = services.First(sd => sd.ServiceType == typeof(IPaymentService));
-            services.Remove(stripePaymentService);
-            services.AddSingleton(Substitute.For<IPaymentService>());
+            Replace(services, Substitute.For<IPaymentService>());
 
-            var organizationBillingService =
-                services.First(sd => sd.ServiceType == typeof(IOrganizationBillingService));
-            services.Remove(organizationBillingService);
-            services.AddSingleton(Substitute.For<IOrganizationBillingService>());
+            Replace(services, Substitute.For<IOrganizationBillingService>());
         });
 
         foreach (var configureTestService in _configureTestServices)
@@ -261,6 +240,35 @@ public abstract class WebApplicationFactoryBase<T> : WebApplicationFactory<T>
         }
     }
 
+    private static void Replace<TService, TNewImplementation>(IServiceCollection services)
+        where TService : class
+        where TNewImplementation : class, TService
+    {
+        services.RemoveAll<TService>();
+        services.AddSingleton<TService, TNewImplementation>();
+    }
+
+    private static void Replace<TService>(IServiceCollection services, TService implementation)
+        where TService : class
+    {
+        services.RemoveAll<TService>();
+        services.AddSingleton<TService>(implementation);
+    }
+
+    public HttpClient CreateAuthedClient(string accessToken)
+    {
+        var handler = Server.CreateHandler((context) =>
+        {
+            context.Request.Headers.Authorization = $"Bearer {accessToken}";
+        });
+
+        return new HttpClient(handler)
+        {
+            BaseAddress = Server.BaseAddress,
+            Timeout = TimeSpan.FromSeconds(200),
+        };
+    }
+
     public DatabaseContext GetDatabaseContext()
     {
         var scope = Services.CreateScope();

From 669c253bc62639deffd08076843873030d66e223 Mon Sep 17 00:00:00 2001
From: Vincent Salucci <26154748+vincentsalucci@users.noreply.github.com>
Date: Fri, 31 Jan 2025 12:18:10 -0600
Subject: [PATCH 227/384] chore: add limit item deletion feature flag constant,
 refs PM-17214 (#5356)

---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 6d70f0b3ce..5643ed7654 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -107,6 +107,7 @@ public static class FeatureFlagKeys
     public const string VerifiedSsoDomainEndpoint = "pm-12337-refactor-sso-details-endpoint";
     public const string IntegrationPage = "pm-14505-admin-console-integration-page";
     public const string DeviceApprovalRequestAdminNotifications = "pm-15637-device-approval-request-admin-notifications";
+    public const string LimitItemDeletion = "pm-15493-restrict-item-deletion-to-can-manage-permission";
 
     public const string ReturnErrorOnExistingKeypair = "return-error-on-existing-keypair";
     public const string UseTreeWalkerApiForPageDetailsCollection = "use-tree-walker-api-for-page-details-collection";

From 1adc5358a871885483296e2a997a147ab17fd84d Mon Sep 17 00:00:00 2001
From: Robyn MacCallum <robyntmaccallum@gmail.com>
Date: Mon, 3 Feb 2025 09:35:38 -0500
Subject: [PATCH 228/384] Create a single feature flag for the Authenticator
 sync (#5353)

* Create a single feature flag for the Authenticator sync

* Update feature flag key
---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 5643ed7654..b196306409 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -171,6 +171,7 @@ public static class FeatureFlagKeys
     public const string SingleTapPasskeyCreation = "single-tap-passkey-creation";
     public const string SingleTapPasskeyAuthentication = "single-tap-passkey-authentication";
     public const string EnableRiskInsightsNotifications = "enable-risk-insights-notifications";
+    public const string EnablePMAuthenticatorSync = "enable-pm-bwa-sync";
 
     public static List<string> GetAllKeys()
     {

From fe983aff7f43b076f9c1affeb654eaa9951d2fff Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Mon, 3 Feb 2025 12:35:46 -0500
Subject: [PATCH 229/384] [pm-17911] Refresh OrganizationView (#5360)

---
 .../2025-02-03_01_RefreshView_For_LimitItemDeletion.sql    | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 util/Migrator/DbScripts/2025-02-03_01_RefreshView_For_LimitItemDeletion.sql

diff --git a/util/Migrator/DbScripts/2025-02-03_01_RefreshView_For_LimitItemDeletion.sql b/util/Migrator/DbScripts/2025-02-03_01_RefreshView_For_LimitItemDeletion.sql
new file mode 100644
index 0000000000..98893bb030
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-02-03_01_RefreshView_For_LimitItemDeletion.sql
@@ -0,0 +1,7 @@
+-- Refresh Views
+
+IF OBJECT_ID('[dbo].[OrganizationView]') IS NOT NULL
+    BEGIN
+        EXECUTE sp_refreshview N'[dbo].[OrganizationView]';
+    END
+GO

From 060e9e60bff549b65cef12586c4fab0ec598a7fe Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Mon, 3 Feb 2025 14:55:57 -0500
Subject: [PATCH 230/384] [pm-337] Remove the continuation token from the
 ListResponseModel. (#5192)

---
 .../Public/Controllers/EventsController.cs             |  4 ++--
 src/Api/Models/Public/Response/ListResponseModel.cs    |  7 +------
 .../Models/Public/Response/PagedListResponseModel.cs   | 10 ++++++++++
 3 files changed, 13 insertions(+), 8 deletions(-)
 create mode 100644 src/Api/Models/Public/Response/PagedListResponseModel.cs

diff --git a/src/Api/AdminConsole/Public/Controllers/EventsController.cs b/src/Api/AdminConsole/Public/Controllers/EventsController.cs
index d2e198de17..992b7453aa 100644
--- a/src/Api/AdminConsole/Public/Controllers/EventsController.cs
+++ b/src/Api/AdminConsole/Public/Controllers/EventsController.cs
@@ -36,7 +36,7 @@ public class EventsController : Controller
     /// If no filters are provided, it will return the last 30 days of event for the organization.
     /// </remarks>
     [HttpGet]
-    [ProducesResponseType(typeof(ListResponseModel<EventResponseModel>), (int)HttpStatusCode.OK)]
+    [ProducesResponseType(typeof(PagedListResponseModel<EventResponseModel>), (int)HttpStatusCode.OK)]
     public async Task<IActionResult> List([FromQuery] EventFilterRequestModel request)
     {
         var dateRange = request.ToDateRange();
@@ -65,7 +65,7 @@ public class EventsController : Controller
         }
 
         var eventResponses = result.Data.Select(e => new EventResponseModel(e));
-        var response = new ListResponseModel<EventResponseModel>(eventResponses, result.ContinuationToken);
+        var response = new PagedListResponseModel<EventResponseModel>(eventResponses, result.ContinuationToken);
         return new JsonResult(response);
     }
 }
diff --git a/src/Api/Models/Public/Response/ListResponseModel.cs b/src/Api/Models/Public/Response/ListResponseModel.cs
index 0865be3e8e..a55d6f62bb 100644
--- a/src/Api/Models/Public/Response/ListResponseModel.cs
+++ b/src/Api/Models/Public/Response/ListResponseModel.cs
@@ -4,10 +4,9 @@ namespace Bit.Api.Models.Public.Response;
 
 public class ListResponseModel<T> : IResponseModel where T : IResponseModel
 {
-    public ListResponseModel(IEnumerable<T> data, string continuationToken = null)
+    public ListResponseModel(IEnumerable<T> data)
     {
         Data = data;
-        ContinuationToken = continuationToken;
     }
 
     /// <summary>
@@ -21,8 +20,4 @@ public class ListResponseModel<T> : IResponseModel where T : IResponseModel
     /// </summary>
     [Required]
     public IEnumerable<T> Data { get; set; }
-    /// <summary>
-    /// A cursor for use in pagination.
-    /// </summary>
-    public string ContinuationToken { get; set; }
 }
diff --git a/src/Api/Models/Public/Response/PagedListResponseModel.cs b/src/Api/Models/Public/Response/PagedListResponseModel.cs
new file mode 100644
index 0000000000..b0f25cb4f8
--- /dev/null
+++ b/src/Api/Models/Public/Response/PagedListResponseModel.cs
@@ -0,0 +1,10 @@
+namespace Bit.Api.Models.Public.Response;
+
+public class PagedListResponseModel<T>(IEnumerable<T> data, string continuationToken) : ListResponseModel<T>(data)
+    where T : IResponseModel
+{
+    /// <summary>
+    /// A cursor for use in pagination.
+    /// </summary>
+    public string ContinuationToken { get; set; } = continuationToken;
+}

From 90f308db34a6ce79967f3a93173bd32137125660 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 4 Feb 2025 11:09:09 +0100
Subject: [PATCH 231/384] [deps] Tools: Update aws-sdk-net monorepo (#5278)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 src/Core/Core.csproj | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index 210a33f3f7..7b319e56c9 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -21,8 +21,8 @@
 
   <ItemGroup>
     <PackageReference Include="AspNetCoreRateLimit.Redis" Version="2.0.0" />
-    <PackageReference Include="AWSSDK.SimpleEmail" Version="3.7.402.18" />
-    <PackageReference Include="AWSSDK.SQS" Version="3.7.400.75" />
+    <PackageReference Include="AWSSDK.SimpleEmail" Version="3.7.402.28" />
+    <PackageReference Include="AWSSDK.SQS" Version="3.7.400.85" />
     <PackageReference Include="Azure.Data.Tables" Version="12.9.0" />
     <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Blobs" Version="1.3.4" />
     <PackageReference Include="Google.Protobuf" Version="3.29.2" />

From f1b9bd9a099d6d542eb367597c7ef99e9842c233 Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Tue, 4 Feb 2025 09:02:18 -0500
Subject: [PATCH 232/384] [PM-15179] Implement endpoints to add existing
 organization to CB provider (#5310)

* Implement endpoints to add existing organization to provider

* Run dotnet format

* Support MOE

* Run dotnet format

* Move ProviderClientsController under AC ownership

* Move ProviderClientsControllerTests under AC ownership

* Jared's feedback
---
 .../Billing/ProviderBillingService.cs         | 179 ++++++++++++++++++
 .../Controllers/ProviderClientsController.cs  |  68 ++++++-
 .../AddExistingOrganizationRequestBody.cs     |  12 ++
 .../Repositories/IOrganizationRepository.cs   |   2 +
 src/Core/Billing/Constants/PlanConstants.cs   |  30 +++
 src/Core/Billing/Constants/StripeConstants.cs |  10 +
 .../Billing/Models/AddableOrganization.cs     |   8 +
 .../Services/IProviderBillingService.cs       |  10 +
 src/Core/Constants.cs                         |   1 +
 .../Repositories/OrganizationRepository.cs    |  16 ++
 .../Repositories/OrganizationRepository.cs    |  38 ++++
 ...nization_ReadAddableToProviderByUserId.sql |  23 +++
 .../ProviderClientsControllerTests.cs         |   5 +-
 ...nization_ReadAddableToProviderByUserId.sql |  31 +++
 14 files changed, 427 insertions(+), 6 deletions(-)
 rename src/Api/{Billing => AdminConsole}/Controllers/ProviderClientsController.cs (67%)
 create mode 100644 src/Api/Billing/Models/Requests/AddExistingOrganizationRequestBody.cs
 create mode 100644 src/Core/Billing/Constants/PlanConstants.cs
 create mode 100644 src/Core/Billing/Models/AddableOrganization.cs
 create mode 100644 src/Sql/dbo/Stored Procedures/Organization_ReadAddableToProviderByUserId.sql
 rename test/Api.Test/{Billing => AdminConsole}/Controllers/ProviderClientsControllerTests.cs (98%)
 create mode 100644 util/Migrator/DbScripts/2025-01-28_00_Add_Organization_ReadAddableToProviderByUserId.sql

diff --git a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
index 2b834947af..abba8aff90 100644
--- a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
+++ b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
@@ -1,12 +1,15 @@
 using System.Globalization;
 using Bit.Commercial.Core.Billing.Models;
+using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
+using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Entities;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Models;
 using Bit.Core.Billing.Repositories;
 using Bit.Core.Billing.Services;
 using Bit.Core.Billing.Services.Contracts;
@@ -24,6 +27,7 @@ using Stripe;
 namespace Bit.Commercial.Core.Billing;
 
 public class ProviderBillingService(
+    IEventService eventService,
     IGlobalSettings globalSettings,
     ILogger<ProviderBillingService> logger,
     IOrganizationRepository organizationRepository,
@@ -31,10 +35,93 @@ public class ProviderBillingService(
     IProviderInvoiceItemRepository providerInvoiceItemRepository,
     IProviderOrganizationRepository providerOrganizationRepository,
     IProviderPlanRepository providerPlanRepository,
+    IProviderUserRepository providerUserRepository,
     IStripeAdapter stripeAdapter,
     ISubscriberService subscriberService,
     ITaxService taxService) : IProviderBillingService
 {
+    [RequireFeature(FeatureFlagKeys.P15179_AddExistingOrgsFromProviderPortal)]
+    public async Task AddExistingOrganization(
+        Provider provider,
+        Organization organization,
+        string key)
+    {
+        await stripeAdapter.SubscriptionUpdateAsync(organization.GatewaySubscriptionId,
+            new SubscriptionUpdateOptions
+            {
+                CancelAtPeriodEnd = false
+            });
+
+        var subscription =
+            await stripeAdapter.SubscriptionCancelAsync(organization.GatewaySubscriptionId,
+                new SubscriptionCancelOptions
+                {
+                    CancellationDetails = new SubscriptionCancellationDetailsOptions
+                    {
+                        Comment = $"Organization was added to Provider with ID {provider.Id}"
+                    },
+                    InvoiceNow = true,
+                    Prorate = true,
+                    Expand = ["latest_invoice", "test_clock"]
+                });
+
+        var now = subscription.TestClock?.FrozenTime ?? DateTime.UtcNow;
+
+        var wasTrialing = subscription.TrialEnd.HasValue && subscription.TrialEnd.Value > now;
+
+        if (!wasTrialing && subscription.LatestInvoice.Status == StripeConstants.InvoiceStatus.Draft)
+        {
+            await stripeAdapter.InvoiceFinalizeInvoiceAsync(subscription.LatestInvoiceId,
+                new InvoiceFinalizeOptions { AutoAdvance = true });
+        }
+
+        var managedPlanType = await GetManagedPlanTypeAsync(provider, organization);
+
+        // TODO: Replace with PricingClient
+        var plan = StaticStore.GetPlan(managedPlanType);
+        organization.Plan = plan.Name;
+        organization.PlanType = plan.Type;
+        organization.MaxCollections = plan.PasswordManager.MaxCollections;
+        organization.MaxStorageGb = plan.PasswordManager.BaseStorageGb;
+        organization.UsePolicies = plan.HasPolicies;
+        organization.UseSso = plan.HasSso;
+        organization.UseGroups = plan.HasGroups;
+        organization.UseEvents = plan.HasEvents;
+        organization.UseDirectory = plan.HasDirectory;
+        organization.UseTotp = plan.HasTotp;
+        organization.Use2fa = plan.Has2fa;
+        organization.UseApi = plan.HasApi;
+        organization.UseResetPassword = plan.HasResetPassword;
+        organization.SelfHost = plan.HasSelfHost;
+        organization.UsersGetPremium = plan.UsersGetPremium;
+        organization.UseCustomPermissions = plan.HasCustomPermissions;
+        organization.UseScim = plan.HasScim;
+        organization.UseKeyConnector = plan.HasKeyConnector;
+        organization.MaxStorageGb = plan.PasswordManager.BaseStorageGb;
+        organization.BillingEmail = provider.BillingEmail!;
+        organization.GatewaySubscriptionId = null;
+        organization.ExpirationDate = null;
+        organization.MaxAutoscaleSeats = null;
+        organization.Status = OrganizationStatusType.Managed;
+
+        var providerOrganization = new ProviderOrganization
+        {
+            ProviderId = provider.Id,
+            OrganizationId = organization.Id,
+            Key = key
+        };
+
+        await Task.WhenAll(
+            organizationRepository.ReplaceAsync(organization),
+            providerOrganizationRepository.CreateAsync(providerOrganization),
+            ScaleSeats(provider, organization.PlanType, organization.Seats!.Value)
+        );
+
+        await eventService.LogProviderOrganizationEventAsync(
+            providerOrganization,
+            EventType.ProviderOrganization_Added);
+    }
+
     public async Task ChangePlan(ChangeProviderPlanCommand command)
     {
         var plan = await providerPlanRepository.GetByIdAsync(command.ProviderPlanId);
@@ -206,6 +293,81 @@ public class ProviderBillingService(
         return memoryStream.ToArray();
     }
 
+    [RequireFeature(FeatureFlagKeys.P15179_AddExistingOrgsFromProviderPortal)]
+    public async Task<IEnumerable<AddableOrganization>> GetAddableOrganizations(
+        Provider provider,
+        Guid userId)
+    {
+        var providerUser = await providerUserRepository.GetByProviderUserAsync(provider.Id, userId);
+
+        if (providerUser is not { Status: ProviderUserStatusType.Confirmed })
+        {
+            throw new UnauthorizedAccessException();
+        }
+
+        var candidates = await organizationRepository.GetAddableToProviderByUserIdAsync(userId, provider.Type);
+
+        var active = (await Task.WhenAll(candidates.Select(async organization =>
+            {
+                var subscription = await subscriberService.GetSubscription(organization);
+                return (organization, subscription);
+            })))
+            .Where(pair => pair.subscription is
+            {
+                Status:
+                    StripeConstants.SubscriptionStatus.Active or
+                    StripeConstants.SubscriptionStatus.Trialing or
+                    StripeConstants.SubscriptionStatus.PastDue
+            }).ToList();
+
+        if (active.Count == 0)
+        {
+            return [];
+        }
+
+        return await Task.WhenAll(active.Select(async pair =>
+        {
+            var (organization, _) = pair;
+
+            var planName = DerivePlanName(provider, organization);
+
+            var addable = new AddableOrganization(
+                organization.Id,
+                organization.Name,
+                planName,
+                organization.Seats!.Value);
+
+            if (providerUser.Type != ProviderUserType.ServiceUser)
+            {
+                return addable;
+            }
+
+            var applicablePlanType = await GetManagedPlanTypeAsync(provider, organization);
+
+            var requiresPurchase =
+                await SeatAdjustmentResultsInPurchase(provider, applicablePlanType, organization.Seats!.Value);
+
+            return addable with { Disabled = requiresPurchase };
+        }));
+
+        string DerivePlanName(Provider localProvider, Organization localOrganization)
+        {
+            if (localProvider.Type == ProviderType.Msp)
+            {
+                return localOrganization.PlanType switch
+                {
+                    var planType when PlanConstants.EnterprisePlanTypes.Contains(planType) => "Enterprise",
+                    var planType when PlanConstants.TeamsPlanTypes.Contains(planType) => "Teams",
+                    _ => throw new BillingException()
+                };
+            }
+
+            // TODO: Replace with PricingClient
+            var plan = StaticStore.GetPlan(localOrganization.PlanType);
+            return plan.Name;
+        }
+    }
+
     public async Task ScaleSeats(
         Provider provider,
         PlanType planType,
@@ -582,4 +744,21 @@ public class ProviderBillingService(
 
         return providerPlan;
     }
+
+    private async Task<PlanType> GetManagedPlanTypeAsync(
+        Provider provider,
+        Organization organization)
+    {
+        if (provider.Type == ProviderType.MultiOrganizationEnterprise)
+        {
+            return (await providerPlanRepository.GetByProviderId(provider.Id)).First().PlanType;
+        }
+
+        return organization.PlanType switch
+        {
+            var planType when PlanConstants.TeamsPlanTypes.Contains(planType) => PlanType.TeamsMonthly,
+            var planType when PlanConstants.EnterprisePlanTypes.Contains(planType) => PlanType.EnterpriseMonthly,
+            _ => throw new BillingException()
+        };
+    }
 }
diff --git a/src/Api/Billing/Controllers/ProviderClientsController.cs b/src/Api/AdminConsole/Controllers/ProviderClientsController.cs
similarity index 67%
rename from src/Api/Billing/Controllers/ProviderClientsController.cs
rename to src/Api/AdminConsole/Controllers/ProviderClientsController.cs
index 0c09fa7baf..38d8b254d7 100644
--- a/src/Api/Billing/Controllers/ProviderClientsController.cs
+++ b/src/Api/AdminConsole/Controllers/ProviderClientsController.cs
@@ -1,4 +1,6 @@
-using Bit.Api.Billing.Models.Requests;
+using Bit.Api.Billing.Controllers;
+using Bit.Api.Billing.Models.Requests;
+using Bit.Core;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Billing.Services;
@@ -7,13 +9,15 @@ using Bit.Core.Enums;
 using Bit.Core.Models.Business;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
+using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Mvc;
 
-namespace Bit.Api.Billing.Controllers;
+namespace Bit.Api.AdminConsole.Controllers;
 
 [Route("providers/{providerId:guid}/clients")]
 public class ProviderClientsController(
     ICurrentContext currentContext,
+    IFeatureService featureService,
     ILogger<BaseProviderController> logger,
     IOrganizationRepository organizationRepository,
     IProviderBillingService providerBillingService,
@@ -22,7 +26,10 @@ public class ProviderClientsController(
     IProviderService providerService,
     IUserService userService) : BaseProviderController(currentContext, logger, providerRepository, userService)
 {
+    private readonly ICurrentContext _currentContext = currentContext;
+
     [HttpPost]
+    [SelfHosted(NotSelfHostedOnly = true)]
     public async Task<IResult> CreateAsync(
         [FromRoute] Guid providerId,
         [FromBody] CreateClientOrganizationRequestBody requestBody)
@@ -80,6 +87,7 @@ public class ProviderClientsController(
     }
 
     [HttpPut("{providerOrganizationId:guid}")]
+    [SelfHosted(NotSelfHostedOnly = true)]
     public async Task<IResult> UpdateAsync(
         [FromRoute] Guid providerId,
         [FromRoute] Guid providerOrganizationId,
@@ -113,7 +121,7 @@ public class ProviderClientsController(
             clientOrganization.PlanType,
             seatAdjustment);
 
-        if (seatAdjustmentResultsInPurchase && !currentContext.ProviderProviderAdmin(provider.Id))
+        if (seatAdjustmentResultsInPurchase && !_currentContext.ProviderProviderAdmin(provider.Id))
         {
             return Error.Unauthorized("Service users cannot purchase additional seats.");
         }
@@ -127,4 +135,58 @@ public class ProviderClientsController(
 
         return TypedResults.Ok();
     }
+
+    [HttpGet("addable")]
+    [SelfHosted(NotSelfHostedOnly = true)]
+    public async Task<IResult> GetAddableOrganizationsAsync([FromRoute] Guid providerId)
+    {
+        if (!featureService.IsEnabled(FeatureFlagKeys.P15179_AddExistingOrgsFromProviderPortal))
+        {
+            return Error.NotFound();
+        }
+
+        var (provider, result) = await TryGetBillableProviderForServiceUserOperation(providerId);
+
+        if (provider == null)
+        {
+            return result;
+        }
+
+        var userId = _currentContext.UserId;
+
+        if (!userId.HasValue)
+        {
+            return Error.Unauthorized();
+        }
+
+        var addable =
+            await providerBillingService.GetAddableOrganizations(provider, userId.Value);
+
+        return TypedResults.Ok(addable);
+    }
+
+    [HttpPost("existing")]
+    [SelfHosted(NotSelfHostedOnly = true)]
+    public async Task<IResult> AddExistingOrganizationAsync(
+        [FromRoute] Guid providerId,
+        [FromBody] AddExistingOrganizationRequestBody requestBody)
+    {
+        var (provider, result) = await TryGetBillableProviderForServiceUserOperation(providerId);
+
+        if (provider == null)
+        {
+            return result;
+        }
+
+        var organization = await organizationRepository.GetByIdAsync(requestBody.OrganizationId);
+
+        if (organization == null)
+        {
+            return Error.BadRequest("The organization being added to the provider does not exist.");
+        }
+
+        await providerBillingService.AddExistingOrganization(provider, organization, requestBody.Key);
+
+        return TypedResults.Ok();
+    }
 }
diff --git a/src/Api/Billing/Models/Requests/AddExistingOrganizationRequestBody.cs b/src/Api/Billing/Models/Requests/AddExistingOrganizationRequestBody.cs
new file mode 100644
index 0000000000..c2add17793
--- /dev/null
+++ b/src/Api/Billing/Models/Requests/AddExistingOrganizationRequestBody.cs
@@ -0,0 +1,12 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Api.Billing.Models.Requests;
+
+public class AddExistingOrganizationRequestBody
+{
+    [Required(ErrorMessage = "'key' must be provided")]
+    public string Key { get; set; }
+
+    [Required(ErrorMessage = "'organizationId' must be provided")]
+    public Guid OrganizationId { get; set; }
+}
diff --git a/src/Core/AdminConsole/Repositories/IOrganizationRepository.cs b/src/Core/AdminConsole/Repositories/IOrganizationRepository.cs
index 5b274d3f88..584d95ffe2 100644
--- a/src/Core/AdminConsole/Repositories/IOrganizationRepository.cs
+++ b/src/Core/AdminConsole/Repositories/IOrganizationRepository.cs
@@ -1,4 +1,5 @@
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.Models.Data.Organizations;
 
 #nullable enable
@@ -22,4 +23,5 @@ public interface IOrganizationRepository : IRepository<Organization, Guid>
     /// Gets the organizations that have a verified domain matching the user's email domain.
     /// </summary>
     Task<ICollection<Organization>> GetByVerifiedUserEmailDomainAsync(Guid userId);
+    Task<ICollection<Organization>> GetAddableToProviderByUserIdAsync(Guid userId, ProviderType providerType);
 }
diff --git a/src/Core/Billing/Constants/PlanConstants.cs b/src/Core/Billing/Constants/PlanConstants.cs
new file mode 100644
index 0000000000..1ac5b8e750
--- /dev/null
+++ b/src/Core/Billing/Constants/PlanConstants.cs
@@ -0,0 +1,30 @@
+using Bit.Core.Billing.Enums;
+
+namespace Bit.Core.Billing.Constants;
+
+public static class PlanConstants
+{
+    public static List<PlanType> EnterprisePlanTypes =>
+    [
+        PlanType.EnterpriseAnnually2019,
+        PlanType.EnterpriseAnnually2020,
+        PlanType.EnterpriseAnnually2023,
+        PlanType.EnterpriseAnnually,
+        PlanType.EnterpriseMonthly2019,
+        PlanType.EnterpriseMonthly2020,
+        PlanType.EnterpriseMonthly2023,
+        PlanType.EnterpriseMonthly
+    ];
+
+    public static List<PlanType> TeamsPlanTypes =>
+    [
+        PlanType.TeamsAnnually2019,
+        PlanType.TeamsAnnually2020,
+        PlanType.TeamsAnnually2023,
+        PlanType.TeamsAnnually,
+        PlanType.TeamsMonthly2019,
+        PlanType.TeamsMonthly2020,
+        PlanType.TeamsMonthly2023,
+        PlanType.TeamsMonthly
+    ];
+}
diff --git a/src/Core/Billing/Constants/StripeConstants.cs b/src/Core/Billing/Constants/StripeConstants.cs
index 7371b8b7e9..e3c2b7245e 100644
--- a/src/Core/Billing/Constants/StripeConstants.cs
+++ b/src/Core/Billing/Constants/StripeConstants.cs
@@ -31,6 +31,16 @@ public static class StripeConstants
         public const string TaxIdInvalid = "tax_id_invalid";
     }
 
+    public static class InvoiceStatus
+    {
+        public const string Draft = "draft";
+    }
+
+    public static class MetadataKeys
+    {
+        public const string OrganizationId = "organizationId";
+    }
+
     public static class PaymentBehavior
     {
         public const string DefaultIncomplete = "default_incomplete";
diff --git a/src/Core/Billing/Models/AddableOrganization.cs b/src/Core/Billing/Models/AddableOrganization.cs
new file mode 100644
index 0000000000..fe6d5458bd
--- /dev/null
+++ b/src/Core/Billing/Models/AddableOrganization.cs
@@ -0,0 +1,8 @@
+namespace Bit.Core.Billing.Models;
+
+public record AddableOrganization(
+    Guid Id,
+    string Name,
+    string Plan,
+    int Seats,
+    bool Disabled = false);
diff --git a/src/Core/Billing/Services/IProviderBillingService.cs b/src/Core/Billing/Services/IProviderBillingService.cs
index 20e7407628..d6983da03e 100644
--- a/src/Core/Billing/Services/IProviderBillingService.cs
+++ b/src/Core/Billing/Services/IProviderBillingService.cs
@@ -2,6 +2,7 @@
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.Billing.Entities;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Models;
 using Bit.Core.Billing.Services.Contracts;
 using Bit.Core.Models.Business;
 using Stripe;
@@ -10,6 +11,11 @@ namespace Bit.Core.Billing.Services;
 
 public interface IProviderBillingService
 {
+    Task AddExistingOrganization(
+        Provider provider,
+        Organization organization,
+        string key);
+
     /// <summary>
     /// Changes the assigned provider plan for the provider.
     /// </summary>
@@ -35,6 +41,10 @@ public interface IProviderBillingService
     Task<byte[]> GenerateClientInvoiceReport(
         string invoiceId);
 
+    Task<IEnumerable<AddableOrganization>> GetAddableOrganizations(
+        Provider provider,
+        Guid userId);
+
     /// <summary>
     /// Scales the <paramref name="provider"/>'s seats for the specified <paramref name="planType"/> using the provided <paramref name="seatAdjustment"/>.
     /// This operation may autoscale the provider's Stripe <see cref="Stripe.Subscription"/> depending on the <paramref name="provider"/>'s seat minimum for the
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index b196306409..8660010871 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -172,6 +172,7 @@ public static class FeatureFlagKeys
     public const string SingleTapPasskeyAuthentication = "single-tap-passkey-authentication";
     public const string EnableRiskInsightsNotifications = "enable-risk-insights-notifications";
     public const string EnablePMAuthenticatorSync = "enable-pm-bwa-sync";
+    public const string P15179_AddExistingOrgsFromProviderPortal = "PM-15179-add-existing-orgs-from-provider-portal";
 
     public static List<string> GetAllKeys()
     {
diff --git a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationRepository.cs b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationRepository.cs
index 20fdf83155..f624f7da28 100644
--- a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationRepository.cs
+++ b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationRepository.cs
@@ -1,5 +1,6 @@
 using System.Data;
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Entities;
 using Bit.Core.Models.Data.Organizations;
@@ -180,4 +181,19 @@ public class OrganizationRepository : Repository<Organization, Guid>, IOrganizat
             return result.ToList();
         }
     }
+
+    public async Task<ICollection<Organization>> GetAddableToProviderByUserIdAsync(
+        Guid userId,
+        ProviderType providerType)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var result = await connection.QueryAsync<Organization>(
+                $"[{Schema}].[{Table}_ReadAddableToProviderByUserId]",
+                new { UserId = userId, ProviderType = providerType },
+                commandType: CommandType.StoredProcedure);
+
+            return result.ToList();
+        }
+    }
 }
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
index c1c78eee60..b6ec2ddca0 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
@@ -1,9 +1,12 @@
 using AutoMapper;
 using AutoMapper.QueryableExtensions;
+using Bit.Core.AdminConsole.Enums.Provider;
+using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Repositories;
+using LinqToDB.Tools;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
@@ -298,6 +301,41 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
         }
     }
 
+    public async Task<ICollection<Core.AdminConsole.Entities.Organization>> GetAddableToProviderByUserIdAsync(
+        Guid userId,
+        ProviderType providerType)
+    {
+        using (var scope = ServiceScopeFactory.CreateScope())
+        {
+            var dbContext = GetDatabaseContext(scope);
+
+            var planTypes = providerType switch
+            {
+                ProviderType.Msp => PlanConstants.EnterprisePlanTypes.Concat(PlanConstants.TeamsPlanTypes),
+                ProviderType.MultiOrganizationEnterprise => PlanConstants.EnterprisePlanTypes,
+                _ => []
+            };
+
+            var query =
+                from organizationUser in dbContext.OrganizationUsers
+                join organization in dbContext.Organizations on organizationUser.OrganizationId equals organization.Id
+                where
+                    organizationUser.UserId == userId &&
+                    organizationUser.Type == OrganizationUserType.Owner &&
+                    organizationUser.Status == OrganizationUserStatusType.Confirmed &&
+                    organization.Enabled &&
+                    organization.GatewayCustomerId != null &&
+                    organization.GatewaySubscriptionId != null &&
+                    organization.Seats > 0 &&
+                    organization.Status == OrganizationStatusType.Created &&
+                    !organization.UseSecretsManager &&
+                    organization.PlanType.In(planTypes)
+                select organization;
+
+            return await query.ToArrayAsync();
+        }
+    }
+
     public Task EnableCollectionEnhancements(Guid organizationId)
     {
         throw new NotImplementedException("Collection enhancements migration is not yet supported for Entity Framework.");
diff --git a/src/Sql/dbo/Stored Procedures/Organization_ReadAddableToProviderByUserId.sql b/src/Sql/dbo/Stored Procedures/Organization_ReadAddableToProviderByUserId.sql
new file mode 100644
index 0000000000..e11109ae10
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/Organization_ReadAddableToProviderByUserId.sql	
@@ -0,0 +1,23 @@
+CREATE PROCEDURE [dbo].[Organization_ReadAddableToProviderByUserId]
+    @UserId UNIQUEIDENTIFIER,
+    @ProviderType TINYINT
+AS
+BEGIN
+    SET NOCOUNT ON
+    SELECT O.* FROM [dbo].[OrganizationUser] AS OU
+    JOIN [dbo].[Organization] AS O ON O.[Id] = OU.[OrganizationId]
+    WHERE
+        OU.[UserId] = @UserId AND
+        OU.[Type] = 0 AND
+        OU.[Status] = 2 AND
+        O.[Enabled] = 1 AND
+        O.[GatewayCustomerId] IS NOT NULL AND
+        O.[GatewaySubscriptionId] IS NOT NULL AND
+        O.[Seats] > 0 AND
+        O.[Status] = 1 AND
+        O.[UseSecretsManager] = 0 AND
+        -- All Teams & Enterprise for MSP
+        (@ProviderType = 0 AND O.[PlanType] IN (2, 3, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 17, 18, 19, 20) OR
+        -- All Enterprise for MOE
+         @ProviderType = 2 AND O.[PlanType] IN (4, 5, 10, 11, 14, 15, 19, 20));
+END
diff --git a/test/Api.Test/Billing/Controllers/ProviderClientsControllerTests.cs b/test/Api.Test/AdminConsole/Controllers/ProviderClientsControllerTests.cs
similarity index 98%
rename from test/Api.Test/Billing/Controllers/ProviderClientsControllerTests.cs
rename to test/Api.Test/AdminConsole/Controllers/ProviderClientsControllerTests.cs
index 86bacd9aa3..8ddd92a5fa 100644
--- a/test/Api.Test/Billing/Controllers/ProviderClientsControllerTests.cs
+++ b/test/Api.Test/AdminConsole/Controllers/ProviderClientsControllerTests.cs
@@ -1,5 +1,5 @@
 using System.Security.Claims;
-using Bit.Api.Billing.Controllers;
+using Bit.Api.AdminConsole.Controllers;
 using Bit.Api.Billing.Models.Requests;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
@@ -19,10 +19,9 @@ using Microsoft.AspNetCore.Http.HttpResults;
 using NSubstitute;
 using NSubstitute.ReturnsExtensions;
 using Xunit;
-
 using static Bit.Api.Test.Billing.Utilities;
 
-namespace Bit.Api.Test.Billing.Controllers;
+namespace Bit.Api.Test.AdminConsole.Controllers;
 
 [ControllerCustomize(typeof(ProviderClientsController))]
 [SutProviderCustomize]
diff --git a/util/Migrator/DbScripts/2025-01-28_00_Add_Organization_ReadAddableToProviderByUserId.sql b/util/Migrator/DbScripts/2025-01-28_00_Add_Organization_ReadAddableToProviderByUserId.sql
new file mode 100644
index 0000000000..1255544d19
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-01-28_00_Add_Organization_ReadAddableToProviderByUserId.sql
@@ -0,0 +1,31 @@
+-- Drop existing SPROC
+IF OBJECT_ID('[dbo].[Organization_ReadAddableToProviderByUserId') IS NOT NULL
+BEGIN
+    DROP PROCEDURE [dbo].[Organization_ReadAddableToProviderByUserId]
+END
+GO
+
+CREATE PROCEDURE [dbo].[Organization_ReadAddableToProviderByUserId]
+    @UserId UNIQUEIDENTIFIER,
+    @ProviderType TINYINT
+AS
+BEGIN
+    SET NOCOUNT ON
+    SELECT O.* FROM [dbo].[OrganizationUser] AS OU
+    JOIN [dbo].[Organization] AS O ON O.[Id] = OU.[OrganizationId]
+    WHERE
+        OU.[UserId] = @UserId AND
+        OU.[Type] = 0 AND
+        OU.[Status] = 2 AND
+        O.[Enabled] = 1 AND
+        O.[GatewayCustomerId] IS NOT NULL AND
+        O.[GatewaySubscriptionId] IS NOT NULL AND
+        O.[Seats] > 0 AND
+        O.[Status] = 1 AND
+        O.[UseSecretsManager] = 0 AND
+      -- All Teams & Enterprise for MSP
+        (@ProviderType = 0 AND O.[PlanType] IN (2, 3, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 17, 18, 19, 20) OR
+            -- All Enterprise for MOE
+         @ProviderType = 2 AND O.[PlanType] IN (4, 5, 10, 11, 14, 15, 19, 20));
+END
+GO

From 3f3da558b6c47a91c09f32e3535451d58f4858ee Mon Sep 17 00:00:00 2001
From: Brant DeBow <125889545+brant-livefront@users.noreply.github.com>
Date: Tue, 4 Feb 2025 08:02:43 -0600
Subject: [PATCH 233/384] [PM-17562] Refactor existing RabbitMq implementation
 (#5357)

* [PM-17562] Refactor existing RabbitMq implementation

* Fixed issues noted in PR review
---
 .../Services/IEventMessageHandler.cs          |  8 +++
 .../Implementations/EventRepositoryHandler.cs | 14 ++++
 ...ostListener.cs => HttpPostEventHandler.cs} | 15 ++---
 .../RabbitMqEventRepositoryListener.cs        | 29 --------
 .../Services/EventLoggingListenerService.cs   | 13 ++++
 .../RabbitMqEventListenerService.cs}          | 27 ++++----
 src/Core/Settings/IGlobalSettings.cs          |  1 +
 src/Events/Startup.cs                         | 19 +++++-
 .../MockedHttpMessageHandler.cs               |  3 +
 .../Services/EventRepositoryHandlerTests.cs   | 24 +++++++
 .../Services/HttpPostEventHandlerTests.cs     | 66 +++++++++++++++++++
 11 files changed, 162 insertions(+), 57 deletions(-)
 create mode 100644 src/Core/AdminConsole/Services/IEventMessageHandler.cs
 create mode 100644 src/Core/AdminConsole/Services/Implementations/EventRepositoryHandler.cs
 rename src/Core/AdminConsole/Services/Implementations/{RabbitMqEventHttpPostListener.cs => HttpPostEventHandler.cs} (52%)
 delete mode 100644 src/Core/AdminConsole/Services/Implementations/RabbitMqEventRepositoryListener.cs
 create mode 100644 src/Core/Services/EventLoggingListenerService.cs
 rename src/Core/{AdminConsole/Services/Implementations/RabbitMqEventListenerBase.cs => Services/Implementations/RabbitMqEventListenerService.cs} (78%)
 create mode 100644 test/Core.Test/AdminConsole/Services/EventRepositoryHandlerTests.cs
 create mode 100644 test/Core.Test/AdminConsole/Services/HttpPostEventHandlerTests.cs

diff --git a/src/Core/AdminConsole/Services/IEventMessageHandler.cs b/src/Core/AdminConsole/Services/IEventMessageHandler.cs
new file mode 100644
index 0000000000..5df9544c29
--- /dev/null
+++ b/src/Core/AdminConsole/Services/IEventMessageHandler.cs
@@ -0,0 +1,8 @@
+using Bit.Core.Models.Data;
+
+namespace Bit.Core.Services;
+
+public interface IEventMessageHandler
+{
+    Task HandleEventAsync(EventMessage eventMessage);
+}
diff --git a/src/Core/AdminConsole/Services/Implementations/EventRepositoryHandler.cs b/src/Core/AdminConsole/Services/Implementations/EventRepositoryHandler.cs
new file mode 100644
index 0000000000..6e4158122c
--- /dev/null
+++ b/src/Core/AdminConsole/Services/Implementations/EventRepositoryHandler.cs
@@ -0,0 +1,14 @@
+using Bit.Core.Models.Data;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Core.Services;
+
+public class EventRepositoryHandler(
+    [FromKeyedServices("persistent")] IEventWriteService eventWriteService)
+    : IEventMessageHandler
+{
+    public Task HandleEventAsync(EventMessage eventMessage)
+    {
+        return eventWriteService.CreateAsync(eventMessage);
+    }
+}
diff --git a/src/Core/AdminConsole/Services/Implementations/RabbitMqEventHttpPostListener.cs b/src/Core/AdminConsole/Services/Implementations/HttpPostEventHandler.cs
similarity index 52%
rename from src/Core/AdminConsole/Services/Implementations/RabbitMqEventHttpPostListener.cs
rename to src/Core/AdminConsole/Services/Implementations/HttpPostEventHandler.cs
index 5a875f9278..8aece0c1da 100644
--- a/src/Core/AdminConsole/Services/Implementations/RabbitMqEventHttpPostListener.cs
+++ b/src/Core/AdminConsole/Services/Implementations/HttpPostEventHandler.cs
@@ -1,32 +1,25 @@
 using System.Net.Http.Json;
 using Bit.Core.Models.Data;
 using Bit.Core.Settings;
-using Microsoft.Extensions.Logging;
 
 namespace Bit.Core.Services;
 
-public class RabbitMqEventHttpPostListener : RabbitMqEventListenerBase
+public class HttpPostEventHandler : IEventMessageHandler
 {
     private readonly HttpClient _httpClient;
     private readonly string _httpPostUrl;
-    private readonly string _queueName;
 
-    protected override string QueueName => _queueName;
+    public const string HttpClientName = "HttpPostEventHandlerHttpClient";
 
-    public const string HttpClientName = "EventHttpPostListenerHttpClient";
-
-    public RabbitMqEventHttpPostListener(
+    public HttpPostEventHandler(
         IHttpClientFactory httpClientFactory,
-        ILogger<RabbitMqEventListenerBase> logger,
         GlobalSettings globalSettings)
-        : base(logger, globalSettings)
     {
         _httpClient = httpClientFactory.CreateClient(HttpClientName);
         _httpPostUrl = globalSettings.EventLogging.RabbitMq.HttpPostUrl;
-        _queueName = globalSettings.EventLogging.RabbitMq.HttpPostQueueName;
     }
 
-    protected override async Task HandleMessageAsync(EventMessage eventMessage)
+    public async Task HandleEventAsync(EventMessage eventMessage)
     {
         var content = JsonContent.Create(eventMessage);
         var response = await _httpClient.PostAsync(_httpPostUrl, content);
diff --git a/src/Core/AdminConsole/Services/Implementations/RabbitMqEventRepositoryListener.cs b/src/Core/AdminConsole/Services/Implementations/RabbitMqEventRepositoryListener.cs
deleted file mode 100644
index 25d85bddeb..0000000000
--- a/src/Core/AdminConsole/Services/Implementations/RabbitMqEventRepositoryListener.cs
+++ /dev/null
@@ -1,29 +0,0 @@
-using Bit.Core.Models.Data;
-using Bit.Core.Settings;
-using Microsoft.Extensions.DependencyInjection;
-using Microsoft.Extensions.Logging;
-
-namespace Bit.Core.Services;
-
-public class RabbitMqEventRepositoryListener : RabbitMqEventListenerBase
-{
-    private readonly IEventWriteService _eventWriteService;
-    private readonly string _queueName;
-
-    protected override string QueueName => _queueName;
-
-    public RabbitMqEventRepositoryListener(
-        [FromKeyedServices("persistent")] IEventWriteService eventWriteService,
-        ILogger<RabbitMqEventListenerBase> logger,
-        GlobalSettings globalSettings)
-        : base(logger, globalSettings)
-    {
-        _eventWriteService = eventWriteService;
-        _queueName = globalSettings.EventLogging.RabbitMq.EventRepositoryQueueName;
-    }
-
-    protected override Task HandleMessageAsync(EventMessage eventMessage)
-    {
-        return _eventWriteService.CreateAsync(eventMessage);
-    }
-}
diff --git a/src/Core/Services/EventLoggingListenerService.cs b/src/Core/Services/EventLoggingListenerService.cs
new file mode 100644
index 0000000000..60b8789a6b
--- /dev/null
+++ b/src/Core/Services/EventLoggingListenerService.cs
@@ -0,0 +1,13 @@
+using Microsoft.Extensions.Hosting;
+
+namespace Bit.Core.Services;
+
+public abstract class EventLoggingListenerService : BackgroundService
+{
+    protected readonly IEventMessageHandler _handler;
+
+    protected EventLoggingListenerService(IEventMessageHandler handler)
+    {
+        _handler = handler ?? throw new ArgumentNullException(nameof(handler));
+    }
+}
diff --git a/src/Core/AdminConsole/Services/Implementations/RabbitMqEventListenerBase.cs b/src/Core/Services/Implementations/RabbitMqEventListenerService.cs
similarity index 78%
rename from src/Core/AdminConsole/Services/Implementations/RabbitMqEventListenerBase.cs
rename to src/Core/Services/Implementations/RabbitMqEventListenerService.cs
index 48a549d261..9360170368 100644
--- a/src/Core/AdminConsole/Services/Implementations/RabbitMqEventListenerBase.cs
+++ b/src/Core/Services/Implementations/RabbitMqEventListenerService.cs
@@ -1,26 +1,26 @@
 using System.Text.Json;
 using Bit.Core.Models.Data;
 using Bit.Core.Settings;
-using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
 using RabbitMQ.Client;
 using RabbitMQ.Client.Events;
 
 namespace Bit.Core.Services;
 
-public abstract class RabbitMqEventListenerBase : BackgroundService
+public class RabbitMqEventListenerService : EventLoggingListenerService
 {
     private IChannel _channel;
     private IConnection _connection;
     private readonly string _exchangeName;
     private readonly ConnectionFactory _factory;
-    private readonly ILogger<RabbitMqEventListenerBase> _logger;
+    private readonly ILogger<RabbitMqEventListenerService> _logger;
+    private readonly string _queueName;
 
-    protected abstract string QueueName { get; }
-
-    protected RabbitMqEventListenerBase(
-        ILogger<RabbitMqEventListenerBase> logger,
-        GlobalSettings globalSettings)
+    public RabbitMqEventListenerService(
+        IEventMessageHandler handler,
+        ILogger<RabbitMqEventListenerService> logger,
+        GlobalSettings globalSettings,
+        string queueName) : base(handler)
     {
         _factory = new ConnectionFactory
         {
@@ -30,6 +30,7 @@ public abstract class RabbitMqEventListenerBase : BackgroundService
         };
         _exchangeName = globalSettings.EventLogging.RabbitMq.ExchangeName;
         _logger = logger;
+        _queueName = queueName;
     }
 
     public override async Task StartAsync(CancellationToken cancellationToken)
@@ -38,13 +39,13 @@ public abstract class RabbitMqEventListenerBase : BackgroundService
         _channel = await _connection.CreateChannelAsync(cancellationToken: cancellationToken);
 
         await _channel.ExchangeDeclareAsync(exchange: _exchangeName, type: ExchangeType.Fanout, durable: true);
-        await _channel.QueueDeclareAsync(queue: QueueName,
+        await _channel.QueueDeclareAsync(queue: _queueName,
                                          durable: true,
                                          exclusive: false,
                                          autoDelete: false,
                                          arguments: null,
                                          cancellationToken: cancellationToken);
-        await _channel.QueueBindAsync(queue: QueueName,
+        await _channel.QueueBindAsync(queue: _queueName,
                                       exchange: _exchangeName,
                                       routingKey: string.Empty,
                                       cancellationToken: cancellationToken);
@@ -59,7 +60,7 @@ public abstract class RabbitMqEventListenerBase : BackgroundService
             try
             {
                 var eventMessage = JsonSerializer.Deserialize<EventMessage>(eventArgs.Body.Span);
-                await HandleMessageAsync(eventMessage);
+                await _handler.HandleEventAsync(eventMessage);
             }
             catch (Exception ex)
             {
@@ -67,7 +68,7 @@ public abstract class RabbitMqEventListenerBase : BackgroundService
             }
         };
 
-        await _channel.BasicConsumeAsync(QueueName, autoAck: true, consumer: consumer, cancellationToken: stoppingToken);
+        await _channel.BasicConsumeAsync(_queueName, autoAck: true, consumer: consumer, cancellationToken: stoppingToken);
 
         while (!stoppingToken.IsCancellationRequested)
         {
@@ -88,6 +89,4 @@ public abstract class RabbitMqEventListenerBase : BackgroundService
         _connection.Dispose();
         base.Dispose();
     }
-
-    protected abstract Task HandleMessageAsync(EventMessage eventMessage);
 }
diff --git a/src/Core/Settings/IGlobalSettings.cs b/src/Core/Settings/IGlobalSettings.cs
index afe35ed34b..b89df8abf5 100644
--- a/src/Core/Settings/IGlobalSettings.cs
+++ b/src/Core/Settings/IGlobalSettings.cs
@@ -27,4 +27,5 @@ public interface IGlobalSettings
     string DatabaseProvider { get; set; }
     GlobalSettings.SqlSettings SqlServer { get; set; }
     string DevelopmentDirectory { get; set; }
+    GlobalSettings.EventLoggingSettings EventLogging { get; set; }
 }
diff --git a/src/Events/Startup.cs b/src/Events/Startup.cs
index 03e99f14e8..b692733a55 100644
--- a/src/Events/Startup.cs
+++ b/src/Events/Startup.cs
@@ -89,13 +89,26 @@ public class Startup
             CoreHelpers.SettingHasValue(globalSettings.EventLogging.RabbitMq.Password) &&
             CoreHelpers.SettingHasValue(globalSettings.EventLogging.RabbitMq.ExchangeName))
         {
+            services.AddSingleton<EventRepositoryHandler>();
             services.AddKeyedSingleton<IEventWriteService, RepositoryEventWriteService>("persistent");
-            services.AddHostedService<RabbitMqEventRepositoryListener>();
+            services.AddSingleton<IHostedService>(provider =>
+                new RabbitMqEventListenerService(
+                    provider.GetRequiredService<EventRepositoryHandler>(),
+                    provider.GetRequiredService<ILogger<RabbitMqEventListenerService>>(),
+                    provider.GetRequiredService<GlobalSettings>(),
+                    globalSettings.EventLogging.RabbitMq.EventRepositoryQueueName));
 
             if (CoreHelpers.SettingHasValue(globalSettings.EventLogging.RabbitMq.HttpPostUrl))
             {
-                services.AddHttpClient(RabbitMqEventHttpPostListener.HttpClientName);
-                services.AddHostedService<RabbitMqEventHttpPostListener>();
+                services.AddSingleton<HttpPostEventHandler>();
+                services.AddHttpClient(HttpPostEventHandler.HttpClientName);
+
+                services.AddSingleton<IHostedService>(provider =>
+                    new RabbitMqEventListenerService(
+                        provider.GetRequiredService<HttpPostEventHandler>(),
+                        provider.GetRequiredService<ILogger<RabbitMqEventListenerService>>(),
+                        provider.GetRequiredService<GlobalSettings>(),
+                        globalSettings.EventLogging.RabbitMq.HttpPostQueueName));
             }
         }
     }
diff --git a/test/Common/MockedHttpClient/MockedHttpMessageHandler.cs b/test/Common/MockedHttpClient/MockedHttpMessageHandler.cs
index 1b1bd52a03..8a6c1dae97 100644
--- a/test/Common/MockedHttpClient/MockedHttpMessageHandler.cs
+++ b/test/Common/MockedHttpClient/MockedHttpMessageHandler.cs
@@ -8,6 +8,8 @@ public class MockedHttpMessageHandler : HttpMessageHandler
 {
     private readonly List<IHttpRequestMatcher> _matchers = new();
 
+    public List<HttpRequestMessage> CapturedRequests { get; } = new List<HttpRequestMessage>();
+
     /// <summary>
     /// The fallback handler to use when the request does not match any of the provided matchers.
     /// </summary>
@@ -16,6 +18,7 @@ public class MockedHttpMessageHandler : HttpMessageHandler
 
     protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
     {
+        CapturedRequests.Add(request);
         var matcher = _matchers.FirstOrDefault(x => x.Matches(request));
         if (matcher == null)
         {
diff --git a/test/Core.Test/AdminConsole/Services/EventRepositoryHandlerTests.cs b/test/Core.Test/AdminConsole/Services/EventRepositoryHandlerTests.cs
new file mode 100644
index 0000000000..2b143f5cb8
--- /dev/null
+++ b/test/Core.Test/AdminConsole/Services/EventRepositoryHandlerTests.cs
@@ -0,0 +1,24 @@
+using Bit.Core.Models.Data;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Bit.Test.Common.Helpers;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Services;
+
+[SutProviderCustomize]
+public class EventRepositoryHandlerTests
+{
+    [Theory, BitAutoData]
+    public async Task HandleEventAsync_WritesEventToIEventWriteService(
+        EventMessage eventMessage,
+        SutProvider<EventRepositoryHandler> sutProvider)
+    {
+        await sutProvider.Sut.HandleEventAsync(eventMessage);
+        await sutProvider.GetDependency<IEventWriteService>().Received(1).CreateAsync(
+            Arg.Is(AssertHelper.AssertPropertyEqual<IEvent>(eventMessage))
+        );
+    }
+}
diff --git a/test/Core.Test/AdminConsole/Services/HttpPostEventHandlerTests.cs b/test/Core.Test/AdminConsole/Services/HttpPostEventHandlerTests.cs
new file mode 100644
index 0000000000..414b1c54be
--- /dev/null
+++ b/test/Core.Test/AdminConsole/Services/HttpPostEventHandlerTests.cs
@@ -0,0 +1,66 @@
+using System.Net;
+using System.Net.Http.Json;
+using Bit.Core.Models.Data;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Bit.Test.Common.Helpers;
+using Bit.Test.Common.MockedHttpClient;
+using NSubstitute;
+using Xunit;
+using GlobalSettings = Bit.Core.Settings.GlobalSettings;
+
+namespace Bit.Core.Test.Services;
+
+[SutProviderCustomize]
+public class HttpPostEventHandlerTests
+{
+    private readonly MockedHttpMessageHandler _handler;
+    private HttpClient _httpClient;
+
+    private const string _httpPostUrl = "http://localhost/test/event";
+
+    public HttpPostEventHandlerTests()
+    {
+        _handler = new MockedHttpMessageHandler();
+        _handler.Fallback
+            .WithStatusCode(HttpStatusCode.OK)
+            .WithContent(new StringContent("<html><head><title>test</title></head><body>test</body></html>"));
+        _httpClient = _handler.ToHttpClient();
+    }
+
+    public SutProvider<HttpPostEventHandler> GetSutProvider()
+    {
+        var clientFactory = Substitute.For<IHttpClientFactory>();
+        clientFactory.CreateClient(HttpPostEventHandler.HttpClientName).Returns(_httpClient);
+
+        var globalSettings = new GlobalSettings();
+        globalSettings.EventLogging.RabbitMq.HttpPostUrl = _httpPostUrl;
+
+        return new SutProvider<HttpPostEventHandler>()
+            .SetDependency(globalSettings)
+            .SetDependency(clientFactory)
+            .Create();
+    }
+
+    [Theory, BitAutoData]
+    public async Task HandleEventAsync_PostsEventsToUrl(EventMessage eventMessage)
+    {
+        var sutProvider = GetSutProvider();
+        var content = JsonContent.Create(eventMessage);
+
+        await sutProvider.Sut.HandleEventAsync(eventMessage);
+        sutProvider.GetDependency<IHttpClientFactory>().Received(1).CreateClient(
+            Arg.Is(AssertHelper.AssertPropertyEqual<string>(HttpPostEventHandler.HttpClientName))
+        );
+
+        Assert.Single(_handler.CapturedRequests);
+        var request = _handler.CapturedRequests[0];
+        Assert.NotNull(request);
+        var returned = await request.Content.ReadFromJsonAsync<EventMessage>();
+
+        Assert.Equal(HttpMethod.Post, request.Method);
+        Assert.Equal(_httpPostUrl, request.RequestUri.ToString());
+        AssertHelper.AssertPropertyEqual(eventMessage, returned, new[] { "IdempotencyId" });
+    }
+}

From 37b5cef085972c29ffd6e615b7d27a19ffde81ae Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Tue, 4 Feb 2025 09:06:04 -0500
Subject: [PATCH 234/384] [PM-16040] Update
 Organization_UnassignedToProviderSearch.sql SPROC to allow Reseller plan
 types (#5332)

* Update Organization_UnassignedToProviderSearch.sql SPROC

* Robert's feedback
---
 .../Repositories/OrganizationRepository.cs    | 18 ++++---
 ...rganization_UnassignedToProviderSearch.sql | 14 ++---
 ...rganization_UnassignedToProviderSearch.sql | 54 +++++++++++++++++++
 3 files changed, 73 insertions(+), 13 deletions(-)
 create mode 100644 util/Migrator/DbScripts/2025-01-28_00_UpdateOrganization_UnassignedToProviderSearch.sql

diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
index b6ec2ddca0..ea4e1334c6 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
@@ -117,13 +117,19 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
 
         var dbContext = GetDatabaseContext(scope);
 
+        var disallowedPlanTypes = new List<PlanType>
+        {
+            PlanType.Free,
+            PlanType.Custom,
+            PlanType.FamiliesAnnually2019,
+            PlanType.FamiliesAnnually
+        };
+
         var query =
             from o in dbContext.Organizations
-            where
-                ((o.PlanType >= PlanType.TeamsMonthly2019 && o.PlanType <= PlanType.EnterpriseAnnually2019) ||
-                 (o.PlanType >= PlanType.TeamsMonthly2020 && o.PlanType <= PlanType.EnterpriseAnnually)) &&
-                !dbContext.ProviderOrganizations.Any(po => po.OrganizationId == o.Id) &&
-                (string.IsNullOrWhiteSpace(name) || EF.Functions.Like(o.Name, $"%{name}%"))
+            where o.PlanType.NotIn(disallowedPlanTypes) &&
+                  !dbContext.ProviderOrganizations.Any(po => po.OrganizationId == o.Id) &&
+                  (string.IsNullOrWhiteSpace(name) || EF.Functions.Like(o.Name, $"%{name}%"))
             select o;
 
         if (string.IsNullOrWhiteSpace(ownerEmail))
@@ -155,7 +161,7 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
                     select o;
         }
 
-        return await query.OrderByDescending(o => o.CreationDate).Skip(skip).Take(take).ToArrayAsync();
+        return await query.OrderByDescending(o => o.CreationDate).ThenByDescending(o => o.Id).Skip(skip).Take(take).ToArrayAsync();
     }
 
     public async Task UpdateStorageAsync(Guid id)
diff --git a/src/Sql/dbo/Stored Procedures/Organization_UnassignedToProviderSearch.sql b/src/Sql/dbo/Stored Procedures/Organization_UnassignedToProviderSearch.sql
index e40f78fee0..4f2269b583 100644
--- a/src/Sql/dbo/Stored Procedures/Organization_UnassignedToProviderSearch.sql	
+++ b/src/Sql/dbo/Stored Procedures/Organization_UnassignedToProviderSearch.sql	
@@ -1,5 +1,5 @@
 CREATE PROCEDURE [dbo].[Organization_UnassignedToProviderSearch]
-    @Name NVARCHAR(50),
+    @Name NVARCHAR(55),
     @OwnerEmail NVARCHAR(256),
     @Skip INT = 0,
     @Take INT = 25
@@ -9,7 +9,7 @@ BEGIN
     SET NOCOUNT ON
     DECLARE @NameLikeSearch NVARCHAR(55) = '%' + @Name + '%'
     DECLARE @OwnerLikeSearch NVARCHAR(55) = @OwnerEmail + '%'
-        
+
     IF @OwnerEmail IS NOT NULL
     BEGIN
         SELECT
@@ -21,11 +21,11 @@ BEGIN
             INNER JOIN
                 [dbo].[User] U ON U.[Id] = OU.[UserId]
         WHERE
-            ((O.[PlanType] >= 2 AND O.[PlanType] <= 5) OR (O.[PlanType] >= 8 AND O.[PlanType] <= 20) AND (O.PlanType <> 16)) -- All 'Teams' and 'Enterprise' organizations
+            O.[PlanType] NOT IN (0, 1, 6, 7) -- Not 'Free', 'Custom' or 'Families'
             AND NOT EXISTS (SELECT * FROM [dbo].[ProviderOrganizationView] PO WHERE PO.[OrganizationId] = O.[Id])
             AND (@Name IS NULL OR O.[Name] LIKE @NameLikeSearch)
             AND (U.[Email] LIKE @OwnerLikeSearch)
-        ORDER BY O.[CreationDate] DESC
+        ORDER BY O.[CreationDate] DESC, O.[Id]
         OFFSET @Skip ROWS
         FETCH NEXT @Take ROWS ONLY
     END
@@ -36,11 +36,11 @@ BEGIN
         FROM
             [dbo].[OrganizationView] O
         WHERE
-            ((O.[PlanType] >= 2 AND O.[PlanType] <= 5) OR (O.[PlanType] >= 8 AND O.[PlanType] <= 20) AND (O.PlanType <> 16)) -- All 'Teams' and 'Enterprise' organizations
+            O.[PlanType] NOT IN (0, 1, 6, 7) -- Not 'Free', 'Custom' or 'Families'
             AND NOT EXISTS (SELECT * FROM [dbo].[ProviderOrganizationView] PO WHERE PO.[OrganizationId] = O.[Id])
             AND (@Name IS NULL OR O.[Name] LIKE @NameLikeSearch)
-        ORDER BY O.[CreationDate] DESC
+        ORDER BY O.[CreationDate] DESC, O.[Id]
         OFFSET @Skip ROWS
         FETCH NEXT @Take ROWS ONLY
     END
-END
\ No newline at end of file
+END
diff --git a/util/Migrator/DbScripts/2025-01-28_00_UpdateOrganization_UnassignedToProviderSearch.sql b/util/Migrator/DbScripts/2025-01-28_00_UpdateOrganization_UnassignedToProviderSearch.sql
new file mode 100644
index 0000000000..07ec9ae8ac
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-01-28_00_UpdateOrganization_UnassignedToProviderSearch.sql
@@ -0,0 +1,54 @@
+-- Drop existing SPROC
+IF OBJECT_ID('[dbo].[Organization_UnassignedToProviderSearch]') IS NOT NULL
+    BEGIN
+        DROP PROCEDURE [dbo].[Organization_UnassignedToProviderSearch]
+    END
+GO
+
+CREATE PROCEDURE [dbo].[Organization_UnassignedToProviderSearch]
+    @Name NVARCHAR(55),
+    @OwnerEmail NVARCHAR(256),
+    @Skip INT = 0,
+    @Take INT = 25
+    WITH RECOMPILE
+AS
+BEGIN
+    SET NOCOUNT ON
+    DECLARE @NameLikeSearch NVARCHAR(55) = '%' + @Name + '%'
+    DECLARE @OwnerLikeSearch NVARCHAR(55) = @OwnerEmail + '%'
+
+    IF @OwnerEmail IS NOT NULL
+    BEGIN
+        SELECT
+            O.*
+        FROM
+            [dbo].[OrganizationView] O
+            INNER JOIN
+                [dbo].[OrganizationUser] OU ON O.[Id] = OU.[OrganizationId]
+            INNER JOIN
+                [dbo].[User] U ON U.[Id] = OU.[UserId]
+        WHERE
+            O.[PlanType] NOT IN (0, 1, 6, 7) -- Not 'Free', 'Custom' or 'Families'
+            AND NOT EXISTS (SELECT * FROM [dbo].[ProviderOrganizationView] PO WHERE PO.[OrganizationId] = O.[Id])
+            AND (@Name IS NULL OR O.[Name] LIKE @NameLikeSearch)
+            AND (U.[Email] LIKE @OwnerLikeSearch)
+        ORDER BY O.[CreationDate] DESC, O.[Id]
+        OFFSET @Skip ROWS
+        FETCH NEXT @Take ROWS ONLY
+    END
+    ELSE
+    BEGIN
+        SELECT
+            O.*
+        FROM
+            [dbo].[OrganizationView] O
+        WHERE
+            O.[PlanType] NOT IN (0, 1, 6, 7) -- Not 'Free', 'Custom' or 'Families'
+            AND NOT EXISTS (SELECT * FROM [dbo].[ProviderOrganizationView] PO WHERE PO.[OrganizationId] = O.[Id])
+            AND (@Name IS NULL OR O.[Name] LIKE @NameLikeSearch)
+        ORDER BY O.[CreationDate] DESC, O.[Id]
+        OFFSET @Skip ROWS
+        FETCH NEXT @Take ROWS ONLY
+    END
+END
+GO

From 0337300eac108ad2965795758febd895f93781e2 Mon Sep 17 00:00:00 2001
From: cyprain-okeke <108260115+cyprain-okeke@users.noreply.github.com>
Date: Tue, 4 Feb 2025 15:27:58 +0100
Subject: [PATCH 235/384] [PM-15625]Disable trial/send-verification-email
 endpoint for self-host (#5265)

* endpoint is shut off for self-hosted env

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

* Fix the reference issues

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

---------

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>
---
 src/Identity/Billing/Controller/AccountsController.cs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/Identity/Billing/Controller/AccountsController.cs b/src/Identity/Billing/Controller/AccountsController.cs
index aada40bcb2..96ec1280cd 100644
--- a/src/Identity/Billing/Controller/AccountsController.cs
+++ b/src/Identity/Billing/Controller/AccountsController.cs
@@ -4,6 +4,7 @@ using Bit.Core.Context;
 using Bit.Core.Tools.Enums;
 using Bit.Core.Tools.Models.Business;
 using Bit.Core.Tools.Services;
+using Bit.Core.Utilities;
 using Bit.SharedWeb.Utilities;
 using Microsoft.AspNetCore.Mvc;
 
@@ -17,6 +18,7 @@ public class AccountsController(
     IReferenceEventService referenceEventService) : Microsoft.AspNetCore.Mvc.Controller
 {
     [HttpPost("trial/send-verification-email")]
+    [SelfHosted(NotSelfHostedOnly = true)]
     public async Task<IActionResult> PostTrialInitiationSendVerificationEmailAsync([FromBody] TrialSendVerificationEmailRequestModel model)
     {
         var token = await sendTrialInitiationEmailForRegistrationCommand.Handle(

From b5cfb4b9c73de206999c170519fde76a1fc86682 Mon Sep 17 00:00:00 2001
From: Matt Andreko <mandreko@bitwarden.com>
Date: Tue, 4 Feb 2025 12:14:55 -0500
Subject: [PATCH 236/384] Enabled SonarQube scanning for PRs (#5363)

* Added scan workflow parameter for PR number to enable branch scanning

* Added missing backslash
---
 .github/workflows/scan.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index ec2eb7789a..fbcff6b1c0 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -85,6 +85,7 @@ jobs:
           /d:sonar.test.inclusions=test/,bitwarden_license/test/ \
           /d:sonar.exclusions=test/,bitwarden_license/test/ \
           /o:"${{ github.repository_owner }}" /d:sonar.token="${{ secrets.SONAR_TOKEN }}" \
+          /d:sonar.pullrequest.key=${{ github.event.pull_request.number }} \
           /d:sonar.host.url="https://sonarcloud.io"
           dotnet build
           dotnet-sonarscanner end /d:sonar.token="${{ secrets.SONAR_TOKEN }}"

From bdbed7adc8ef7be9c6da07207405f2cc04366707 Mon Sep 17 00:00:00 2001
From: Daniel James Smith <2670567+djsmith85@users.noreply.github.com>
Date: Tue, 4 Feb 2025 19:31:15 +0100
Subject: [PATCH 237/384] Group tools owned feature flags (#5362)

Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
---
 src/Core/Constants.cs | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 8660010871..6f9960919a 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -109,9 +109,15 @@ public static class FeatureFlagKeys
     public const string DeviceApprovalRequestAdminNotifications = "pm-15637-device-approval-request-admin-notifications";
     public const string LimitItemDeletion = "pm-15493-restrict-item-deletion-to-can-manage-permission";
 
+    /* Tools Team */
+    public const string ItemShare = "item-share";
+    public const string GeneratorToolsModernization = "generator-tools-modernization";
+    public const string MemberAccessReport = "ac-2059-member-access-report";
+    public const string RiskInsightsCriticalApplication = "pm-14466-risk-insights-critical-application";
+    public const string EnableRiskInsightsNotifications = "enable-risk-insights-notifications";
+
     public const string ReturnErrorOnExistingKeypair = "return-error-on-existing-keypair";
     public const string UseTreeWalkerApiForPageDetailsCollection = "use-tree-walker-api-for-page-details-collection";
-    public const string ItemShare = "item-share";
     public const string DuoRedirect = "duo-redirect";
     public const string AC2101UpdateTrialInitiationEmail = "AC-2101-update-trial-initiation-email";
     public const string AC1795_UpdatedSubscriptionStatusSection = "AC-1795_updated-subscription-status-section";
@@ -121,7 +127,6 @@ public static class FeatureFlagKeys
     public const string RestrictProviderAccess = "restrict-provider-access";
     public const string PM4154BulkEncryptionService = "PM-4154-bulk-encryption-service";
     public const string VaultBulkManagementAction = "vault-bulk-management-action";
-    public const string MemberAccessReport = "ac-2059-member-access-report";
     public const string InlineMenuFieldQualification = "inline-menu-field-qualification";
     public const string TwoFactorComponentRefactor = "two-factor-component-refactor";
     public const string InlineMenuPositioningImprovements = "inline-menu-positioning-improvements";
@@ -146,9 +151,7 @@ public static class FeatureFlagKeys
     public const string TrialPayment = "PM-8163-trial-payment";
     public const string RemoveServerVersionHeader = "remove-server-version-header";
     public const string PM12275_MultiOrganizationEnterprises = "pm-12275-multi-organization-enterprises";
-    public const string GeneratorToolsModernization = "generator-tools-modernization";
     public const string NewDeviceVerification = "new-device-verification";
-    public const string RiskInsightsCriticalApplication = "pm-14466-risk-insights-critical-application";
     public const string NewDeviceVerificationTemporaryDismiss = "new-device-temporary-dismiss";
     public const string NewDeviceVerificationPermanentDismiss = "new-device-permanent-dismiss";
     public const string SecurityTasks = "security-tasks";
@@ -170,7 +173,6 @@ public static class FeatureFlagKeys
     public const string AccountDeprovisioningBanner = "pm-17120-account-deprovisioning-admin-console-banner";
     public const string SingleTapPasskeyCreation = "single-tap-passkey-creation";
     public const string SingleTapPasskeyAuthentication = "single-tap-passkey-authentication";
-    public const string EnableRiskInsightsNotifications = "enable-risk-insights-notifications";
     public const string EnablePMAuthenticatorSync = "enable-pm-bwa-sync";
     public const string P15179_AddExistingOrgsFromProviderPortal = "PM-15179-add-existing-orgs-from-provider-portal";
 

From d2fb3760d3da1debd260ba190741ea360644a848 Mon Sep 17 00:00:00 2001
From: Matt Andreko <mandreko@bitwarden.com>
Date: Tue, 4 Feb 2025 13:53:16 -0500
Subject: [PATCH 238/384] Reworked PR workflow logic to prevent missing
 parameter (#5367)

---
 .github/workflows/scan.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index fbcff6b1c0..1fa5c9587c 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -85,7 +85,6 @@ jobs:
           /d:sonar.test.inclusions=test/,bitwarden_license/test/ \
           /d:sonar.exclusions=test/,bitwarden_license/test/ \
           /o:"${{ github.repository_owner }}" /d:sonar.token="${{ secrets.SONAR_TOKEN }}" \
-          /d:sonar.pullrequest.key=${{ github.event.pull_request.number }} \
-          /d:sonar.host.url="https://sonarcloud.io"
+          /d:sonar.host.url="https://sonarcloud.io" ${{ contains(github.event_name, 'pull_request') && format('/d:sonar.pullrequest.key={0}', github.event.pull_request.number) || '' }}
           dotnet build
           dotnet-sonarscanner end /d:sonar.token="${{ secrets.SONAR_TOKEN }}"

From 72b78ed65506b7433e1a224c29fb66ebaf36f55f Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Tue, 4 Feb 2025 14:58:54 -0500
Subject: [PATCH 239/384] Update feature flag name (#5364)

---
 src/Core/Constants.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 6f9960919a..f58f1f7157 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -174,7 +174,7 @@ public static class FeatureFlagKeys
     public const string SingleTapPasskeyCreation = "single-tap-passkey-creation";
     public const string SingleTapPasskeyAuthentication = "single-tap-passkey-authentication";
     public const string EnablePMAuthenticatorSync = "enable-pm-bwa-sync";
-    public const string P15179_AddExistingOrgsFromProviderPortal = "PM-15179-add-existing-orgs-from-provider-portal";
+    public const string P15179_AddExistingOrgsFromProviderPortal = "pm-15179-add-existing-orgs-from-provider-portal";
 
     public static List<string> GetAllKeys()
     {

From 90680f482a3b20b8d580056c6d136baab4cbf089 Mon Sep 17 00:00:00 2001
From: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Date: Tue, 4 Feb 2025 15:40:17 -0500
Subject: [PATCH 240/384] Revert version from 2025.1.5 to 2025.1.4 (#5369)

---
 Directory.Build.props | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index d109303a58..88b63d156c 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.1.5</Version>
+    <Version>2025.1.4</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>
@@ -64,4 +64,4 @@
     </ItemGroup>
   </Target>
 
-</Project>
\ No newline at end of file
+</Project>

From 412c6f9849431a3d170a8009c86f2d7fa4ae3a57 Mon Sep 17 00:00:00 2001
From: Jason Ng <jcory.ng@gmail.com>
Date: Tue, 4 Feb 2025 15:45:24 -0500
Subject: [PATCH 241/384] [PM-11162] Assign to Collection Permission Update
 (#4844)

Only users with Manage/Edit permissions will be allowed to Assign To Collections. If the user has Can Edit Except Password the collections dropdown will be disabled.

---------

Co-authored-by: Matt Bishop <mbishop@bitwarden.com>
Co-authored-by: kejaeger <138028972+kejaeger@users.noreply.github.com>
---
 .../Vault/Controllers/CiphersController.cs    |  57 ++++++++-
 .../Vault/Repositories/CipherRepository.cs    |   2 +-
 .../Cipher/CipherDetails_ReadByIdUserId.sql   |  38 +++++-
 .../CollectionCipher_UpdateCollections.sql    |  56 ++++-----
 .../Controllers/CiphersControllerTests.cs     |   1 +
 ...0_CollectionPermissionEditExceptPWPerm.sql | 118 ++++++++++++++++++
 6 files changed, 233 insertions(+), 39 deletions(-)
 create mode 100644 util/Migrator/DbScripts/2025-02-04_00_CollectionPermissionEditExceptPWPerm.sql

diff --git a/src/Api/Vault/Controllers/CiphersController.cs b/src/Api/Vault/Controllers/CiphersController.cs
index c8ebb8c402..5a7d427963 100644
--- a/src/Api/Vault/Controllers/CiphersController.cs
+++ b/src/Api/Vault/Controllers/CiphersController.cs
@@ -424,6 +424,59 @@ public class CiphersController : Controller
         return false;
     }
 
+    /// <summary>
+    /// TODO: Move this to its own authorization handler or equivalent service - AC-2062
+    /// </summary>
+    private async Task<bool> CanModifyCipherCollectionsAsync(Guid organizationId, IEnumerable<Guid> cipherIds)
+    {
+        // If the user can edit all ciphers for the organization, just check they all belong to the org
+        if (await CanEditAllCiphersAsync(organizationId))
+        {
+            // TODO: This can likely be optimized to only query the requested ciphers and then checking they belong to the org
+            var orgCiphers = (await _cipherRepository.GetManyByOrganizationIdAsync(organizationId)).ToDictionary(c => c.Id);
+
+            // Ensure all requested ciphers are in orgCiphers
+            if (cipherIds.Any(c => !orgCiphers.ContainsKey(c)))
+            {
+                return false;
+            }
+
+            return true;
+        }
+
+        // The user cannot access any ciphers for the organization, we're done
+        if (!await CanAccessOrganizationCiphersAsync(organizationId))
+        {
+            return false;
+        }
+
+        var userId = _userService.GetProperUserId(User).Value;
+        // Select all editable ciphers for this user belonging to the organization
+        var editableOrgCipherList = (await _cipherRepository.GetManyByUserIdAsync(userId, true))
+            .Where(c => c.OrganizationId == organizationId && c.UserId == null && c.Edit && c.ViewPassword).ToList();
+
+        // Special case for unassigned ciphers
+        if (await CanAccessUnassignedCiphersAsync(organizationId))
+        {
+            var unassignedCiphers =
+                (await _cipherRepository.GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(
+                    organizationId));
+
+            // Users that can access unassigned ciphers can also edit them
+            editableOrgCipherList.AddRange(unassignedCiphers.Select(c => new CipherDetails(c) { Edit = true }));
+        }
+
+        var editableOrgCiphers = editableOrgCipherList
+            .ToDictionary(c => c.Id);
+
+        if (cipherIds.Any(c => !editableOrgCiphers.ContainsKey(c)))
+        {
+            return false;
+        }
+
+        return true;
+    }
+
     /// <summary>
     /// TODO: Move this to its own authorization handler or equivalent service - AC-2062
     /// </summary>
@@ -579,7 +632,7 @@ public class CiphersController : Controller
         var userId = _userService.GetProperUserId(User).Value;
         var cipher = await GetByIdAsync(id, userId);
         if (cipher == null || !cipher.OrganizationId.HasValue ||
-            !await _currentContext.OrganizationUser(cipher.OrganizationId.Value))
+            !await _currentContext.OrganizationUser(cipher.OrganizationId.Value) || !cipher.ViewPassword)
         {
             throw new NotFoundException();
         }
@@ -634,7 +687,7 @@ public class CiphersController : Controller
     [HttpPost("bulk-collections")]
     public async Task PostBulkCollections([FromBody] CipherBulkUpdateCollectionsRequestModel model)
     {
-        if (!await CanEditCiphersAsync(model.OrganizationId, model.CipherIds) ||
+        if (!await CanModifyCipherCollectionsAsync(model.OrganizationId, model.CipherIds) ||
             !await CanEditItemsInCollections(model.OrganizationId, model.CollectionIds))
         {
             throw new NotFoundException();
diff --git a/src/Infrastructure.Dapper/Vault/Repositories/CipherRepository.cs b/src/Infrastructure.Dapper/Vault/Repositories/CipherRepository.cs
index 098e8299e4..b8304fbbb0 100644
--- a/src/Infrastructure.Dapper/Vault/Repositories/CipherRepository.cs
+++ b/src/Infrastructure.Dapper/Vault/Repositories/CipherRepository.cs
@@ -98,7 +98,7 @@ public class CipherRepository : Repository<Cipher, Guid>, ICipherRepository
 
             return results
                 .GroupBy(c => c.Id)
-                .Select(g => g.OrderByDescending(og => og.Edit).First())
+                .Select(g => g.OrderByDescending(og => og.Edit).ThenByDescending(og => og.ViewPassword).First())
                 .ToList();
         }
     }
diff --git a/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_ReadByIdUserId.sql b/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_ReadByIdUserId.sql
index e2fb2629bd..189ad0a4a5 100644
--- a/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_ReadByIdUserId.sql	
+++ b/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_ReadByIdUserId.sql	
@@ -5,12 +5,40 @@ AS
 BEGIN
     SET NOCOUNT ON
 
-    SELECT TOP 1
-        *
+SELECT
+        [Id],
+        [UserId],
+        [OrganizationId],
+        [Type],
+        [Data],
+        [Attachments],
+        [CreationDate],
+        [RevisionDate],
+        [Favorite],
+        [FolderId],
+        [DeletedDate],
+        [Reprompt],
+        [Key],
+        [OrganizationUseTotp],
+        MAX ([Edit]) AS [Edit],
+        MAX ([ViewPassword]) AS [ViewPassword]
     FROM
         [dbo].[UserCipherDetails](@UserId)
     WHERE
         [Id] = @Id
-    ORDER BY
-        [Edit] DESC
-END
\ No newline at end of file
+    GROUP BY
+        [Id],
+        [UserId],
+        [OrganizationId],
+        [Type],
+        [Data],
+        [Attachments],
+        [CreationDate],
+        [RevisionDate],
+        [Favorite],
+        [FolderId],
+        [DeletedDate],
+        [Reprompt],
+        [Key],
+        [OrganizationUseTotp]
+END
diff --git a/src/Sql/dbo/Stored Procedures/CollectionCipher_UpdateCollections.sql b/src/Sql/dbo/Stored Procedures/CollectionCipher_UpdateCollections.sql
index 4098ab59e2..f3a1d964b5 100644
--- a/src/Sql/dbo/Stored Procedures/CollectionCipher_UpdateCollections.sql	
+++ b/src/Sql/dbo/Stored Procedures/CollectionCipher_UpdateCollections.sql	
@@ -14,10 +14,9 @@ BEGIN
         WHERE
             [Id] = @CipherId
     )
-
-    ;WITH [AvailableCollectionsCTE] AS(
-        SELECT
+    SELECT
             C.[Id]
+            INTO #TempAvailableCollections
         FROM
             [dbo].[Collection] C
         INNER JOIN
@@ -40,38 +39,33 @@ BEGIN
                 CU.[ReadOnly] = 0
                 OR CG.[ReadOnly] = 0
             )
-    ),
-    [CollectionCiphersCTE] AS(
-        SELECT
-            [CollectionId],
-            [CipherId]
-        FROM
-            [dbo].[CollectionCipher]
-        WHERE
-            [CipherId] = @CipherId
+    -- Insert new collection assignments
+    INSERT INTO [dbo].[CollectionCipher] (
+        [CollectionId],
+        [CipherId]
     )
-    MERGE
-        [CollectionCiphersCTE] AS [Target]
-    USING
-        @CollectionIds AS [Source]
-    ON
-        [Target].[CollectionId] = [Source].[Id]
-        AND [Target].[CipherId] = @CipherId
-    WHEN NOT MATCHED BY TARGET
-    AND [Source].[Id] IN (SELECT [Id] FROM [AvailableCollectionsCTE]) THEN
-        INSERT VALUES
-        (
-            [Source].[Id],
-            @CipherId
-        )
-    WHEN NOT MATCHED BY SOURCE
-    AND [Target].[CipherId] = @CipherId
-    AND [Target].[CollectionId] IN (SELECT [Id] FROM [AvailableCollectionsCTE]) THEN
-        DELETE
-    ;
+    SELECT 
+        [Id],
+        @CipherId
+    FROM @CollectionIds
+    WHERE [Id] IN (SELECT [Id] FROM [#TempAvailableCollections])
+    AND NOT EXISTS (
+        SELECT 1 
+        FROM [dbo].[CollectionCipher]
+        WHERE [CollectionId] = [@CollectionIds].[Id]
+        AND [CipherId] = @CipherId
+    );
+
+    -- Delete removed collection assignments
+    DELETE CC
+    FROM [dbo].[CollectionCipher] CC
+    WHERE CC.[CipherId] = @CipherId
+    AND CC.[CollectionId] IN (SELECT [Id] FROM [#TempAvailableCollections])
+    AND CC.[CollectionId] NOT IN (SELECT [Id] FROM @CollectionIds);
 
     IF @OrgId IS NOT NULL
     BEGIN
         EXEC [dbo].[User_BumpAccountRevisionDateByOrganizationId] @OrgId
     END
+    DROP TABLE #TempAvailableCollections;
 END
diff --git a/test/Api.Test/Vault/Controllers/CiphersControllerTests.cs b/test/Api.Test/Vault/Controllers/CiphersControllerTests.cs
index e7c5cd9ef5..2afce14ac5 100644
--- a/test/Api.Test/Vault/Controllers/CiphersControllerTests.cs
+++ b/test/Api.Test/Vault/Controllers/CiphersControllerTests.cs
@@ -127,6 +127,7 @@ public class CiphersControllerTests
             UserId = userId,
             OrganizationId = Guid.NewGuid(),
             Type = CipherType.Login,
+            ViewPassword = true,
             Data = @"
             {
                 ""Uris"": [
diff --git a/util/Migrator/DbScripts/2025-02-04_00_CollectionPermissionEditExceptPWPerm.sql b/util/Migrator/DbScripts/2025-02-04_00_CollectionPermissionEditExceptPWPerm.sql
new file mode 100644
index 0000000000..95013afaa4
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-02-04_00_CollectionPermissionEditExceptPWPerm.sql
@@ -0,0 +1,118 @@
+CREATE OR ALTER PROCEDURE [dbo].[CipherDetails_ReadByIdUserId]
+    @Id UNIQUEIDENTIFIER,
+    @UserId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+SELECT
+    [Id],
+    [UserId],
+    [OrganizationId],
+    [Type],
+    [Data],
+    [Attachments],
+    [CreationDate],
+    [RevisionDate],
+    [Favorite],
+    [FolderId],
+    [DeletedDate],
+    [Reprompt],
+    [Key],
+    [OrganizationUseTotp],
+    MAX ([Edit]) AS [Edit],
+    MAX ([ViewPassword]) AS [ViewPassword]
+FROM
+    [dbo].[UserCipherDetails](@UserId)
+WHERE
+    [Id] = @Id
+GROUP BY
+    [Id],
+    [UserId],
+    [OrganizationId],
+    [Type],
+    [Data],
+    [Attachments],
+    [CreationDate],
+    [RevisionDate],
+    [Favorite],
+    [FolderId],
+    [DeletedDate],
+    [Reprompt],
+    [Key],
+    [OrganizationUseTotp]
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[CollectionCipher_UpdateCollections]
+    @CipherId UNIQUEIDENTIFIER,
+    @UserId UNIQUEIDENTIFIER,
+    @CollectionIds AS [dbo].[GuidIdArray] READONLY
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    DECLARE @OrgId UNIQUEIDENTIFIER = (
+        SELECT TOP 1
+            [OrganizationId]
+        FROM
+            [dbo].[Cipher]
+        WHERE
+            [Id] = @CipherId
+    )
+    SELECT
+            C.[Id]
+            INTO #TempAvailableCollections
+        FROM
+            [dbo].[Collection] C
+        INNER JOIN
+            [Organization] O ON O.[Id] = C.[OrganizationId]
+        INNER JOIN
+            [dbo].[OrganizationUser] OU ON OU.[OrganizationId] = O.[Id] AND OU.[UserId] = @UserId
+        LEFT JOIN
+            [dbo].[CollectionUser] CU ON CU.[CollectionId] = C.[Id] AND CU.[OrganizationUserId] = OU.[Id]
+        LEFT JOIN
+            [dbo].[GroupUser] GU ON CU.[CollectionId] IS NULL AND GU.[OrganizationUserId] = OU.[Id]
+        LEFT JOIN
+            [dbo].[Group] G ON G.[Id] = GU.[GroupId]
+        LEFT JOIN
+            [dbo].[CollectionGroup] CG ON CG.[CollectionId] = C.[Id] AND CG.[GroupId] = GU.[GroupId]
+        WHERE
+            O.[Id] = @OrgId
+            AND O.[Enabled] = 1
+            AND OU.[Status] = 2 -- Confirmed
+            AND (
+                CU.[ReadOnly] = 0
+                OR CG.[ReadOnly] = 0
+            )
+    -- Insert new collection assignments
+    INSERT INTO [dbo].[CollectionCipher] (
+        [CollectionId],
+        [CipherId]
+    )
+    SELECT 
+        [Id],
+        @CipherId
+    FROM @CollectionIds
+    WHERE [Id] IN (SELECT [Id] FROM [#TempAvailableCollections])
+    AND NOT EXISTS (
+        SELECT 1 
+        FROM [dbo].[CollectionCipher]
+        WHERE [CollectionId] = [@CollectionIds].[Id]
+        AND [CipherId] = @CipherId
+    );
+
+    -- Delete removed collection assignments
+    DELETE CC
+    FROM [dbo].[CollectionCipher] CC
+    WHERE CC.[CipherId] = @CipherId
+    AND CC.[CollectionId] IN (SELECT [Id] FROM [#TempAvailableCollections])
+    AND CC.[CollectionId] NOT IN (SELECT [Id] FROM @CollectionIds);
+
+    IF @OrgId IS NOT NULL
+    BEGIN
+        EXEC [dbo].[User_BumpAccountRevisionDateByOrganizationId] @OrgId
+    END
+    DROP TABLE #TempAvailableCollections;
+END
+GO

From a8a08a0c8f21b9893b4a5831f61cfce1ad131d3c Mon Sep 17 00:00:00 2001
From: cyprain-okeke <108260115+cyprain-okeke@users.noreply.github.com>
Date: Wed, 5 Feb 2025 09:18:23 +0100
Subject: [PATCH 242/384] Remove the feature flag (#5331)

---
 .../Billing/Controllers/OrganizationSponsorshipsController.cs  | 3 +--
 src/Core/Constants.cs                                          | 1 -
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/Api/Billing/Controllers/OrganizationSponsorshipsController.cs b/src/Api/Billing/Controllers/OrganizationSponsorshipsController.cs
index a7a4c39054..42263aa88b 100644
--- a/src/Api/Billing/Controllers/OrganizationSponsorshipsController.cs
+++ b/src/Api/Billing/Controllers/OrganizationSponsorshipsController.cs
@@ -1,6 +1,5 @@
 using Bit.Api.Models.Request.Organizations;
 using Bit.Api.Models.Response.Organizations;
-using Bit.Core;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationConnections.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
@@ -107,7 +106,7 @@ public class OrganizationSponsorshipsController : Controller
     {
         var isFreeFamilyPolicyEnabled = false;
         var (isValid, sponsorship) = await _validateRedemptionTokenCommand.ValidateRedemptionTokenAsync(sponsorshipToken, (await CurrentUser).Email);
-        if (isValid && _featureService.IsEnabled(FeatureFlagKeys.DisableFreeFamiliesSponsorship) && sponsorship.SponsoringOrganizationId.HasValue)
+        if (isValid && sponsorship.SponsoringOrganizationId.HasValue)
         {
             var policy = await _policyRepository.GetByOrganizationIdTypeAsync(sponsorship.SponsoringOrganizationId.Value,
                 PolicyType.FreeFamiliesSponsorshipPolicy);
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index f58f1f7157..cba146c959 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -155,7 +155,6 @@ public static class FeatureFlagKeys
     public const string NewDeviceVerificationTemporaryDismiss = "new-device-temporary-dismiss";
     public const string NewDeviceVerificationPermanentDismiss = "new-device-permanent-dismiss";
     public const string SecurityTasks = "security-tasks";
-    public const string DisableFreeFamiliesSponsorship = "PM-12274-disable-free-families-sponsorship";
     public const string MacOsNativeCredentialSync = "macos-native-credential-sync";
     public const string PM9111ExtensionPersistAddEditForm = "pm-9111-extension-persist-add-edit-form";
     public const string InlineMenuTotp = "inline-menu-totp";

From 617bb5015fdde37a0e78d43a8086918409de41fb Mon Sep 17 00:00:00 2001
From: Tom <144813356+ttalty@users.noreply.github.com>
Date: Wed, 5 Feb 2025 04:57:19 -0500
Subject: [PATCH 243/384] Removing the member access feature flag from the
 server (#5368)

---
 src/Core/Constants.cs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index cba146c959..03d6a193a7 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -112,7 +112,6 @@ public static class FeatureFlagKeys
     /* Tools Team */
     public const string ItemShare = "item-share";
     public const string GeneratorToolsModernization = "generator-tools-modernization";
-    public const string MemberAccessReport = "ac-2059-member-access-report";
     public const string RiskInsightsCriticalApplication = "pm-14466-risk-insights-critical-application";
     public const string EnableRiskInsightsNotifications = "enable-risk-insights-notifications";
 

From 03c390de7405b6e2a2c0463d28ad406de6b66210 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Wed, 5 Feb 2025 14:47:06 +0000
Subject: [PATCH 244/384] =?UTF-8?q?[PM-15637]=20Notify=20Custom=20Users=20?=
 =?UTF-8?q?with=20=E2=80=9CManage=20Account=20Recovery=E2=80=9D=20permissi?=
 =?UTF-8?q?on=20for=20Device=20Approval=20Requests=20(#5359)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Add stored procedure to read organization user details by role

* Add OrganizationUserRepository method to retrieve OrganizationUser details by role

* Enhance AuthRequestService to send notifications to custom users with ManageResetPassword permission

* Enhance AuthRequestServiceTests to include custom user permissions and validate notification email recipients
---
 .../IOrganizationUserRepository.cs            |  8 +++++
 .../Implementations/AuthRequestService.cs     | 30 +++++++++++++++--
 .../OrganizationUserRepository.cs             | 13 ++++++++
 .../OrganizationUserRepository.cs             | 21 ++++++++++++
 ...OrganizationUser_ReadManyDetailsByRole.sql | 16 ++++++++++
 .../Auth/Services/AuthRequestServiceTests.cs  | 32 +++++++++++++++++--
 ...-02-03_00_OrgUserReadManyDetailsByRole.sql | 16 ++++++++++
 7 files changed, 131 insertions(+), 5 deletions(-)
 create mode 100644 src/Sql/dbo/Stored Procedures/OrganizationUser_ReadManyDetailsByRole.sql
 create mode 100644 util/Migrator/DbScripts/2025-02-03_00_OrgUserReadManyDetailsByRole.sql

diff --git a/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs b/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs
index 516b4614af..8825f9722a 100644
--- a/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs
+++ b/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs
@@ -60,4 +60,12 @@ public interface IOrganizationUserRepository : IRepository<OrganizationUser, Gui
     Task<ICollection<OrganizationUser>> GetManyByOrganizationWithClaimedDomainsAsync(Guid organizationId);
 
     Task RevokeManyByIdAsync(IEnumerable<Guid> organizationUserIds);
+
+    /// <summary>
+    /// Returns a list of OrganizationUsersUserDetails with the specified role.
+    /// </summary>
+    /// <param name="organizationId">The organization to search within</param>
+    /// <param name="role">The role to search for</param>
+    /// <returns>A list of OrganizationUsersUserDetails with the specified role</returns>
+    Task<IEnumerable<OrganizationUserUserDetails>> GetManyDetailsByRoleAsync(Guid organizationId, OrganizationUserType role);
 }
diff --git a/src/Core/Auth/Services/Implementations/AuthRequestService.cs b/src/Core/Auth/Services/Implementations/AuthRequestService.cs
index 5e41e3a679..b70a690338 100644
--- a/src/Core/Auth/Services/Implementations/AuthRequestService.cs
+++ b/src/Core/Auth/Services/Implementations/AuthRequestService.cs
@@ -297,10 +297,34 @@ public class AuthRequestService : IAuthRequestService
             return;
         }
 
-        var admins = await _organizationUserRepository.GetManyByMinimumRoleAsync(
+        var adminEmails = await GetAdminAndAccountRecoveryEmailsAsync(organizationUser.OrganizationId);
+
+        await _mailService.SendDeviceApprovalRequestedNotificationEmailAsync(
+            adminEmails,
             organizationUser.OrganizationId,
+            user.Email,
+            user.Name);
+    }
+
+    /// <summary>
+    /// Returns a list of emails for admins and custom users with the ManageResetPassword permission.
+    /// </summary>
+    /// <param name="organizationId">The organization to search within</param>
+    private async Task<List<string>> GetAdminAndAccountRecoveryEmailsAsync(Guid organizationId)
+    {
+        var admins = await _organizationUserRepository.GetManyByMinimumRoleAsync(
+            organizationId,
             OrganizationUserType.Admin);
-        var adminEmails = admins.Select(a => a.Email).Distinct().ToList();
-        await _mailService.SendDeviceApprovalRequestedNotificationEmailAsync(adminEmails, organizationUser.OrganizationId, user.Email, user.Name);
+
+        var customUsers = await _organizationUserRepository.GetManyDetailsByRoleAsync(
+            organizationId,
+            OrganizationUserType.Custom);
+
+        return admins.Select(a => a.Email)
+            .Concat(customUsers
+                .Where(a => a.GetPermissions().ManageResetPassword)
+                .Select(a => a.Email))
+            .Distinct()
+            .ToList();
     }
 }
diff --git a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs
index 42f79852f3..9b77fb216e 100644
--- a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs
+++ b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs
@@ -567,4 +567,17 @@ public class OrganizationUserRepository : Repository<OrganizationUser, Guid>, IO
             new { OrganizationUserIds = JsonSerializer.Serialize(organizationUserIds), Status = OrganizationUserStatusType.Revoked },
             commandType: CommandType.StoredProcedure);
     }
+
+    public async Task<IEnumerable<OrganizationUserUserDetails>> GetManyDetailsByRoleAsync(Guid organizationId, OrganizationUserType role)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var results = await connection.QueryAsync<OrganizationUserUserDetails>(
+                "[dbo].[OrganizationUser_ReadManyDetailsByRole]",
+                new { OrganizationId = organizationId, Role = role },
+                commandType: CommandType.StoredProcedure);
+
+            return results.ToList();
+        }
+    }
 }
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
index 007ff1a7ff..ef6460df0e 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
@@ -733,4 +733,25 @@ public class OrganizationUserRepository : Repository<Core.Entities.OrganizationU
 
         await dbContext.UserBumpAccountRevisionDateByOrganizationUserIdsAsync(organizationUserIds);
     }
+
+    public async Task<IEnumerable<OrganizationUserUserDetails>> GetManyDetailsByRoleAsync(Guid organizationId, OrganizationUserType role)
+    {
+        using (var scope = ServiceScopeFactory.CreateScope())
+        {
+            var dbContext = GetDatabaseContext(scope);
+            var query = from ou in dbContext.OrganizationUsers
+                        join u in dbContext.Users
+                            on ou.UserId equals u.Id
+                        where ou.OrganizationId == organizationId &&
+                            ou.Type == role &&
+                            ou.Status == OrganizationUserStatusType.Confirmed
+                        select new OrganizationUserUserDetails
+                        {
+                            Id = ou.Id,
+                            Email = ou.Email ?? u.Email,
+                            Permissions = ou.Permissions
+                        };
+            return await query.ToListAsync();
+        }
+    }
 }
diff --git a/src/Sql/dbo/Stored Procedures/OrganizationUser_ReadManyDetailsByRole.sql b/src/Sql/dbo/Stored Procedures/OrganizationUser_ReadManyDetailsByRole.sql
new file mode 100644
index 0000000000..e8bf8bb701
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/OrganizationUser_ReadManyDetailsByRole.sql	
@@ -0,0 +1,16 @@
+CREATE PROCEDURE [dbo].[OrganizationUser_ReadManyDetailsByRole]
+    @OrganizationId UNIQUEIDENTIFIER,
+    @Role TINYINT
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        *
+    FROM
+        [dbo].[OrganizationUserUserDetailsView]
+    WHERE
+        OrganizationId = @OrganizationId 
+        AND Status = 2 -- 2 = Confirmed 
+        AND [Type] = @Role
+END
diff --git a/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs b/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
index 3894ac90a8..8feef2facc 100644
--- a/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
+++ b/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
@@ -7,11 +7,13 @@ using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Data;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
+using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Bit.Test.Common.Helpers;
@@ -347,14 +349,24 @@ public class AuthRequestServiceTests
         User user,
         OrganizationUser organizationUser1,
         OrganizationUserUserDetails admin1,
+        OrganizationUserUserDetails customUser1,
         OrganizationUser organizationUser2,
         OrganizationUserUserDetails admin2,
-        OrganizationUserUserDetails admin3)
+        OrganizationUserUserDetails admin3,
+        OrganizationUserUserDetails customUser2)
     {
         createModel.Type = AuthRequestType.AdminApproval;
         user.Email = createModel.Email;
         organizationUser1.UserId = user.Id;
         organizationUser2.UserId = user.Id;
+        customUser1.Permissions = CoreHelpers.ClassToJsonData(new Permissions
+        {
+            ManageResetPassword = false,
+        });
+        customUser2.Permissions = CoreHelpers.ClassToJsonData(new Permissions
+        {
+            ManageResetPassword = true,
+        });
 
         sutProvider.GetDependency<IFeatureService>()
             .IsEnabled(FeatureFlagKeys.DeviceApprovalRequestAdminNotifications)
@@ -392,6 +404,13 @@ public class AuthRequestServiceTests
                 admin1,
             ]);
 
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyDetailsByRoleAsync(organizationUser1.OrganizationId, OrganizationUserType.Custom)
+            .Returns(
+            [
+                customUser1,
+            ]);
+
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetManyByMinimumRoleAsync(organizationUser2.OrganizationId, OrganizationUserType.Admin)
             .Returns(
@@ -400,6 +419,13 @@ public class AuthRequestServiceTests
                 admin3,
             ]);
 
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyDetailsByRoleAsync(organizationUser2.OrganizationId, OrganizationUserType.Custom)
+            .Returns(
+            [
+                customUser2,
+            ]);
+
         sutProvider.GetDependency<IAuthRequestRepository>()
             .CreateAsync(Arg.Any<AuthRequest>())
             .Returns(c => c.ArgAt<AuthRequest>(0));
@@ -435,7 +461,9 @@ public class AuthRequestServiceTests
         await sutProvider.GetDependency<IMailService>()
             .Received(1)
             .SendDeviceApprovalRequestedNotificationEmailAsync(
-                Arg.Is<IEnumerable<string>>(emails => emails.Count() == 2 && emails.Contains(admin2.Email) && emails.Contains(admin3.Email)),
+                Arg.Is<IEnumerable<string>>(emails => emails.Count() == 3 &&
+                                                      emails.Contains(admin2.Email) && emails.Contains(admin3.Email) &&
+                                                      emails.Contains(customUser2.Email)),
                 organizationUser2.OrganizationId,
                 user.Email,
                 user.Name);
diff --git a/util/Migrator/DbScripts/2025-02-03_00_OrgUserReadManyDetailsByRole.sql b/util/Migrator/DbScripts/2025-02-03_00_OrgUserReadManyDetailsByRole.sql
new file mode 100644
index 0000000000..4d687f0bb1
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-02-03_00_OrgUserReadManyDetailsByRole.sql
@@ -0,0 +1,16 @@
+CREATE OR ALTER PROCEDURE [dbo].[OrganizationUser_ReadManyDetailsByRole]
+    @OrganizationId UNIQUEIDENTIFIER,
+    @Role TINYINT
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        *
+    FROM
+        [dbo].[OrganizationUserUserDetailsView]
+    WHERE
+        OrganizationId = @OrganizationId
+        AND Status = 2 -- 2 = Confirmed
+        AND [Type] = @Role
+END

From 77364549fa9dd756a02c0bea04761b7f01beaa76 Mon Sep 17 00:00:00 2001
From: Patrick Honkonen <1883101+SaintPatrck@users.noreply.github.com>
Date: Wed, 5 Feb 2025 10:03:13 -0500
Subject: [PATCH 245/384] [PM-16157] Add feature flag for mTLS support in
 Android client (#5335)

Add a feature flag to control support for selecting a mutual TLS client certificate within the Android client.
---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 03d6a193a7..ba3b8b0795 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -173,6 +173,7 @@ public static class FeatureFlagKeys
     public const string SingleTapPasskeyAuthentication = "single-tap-passkey-authentication";
     public const string EnablePMAuthenticatorSync = "enable-pm-bwa-sync";
     public const string P15179_AddExistingOrgsFromProviderPortal = "pm-15179-add-existing-orgs-from-provider-portal";
+    public const string AndroidMutualTls = "mutual-tls";
 
     public static List<string> GetAllKeys()
     {

From a971a18719b4a9a8cf3af77270b1799ed6942083 Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Wed, 5 Feb 2025 15:32:27 -0500
Subject: [PATCH 246/384] [PM-17957] Pin Transitive Deps (#5371)

* Remove duplicate quartz reference

* Pin Core packages

* Pin Notifications packages
---
 src/Core/Core.csproj                   | 6 +++++-
 src/Notifications/Notifications.csproj | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index 7b319e56c9..a2d4660194 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -51,7 +51,6 @@
     <PackageReference Include="Microsoft.Extensions.Configuration.UserSecrets" Version="8.0.0" />
     <PackageReference Include="Microsoft.Extensions.Identity.Stores" Version="8.0.10" />
     <PackageReference Include="OneOf" Version="3.0.271" />
-    <PackageReference Include="Quartz" Version="3.13.1" />
     <PackageReference Include="SendGrid" Version="9.29.3" />
     <PackageReference Include="Serilog.AspNetCore" Version="8.0.3" />
     <PackageReference Include="Serilog.Extensions.Logging" Version="8.0.0" />
@@ -73,6 +72,11 @@
     <PackageReference Include="RabbitMQ.Client" Version="7.0.0" />
   </ItemGroup>
 
+  <ItemGroup Label="Pinned transitive dependencies">
+    <PackageReference Include="System.Text.Json" Version="8.0.5" />
+    <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="8.0.1" />
+  </ItemGroup>
+
   <ItemGroup>
     <Protobuf Include="Billing\Pricing\Protos\password-manager.proto" GrpcServices="Client" />
   </ItemGroup>
diff --git a/src/Notifications/Notifications.csproj b/src/Notifications/Notifications.csproj
index 68ae96963e..4d19f7faf9 100644
--- a/src/Notifications/Notifications.csproj
+++ b/src/Notifications/Notifications.csproj
@@ -11,6 +11,10 @@
     <PackageReference Include="Microsoft.AspNetCore.SignalR.StackExchangeRedis" Version="8.0.8" />
   </ItemGroup>
 
+  <ItemGroup Label="Pinned transitive dependencies">
+    <PackageReference Include="MessagePack" Version="2.5.192" />
+  </ItemGroup>
+
   <ItemGroup>
     <ProjectReference Include="..\Core\Core.csproj" />
     <ProjectReference Include="..\SharedWeb\SharedWeb.csproj" />

From 46004b9c6849f0ca7c8ddbfce930cbb2f72a9c0a Mon Sep 17 00:00:00 2001
From: SmithThe4th <gsmith@bitwarden.com>
Date: Wed, 5 Feb 2025 16:56:01 -0500
Subject: [PATCH 247/384] [PM-14381] Add POST /tasks/bulk-create endpoint
 (#5188)

* [PM-14378] Introduce GetCipherPermissionsForOrganization query for Dapper CipherRepository

* [PM-14378] Introduce GetCipherPermissionsForOrganization method for Entity Framework

* [PM-14378] Add integration tests for new repository method

* [PM-14378] Introduce IGetCipherPermissionsForUserQuery CQRS query

* [PM-14378] Introduce SecurityTaskOperationRequirement

* [PM-14378] Introduce SecurityTaskAuthorizationHandler.cs

* [PM-14378] Introduce SecurityTaskOrganizationAuthorizationHandler.cs

* [PM-14378] Register new authorization handlers

* [PM-14378] Formatting

* [PM-14378] Add unit tests for GetCipherPermissionsForUserQuery

* [PM-15378] Cleanup SecurityTaskAuthorizationHandler and add tests

* [PM-14378] Add tests for SecurityTaskOrganizationAuthorizationHandler

* [PM-14378] Formatting

* [PM-14378] Update date in migration file

* [PM-14378] Add missing awaits

* Added bulk create request model

* Created sproc to create bulk security tasks

* Renamed tasks to SecurityTasksInput

* Added create many implementation for sqlserver and ef core

* removed trailing comma

* created ef implementatin for create many and added integration test

* Refactored request model

* Refactored request model

* created create many tasks command interface and class

* added security authorization handler work temp

* Added the implementation for the create manys tasks command

* Added comment

* Changed return to return list of created security tasks

* Registered command

* Completed bulk create action

* Added unit tests for the command

* removed hard coded table name

* Fixed lint issue

* Added JsonConverter attribute to allow enum value to be passed as string

* Removed makshift security task operations

* Fixed references

* Removed old migration

* Rebased

* [PM-14378] Introduce GetCipherPermissionsForOrganization query for Dapper CipherRepository

* [PM-14378] Introduce GetCipherPermissionsForOrganization method for Entity Framework

* [PM-14378] Add unit tests for GetCipherPermissionsForUserQuery

* Completed bulk create action

* bumped migration version

* Fixed lint issue

* Removed complex sql data type in favour of json string

* Register IGetTasksForOrganizationQuery

* Fixed lint issue

* Removed tasks grouping

* Fixed linting

* Removed unused code

* Removed unused code

* Aligned with client change

* Fixed linting

---------

Co-authored-by: Shane Melton <smelton@bitwarden.com>
---
 .../Controllers/SecurityTaskController.cs     | 21 ++++-
 .../BulkCreateSecurityTasksRequestModel.cs    |  8 ++
 .../Authorization/SecurityTaskOperations.cs   | 16 ----
 .../Vault/Commands/CreateManyTasksCommand.cs  | 65 ++++++++++++++
 .../Interfaces/ICreateManyTasksCommand.cs     | 17 ++++
 .../Commands/MarkTaskAsCompletedCommand.cs    |  2 +-
 .../Models/Api/SecurityTaskCreateRequest.cs   |  9 ++
 .../Repositories/ISecurityTaskRepository.cs   |  7 ++
 .../Vault/VaultServiceCollectionExtensions.cs |  1 +
 src/Infrastructure.Dapper/DapperHelpers.cs    |  2 +-
 .../Repositories/SecurityTaskRepository.cs    | 26 ++++++
 .../Repositories/SecurityTaskRepository.cs    | 24 ++++++
 .../SecurityTask/SecurityTask_CreateMany.sql  | 55 ++++++++++++
 .../Commands/CreateManyTasksCommandTest.cs    | 85 +++++++++++++++++++
 .../MarkTaskAsCompletedCommandTest.cs         |  2 +-
 .../SecurityTaskRepositoryTests.cs            | 43 ++++++++++
 .../2025-01-22_00_SecurityTaskCreateMany.sql  | 55 ++++++++++++
 17 files changed, 418 insertions(+), 20 deletions(-)
 create mode 100644 src/Api/Vault/Models/Request/BulkCreateSecurityTasksRequestModel.cs
 delete mode 100644 src/Core/Vault/Authorization/SecurityTaskOperations.cs
 create mode 100644 src/Core/Vault/Commands/CreateManyTasksCommand.cs
 create mode 100644 src/Core/Vault/Commands/Interfaces/ICreateManyTasksCommand.cs
 create mode 100644 src/Core/Vault/Models/Api/SecurityTaskCreateRequest.cs
 create mode 100644 src/Sql/Vault/dbo/Stored Procedures/SecurityTask/SecurityTask_CreateMany.sql
 create mode 100644 test/Core.Test/Vault/Commands/CreateManyTasksCommandTest.cs
 create mode 100644 util/Migrator/DbScripts/2025-01-22_00_SecurityTaskCreateMany.sql

diff --git a/src/Api/Vault/Controllers/SecurityTaskController.cs b/src/Api/Vault/Controllers/SecurityTaskController.cs
index 14ef0e5e4e..88b7aed9c6 100644
--- a/src/Api/Vault/Controllers/SecurityTaskController.cs
+++ b/src/Api/Vault/Controllers/SecurityTaskController.cs
@@ -1,4 +1,5 @@
 using Bit.Api.Models.Response;
+using Bit.Api.Vault.Models.Request;
 using Bit.Api.Vault.Models.Response;
 using Bit.Core;
 using Bit.Core.Services;
@@ -20,17 +21,20 @@ public class SecurityTaskController : Controller
     private readonly IGetTaskDetailsForUserQuery _getTaskDetailsForUserQuery;
     private readonly IMarkTaskAsCompleteCommand _markTaskAsCompleteCommand;
     private readonly IGetTasksForOrganizationQuery _getTasksForOrganizationQuery;
+    private readonly ICreateManyTasksCommand _createManyTasksCommand;
 
     public SecurityTaskController(
         IUserService userService,
         IGetTaskDetailsForUserQuery getTaskDetailsForUserQuery,
         IMarkTaskAsCompleteCommand markTaskAsCompleteCommand,
-        IGetTasksForOrganizationQuery getTasksForOrganizationQuery)
+        IGetTasksForOrganizationQuery getTasksForOrganizationQuery,
+        ICreateManyTasksCommand createManyTasksCommand)
     {
         _userService = userService;
         _getTaskDetailsForUserQuery = getTaskDetailsForUserQuery;
         _markTaskAsCompleteCommand = markTaskAsCompleteCommand;
         _getTasksForOrganizationQuery = getTasksForOrganizationQuery;
+        _createManyTasksCommand = createManyTasksCommand;
     }
 
     /// <summary>
@@ -71,4 +75,19 @@ public class SecurityTaskController : Controller
         var response = securityTasks.Select(x => new SecurityTasksResponseModel(x)).ToList();
         return new ListResponseModel<SecurityTasksResponseModel>(response);
     }
+
+    /// <summary>
+    /// Bulk create security tasks for an organization.
+    /// </summary>
+    /// <param name="orgId"></param>
+    /// <param name="model"></param>
+    /// <returns>A list response model containing the security tasks created for the organization.</returns>
+    [HttpPost("{orgId:guid}/bulk-create")]
+    public async Task<ListResponseModel<SecurityTasksResponseModel>> BulkCreateTasks(Guid orgId,
+        [FromBody] BulkCreateSecurityTasksRequestModel model)
+    {
+        var securityTasks = await _createManyTasksCommand.CreateAsync(orgId, model.Tasks);
+        var response = securityTasks.Select(x => new SecurityTasksResponseModel(x)).ToList();
+        return new ListResponseModel<SecurityTasksResponseModel>(response);
+    }
 }
diff --git a/src/Api/Vault/Models/Request/BulkCreateSecurityTasksRequestModel.cs b/src/Api/Vault/Models/Request/BulkCreateSecurityTasksRequestModel.cs
new file mode 100644
index 0000000000..6c8c7e03b3
--- /dev/null
+++ b/src/Api/Vault/Models/Request/BulkCreateSecurityTasksRequestModel.cs
@@ -0,0 +1,8 @@
+using Bit.Core.Vault.Models.Api;
+
+namespace Bit.Api.Vault.Models.Request;
+
+public class BulkCreateSecurityTasksRequestModel
+{
+    public IEnumerable<SecurityTaskCreateRequest> Tasks { get; set; }
+}
diff --git a/src/Core/Vault/Authorization/SecurityTaskOperations.cs b/src/Core/Vault/Authorization/SecurityTaskOperations.cs
deleted file mode 100644
index 77b504723f..0000000000
--- a/src/Core/Vault/Authorization/SecurityTaskOperations.cs
+++ /dev/null
@@ -1,16 +0,0 @@
-using Microsoft.AspNetCore.Authorization.Infrastructure;
-
-namespace Bit.Core.Vault.Authorization;
-
-public class SecurityTaskOperationRequirement : OperationAuthorizationRequirement
-{
-    public SecurityTaskOperationRequirement(string name)
-    {
-        Name = name;
-    }
-}
-
-public static class SecurityTaskOperations
-{
-    public static readonly SecurityTaskOperationRequirement Update = new(nameof(Update));
-}
diff --git a/src/Core/Vault/Commands/CreateManyTasksCommand.cs b/src/Core/Vault/Commands/CreateManyTasksCommand.cs
new file mode 100644
index 0000000000..1b21f202eb
--- /dev/null
+++ b/src/Core/Vault/Commands/CreateManyTasksCommand.cs
@@ -0,0 +1,65 @@
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Utilities;
+using Bit.Core.Vault.Authorization.SecurityTasks;
+using Bit.Core.Vault.Commands.Interfaces;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Enums;
+using Bit.Core.Vault.Models.Api;
+using Bit.Core.Vault.Repositories;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.Vault.Commands;
+
+public class CreateManyTasksCommand : ICreateManyTasksCommand
+{
+    private readonly IAuthorizationService _authorizationService;
+    private readonly ICurrentContext _currentContext;
+    private readonly ISecurityTaskRepository _securityTaskRepository;
+
+    public CreateManyTasksCommand(
+        ISecurityTaskRepository securityTaskRepository,
+        IAuthorizationService authorizationService,
+        ICurrentContext currentContext)
+    {
+        _securityTaskRepository = securityTaskRepository;
+        _authorizationService = authorizationService;
+        _currentContext = currentContext;
+    }
+
+    /// <inheritdoc />
+    public async Task<ICollection<SecurityTask>> CreateAsync(Guid organizationId,
+        IEnumerable<SecurityTaskCreateRequest> tasks)
+    {
+        if (!_currentContext.UserId.HasValue)
+        {
+            throw new NotFoundException();
+        }
+
+        var tasksList = tasks?.ToList();
+
+        if (tasksList is null || tasksList.Count == 0)
+        {
+            throw new BadRequestException("No tasks provided.");
+        }
+
+        var securityTasks = tasksList.Select(t => new SecurityTask
+        {
+            OrganizationId = organizationId,
+            CipherId = t.CipherId,
+            Type = t.Type,
+            Status = SecurityTaskStatus.Pending
+        }).ToList();
+
+        // Verify authorization for each task
+        foreach (var task in securityTasks)
+        {
+            await _authorizationService.AuthorizeOrThrowAsync(
+                _currentContext.HttpContext.User,
+                task,
+                SecurityTaskOperations.Create);
+        }
+
+        return await _securityTaskRepository.CreateManyAsync(securityTasks);
+    }
+}
diff --git a/src/Core/Vault/Commands/Interfaces/ICreateManyTasksCommand.cs b/src/Core/Vault/Commands/Interfaces/ICreateManyTasksCommand.cs
new file mode 100644
index 0000000000..3aa0f85070
--- /dev/null
+++ b/src/Core/Vault/Commands/Interfaces/ICreateManyTasksCommand.cs
@@ -0,0 +1,17 @@
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Models.Api;
+
+namespace Bit.Core.Vault.Commands.Interfaces;
+
+public interface ICreateManyTasksCommand
+{
+    /// <summary>
+    /// Creates multiple security tasks for an organization.
+    /// Each task must be authorized and the user must have the Create permission
+    /// and associated ciphers must belong to the organization.
+    /// </summary>
+    /// <param name="organizationId">The </param>
+    /// <param name="tasks"></param>
+    /// <returns>Collection of created security tasks</returns>
+    Task<ICollection<SecurityTask>> CreateAsync(Guid organizationId, IEnumerable<SecurityTaskCreateRequest> tasks);
+}
diff --git a/src/Core/Vault/Commands/MarkTaskAsCompletedCommand.cs b/src/Core/Vault/Commands/MarkTaskAsCompletedCommand.cs
index b46fb0cecb..77b8a8625c 100644
--- a/src/Core/Vault/Commands/MarkTaskAsCompletedCommand.cs
+++ b/src/Core/Vault/Commands/MarkTaskAsCompletedCommand.cs
@@ -1,7 +1,7 @@
 using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.Utilities;
-using Bit.Core.Vault.Authorization;
+using Bit.Core.Vault.Authorization.SecurityTasks;
 using Bit.Core.Vault.Commands.Interfaces;
 using Bit.Core.Vault.Enums;
 using Bit.Core.Vault.Repositories;
diff --git a/src/Core/Vault/Models/Api/SecurityTaskCreateRequest.cs b/src/Core/Vault/Models/Api/SecurityTaskCreateRequest.cs
new file mode 100644
index 0000000000..f865871380
--- /dev/null
+++ b/src/Core/Vault/Models/Api/SecurityTaskCreateRequest.cs
@@ -0,0 +1,9 @@
+using Bit.Core.Vault.Enums;
+
+namespace Bit.Core.Vault.Models.Api;
+
+public class SecurityTaskCreateRequest
+{
+    public SecurityTaskType Type { get; set; }
+    public Guid? CipherId { get; set; }
+}
diff --git a/src/Core/Vault/Repositories/ISecurityTaskRepository.cs b/src/Core/Vault/Repositories/ISecurityTaskRepository.cs
index c236172533..cc8303345d 100644
--- a/src/Core/Vault/Repositories/ISecurityTaskRepository.cs
+++ b/src/Core/Vault/Repositories/ISecurityTaskRepository.cs
@@ -21,4 +21,11 @@ public interface ISecurityTaskRepository : IRepository<SecurityTask, Guid>
     /// <param name="status">Optional filter for task status. If not provided, returns tasks of all statuses</param>
     /// <returns></returns>
     Task<ICollection<SecurityTask>> GetManyByOrganizationIdStatusAsync(Guid organizationId, SecurityTaskStatus? status = null);
+
+    /// <summary>
+    ///  Creates bulk security tasks for an organization.
+    /// </summary>
+    /// <param name="tasks">Collection of tasks to create</param>
+    /// <returns>Collection of created security tasks</returns>
+    Task<ICollection<SecurityTask>> CreateManyAsync(IEnumerable<SecurityTask> tasks);
 }
diff --git a/src/Core/Vault/VaultServiceCollectionExtensions.cs b/src/Core/Vault/VaultServiceCollectionExtensions.cs
index 169a62d12d..fcb9259135 100644
--- a/src/Core/Vault/VaultServiceCollectionExtensions.cs
+++ b/src/Core/Vault/VaultServiceCollectionExtensions.cs
@@ -21,5 +21,6 @@ public static class VaultServiceCollectionExtensions
         services.AddScoped<IMarkTaskAsCompleteCommand, MarkTaskAsCompletedCommand>();
         services.AddScoped<IGetCipherPermissionsForUserQuery, GetCipherPermissionsForUserQuery>();
         services.AddScoped<IGetTasksForOrganizationQuery, GetTasksForOrganizationQuery>();
+        services.AddScoped<ICreateManyTasksCommand, CreateManyTasksCommand>();
     }
 }
diff --git a/src/Infrastructure.Dapper/DapperHelpers.cs b/src/Infrastructure.Dapper/DapperHelpers.cs
index c256612447..9a67af3a93 100644
--- a/src/Infrastructure.Dapper/DapperHelpers.cs
+++ b/src/Infrastructure.Dapper/DapperHelpers.cs
@@ -81,7 +81,7 @@ public class DataTableBuilder<T>
             return true;
         }
 
-        // Value type properties will implicitly box into the object so 
+        // Value type properties will implicitly box into the object so
         // we need to look past the Convert expression
         // i => (System.Object?)i.Id
         if (
diff --git a/src/Infrastructure.Dapper/Vault/Repositories/SecurityTaskRepository.cs b/src/Infrastructure.Dapper/Vault/Repositories/SecurityTaskRepository.cs
index 35dace9a9e..f7a5f3b878 100644
--- a/src/Infrastructure.Dapper/Vault/Repositories/SecurityTaskRepository.cs
+++ b/src/Infrastructure.Dapper/Vault/Repositories/SecurityTaskRepository.cs
@@ -1,4 +1,5 @@
 using System.Data;
+using System.Text.Json;
 using Bit.Core.Settings;
 using Bit.Core.Vault.Entities;
 using Bit.Core.Vault.Enums;
@@ -46,4 +47,29 @@ public class SecurityTaskRepository : Repository<SecurityTask, Guid>, ISecurityT
 
         return results.ToList();
     }
+
+    /// <inheritdoc />
+    public async Task<ICollection<SecurityTask>> CreateManyAsync(IEnumerable<SecurityTask> tasks)
+    {
+        var tasksList = tasks?.ToList();
+        if (tasksList is null || tasksList.Count == 0)
+        {
+            return Array.Empty<SecurityTask>();
+        }
+
+        foreach (var task in tasksList)
+        {
+            task.SetNewId();
+        }
+
+        var tasksJson = JsonSerializer.Serialize(tasksList);
+
+        await using var connection = new SqlConnection(ConnectionString);
+        await connection.ExecuteAsync(
+            $"[{Schema}].[{Table}_CreateMany]",
+            new { SecurityTasksJson = tasksJson },
+            commandType: CommandType.StoredProcedure);
+
+        return tasksList;
+    }
 }
diff --git a/src/Infrastructure.EntityFramework/Vault/Repositories/SecurityTaskRepository.cs b/src/Infrastructure.EntityFramework/Vault/Repositories/SecurityTaskRepository.cs
index 5adfdc4c76..a3ba2632fe 100644
--- a/src/Infrastructure.EntityFramework/Vault/Repositories/SecurityTaskRepository.cs
+++ b/src/Infrastructure.EntityFramework/Vault/Repositories/SecurityTaskRepository.cs
@@ -52,4 +52,28 @@ public class SecurityTaskRepository : Repository<Core.Vault.Entities.SecurityTas
 
         return await query.OrderByDescending(st => st.CreationDate).ToListAsync();
     }
+
+    /// <inheritdoc />
+    public async Task<ICollection<Core.Vault.Entities.SecurityTask>> CreateManyAsync(
+        IEnumerable<Core.Vault.Entities.SecurityTask> tasks)
+    {
+        var tasksList = tasks?.ToList();
+        if (tasksList is null || tasksList.Count == 0)
+        {
+            return Array.Empty<SecurityTask>();
+        }
+
+        foreach (var task in tasksList)
+        {
+            task.SetNewId();
+        }
+
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var entities = Mapper.Map<List<SecurityTask>>(tasksList);
+        await dbContext.AddRangeAsync(entities);
+        await dbContext.SaveChangesAsync();
+
+        return tasksList;
+    }
 }
diff --git a/src/Sql/Vault/dbo/Stored Procedures/SecurityTask/SecurityTask_CreateMany.sql b/src/Sql/Vault/dbo/Stored Procedures/SecurityTask/SecurityTask_CreateMany.sql
new file mode 100644
index 0000000000..9e60f2ad1b
--- /dev/null
+++ b/src/Sql/Vault/dbo/Stored Procedures/SecurityTask/SecurityTask_CreateMany.sql	
@@ -0,0 +1,55 @@
+CREATE PROCEDURE [dbo].[SecurityTask_CreateMany]
+    @SecurityTasksJson NVARCHAR(MAX)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    CREATE TABLE #TempSecurityTasks
+    (
+        [Id]             UNIQUEIDENTIFIER,
+        [OrganizationId] UNIQUEIDENTIFIER,
+        [CipherId]       UNIQUEIDENTIFIER,
+        [Type]           TINYINT,
+        [Status]         TINYINT,
+        [CreationDate]   DATETIME2(7),
+        [RevisionDate]   DATETIME2(7)
+    )
+
+    INSERT INTO #TempSecurityTasks
+    ([Id],
+     [OrganizationId],
+     [CipherId],
+     [Type],
+     [Status],
+     [CreationDate],
+     [RevisionDate])
+    SELECT CAST(JSON_VALUE([value], '$.Id') AS UNIQUEIDENTIFIER),
+           CAST(JSON_VALUE([value], '$.OrganizationId') AS UNIQUEIDENTIFIER),
+           CAST(JSON_VALUE([value], '$.CipherId') AS UNIQUEIDENTIFIER),
+           CAST(JSON_VALUE([value], '$.Type') AS TINYINT),
+           CAST(JSON_VALUE([value], '$.Status') AS TINYINT),
+           CAST(JSON_VALUE([value], '$.CreationDate') AS DATETIME2(7)),
+           CAST(JSON_VALUE([value], '$.RevisionDate') AS DATETIME2(7))
+    FROM OPENJSON(@SecurityTasksJson) ST
+
+    INSERT INTO [dbo].[SecurityTask]
+    (
+        [Id],
+        [OrganizationId],
+        [CipherId],
+        [Type],
+        [Status],
+        [CreationDate],
+        [RevisionDate]
+    )
+    SELECT [Id],
+           [OrganizationId],
+           [CipherId],
+           [Type],
+           [Status],
+           [CreationDate],
+           [RevisionDate]
+    FROM #TempSecurityTasks
+
+    DROP TABLE #TempSecurityTasks
+END
diff --git a/test/Core.Test/Vault/Commands/CreateManyTasksCommandTest.cs b/test/Core.Test/Vault/Commands/CreateManyTasksCommandTest.cs
new file mode 100644
index 0000000000..23e92965f2
--- /dev/null
+++ b/test/Core.Test/Vault/Commands/CreateManyTasksCommandTest.cs
@@ -0,0 +1,85 @@
+using System.Security.Claims;
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Test.Vault.AutoFixture;
+using Bit.Core.Vault.Authorization.SecurityTasks;
+using Bit.Core.Vault.Commands;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Models.Api;
+using Bit.Core.Vault.Repositories;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Authorization;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Vault.Commands;
+
+[SutProviderCustomize]
+[SecurityTaskCustomize]
+public class CreateManyTasksCommandTest
+{
+    private static void Setup(SutProvider<CreateManyTasksCommand> sutProvider, Guid? userId,
+        bool authorizedCreate = false)
+    {
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Any<object>(),
+                Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs =>
+                    reqs.Contains(SecurityTaskOperations.Create)))
+            .Returns(authorizedCreate ? AuthorizationResult.Success() : AuthorizationResult.Failed());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task CreateAsync_NotLoggedIn_NotFoundException(
+        SutProvider<CreateManyTasksCommand> sutProvider,
+        Guid organizationId,
+        IEnumerable<SecurityTaskCreateRequest> tasks)
+    {
+        Setup(sutProvider, null, true);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.CreateAsync(organizationId, tasks));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task CreateAsync_NoTasksProvided_BadRequestException(
+        SutProvider<CreateManyTasksCommand> sutProvider,
+        Guid organizationId)
+    {
+        Setup(sutProvider, Guid.NewGuid());
+
+        await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.CreateAsync(organizationId, null));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task CreateAsync_AuthorizationFailed_NotFoundException(
+        SutProvider<CreateManyTasksCommand> sutProvider,
+        Guid organizationId,
+        IEnumerable<SecurityTaskCreateRequest> tasks)
+    {
+        Setup(sutProvider, Guid.NewGuid());
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.CreateAsync(organizationId, tasks));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task CreateAsync_AuthorizationSucceeded_ReturnsSecurityTasks(
+        SutProvider<CreateManyTasksCommand> sutProvider,
+        Guid organizationId,
+        IEnumerable<SecurityTaskCreateRequest> tasks,
+        ICollection<SecurityTask> securityTasks)
+    {
+        Setup(sutProvider, Guid.NewGuid(), true);
+        sutProvider.GetDependency<ISecurityTaskRepository>()
+            .CreateManyAsync(Arg.Any<ICollection<SecurityTask>>())
+            .Returns(securityTasks);
+
+        var result = await sutProvider.Sut.CreateAsync(organizationId, tasks);
+
+        Assert.Equal(securityTasks, result);
+    }
+}
diff --git a/test/Core.Test/Vault/Commands/MarkTaskAsCompletedCommandTest.cs b/test/Core.Test/Vault/Commands/MarkTaskAsCompletedCommandTest.cs
index 82550df48d..ca9a42cdb3 100644
--- a/test/Core.Test/Vault/Commands/MarkTaskAsCompletedCommandTest.cs
+++ b/test/Core.Test/Vault/Commands/MarkTaskAsCompletedCommandTest.cs
@@ -3,7 +3,7 @@ using System.Security.Claims;
 using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.Test.Vault.AutoFixture;
-using Bit.Core.Vault.Authorization;
+using Bit.Core.Vault.Authorization.SecurityTasks;
 using Bit.Core.Vault.Commands;
 using Bit.Core.Vault.Entities;
 using Bit.Core.Vault.Repositories;
diff --git a/test/Infrastructure.IntegrationTest/Vault/Repositories/SecurityTaskRepositoryTests.cs b/test/Infrastructure.IntegrationTest/Vault/Repositories/SecurityTaskRepositoryTests.cs
index 2010c90a5e..eb5a310db3 100644
--- a/test/Infrastructure.IntegrationTest/Vault/Repositories/SecurityTaskRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/Vault/Repositories/SecurityTaskRepositoryTests.cs
@@ -223,4 +223,47 @@ public class SecurityTaskRepositoryTests
         Assert.DoesNotContain(task1, completedTasks, new SecurityTaskComparer());
         Assert.DoesNotContain(task3, completedTasks, new SecurityTaskComparer());
     }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task CreateManyAsync(
+        IOrganizationRepository organizationRepository,
+        ICipherRepository cipherRepository,
+        ISecurityTaskRepository securityTaskRepository)
+    {
+        var organization = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = "Test Org",
+            PlanType = PlanType.EnterpriseAnnually,
+            Plan = "Test Plan",
+            BillingEmail = ""
+        });
+
+        var cipher1 = new Cipher { Type = CipherType.Login, OrganizationId = organization.Id, Data = "", };
+        await cipherRepository.CreateAsync(cipher1);
+
+        var cipher2 = new Cipher { Type = CipherType.Login, OrganizationId = organization.Id, Data = "", };
+        await cipherRepository.CreateAsync(cipher2);
+
+        var tasks = new List<SecurityTask>
+        {
+            new()
+            {
+                OrganizationId = organization.Id,
+                CipherId = cipher1.Id,
+                Status = SecurityTaskStatus.Pending,
+                Type = SecurityTaskType.UpdateAtRiskCredential,
+            },
+            new()
+            {
+                OrganizationId = organization.Id,
+                CipherId = cipher2.Id,
+                Status = SecurityTaskStatus.Completed,
+                Type = SecurityTaskType.UpdateAtRiskCredential,
+            }
+        };
+
+        var taskIds = await securityTaskRepository.CreateManyAsync(tasks);
+
+        Assert.Equal(2, taskIds.Count);
+    }
 }
diff --git a/util/Migrator/DbScripts/2025-01-22_00_SecurityTaskCreateMany.sql b/util/Migrator/DbScripts/2025-01-22_00_SecurityTaskCreateMany.sql
new file mode 100644
index 0000000000..6bf797eccd
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-01-22_00_SecurityTaskCreateMany.sql
@@ -0,0 +1,55 @@
+-- SecurityTask_CreateMany
+CREATE OR ALTER PROCEDURE [dbo].[SecurityTask_CreateMany]
+    @SecurityTasksJson NVARCHAR(MAX)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    CREATE TABLE #TempSecurityTasks
+    (
+        [Id]             UNIQUEIDENTIFIER,
+        [OrganizationId] UNIQUEIDENTIFIER,
+        [CipherId]       UNIQUEIDENTIFIER,
+        [Type]           TINYINT,
+        [Status]         TINYINT,
+        [CreationDate]   DATETIME2(7),
+        [RevisionDate]   DATETIME2(7)
+    )
+
+    INSERT INTO #TempSecurityTasks
+    ([Id],
+     [OrganizationId],
+     [CipherId],
+     [Type],
+     [Status],
+     [CreationDate],
+     [RevisionDate])
+    SELECT CAST(JSON_VALUE([value], '$.Id') AS UNIQUEIDENTIFIER),
+           CAST(JSON_VALUE([value], '$.OrganizationId') AS UNIQUEIDENTIFIER),
+           CAST(JSON_VALUE([value], '$.CipherId') AS UNIQUEIDENTIFIER),
+           CAST(JSON_VALUE([value], '$.Type') AS TINYINT),
+           CAST(JSON_VALUE([value], '$.Status') AS TINYINT),
+           CAST(JSON_VALUE([value], '$.CreationDate') AS DATETIME2(7)),
+           CAST(JSON_VALUE([value], '$.RevisionDate') AS DATETIME2(7))
+    FROM OPENJSON(@SecurityTasksJson) ST
+
+    INSERT INTO [dbo].[SecurityTask]
+    ([Id],
+     [OrganizationId],
+     [CipherId],
+     [Type],
+     [Status],
+     [CreationDate],
+     [RevisionDate])
+    SELECT [Id],
+           [OrganizationId],
+           [CipherId],
+           [Type],
+           [Status],
+           [CreationDate],
+           [RevisionDate]
+    FROM #TempSecurityTasks
+
+    DROP TABLE #TempSecurityTasks
+END
+GO

From daf2696a813fba07a704e9b552b5e5151f64bd4f Mon Sep 17 00:00:00 2001
From: Graham Walker <ghwtx@icloud.com>
Date: Wed, 5 Feb 2025 16:36:18 -0600
Subject: [PATCH 248/384] PM-16085 - Increase import limitations (#5275)

* PM-16261 move ImportCiphersAsync to the tools team and create services using CQRS design pattern

* PM-16261 fix renaming methods and add unit tests for succes and bad request exception

* PM-16261 clean up old code from test

* make import limits configurable via appsettings

* PM-16085 fix issue with appSettings converting to globalSettings for new cipher import limits
---
 src/Api/Tools/Controllers/ImportCiphersController.cs | 5 +++--
 src/Api/appsettings.json                             | 5 +++++
 src/Core/Settings/GlobalSettings.cs                  | 8 ++++++++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/Api/Tools/Controllers/ImportCiphersController.cs b/src/Api/Tools/Controllers/ImportCiphersController.cs
index 4f4e76f6e3..c268500f71 100644
--- a/src/Api/Tools/Controllers/ImportCiphersController.cs
+++ b/src/Api/Tools/Controllers/ImportCiphersController.cs
@@ -64,8 +64,9 @@ public class ImportCiphersController : Controller
         [FromBody] ImportOrganizationCiphersRequestModel model)
     {
         if (!_globalSettings.SelfHosted &&
-            (model.Ciphers.Count() > 7000 || model.CollectionRelationships.Count() > 14000 ||
-                model.Collections.Count() > 2000))
+            (model.Ciphers.Count() > _globalSettings.ImportCiphersLimitation.CiphersLimit ||
+             model.CollectionRelationships.Count() > _globalSettings.ImportCiphersLimitation.CollectionRelationshipsLimit ||
+             model.Collections.Count() > _globalSettings.ImportCiphersLimitation.CollectionsLimit))
         {
             throw new BadRequestException("You cannot import this much data at once.");
         }
diff --git a/src/Api/appsettings.json b/src/Api/appsettings.json
index c04539a9fe..98b210cb1e 100644
--- a/src/Api/appsettings.json
+++ b/src/Api/appsettings.json
@@ -56,6 +56,11 @@
       "publicKey": "SECRET",
       "privateKey": "SECRET"
     },
+    "importCiphersLimitation": {
+      "ciphersLimit": 40000,
+      "collectionRelationshipsLimit": 80000,
+      "collectionsLimit": 2000
+    },
     "bitPay": {
       "production": false,
       "token": "SECRET",
diff --git a/src/Core/Settings/GlobalSettings.cs b/src/Core/Settings/GlobalSettings.cs
index d039102eb9..a63a36c1c0 100644
--- a/src/Core/Settings/GlobalSettings.cs
+++ b/src/Core/Settings/GlobalSettings.cs
@@ -70,6 +70,7 @@ public class GlobalSettings : IGlobalSettings
     public virtual YubicoSettings Yubico { get; set; } = new YubicoSettings();
     public virtual DuoSettings Duo { get; set; } = new DuoSettings();
     public virtual BraintreeSettings Braintree { get; set; } = new BraintreeSettings();
+    public virtual ImportCiphersLimitationSettings ImportCiphersLimitation { get; set; } = new ImportCiphersLimitationSettings();
     public virtual BitPaySettings BitPay { get; set; } = new BitPaySettings();
     public virtual AmazonSettings Amazon { get; set; } = new AmazonSettings();
     public virtual ServiceBusSettings ServiceBus { get; set; } = new ServiceBusSettings();
@@ -521,6 +522,13 @@ public class GlobalSettings : IGlobalSettings
         public string PrivateKey { get; set; }
     }
 
+    public class ImportCiphersLimitationSettings
+    {
+        public int CiphersLimit { get; set; }
+        public int CollectionRelationshipsLimit { get; set; }
+        public int CollectionsLimit { get; set; }
+    }
+
     public class BitPaySettings
     {
         public bool Production { get; set; }

From 1c3ea1151c69aece541810819b8c1b6a31452f9b Mon Sep 17 00:00:00 2001
From: cyprain-okeke <108260115+cyprain-okeke@users.noreply.github.com>
Date: Thu, 6 Feb 2025 09:22:16 +0100
Subject: [PATCH 249/384] [PM-16482]NullReferenceException in
 CustomerUpdatedHandler due to uninitialized dependency (#5349)

* Changes to throw exact errors

* Add some logging to each error state

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

---------

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>
---
 .../Implementations/CustomerUpdatedHandler.cs | 62 +++++++++++++++++--
 1 file changed, 58 insertions(+), 4 deletions(-)

diff --git a/src/Billing/Services/Implementations/CustomerUpdatedHandler.cs b/src/Billing/Services/Implementations/CustomerUpdatedHandler.cs
index ec70697c01..6deb0bc330 100644
--- a/src/Billing/Services/Implementations/CustomerUpdatedHandler.cs
+++ b/src/Billing/Services/Implementations/CustomerUpdatedHandler.cs
@@ -14,19 +14,22 @@ public class CustomerUpdatedHandler : ICustomerUpdatedHandler
     private readonly ICurrentContext _currentContext;
     private readonly IStripeEventService _stripeEventService;
     private readonly IStripeEventUtilityService _stripeEventUtilityService;
+    private readonly ILogger<CustomerUpdatedHandler> _logger;
 
     public CustomerUpdatedHandler(
         IOrganizationRepository organizationRepository,
         IReferenceEventService referenceEventService,
         ICurrentContext currentContext,
         IStripeEventService stripeEventService,
-        IStripeEventUtilityService stripeEventUtilityService)
+        IStripeEventUtilityService stripeEventUtilityService,
+        ILogger<CustomerUpdatedHandler> logger)
     {
-        _organizationRepository = organizationRepository;
+        _organizationRepository = organizationRepository ?? throw new ArgumentNullException(nameof(organizationRepository));
         _referenceEventService = referenceEventService;
         _currentContext = currentContext;
         _stripeEventService = stripeEventService;
         _stripeEventUtilityService = stripeEventUtilityService;
+        _logger = logger;
     }
 
     /// <summary>
@@ -35,25 +38,76 @@ public class CustomerUpdatedHandler : ICustomerUpdatedHandler
     /// <param name="parsedEvent"></param>
     public async Task HandleAsync(Event parsedEvent)
     {
-        var customer = await _stripeEventService.GetCustomer(parsedEvent, true, ["subscriptions"]);
-        if (customer.Subscriptions == null || !customer.Subscriptions.Any())
+        if (parsedEvent == null)
         {
+            _logger.LogError("Parsed event was null in CustomerUpdatedHandler");
+            throw new ArgumentNullException(nameof(parsedEvent));
+        }
+
+        if (_stripeEventService == null)
+        {
+            _logger.LogError("StripeEventService was not initialized in CustomerUpdatedHandler");
+            throw new InvalidOperationException($"{nameof(_stripeEventService)} is not initialized");
+        }
+
+        var customer = await _stripeEventService.GetCustomer(parsedEvent, true, ["subscriptions"]);
+        if (customer?.Subscriptions == null || !customer.Subscriptions.Any())
+        {
+            _logger.LogWarning("Customer or subscriptions were null or empty in CustomerUpdatedHandler. Customer ID: {CustomerId}", customer?.Id);
             return;
         }
 
         var subscription = customer.Subscriptions.First();
 
+        if (subscription.Metadata == null)
+        {
+            _logger.LogWarning("Subscription metadata was null in CustomerUpdatedHandler. Subscription ID: {SubscriptionId}", subscription.Id);
+            return;
+        }
+
+        if (_stripeEventUtilityService == null)
+        {
+            _logger.LogError("StripeEventUtilityService was not initialized in CustomerUpdatedHandler");
+            throw new InvalidOperationException($"{nameof(_stripeEventUtilityService)} is not initialized");
+        }
+
         var (organizationId, _, providerId) = _stripeEventUtilityService.GetIdsFromMetadata(subscription.Metadata);
 
         if (!organizationId.HasValue)
         {
+            _logger.LogWarning("Organization ID was not found in subscription metadata. Subscription ID: {SubscriptionId}", subscription.Id);
             return;
         }
 
+        if (_organizationRepository == null)
+        {
+            _logger.LogError("OrganizationRepository was not initialized in CustomerUpdatedHandler");
+            throw new InvalidOperationException($"{nameof(_organizationRepository)} is not initialized");
+        }
+
         var organization = await _organizationRepository.GetByIdAsync(organizationId.Value);
+
+        if (organization == null)
+        {
+            _logger.LogWarning("Organization not found. Organization ID: {OrganizationId}", organizationId.Value);
+            return;
+        }
+
         organization.BillingEmail = customer.Email;
         await _organizationRepository.ReplaceAsync(organization);
 
+        if (_referenceEventService == null)
+        {
+            _logger.LogError("ReferenceEventService was not initialized in CustomerUpdatedHandler");
+            throw new InvalidOperationException($"{nameof(_referenceEventService)} is not initialized");
+        }
+
+        if (_currentContext == null)
+        {
+            _logger.LogError("CurrentContext was not initialized in CustomerUpdatedHandler");
+            throw new InvalidOperationException($"{nameof(_currentContext)} is not initialized");
+        }
+
         await _referenceEventService.RaiseEventAsync(
             new ReferenceEvent(ReferenceEventType.OrganizationEditedInStripe, organization, _currentContext));
     }

From a12b61cc9ea48cf8132f2427747f6c4b11f0eb58 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Thu, 6 Feb 2025 10:28:12 +0000
Subject: [PATCH 250/384] [PM-17168] Sync organization user revoked/restored
 status immediately via push notification (#5330)

* [PM-17168] Add push notification for revoked and restored organization users

* Add feature flag for push notification on user revoke/restore actions

* Add tests for user revocation and restoration with push sync feature flag enabled
---
 .../Implementations/OrganizationService.cs    |  28 ++
 src/Core/Constants.cs                         |   1 +
 .../Services/OrganizationServiceTests.cs      | 267 +++++++++++++-----
 3 files changed, 230 insertions(+), 66 deletions(-)

diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index 70a3227a71..6194aea6c7 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -1951,6 +1951,11 @@ public class OrganizationService : IOrganizationService
 
         await RepositoryRevokeUserAsync(organizationUser);
         await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Revoked);
+
+        if (_featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) && organizationUser.UserId.HasValue)
+        {
+            await _pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
+        }
     }
 
     public async Task RevokeUserAsync(OrganizationUser organizationUser,
@@ -1958,6 +1963,11 @@ public class OrganizationService : IOrganizationService
     {
         await RepositoryRevokeUserAsync(organizationUser);
         await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Revoked, systemUser);
+
+        if (_featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) && organizationUser.UserId.HasValue)
+        {
+            await _pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
+        }
     }
 
     private async Task RepositoryRevokeUserAsync(OrganizationUser organizationUser)
@@ -2023,6 +2033,10 @@ public class OrganizationService : IOrganizationService
                 await _organizationUserRepository.RevokeAsync(organizationUser.Id);
                 organizationUser.Status = OrganizationUserStatusType.Revoked;
                 await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Revoked);
+                if (_featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) && organizationUser.UserId.HasValue)
+                {
+                    await _pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
+                }
 
                 result.Add(Tuple.Create(organizationUser, ""));
             }
@@ -2050,12 +2064,22 @@ public class OrganizationService : IOrganizationService
 
         await RepositoryRestoreUserAsync(organizationUser);
         await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
+
+        if (_featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) && organizationUser.UserId.HasValue)
+        {
+            await _pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
+        }
     }
 
     public async Task RestoreUserAsync(OrganizationUser organizationUser, EventSystemUser systemUser)
     {
         await RepositoryRestoreUserAsync(organizationUser);
         await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored, systemUser);
+
+        if (_featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) && organizationUser.UserId.HasValue)
+        {
+            await _pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
+        }
     }
 
     private async Task RepositoryRestoreUserAsync(OrganizationUser organizationUser)
@@ -2147,6 +2171,10 @@ public class OrganizationService : IOrganizationService
                 await _organizationUserRepository.RestoreAsync(organizationUser.Id, status);
                 organizationUser.Status = status;
                 await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
+                if (_featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) && organizationUser.UserId.HasValue)
+                {
+                    await _pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
+                }
 
                 result.Add(Tuple.Create(organizationUser, ""));
             }
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index ba3b8b0795..3e59a9390b 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -108,6 +108,7 @@ public static class FeatureFlagKeys
     public const string IntegrationPage = "pm-14505-admin-console-integration-page";
     public const string DeviceApprovalRequestAdminNotifications = "pm-15637-device-approval-request-admin-notifications";
     public const string LimitItemDeletion = "pm-15493-restrict-item-deletion-to-can-manage-permission";
+    public const string PushSyncOrgKeysOnRevokeRestore = "pm-17168-push-sync-org-keys-on-revoke-restore";
 
     /* Tools Team */
     public const string ItemShare = "item-share";
diff --git a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
index cd680f2ef0..f4440a65a3 100644
--- a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
+++ b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
@@ -19,6 +19,7 @@ using Bit.Core.Models.Data;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Models.Mail;
 using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
+using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
@@ -1450,76 +1451,174 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
         [OrganizationUser] OrganizationUser organizationUser, SutProvider<OrganizationService> sutProvider)
     {
         RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var eventService = sutProvider.GetDependency<IEventService>();
 
         await sutProvider.Sut.RevokeUserAsync(organizationUser, owner.Id);
 
-        await organizationUserRepository.Received().RevokeAsync(organizationUser.Id);
-        await eventService.Received()
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .RevokeAsync(organizationUser.Id);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
             .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Revoked);
     }
 
+    [Theory, BitAutoData]
+    public async Task RevokeUser_WithPushSyncOrgKeysOnRevokeRestoreEnabled_Success(Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser] OrganizationUser organizationUser, SutProvider<OrganizationService> sutProvider)
+    {
+        RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore)
+            .Returns(true);
+
+        await sutProvider.Sut.RevokeUserAsync(organizationUser, owner.Id);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .RevokeAsync(organizationUser.Id);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Revoked);
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncOrgKeysAsync(organizationUser.UserId!.Value);
+    }
+
     [Theory, BitAutoData]
     public async Task RevokeUser_WithEventSystemUser_Success(Organization organization, [OrganizationUser] OrganizationUser organizationUser, EventSystemUser eventSystemUser, SutProvider<OrganizationService> sutProvider)
     {
         RestoreRevokeUser_Setup(organization, null, organizationUser, sutProvider);
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var eventService = sutProvider.GetDependency<IEventService>();
 
         await sutProvider.Sut.RevokeUserAsync(organizationUser, eventSystemUser);
 
-        await organizationUserRepository.Received().RevokeAsync(organizationUser.Id);
-        await eventService.Received()
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .RevokeAsync(organizationUser.Id);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
             .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Revoked, eventSystemUser);
     }
 
+    [Theory, BitAutoData]
+    public async Task RevokeUser_WithEventSystemUser_WithPushSyncOrgKeysOnRevokeRestoreEnabled_Success(Organization organization, [OrganizationUser] OrganizationUser organizationUser, EventSystemUser eventSystemUser, SutProvider<OrganizationService> sutProvider)
+    {
+        RestoreRevokeUser_Setup(organization, null, organizationUser, sutProvider);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore)
+            .Returns(true);
+
+        await sutProvider.Sut.RevokeUserAsync(organizationUser, eventSystemUser);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .RevokeAsync(organizationUser.Id);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Revoked, eventSystemUser);
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncOrgKeysAsync(organizationUser.UserId!.Value);
+    }
+
     [Theory, BitAutoData]
     public async Task RestoreUser_Success(Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
         [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, SutProvider<OrganizationService> sutProvider)
     {
         RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var eventService = sutProvider.GetDependency<IEventService>();
 
         await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
 
-        await organizationUserRepository.Received().RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
-        await eventService.Received()
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
             .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
     }
 
+    [Theory, BitAutoData]
+    public async Task RestoreUser_WithPushSyncOrgKeysOnRevokeRestoreEnabled_Success(Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, SutProvider<OrganizationService> sutProvider)
+    {
+        RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore)
+            .Returns(true);
+
+        await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncOrgKeysAsync(organizationUser.UserId!.Value);
+    }
+
     [Theory, BitAutoData]
     public async Task RestoreUser_WithEventSystemUser_Success(Organization organization, [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, EventSystemUser eventSystemUser, SutProvider<OrganizationService> sutProvider)
     {
         RestoreRevokeUser_Setup(organization, null, organizationUser, sutProvider);
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var eventService = sutProvider.GetDependency<IEventService>();
 
         await sutProvider.Sut.RestoreUserAsync(organizationUser, eventSystemUser);
 
-        await organizationUserRepository.Received().RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
-        await eventService.Received()
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
             .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored, eventSystemUser);
     }
 
+    [Theory, BitAutoData]
+    public async Task RestoreUser_WithEventSystemUser_WithPushSyncOrgKeysOnRevokeRestoreEnabled_Success(Organization organization, [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, EventSystemUser eventSystemUser, SutProvider<OrganizationService> sutProvider)
+    {
+        RestoreRevokeUser_Setup(organization, null, organizationUser, sutProvider);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore)
+            .Returns(true);
+
+        await sutProvider.Sut.RestoreUserAsync(organizationUser, eventSystemUser);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored, eventSystemUser);
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncOrgKeysAsync(organizationUser.UserId!.Value);
+    }
+
     [Theory, BitAutoData]
     public async Task RestoreUser_RestoreThemselves_Fails(Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
         [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, SutProvider<OrganizationService> sutProvider)
     {
         organizationUser.UserId = owner.Id;
         RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var eventService = sutProvider.GetDependency<IEventService>();
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(
             () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
 
         Assert.Contains("you cannot restore yourself", exception.Message.ToLowerInvariant());
 
-        await organizationUserRepository.DidNotReceiveWithAnyArgs().RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
-        await eventService.DidNotReceiveWithAnyArgs()
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
             .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .DidNotReceiveWithAnyArgs()
+            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
     }
 
     [Theory]
@@ -1531,17 +1630,21 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
     {
         restoringUser.Type = restoringUserType;
         RestoreRevokeUser_Setup(organization, restoringUser, organizationUser, sutProvider);
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var eventService = sutProvider.GetDependency<IEventService>();
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(
             () => sutProvider.Sut.RestoreUserAsync(organizationUser, restoringUser.Id));
 
         Assert.Contains("only owners can restore other owners", exception.Message.ToLowerInvariant());
 
-        await organizationUserRepository.DidNotReceiveWithAnyArgs().RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
-        await eventService.DidNotReceiveWithAnyArgs()
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
             .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .DidNotReceiveWithAnyArgs()
+            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
     }
 
     [Theory]
@@ -1553,17 +1656,21 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
     {
         organizationUser.Status = userStatus;
         RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var eventService = sutProvider.GetDependency<IEventService>();
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(
             () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
 
         Assert.Contains("already active", exception.Message.ToLowerInvariant());
 
-        await organizationUserRepository.DidNotReceiveWithAnyArgs().RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
-        await eventService.DidNotReceiveWithAnyArgs()
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
             .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .DidNotReceiveWithAnyArgs()
+            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
     }
 
     [Theory, BitAutoData]
@@ -1575,8 +1682,6 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
     {
         organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
         RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var eventService = sutProvider.GetDependency<IEventService>();
 
         sutProvider.GetDependency<IPolicyService>()
             .AnyPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg, Arg.Any<OrganizationUserStatusType>())
@@ -1591,9 +1696,15 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
 
         Assert.Contains("test@bitwarden.com belongs to an organization that doesn't allow them to join multiple organizations", exception.Message.ToLowerInvariant());
 
-        await organizationUserRepository.DidNotReceiveWithAnyArgs().RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
-        await eventService.DidNotReceiveWithAnyArgs()
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
             .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .DidNotReceiveWithAnyArgs()
+            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
     }
 
     [Theory, BitAutoData]
@@ -1610,8 +1721,6 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
             .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>() { (organizationUser.UserId.Value, false) });
 
         RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var eventService = sutProvider.GetDependency<IEventService>();
 
         sutProvider.GetDependency<IPolicyService>()
             .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
@@ -1626,9 +1735,15 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
 
         Assert.Contains("test@bitwarden.com is not compliant with the two-step login policy", exception.Message.ToLowerInvariant());
 
-        await organizationUserRepository.DidNotReceiveWithAnyArgs().RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
-        await eventService.DidNotReceiveWithAnyArgs()
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
             .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .DidNotReceiveWithAnyArgs()
+            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
     }
 
     [Theory, BitAutoData]
@@ -1640,8 +1755,6 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
     {
         organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
         RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var eventService = sutProvider.GetDependency<IEventService>();
 
         sutProvider.GetDependency<IPolicyService>()
             .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
@@ -1652,8 +1765,11 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
 
         await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
 
-        await organizationUserRepository.Received().RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Confirmed);
-        await eventService.Received()
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Confirmed);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
             .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
     }
 
@@ -1668,10 +1784,10 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
         organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
         secondOrganizationUser.UserId = organizationUser.UserId;
         RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var eventService = sutProvider.GetDependency<IEventService>();
 
-        organizationUserRepository.GetManyByUserAsync(organizationUser.UserId.Value).Returns(new[] { organizationUser, secondOrganizationUser });
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(organizationUser.UserId.Value)
+            .Returns(new[] { organizationUser, secondOrganizationUser });
         sutProvider.GetDependency<IPolicyService>()
             .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg, Arg.Any<OrganizationUserStatusType>())
             .Returns(new[]
@@ -1688,9 +1804,15 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
 
         Assert.Contains("test@bitwarden.com is not compliant with the single organization policy", exception.Message.ToLowerInvariant());
 
-        await organizationUserRepository.DidNotReceiveWithAnyArgs().RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
-        await eventService.DidNotReceiveWithAnyArgs()
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
             .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .DidNotReceiveWithAnyArgs()
+            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
     }
 
     [Theory, BitAutoData]
@@ -1704,11 +1826,8 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
         organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
         secondOrganizationUser.UserId = organizationUser.UserId;
         RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var eventService = sutProvider.GetDependency<IEventService>();
-        var twoFactorIsEnabledQuery = sutProvider.GetDependency<ITwoFactorIsEnabledQuery>();
 
-        twoFactorIsEnabledQuery
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
             .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.UserId.Value)))
             .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>() { (organizationUser.UserId.Value, true) });
 
@@ -1725,9 +1844,15 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
 
         Assert.Contains("test@bitwarden.com belongs to an organization that doesn't allow them to join multiple organizations", exception.Message.ToLowerInvariant());
 
-        await organizationUserRepository.DidNotReceiveWithAnyArgs().RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
-        await eventService.DidNotReceiveWithAnyArgs()
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
             .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .DidNotReceiveWithAnyArgs()
+            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
     }
 
     [Theory, BitAutoData]
@@ -1741,10 +1866,10 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
         organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
         secondOrganizationUser.UserId = organizationUser.UserId;
         RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var eventService = sutProvider.GetDependency<IEventService>();
 
-        organizationUserRepository.GetManyByUserAsync(organizationUser.UserId.Value).Returns(new[] { organizationUser, secondOrganizationUser });
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(organizationUser.UserId.Value)
+            .Returns(new[] { organizationUser, secondOrganizationUser });
         sutProvider.GetDependency<IPolicyService>()
             .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg, Arg.Any<OrganizationUserStatusType>())
             .Returns(new[]
@@ -1768,9 +1893,15 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
 
         Assert.Contains("test@bitwarden.com is not compliant with the single organization and two-step login polciy", exception.Message.ToLowerInvariant());
 
-        await organizationUserRepository.DidNotReceiveWithAnyArgs().RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
-        await eventService.DidNotReceiveWithAnyArgs()
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
             .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .DidNotReceiveWithAnyArgs()
+            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
     }
 
     [Theory, BitAutoData]
@@ -1783,8 +1914,6 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
         organizationUser.Email = null;
 
         RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var eventService = sutProvider.GetDependency<IEventService>();
 
         sutProvider.GetDependency<IPolicyService>()
             .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
@@ -1799,9 +1928,15 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
 
         Assert.Contains("test@bitwarden.com is not compliant with the two-step login policy", exception.Message.ToLowerInvariant());
 
-        await organizationUserRepository.DidNotReceiveWithAnyArgs().RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
-        await eventService.DidNotReceiveWithAnyArgs()
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
             .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .DidNotReceiveWithAnyArgs()
+            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
     }
 
     [Theory, BitAutoData]
@@ -1813,22 +1948,22 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
     {
         organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
         RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var eventService = sutProvider.GetDependency<IEventService>();
-        var twoFactorIsEnabledQuery = sutProvider.GetDependency<ITwoFactorIsEnabledQuery>();
 
         sutProvider.GetDependency<IPolicyService>()
             .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
             .Returns(new[] { new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.TwoFactorAuthentication } });
 
-        twoFactorIsEnabledQuery
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
             .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.UserId.Value)))
             .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>() { (organizationUser.UserId.Value, true) });
 
         await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
 
-        await organizationUserRepository.Received().RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Confirmed);
-        await eventService.Received()
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Confirmed);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
             .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
     }
 

From 17f5c97891ad983687455b3a46006d15c8a29c7a Mon Sep 17 00:00:00 2001
From: Vijay Oommen <voommen@livefront.com>
Date: Thu, 6 Feb 2025 08:13:17 -0600
Subject: [PATCH 251/384] PM-6939 - Onyx Integration into freshdesk controller
 (#5365)

---
 src/Billing/Billing.csproj                    |   3 +
 src/Billing/BillingSettings.cs                |   7 +
 src/Billing/Controllers/BitPayController.cs   |   1 +
 .../Controllers/FreshdeskController.cs        | 137 +++++++++++++++
 .../Models/FreshdeskViewTicketModel.cs        |  44 +++++
 .../OnyxAnswerWithCitationRequestModel.cs     |  54 ++++++
 .../OnyxAnswerWithCitationResponseModel.cs    |  30 ++++
 src/Billing/Startup.cs                        |  15 ++
 src/Billing/appsettings.json                  |   6 +-
 .../Controllers/FreshdeskControllerTests.cs   | 156 +++++++++++++++++-
 10 files changed, 451 insertions(+), 2 deletions(-)
 create mode 100644 src/Billing/Models/FreshdeskViewTicketModel.cs
 create mode 100644 src/Billing/Models/OnyxAnswerWithCitationRequestModel.cs
 create mode 100644 src/Billing/Models/OnyxAnswerWithCitationResponseModel.cs

diff --git a/src/Billing/Billing.csproj b/src/Billing/Billing.csproj
index b30d987a95..f32eccfe8c 100644
--- a/src/Billing/Billing.csproj
+++ b/src/Billing/Billing.csproj
@@ -10,5 +10,8 @@
     <ProjectReference Include="..\SharedWeb\SharedWeb.csproj" />
     <ProjectReference Include="..\Core\Core.csproj" />
   </ItemGroup>
+  <ItemGroup>
+    <PackageReference Include="Swashbuckle.AspNetCore" Version="7.2.0" />
+  </ItemGroup>
 
 </Project>
diff --git a/src/Billing/BillingSettings.cs b/src/Billing/BillingSettings.cs
index 91ea8f1221..ffe73808d4 100644
--- a/src/Billing/BillingSettings.cs
+++ b/src/Billing/BillingSettings.cs
@@ -12,6 +12,7 @@ public class BillingSettings
     public virtual FreshDeskSettings FreshDesk { get; set; } = new FreshDeskSettings();
     public virtual string FreshsalesApiKey { get; set; }
     public virtual PayPalSettings PayPal { get; set; } = new PayPalSettings();
+    public virtual OnyxSettings Onyx { get; set; } = new OnyxSettings();
 
     public class PayPalSettings
     {
@@ -31,4 +32,10 @@ public class BillingSettings
         public virtual string UserFieldName { get; set; }
         public virtual string OrgFieldName { get; set; }
     }
+
+    public class OnyxSettings
+    {
+        public virtual string ApiKey { get; set; }
+        public virtual string BaseUrl { get; set; }
+    }
 }
diff --git a/src/Billing/Controllers/BitPayController.cs b/src/Billing/Controllers/BitPayController.cs
index 026909aed1..4caf57aa20 100644
--- a/src/Billing/Controllers/BitPayController.cs
+++ b/src/Billing/Controllers/BitPayController.cs
@@ -13,6 +13,7 @@ using Microsoft.Extensions.Options;
 namespace Bit.Billing.Controllers;
 
 [Route("bitpay")]
+[ApiExplorerSettings(IgnoreApi = true)]
 public class BitPayController : Controller
 {
     private readonly BillingSettings _billingSettings;
diff --git a/src/Billing/Controllers/FreshdeskController.cs b/src/Billing/Controllers/FreshdeskController.cs
index 7aeb60a67f..4bf6b7bad4 100644
--- a/src/Billing/Controllers/FreshdeskController.cs
+++ b/src/Billing/Controllers/FreshdeskController.cs
@@ -1,6 +1,8 @@
 using System.ComponentModel.DataAnnotations;
+using System.Net.Http.Headers;
 using System.Reflection;
 using System.Text;
+using System.Text.Json;
 using System.Web;
 using Bit.Billing.Models;
 using Bit.Core.Repositories;
@@ -142,6 +144,121 @@ public class FreshdeskController : Controller
         }
     }
 
+    [HttpPost("webhook-onyx-ai")]
+    public async Task<IActionResult> PostWebhookOnyxAi([FromQuery, Required] string key,
+        [FromBody, Required] FreshdeskWebhookModel model)
+    {
+        // ensure that the key is from Freshdesk
+        if (!IsValidRequestFromFreshdesk(key))
+        {
+            return new BadRequestResult();
+        }
+
+        // get ticket info from Freshdesk
+        var getTicketRequest = new HttpRequestMessage(HttpMethod.Get,
+            string.Format("https://bitwarden.freshdesk.com/api/v2/tickets/{0}", model.TicketId));
+        var getTicketResponse = await CallFreshdeskApiAsync(getTicketRequest);
+
+        // check if we have a valid response from freshdesk
+        if (getTicketResponse.StatusCode != System.Net.HttpStatusCode.OK)
+        {
+            _logger.LogError("Error getting ticket info from Freshdesk. Ticket Id: {0}. Status code: {1}",
+                            model.TicketId, getTicketResponse.StatusCode);
+            return BadRequest("Failed to retrieve ticket info from Freshdesk");
+        }
+
+        // extract info from the response
+        var ticketInfo = await ExtractTicketInfoFromResponse(getTicketResponse);
+        if (ticketInfo == null)
+        {
+            return BadRequest("Failed to extract ticket info from Freshdesk response");
+        }
+
+        // create the onyx `answer-with-citation` request
+        var onyxRequestModel = new OnyxAnswerWithCitationRequestModel(ticketInfo.DescriptionText);
+        var onyxRequest = new HttpRequestMessage(HttpMethod.Post,
+                            string.Format("{0}/query/answer-with-citation", _billingSettings.Onyx.BaseUrl))
+        {
+            Content = JsonContent.Create(onyxRequestModel, mediaType: new MediaTypeHeaderValue("application/json")),
+        };
+        var (_, onyxJsonResponse) = await CallOnyxApi<OnyxAnswerWithCitationResponseModel>(onyxRequest);
+
+        // the CallOnyxApi will return a null if we have an error response
+        if (onyxJsonResponse?.Answer == null || !string.IsNullOrEmpty(onyxJsonResponse?.ErrorMsg))
+        {
+            return BadRequest(
+                string.Format("Failed to get a valid response from Onyx API. Response: {0}",
+                            JsonSerializer.Serialize(onyxJsonResponse ?? new OnyxAnswerWithCitationResponseModel())));
+        }
+
+        // add the answer as a note to the ticket
+        await AddAnswerNoteToTicketAsync(onyxJsonResponse.Answer, model.TicketId);
+
+        return Ok();
+    }
+
+    private bool IsValidRequestFromFreshdesk(string key)
+    {
+        if (string.IsNullOrWhiteSpace(key)
+                || !CoreHelpers.FixedTimeEquals(key, _billingSettings.FreshDesk.WebhookKey))
+        {
+            return false;
+        }
+
+        return true;
+    }
+
+    private async Task AddAnswerNoteToTicketAsync(string note, string ticketId)
+    {
+        // if there is no content, then we don't need to add a note
+        if (string.IsNullOrWhiteSpace(note))
+        {
+            return;
+        }
+
+        var noteBody = new Dictionary<string, object>
+                {
+                    { "body", $"<b>Onyx AI:</b><ul>{note}</ul>" },
+                    { "private", true }
+                };
+
+        var noteRequest = new HttpRequestMessage(HttpMethod.Post,
+                    string.Format("https://bitwarden.freshdesk.com/api/v2/tickets/{0}/notes", ticketId))
+        {
+            Content = JsonContent.Create(noteBody),
+        };
+
+        var addNoteResponse = await CallFreshdeskApiAsync(noteRequest);
+        if (addNoteResponse.StatusCode != System.Net.HttpStatusCode.Created)
+        {
+            _logger.LogError("Error adding note to Freshdesk ticket. Ticket Id: {0}. Status: {1}",
+                            ticketId, addNoteResponse.ToString());
+        }
+    }
+
+    private async Task<FreshdeskViewTicketModel> ExtractTicketInfoFromResponse(HttpResponseMessage getTicketResponse)
+    {
+        var responseString = string.Empty;
+        try
+        {
+            responseString = await getTicketResponse.Content.ReadAsStringAsync();
+            var ticketInfo = JsonSerializer.Deserialize<FreshdeskViewTicketModel>(responseString,
+                options: new System.Text.Json.JsonSerializerOptions
+                {
+                    PropertyNameCaseInsensitive = true,
+                });
+
+            return ticketInfo;
+        }
+        catch (System.Exception ex)
+        {
+            _logger.LogError("Error deserializing ticket info from Freshdesk response. Response: {0}. Exception {1}",
+                            responseString, ex.ToString());
+        }
+
+        return null;
+    }
+
     private async Task<HttpResponseMessage> CallFreshdeskApiAsync(HttpRequestMessage request, int retriedCount = 0)
     {
         try
@@ -166,6 +283,26 @@ public class FreshdeskController : Controller
         return await CallFreshdeskApiAsync(request, retriedCount++);
     }
 
+    private async Task<(HttpResponseMessage, T)> CallOnyxApi<T>(HttpRequestMessage request)
+    {
+        var httpClient = _httpClientFactory.CreateClient("OnyxApi");
+        var response = await httpClient.SendAsync(request);
+
+        if (response.StatusCode != System.Net.HttpStatusCode.OK)
+        {
+            _logger.LogError("Error calling Onyx AI API. Status code: {0}. Response {1}",
+                response.StatusCode, JsonSerializer.Serialize(response));
+            return (null, default);
+        }
+        var responseStr = await response.Content.ReadAsStringAsync();
+        var responseJson = JsonSerializer.Deserialize<T>(responseStr, options: new JsonSerializerOptions
+        {
+            PropertyNameCaseInsensitive = true,
+        });
+
+        return (response, responseJson);
+    }
+
     private TAttribute GetAttribute<TAttribute>(Enum enumValue) where TAttribute : Attribute
     {
         return enumValue.GetType().GetMember(enumValue.ToString()).First().GetCustomAttribute<TAttribute>();
diff --git a/src/Billing/Models/FreshdeskViewTicketModel.cs b/src/Billing/Models/FreshdeskViewTicketModel.cs
new file mode 100644
index 0000000000..2aa6eff94d
--- /dev/null
+++ b/src/Billing/Models/FreshdeskViewTicketModel.cs
@@ -0,0 +1,44 @@
+namespace Bit.Billing.Models;
+
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+public class FreshdeskViewTicketModel
+{
+    [JsonPropertyName("spam")]
+    public bool? Spam { get; set; }
+
+    [JsonPropertyName("priority")]
+    public int? Priority { get; set; }
+
+    [JsonPropertyName("source")]
+    public int? Source { get; set; }
+
+    [JsonPropertyName("status")]
+    public int? Status { get; set; }
+
+    [JsonPropertyName("subject")]
+    public string Subject { get; set; }
+
+    [JsonPropertyName("support_email")]
+    public string SupportEmail { get; set; }
+
+    [JsonPropertyName("id")]
+    public int Id { get; set; }
+
+    [JsonPropertyName("description")]
+    public string Description { get; set; }
+
+    [JsonPropertyName("description_text")]
+    public string DescriptionText { get; set; }
+
+    [JsonPropertyName("created_at")]
+    public DateTime CreatedAt { get; set; }
+
+    [JsonPropertyName("updated_at")]
+    public DateTime UpdatedAt { get; set; }
+
+    [JsonPropertyName("tags")]
+    public List<string> Tags { get; set; }
+}
diff --git a/src/Billing/Models/OnyxAnswerWithCitationRequestModel.cs b/src/Billing/Models/OnyxAnswerWithCitationRequestModel.cs
new file mode 100644
index 0000000000..e7bd29b2f5
--- /dev/null
+++ b/src/Billing/Models/OnyxAnswerWithCitationRequestModel.cs
@@ -0,0 +1,54 @@
+
+using System.Text.Json.Serialization;
+
+namespace Bit.Billing.Models;
+
+public class OnyxAnswerWithCitationRequestModel
+{
+    [JsonPropertyName("messages")]
+    public List<Message> Messages { get; set; }
+
+    [JsonPropertyName("persona_id")]
+    public int PersonaId { get; set; } = 1;
+
+    [JsonPropertyName("prompt_id")]
+    public int PromptId { get; set; } = 1;
+
+    [JsonPropertyName("retrieval_options")]
+    public RetrievalOptions RetrievalOptions { get; set; }
+
+    public OnyxAnswerWithCitationRequestModel(string message)
+    {
+        message = message.Replace(Environment.NewLine, " ").Replace('\r', ' ').Replace('\n', ' ');
+        Messages = new List<Message>() { new Message() { MessageText = message } };
+        RetrievalOptions = new RetrievalOptions();
+    }
+}
+
+public class Message
+{
+    [JsonPropertyName("message")]
+    public string MessageText { get; set; }
+
+    [JsonPropertyName("sender")]
+    public string Sender { get; set; } = "user";
+}
+
+public class RetrievalOptions
+{
+    [JsonPropertyName("run_search")]
+    public string RunSearch { get; set; } = RetrievalOptionsRunSearch.Auto;
+
+    [JsonPropertyName("real_time")]
+    public bool RealTime { get; set; } = true;
+
+    [JsonPropertyName("limit")]
+    public int? Limit { get; set; } = 3;
+}
+
+public class RetrievalOptionsRunSearch
+{
+    public const string Always = "always";
+    public const string Never = "never";
+    public const string Auto = "auto";
+}
diff --git a/src/Billing/Models/OnyxAnswerWithCitationResponseModel.cs b/src/Billing/Models/OnyxAnswerWithCitationResponseModel.cs
new file mode 100644
index 0000000000..e85ee9a674
--- /dev/null
+++ b/src/Billing/Models/OnyxAnswerWithCitationResponseModel.cs
@@ -0,0 +1,30 @@
+using System.Text.Json.Serialization;
+
+namespace Bit.Billing.Models;
+
+public class OnyxAnswerWithCitationResponseModel
+{
+    [JsonPropertyName("answer")]
+    public string Answer { get; set; }
+
+    [JsonPropertyName("rephrase")]
+    public string Rephrase { get; set; }
+
+    [JsonPropertyName("citations")]
+    public List<Citation> Citations { get; set; }
+
+    [JsonPropertyName("llm_selected_doc_indices")]
+    public List<int> LlmSelectedDocIndices { get; set; }
+
+    [JsonPropertyName("error_msg")]
+    public string ErrorMsg { get; set; }
+}
+
+public class Citation
+{
+    [JsonPropertyName("citation_num")]
+    public int CitationNum { get; set; }
+
+    [JsonPropertyName("document_id")]
+    public string DocumentId { get; set; }
+}
diff --git a/src/Billing/Startup.cs b/src/Billing/Startup.cs
index 2d2f109e77..e9f2f53488 100644
--- a/src/Billing/Startup.cs
+++ b/src/Billing/Startup.cs
@@ -1,4 +1,5 @@
 using System.Globalization;
+using System.Net.Http.Headers;
 using Bit.Billing.Services;
 using Bit.Billing.Services.Implementations;
 using Bit.Core.Billing.Extensions;
@@ -34,6 +35,7 @@ public class Startup
         // Settings
         var globalSettings = services.AddGlobalSettingsServices(Configuration, Environment);
         services.Configure<BillingSettings>(Configuration.GetSection("BillingSettings"));
+        var billingSettings = Configuration.GetSection("BillingSettings").Get<BillingSettings>();
 
         // Stripe Billing
         StripeConfiguration.ApiKey = globalSettings.Stripe.ApiKey;
@@ -97,6 +99,10 @@ public class Startup
 
         // Set up HttpClients
         services.AddHttpClient("FreshdeskApi");
+        services.AddHttpClient("OnyxApi", client =>
+        {
+            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", billingSettings.Onyx.ApiKey);
+        });
 
         services.AddScoped<IStripeFacade, StripeFacade>();
         services.AddScoped<IStripeEventService, StripeEventService>();
@@ -112,6 +118,10 @@ public class Startup
         // Jobs service
         Jobs.JobsHostedService.AddJobsServices(services);
         services.AddHostedService<Jobs.JobsHostedService>();
+
+        // Swagger
+        services.AddEndpointsApiExplorer();
+        services.AddSwaggerGen();
     }
 
     public void Configure(
@@ -128,6 +138,11 @@ public class Startup
         if (env.IsDevelopment())
         {
             app.UseDeveloperExceptionPage();
+            app.UseSwagger();
+            app.UseSwaggerUI(c =>
+            {
+                c.SwaggerEndpoint("/swagger/v1/swagger.json", "Billing API V1");
+            });
         }
 
         app.UseStaticFiles();
diff --git a/src/Billing/appsettings.json b/src/Billing/appsettings.json
index 84a67434f5..2a2864b246 100644
--- a/src/Billing/appsettings.json
+++ b/src/Billing/appsettings.json
@@ -73,6 +73,10 @@
       "region": "US",
       "userFieldName": "cf_user",
       "orgFieldName": "cf_org"
-    }
+    },
+    "onyx": {
+      "apiKey": "SECRET",
+      "baseUrl": "https://cloud.onyx.app/api"
+    }    
   }
 }
diff --git a/test/Billing.Test/Controllers/FreshdeskControllerTests.cs b/test/Billing.Test/Controllers/FreshdeskControllerTests.cs
index f07c64dad9..26ce310b9c 100644
--- a/test/Billing.Test/Controllers/FreshdeskControllerTests.cs
+++ b/test/Billing.Test/Controllers/FreshdeskControllerTests.cs
@@ -1,4 +1,5 @@
-using Bit.Billing.Controllers;
+using System.Text.Json;
+using Bit.Billing.Controllers;
 using Bit.Billing.Models;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Entities;
@@ -70,6 +71,159 @@ public class FreshdeskControllerTests
         _ = mockHttpMessageHandler.Received(1).Send(Arg.Is<HttpRequestMessage>(m => m.Method == HttpMethod.Post && m.RequestUri.ToString().EndsWith($"{model.TicketId}/notes")), Arg.Any<CancellationToken>());
     }
 
+    [Theory]
+    [BitAutoData((string)null, null)]
+    [BitAutoData((string)null)]
+    [BitAutoData(WebhookKey, null)]
+    public async Task PostWebhookOnyxAi_InvalidWebhookKey_results_in_BadRequest(
+        string freshdeskWebhookKey, FreshdeskWebhookModel model,
+        BillingSettings billingSettings, SutProvider<FreshdeskController> sutProvider)
+    {
+        sutProvider.GetDependency<IOptions<BillingSettings>>()
+            .Value.FreshDesk.WebhookKey.Returns(billingSettings.FreshDesk.WebhookKey);
+
+        var response = await sutProvider.Sut.PostWebhookOnyxAi(freshdeskWebhookKey, model);
+
+        var statusCodeResult = Assert.IsAssignableFrom<StatusCodeResult>(response);
+        Assert.Equal(StatusCodes.Status400BadRequest, statusCodeResult.StatusCode);
+    }
+
+    [Theory]
+    [BitAutoData(WebhookKey)]
+    public async Task PostWebhookOnyxAi_invalid_ticketid_results_in_BadRequest(
+        string freshdeskWebhookKey, FreshdeskWebhookModel model, SutProvider<FreshdeskController> sutProvider)
+    {
+        sutProvider.GetDependency<IOptions<BillingSettings>>()
+            .Value.FreshDesk.WebhookKey.Returns(freshdeskWebhookKey);
+
+        var mockHttpMessageHandler = Substitute.ForPartsOf<MockHttpMessageHandler>();
+        var mockResponse = new HttpResponseMessage(System.Net.HttpStatusCode.BadRequest);
+        mockHttpMessageHandler.Send(Arg.Any<HttpRequestMessage>(), Arg.Any<CancellationToken>())
+           .Returns(mockResponse);
+        var httpClient = new HttpClient(mockHttpMessageHandler);
+
+        sutProvider.GetDependency<IHttpClientFactory>().CreateClient("FreshdeskApi").Returns(httpClient);
+
+        var response = await sutProvider.Sut.PostWebhookOnyxAi(freshdeskWebhookKey, model);
+
+        var result = Assert.IsAssignableFrom<BadRequestObjectResult>(response);
+        Assert.Equal(StatusCodes.Status400BadRequest, result.StatusCode);
+    }
+
+    [Theory]
+    [BitAutoData(WebhookKey)]
+    public async Task PostWebhookOnyxAi_invalid_freshdesk_response_results_in_BadRequest(
+        string freshdeskWebhookKey, FreshdeskWebhookModel model,
+        SutProvider<FreshdeskController> sutProvider)
+    {
+        sutProvider.GetDependency<IOptions<BillingSettings>>()
+            .Value.FreshDesk.WebhookKey.Returns(freshdeskWebhookKey);
+
+        var mockHttpMessageHandler = Substitute.ForPartsOf<MockHttpMessageHandler>();
+        var mockResponse = new HttpResponseMessage(System.Net.HttpStatusCode.OK)
+        {
+            Content = new StringContent("non json content. expect json deserializer to throw error")
+        };
+        mockHttpMessageHandler.Send(Arg.Any<HttpRequestMessage>(), Arg.Any<CancellationToken>())
+           .Returns(mockResponse);
+        var httpClient = new HttpClient(mockHttpMessageHandler);
+
+        sutProvider.GetDependency<IHttpClientFactory>().CreateClient("FreshdeskApi").Returns(httpClient);
+
+        var response = await sutProvider.Sut.PostWebhookOnyxAi(freshdeskWebhookKey, model);
+
+        var result = Assert.IsAssignableFrom<BadRequestObjectResult>(response);
+        Assert.Equal(StatusCodes.Status400BadRequest, result.StatusCode);
+    }
+
+    [Theory]
+    [BitAutoData(WebhookKey)]
+    public async Task PostWebhookOnyxAi_invalid_onyx_response_results_in_BadRequest(
+        string freshdeskWebhookKey, FreshdeskWebhookModel model,
+        FreshdeskViewTicketModel freshdeskTicketInfo, SutProvider<FreshdeskController> sutProvider)
+    {
+        var billingSettings = sutProvider.GetDependency<IOptions<BillingSettings>>().Value;
+        billingSettings.FreshDesk.WebhookKey.Returns(freshdeskWebhookKey);
+        billingSettings.Onyx.BaseUrl.Returns("http://simulate-onyx-api.com/api");
+
+        // mocking freshdesk Api request for ticket info
+        var mockFreshdeskHttpMessageHandler = Substitute.ForPartsOf<MockHttpMessageHandler>();
+        var mockFreshdeskResponse = new HttpResponseMessage(System.Net.HttpStatusCode.OK)
+        {
+            Content = new StringContent(JsonSerializer.Serialize(freshdeskTicketInfo))
+        };
+        mockFreshdeskHttpMessageHandler.Send(Arg.Any<HttpRequestMessage>(), Arg.Any<CancellationToken>())
+           .Returns(mockFreshdeskResponse);
+        var freshdeskHttpClient = new HttpClient(mockFreshdeskHttpMessageHandler);
+
+        // mocking Onyx api response given a ticket description
+        var mockOnyxHttpMessageHandler = Substitute.ForPartsOf<MockHttpMessageHandler>();
+        var mockOnyxResponse = new HttpResponseMessage(System.Net.HttpStatusCode.BadRequest);
+        mockOnyxHttpMessageHandler.Send(Arg.Any<HttpRequestMessage>(), Arg.Any<CancellationToken>())
+           .Returns(mockOnyxResponse);
+        var onyxHttpClient = new HttpClient(mockOnyxHttpMessageHandler);
+
+        sutProvider.GetDependency<IHttpClientFactory>().CreateClient("FreshdeskApi").Returns(freshdeskHttpClient);
+        sutProvider.GetDependency<IHttpClientFactory>().CreateClient("OnyxApi").Returns(onyxHttpClient);
+
+        var response = await sutProvider.Sut.PostWebhookOnyxAi(freshdeskWebhookKey, model);
+
+        var result = Assert.IsAssignableFrom<BadRequestObjectResult>(response);
+        Assert.Equal(StatusCodes.Status400BadRequest, result.StatusCode);
+    }
+
+    [Theory]
+    [BitAutoData(WebhookKey)]
+    public async Task PostWebhookOnyxAi_success(
+        string freshdeskWebhookKey, FreshdeskWebhookModel model,
+        FreshdeskViewTicketModel freshdeskTicketInfo,
+        OnyxAnswerWithCitationResponseModel onyxResponse,
+        SutProvider<FreshdeskController> sutProvider)
+    {
+        var billingSettings = sutProvider.GetDependency<IOptions<BillingSettings>>().Value;
+        billingSettings.FreshDesk.WebhookKey.Returns(freshdeskWebhookKey);
+        billingSettings.Onyx.BaseUrl.Returns("http://simulate-onyx-api.com/api");
+
+        // mocking freshdesk Api request for ticket info (GET)
+        var mockFreshdeskHttpMessageHandler = Substitute.ForPartsOf<MockHttpMessageHandler>();
+        var mockFreshdeskResponse = new HttpResponseMessage(System.Net.HttpStatusCode.OK)
+        {
+            Content = new StringContent(JsonSerializer.Serialize(freshdeskTicketInfo))
+        };
+        mockFreshdeskHttpMessageHandler.Send(
+                Arg.Is<HttpRequestMessage>(_ => _.Method == HttpMethod.Get),
+                Arg.Any<CancellationToken>())
+            .Returns(mockFreshdeskResponse);
+
+        // mocking freshdesk api add note request (POST)
+        var mockFreshdeskAddNoteResponse = new HttpResponseMessage(System.Net.HttpStatusCode.BadRequest);
+        mockFreshdeskHttpMessageHandler.Send(
+                Arg.Is<HttpRequestMessage>(_ => _.Method == HttpMethod.Post),
+                Arg.Any<CancellationToken>())
+            .Returns(mockFreshdeskAddNoteResponse);
+        var freshdeskHttpClient = new HttpClient(mockFreshdeskHttpMessageHandler);
+
+
+        // mocking Onyx api response given a ticket description
+        var mockOnyxHttpMessageHandler = Substitute.ForPartsOf<MockHttpMessageHandler>();
+        onyxResponse.ErrorMsg = string.Empty;
+        var mockOnyxResponse = new HttpResponseMessage(System.Net.HttpStatusCode.OK)
+        {
+            Content = new StringContent(JsonSerializer.Serialize(onyxResponse))
+        };
+        mockOnyxHttpMessageHandler.Send(Arg.Any<HttpRequestMessage>(), Arg.Any<CancellationToken>())
+           .Returns(mockOnyxResponse);
+        var onyxHttpClient = new HttpClient(mockOnyxHttpMessageHandler);
+
+        sutProvider.GetDependency<IHttpClientFactory>().CreateClient("FreshdeskApi").Returns(freshdeskHttpClient);
+        sutProvider.GetDependency<IHttpClientFactory>().CreateClient("OnyxApi").Returns(onyxHttpClient);
+
+        var response = await sutProvider.Sut.PostWebhookOnyxAi(freshdeskWebhookKey, model);
+
+        var result = Assert.IsAssignableFrom<OkResult>(response);
+        Assert.Equal(StatusCodes.Status200OK, result.StatusCode);
+    }
+
     public class MockHttpMessageHandler : HttpMessageHandler
     {
         protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)

From bc27ec2b9b800c7dbb5ffd9e6454d44df144ef3c Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Thu, 6 Feb 2025 15:15:36 +0100
Subject: [PATCH 252/384] =?UTF-8?q?[PM-12765]=20Change=20error=20message?=
 =?UTF-8?q?=20when=20subscription=20canceled=20and=20attemp=E2=80=A6=20(#5?=
 =?UTF-8?q?346)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../Services/Implementations/OrganizationService.cs  | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index 6194aea6c7..6f4aba4882 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -1294,6 +1294,12 @@ public class OrganizationService : IOrganizationService
             }
         }
 
+        var subscription = await _paymentService.GetSubscriptionAsync(organization);
+        if (subscription?.Subscription?.Status == StripeConstants.SubscriptionStatus.Canceled)
+        {
+            return (false, "You do not have an active subscription. Reinstate your subscription to make changes");
+        }
+
         if (organization.Seats.HasValue &&
             organization.MaxAutoscaleSeats.HasValue &&
             organization.MaxAutoscaleSeats.Value < organization.Seats.Value + seatsToAdd)
@@ -1301,12 +1307,6 @@ public class OrganizationService : IOrganizationService
             return (false, $"Seat limit has been reached.");
         }
 
-        var subscription = await _paymentService.GetSubscriptionAsync(organization);
-        if (subscription?.Subscription?.Status == StripeConstants.SubscriptionStatus.Canceled)
-        {
-            return (false, "Cannot autoscale with a canceled subscription.");
-        }
-
         return (true, failureReason);
     }
 

From 678d5d5d632447ac3431781d8232971eab713edc Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Thu, 6 Feb 2025 16:34:22 +0100
Subject: [PATCH 253/384] [PM-18028] Attempting to enable automatic tax on
 customer with invalid location (#5374)

---
 .../Implementations/UpcomingInvoiceHandler.cs | 13 +++---
 .../Billing/Extensions/CustomerExtensions.cs  | 16 +++++++
 .../SubscriptionCreateOptionsExtensions.cs    | 26 +++++++++++
 .../SubscriptionUpdateOptionsExtensions.cs    | 35 +++++++++++++++
 .../UpcomingInvoiceOptionsExtensions.cs       | 35 +++++++++++++++
 .../PremiumUserBillingService.cs              |  2 +-
 .../Implementations/SubscriberService.cs      | 20 ++++++---
 .../Implementations/StripePaymentService.cs   | 43 +++++++++----------
 8 files changed, 155 insertions(+), 35 deletions(-)
 create mode 100644 src/Core/Billing/Extensions/CustomerExtensions.cs
 create mode 100644 src/Core/Billing/Extensions/SubscriptionCreateOptionsExtensions.cs
 create mode 100644 src/Core/Billing/Extensions/SubscriptionUpdateOptionsExtensions.cs
 create mode 100644 src/Core/Billing/Extensions/UpcomingInvoiceOptionsExtensions.cs

diff --git a/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs b/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs
index c52c03b6aa..409bd0d18b 100644
--- a/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs
+++ b/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs
@@ -1,6 +1,7 @@
 using Bit.Billing.Constants;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Billing.Extensions;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -160,16 +161,16 @@ public class UpcomingInvoiceHandler : IUpcomingInvoiceHandler
 
     private async Task<Subscription> TryEnableAutomaticTaxAsync(Subscription subscription)
     {
-        if (subscription.AutomaticTax.Enabled)
+        var customerGetOptions = new CustomerGetOptions { Expand = ["tax"] };
+        var customer = await _stripeFacade.GetCustomer(subscription.CustomerId, customerGetOptions);
+
+        var subscriptionUpdateOptions = new SubscriptionUpdateOptions();
+
+        if (!subscriptionUpdateOptions.EnableAutomaticTax(customer, subscription))
         {
             return subscription;
         }
 
-        var subscriptionUpdateOptions = new SubscriptionUpdateOptions
-        {
-            AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
-        };
-
         return await _stripeFacade.UpdateSubscription(subscription.Id, subscriptionUpdateOptions);
     }
 
diff --git a/src/Core/Billing/Extensions/CustomerExtensions.cs b/src/Core/Billing/Extensions/CustomerExtensions.cs
new file mode 100644
index 0000000000..62f1a5055c
--- /dev/null
+++ b/src/Core/Billing/Extensions/CustomerExtensions.cs
@@ -0,0 +1,16 @@
+using Bit.Core.Billing.Constants;
+using Stripe;
+
+namespace Bit.Core.Billing.Extensions;
+
+public static class CustomerExtensions
+{
+
+    /// <summary>
+    /// Determines if a Stripe customer supports automatic tax
+    /// </summary>
+    /// <param name="customer"></param>
+    /// <returns></returns>
+    public static bool HasTaxLocationVerified(this Customer customer) =>
+        customer?.Tax?.AutomaticTax == StripeConstants.AutomaticTaxStatus.Supported;
+}
diff --git a/src/Core/Billing/Extensions/SubscriptionCreateOptionsExtensions.cs b/src/Core/Billing/Extensions/SubscriptionCreateOptionsExtensions.cs
new file mode 100644
index 0000000000..d76a0553a3
--- /dev/null
+++ b/src/Core/Billing/Extensions/SubscriptionCreateOptionsExtensions.cs
@@ -0,0 +1,26 @@
+using Stripe;
+
+namespace Bit.Core.Billing.Extensions;
+
+public static class SubscriptionCreateOptionsExtensions
+{
+    /// <summary>
+    /// Attempts to enable automatic tax for given new subscription options.
+    /// </summary>
+    /// <param name="options"></param>
+    /// <param name="customer">The existing customer.</param>
+    /// <returns>Returns true when successful, false when conditions are not met.</returns>
+    public static bool EnableAutomaticTax(this SubscriptionCreateOptions options, Customer customer)
+    {
+        // We might only need to check the automatic tax status.
+        if (!customer.HasTaxLocationVerified() && string.IsNullOrWhiteSpace(customer.Address?.Country))
+        {
+            return false;
+        }
+
+        options.DefaultTaxRates = [];
+        options.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true };
+
+        return true;
+    }
+}
diff --git a/src/Core/Billing/Extensions/SubscriptionUpdateOptionsExtensions.cs b/src/Core/Billing/Extensions/SubscriptionUpdateOptionsExtensions.cs
new file mode 100644
index 0000000000..d70af78fa8
--- /dev/null
+++ b/src/Core/Billing/Extensions/SubscriptionUpdateOptionsExtensions.cs
@@ -0,0 +1,35 @@
+using Stripe;
+
+namespace Bit.Core.Billing.Extensions;
+
+public static class SubscriptionUpdateOptionsExtensions
+{
+    /// <summary>
+    /// Attempts to enable automatic tax for given subscription options.
+    /// </summary>
+    /// <param name="options"></param>
+    /// <param name="customer">The existing customer to which the subscription belongs.</param>
+    /// <param name="subscription">The existing subscription.</param>
+    /// <returns>Returns true when successful, false when conditions are not met.</returns>
+    public static bool EnableAutomaticTax(
+        this SubscriptionUpdateOptions options,
+        Customer customer,
+        Subscription subscription)
+    {
+        if (subscription.AutomaticTax.Enabled)
+        {
+            return false;
+        }
+
+        // We might only need to check the automatic tax status.
+        if (!customer.HasTaxLocationVerified() && string.IsNullOrWhiteSpace(customer.Address?.Country))
+        {
+            return false;
+        }
+
+        options.DefaultTaxRates = [];
+        options.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true };
+
+        return true;
+    }
+}
diff --git a/src/Core/Billing/Extensions/UpcomingInvoiceOptionsExtensions.cs b/src/Core/Billing/Extensions/UpcomingInvoiceOptionsExtensions.cs
new file mode 100644
index 0000000000..88df5638c9
--- /dev/null
+++ b/src/Core/Billing/Extensions/UpcomingInvoiceOptionsExtensions.cs
@@ -0,0 +1,35 @@
+using Stripe;
+
+namespace Bit.Core.Billing.Extensions;
+
+public static class UpcomingInvoiceOptionsExtensions
+{
+    /// <summary>
+    /// Attempts to enable automatic tax for given upcoming invoice options.
+    /// </summary>
+    /// <param name="options"></param>
+    /// <param name="customer">The existing customer to which the upcoming invoice belongs.</param>
+    /// <param name="subscription">The existing subscription to which the upcoming invoice belongs.</param>
+    /// <returns>Returns true when successful, false when conditions are not met.</returns>
+    public static bool EnableAutomaticTax(
+        this UpcomingInvoiceOptions options,
+        Customer customer,
+        Subscription subscription)
+    {
+        if (subscription != null && subscription.AutomaticTax.Enabled)
+        {
+            return false;
+        }
+
+        // We might only need to check the automatic tax status.
+        if (!customer.HasTaxLocationVerified() && string.IsNullOrWhiteSpace(customer.Address?.Country))
+        {
+            return false;
+        }
+
+        options.AutomaticTax = new InvoiceAutomaticTaxOptions { Enabled = true };
+        options.SubscriptionDefaultTaxRates = [];
+
+        return true;
+    }
+}
diff --git a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
index ed841c9576..99815c0557 100644
--- a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
@@ -258,7 +258,7 @@ public class PremiumUserBillingService(
         {
             AutomaticTax = new SubscriptionAutomaticTaxOptions
             {
-                Enabled = true
+                Enabled = customer.Tax?.AutomaticTax == StripeConstants.AutomaticTaxStatus.Supported,
             },
             CollectionMethod = StripeConstants.CollectionMethod.ChargeAutomatically,
             Customer = customer.Id,
diff --git a/src/Core/Billing/Services/Implementations/SubscriberService.cs b/src/Core/Billing/Services/Implementations/SubscriberService.cs
index f4cf22ac19..b2dca19e80 100644
--- a/src/Core/Billing/Services/Implementations/SubscriberService.cs
+++ b/src/Core/Billing/Services/Implementations/SubscriberService.cs
@@ -661,11 +661,21 @@ public class SubscriberService(
             }
         }
 
-        await stripeAdapter.SubscriptionUpdateAsync(subscriber.GatewaySubscriptionId,
-            new SubscriptionUpdateOptions
-            {
-                AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true },
-            });
+        if (SubscriberIsEligibleForAutomaticTax(subscriber, customer))
+        {
+            await stripeAdapter.SubscriptionUpdateAsync(subscriber.GatewaySubscriptionId,
+                new SubscriptionUpdateOptions
+                {
+                    AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
+                });
+        }
+
+        return;
+
+        bool SubscriberIsEligibleForAutomaticTax(ISubscriber localSubscriber, Customer localCustomer)
+            => !string.IsNullOrEmpty(localSubscriber.GatewaySubscriptionId) &&
+               (localCustomer.Subscriptions?.Any(sub => sub.Id == localSubscriber.GatewaySubscriptionId && !sub.AutomaticTax.Enabled) ?? false) &&
+               localCustomer.Tax?.AutomaticTax == StripeConstants.AutomaticTaxStatus.Supported;
     }
 
     public async Task VerifyBankAccount(
diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
index fb5c7364a5..553c1c65a8 100644
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -177,7 +177,7 @@ public class StripePaymentService : IPaymentService
             customer = await _stripeAdapter.CustomerCreateAsync(customerCreateOptions);
             subCreateOptions.AddExpand("latest_invoice.payment_intent");
             subCreateOptions.Customer = customer.Id;
-            subCreateOptions.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true };
+            subCreateOptions.EnableAutomaticTax(customer);
 
             subscription = await _stripeAdapter.SubscriptionCreateAsync(subCreateOptions);
             if (subscription.Status == "incomplete" && subscription.LatestInvoice?.PaymentIntent != null)
@@ -358,10 +358,9 @@ public class StripePaymentService : IPaymentService
             customer = await _stripeAdapter.CustomerUpdateAsync(org.GatewayCustomerId, customerUpdateOptions);
         }
 
-        var subCreateOptions = new OrganizationUpgradeSubscriptionOptions(customer.Id, org, plan, upgrade)
-        {
-            AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
-        };
+        var subCreateOptions = new OrganizationUpgradeSubscriptionOptions(customer.Id, org, plan, upgrade);
+
+        subCreateOptions.EnableAutomaticTax(customer);
 
         var (stripePaymentMethod, paymentMethodType) = IdentifyPaymentMethod(customer, subCreateOptions);
 
@@ -520,10 +519,6 @@ public class StripePaymentService : IPaymentService
 
             var customerCreateOptions = new CustomerCreateOptions
             {
-                Tax = new CustomerTaxOptions
-                {
-                    ValidateLocation = StripeConstants.ValidateTaxLocationTiming.Immediately
-                },
                 Description = user.Name,
                 Email = user.Email,
                 Metadata = stripeCustomerMetadata,
@@ -561,7 +556,6 @@ public class StripePaymentService : IPaymentService
 
         var subCreateOptions = new SubscriptionCreateOptions
         {
-            AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true },
             Customer = customer.Id,
             Items = [],
             Metadata = new Dictionary<string, string>
@@ -581,10 +575,12 @@ public class StripePaymentService : IPaymentService
             subCreateOptions.Items.Add(new SubscriptionItemOptions
             {
                 Plan = StoragePlanId,
-                Quantity = additionalStorageGb,
+                Quantity = additionalStorageGb
             });
         }
 
+        subCreateOptions.EnableAutomaticTax(customer);
+
         var subscription = await ChargeForNewSubscriptionAsync(user, customer, createdStripeCustomer,
             stripePaymentMethod, paymentMethodType, subCreateOptions, braintreeCustomer);
 
@@ -622,7 +618,10 @@ public class StripePaymentService : IPaymentService
                     SubscriptionItems = ToInvoiceSubscriptionItemOptions(subCreateOptions.Items)
                 });
 
-                previewInvoice.AutomaticTax = new InvoiceAutomaticTax { Enabled = true };
+                if (customer.HasTaxLocationVerified())
+                {
+                    previewInvoice.AutomaticTax = new InvoiceAutomaticTax { Enabled = true };
+                }
 
                 if (previewInvoice.AmountDue > 0)
                 {
@@ -680,12 +679,10 @@ public class StripePaymentService : IPaymentService
                     Customer = customer.Id,
                     SubscriptionItems = ToInvoiceSubscriptionItemOptions(subCreateOptions.Items),
                     SubscriptionDefaultTaxRates = subCreateOptions.DefaultTaxRates,
-                    AutomaticTax = new InvoiceAutomaticTaxOptions
-                    {
-                        Enabled = true
-                    }
                 };
 
+                upcomingInvoiceOptions.EnableAutomaticTax(customer, null);
+
                 var previewInvoice = await _stripeAdapter.InvoiceUpcomingAsync(upcomingInvoiceOptions);
 
                 if (previewInvoice.AmountDue > 0)
@@ -804,11 +801,7 @@ public class StripePaymentService : IPaymentService
             Items = updatedItemOptions,
             ProrationBehavior = invoiceNow ? Constants.AlwaysInvoice : Constants.CreateProrations,
             DaysUntilDue = daysUntilDue ?? 1,
-            CollectionMethod = "send_invoice",
-            AutomaticTax = new SubscriptionAutomaticTaxOptions
-            {
-                Enabled = true
-            }
+            CollectionMethod = "send_invoice"
         };
         if (!invoiceNow && isAnnualPlan && sub.Status.Trim() != "trialing")
         {
@@ -816,6 +809,8 @@ public class StripePaymentService : IPaymentService
                 new SubscriptionPendingInvoiceItemIntervalOptions { Interval = "month" };
         }
 
+        subUpdateOptions.EnableAutomaticTax(sub.Customer, sub);
+
         if (!subscriptionUpdate.UpdateNeeded(sub))
         {
             // No need to update subscription, quantity matches
@@ -1500,11 +1495,13 @@ public class StripePaymentService : IPaymentService
             if (!string.IsNullOrEmpty(subscriber.GatewaySubscriptionId) &&
                 customer.Subscriptions.Any(sub =>
                     sub.Id == subscriber.GatewaySubscriptionId &&
-                    !sub.AutomaticTax.Enabled))
+                    !sub.AutomaticTax.Enabled) &&
+                customer.HasTaxLocationVerified())
             {
                 var subscriptionUpdateOptions = new SubscriptionUpdateOptions
                 {
-                    AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
+                    AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true },
+                    DefaultTaxRates = []
                 };
 
                 _ = await _stripeAdapter.SubscriptionUpdateAsync(

From a1ef07ea69ad39a92931ada2c3c8963b18237020 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Thu, 6 Feb 2025 17:11:20 +0100
Subject: [PATCH 254/384] =?UTF-8?q?Revert=20"[PM-18028]=20Attempting=20to?=
 =?UTF-8?q?=20enable=20automatic=20tax=20on=20customer=20with=20invali?=
 =?UTF-8?q?=E2=80=A6"=20(#5375)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This reverts commit 678d5d5d632447ac3431781d8232971eab713edc.
---
 .../Implementations/UpcomingInvoiceHandler.cs | 13 +++---
 .../Billing/Extensions/CustomerExtensions.cs  | 16 -------
 .../SubscriptionCreateOptionsExtensions.cs    | 26 -----------
 .../SubscriptionUpdateOptionsExtensions.cs    | 35 ---------------
 .../UpcomingInvoiceOptionsExtensions.cs       | 35 ---------------
 .../PremiumUserBillingService.cs              |  2 +-
 .../Implementations/SubscriberService.cs      | 20 +++------
 .../Implementations/StripePaymentService.cs   | 43 ++++++++++---------
 8 files changed, 35 insertions(+), 155 deletions(-)
 delete mode 100644 src/Core/Billing/Extensions/CustomerExtensions.cs
 delete mode 100644 src/Core/Billing/Extensions/SubscriptionCreateOptionsExtensions.cs
 delete mode 100644 src/Core/Billing/Extensions/SubscriptionUpdateOptionsExtensions.cs
 delete mode 100644 src/Core/Billing/Extensions/UpcomingInvoiceOptionsExtensions.cs

diff --git a/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs b/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs
index 409bd0d18b..c52c03b6aa 100644
--- a/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs
+++ b/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs
@@ -1,7 +1,6 @@
 using Bit.Billing.Constants;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Repositories;
-using Bit.Core.Billing.Extensions;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -161,16 +160,16 @@ public class UpcomingInvoiceHandler : IUpcomingInvoiceHandler
 
     private async Task<Subscription> TryEnableAutomaticTaxAsync(Subscription subscription)
     {
-        var customerGetOptions = new CustomerGetOptions { Expand = ["tax"] };
-        var customer = await _stripeFacade.GetCustomer(subscription.CustomerId, customerGetOptions);
-
-        var subscriptionUpdateOptions = new SubscriptionUpdateOptions();
-
-        if (!subscriptionUpdateOptions.EnableAutomaticTax(customer, subscription))
+        if (subscription.AutomaticTax.Enabled)
         {
             return subscription;
         }
 
+        var subscriptionUpdateOptions = new SubscriptionUpdateOptions
+        {
+            AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
+        };
+
         return await _stripeFacade.UpdateSubscription(subscription.Id, subscriptionUpdateOptions);
     }
 
diff --git a/src/Core/Billing/Extensions/CustomerExtensions.cs b/src/Core/Billing/Extensions/CustomerExtensions.cs
deleted file mode 100644
index 62f1a5055c..0000000000
--- a/src/Core/Billing/Extensions/CustomerExtensions.cs
+++ /dev/null
@@ -1,16 +0,0 @@
-using Bit.Core.Billing.Constants;
-using Stripe;
-
-namespace Bit.Core.Billing.Extensions;
-
-public static class CustomerExtensions
-{
-
-    /// <summary>
-    /// Determines if a Stripe customer supports automatic tax
-    /// </summary>
-    /// <param name="customer"></param>
-    /// <returns></returns>
-    public static bool HasTaxLocationVerified(this Customer customer) =>
-        customer?.Tax?.AutomaticTax == StripeConstants.AutomaticTaxStatus.Supported;
-}
diff --git a/src/Core/Billing/Extensions/SubscriptionCreateOptionsExtensions.cs b/src/Core/Billing/Extensions/SubscriptionCreateOptionsExtensions.cs
deleted file mode 100644
index d76a0553a3..0000000000
--- a/src/Core/Billing/Extensions/SubscriptionCreateOptionsExtensions.cs
+++ /dev/null
@@ -1,26 +0,0 @@
-using Stripe;
-
-namespace Bit.Core.Billing.Extensions;
-
-public static class SubscriptionCreateOptionsExtensions
-{
-    /// <summary>
-    /// Attempts to enable automatic tax for given new subscription options.
-    /// </summary>
-    /// <param name="options"></param>
-    /// <param name="customer">The existing customer.</param>
-    /// <returns>Returns true when successful, false when conditions are not met.</returns>
-    public static bool EnableAutomaticTax(this SubscriptionCreateOptions options, Customer customer)
-    {
-        // We might only need to check the automatic tax status.
-        if (!customer.HasTaxLocationVerified() && string.IsNullOrWhiteSpace(customer.Address?.Country))
-        {
-            return false;
-        }
-
-        options.DefaultTaxRates = [];
-        options.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true };
-
-        return true;
-    }
-}
diff --git a/src/Core/Billing/Extensions/SubscriptionUpdateOptionsExtensions.cs b/src/Core/Billing/Extensions/SubscriptionUpdateOptionsExtensions.cs
deleted file mode 100644
index d70af78fa8..0000000000
--- a/src/Core/Billing/Extensions/SubscriptionUpdateOptionsExtensions.cs
+++ /dev/null
@@ -1,35 +0,0 @@
-using Stripe;
-
-namespace Bit.Core.Billing.Extensions;
-
-public static class SubscriptionUpdateOptionsExtensions
-{
-    /// <summary>
-    /// Attempts to enable automatic tax for given subscription options.
-    /// </summary>
-    /// <param name="options"></param>
-    /// <param name="customer">The existing customer to which the subscription belongs.</param>
-    /// <param name="subscription">The existing subscription.</param>
-    /// <returns>Returns true when successful, false when conditions are not met.</returns>
-    public static bool EnableAutomaticTax(
-        this SubscriptionUpdateOptions options,
-        Customer customer,
-        Subscription subscription)
-    {
-        if (subscription.AutomaticTax.Enabled)
-        {
-            return false;
-        }
-
-        // We might only need to check the automatic tax status.
-        if (!customer.HasTaxLocationVerified() && string.IsNullOrWhiteSpace(customer.Address?.Country))
-        {
-            return false;
-        }
-
-        options.DefaultTaxRates = [];
-        options.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true };
-
-        return true;
-    }
-}
diff --git a/src/Core/Billing/Extensions/UpcomingInvoiceOptionsExtensions.cs b/src/Core/Billing/Extensions/UpcomingInvoiceOptionsExtensions.cs
deleted file mode 100644
index 88df5638c9..0000000000
--- a/src/Core/Billing/Extensions/UpcomingInvoiceOptionsExtensions.cs
+++ /dev/null
@@ -1,35 +0,0 @@
-using Stripe;
-
-namespace Bit.Core.Billing.Extensions;
-
-public static class UpcomingInvoiceOptionsExtensions
-{
-    /// <summary>
-    /// Attempts to enable automatic tax for given upcoming invoice options.
-    /// </summary>
-    /// <param name="options"></param>
-    /// <param name="customer">The existing customer to which the upcoming invoice belongs.</param>
-    /// <param name="subscription">The existing subscription to which the upcoming invoice belongs.</param>
-    /// <returns>Returns true when successful, false when conditions are not met.</returns>
-    public static bool EnableAutomaticTax(
-        this UpcomingInvoiceOptions options,
-        Customer customer,
-        Subscription subscription)
-    {
-        if (subscription != null && subscription.AutomaticTax.Enabled)
-        {
-            return false;
-        }
-
-        // We might only need to check the automatic tax status.
-        if (!customer.HasTaxLocationVerified() && string.IsNullOrWhiteSpace(customer.Address?.Country))
-        {
-            return false;
-        }
-
-        options.AutomaticTax = new InvoiceAutomaticTaxOptions { Enabled = true };
-        options.SubscriptionDefaultTaxRates = [];
-
-        return true;
-    }
-}
diff --git a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
index 99815c0557..ed841c9576 100644
--- a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
@@ -258,7 +258,7 @@ public class PremiumUserBillingService(
         {
             AutomaticTax = new SubscriptionAutomaticTaxOptions
             {
-                Enabled = customer.Tax?.AutomaticTax == StripeConstants.AutomaticTaxStatus.Supported,
+                Enabled = true
             },
             CollectionMethod = StripeConstants.CollectionMethod.ChargeAutomatically,
             Customer = customer.Id,
diff --git a/src/Core/Billing/Services/Implementations/SubscriberService.cs b/src/Core/Billing/Services/Implementations/SubscriberService.cs
index b2dca19e80..f4cf22ac19 100644
--- a/src/Core/Billing/Services/Implementations/SubscriberService.cs
+++ b/src/Core/Billing/Services/Implementations/SubscriberService.cs
@@ -661,21 +661,11 @@ public class SubscriberService(
             }
         }
 
-        if (SubscriberIsEligibleForAutomaticTax(subscriber, customer))
-        {
-            await stripeAdapter.SubscriptionUpdateAsync(subscriber.GatewaySubscriptionId,
-                new SubscriptionUpdateOptions
-                {
-                    AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
-                });
-        }
-
-        return;
-
-        bool SubscriberIsEligibleForAutomaticTax(ISubscriber localSubscriber, Customer localCustomer)
-            => !string.IsNullOrEmpty(localSubscriber.GatewaySubscriptionId) &&
-               (localCustomer.Subscriptions?.Any(sub => sub.Id == localSubscriber.GatewaySubscriptionId && !sub.AutomaticTax.Enabled) ?? false) &&
-               localCustomer.Tax?.AutomaticTax == StripeConstants.AutomaticTaxStatus.Supported;
+        await stripeAdapter.SubscriptionUpdateAsync(subscriber.GatewaySubscriptionId,
+            new SubscriptionUpdateOptions
+            {
+                AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true },
+            });
     }
 
     public async Task VerifyBankAccount(
diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
index 553c1c65a8..fb5c7364a5 100644
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -177,7 +177,7 @@ public class StripePaymentService : IPaymentService
             customer = await _stripeAdapter.CustomerCreateAsync(customerCreateOptions);
             subCreateOptions.AddExpand("latest_invoice.payment_intent");
             subCreateOptions.Customer = customer.Id;
-            subCreateOptions.EnableAutomaticTax(customer);
+            subCreateOptions.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true };
 
             subscription = await _stripeAdapter.SubscriptionCreateAsync(subCreateOptions);
             if (subscription.Status == "incomplete" && subscription.LatestInvoice?.PaymentIntent != null)
@@ -358,9 +358,10 @@ public class StripePaymentService : IPaymentService
             customer = await _stripeAdapter.CustomerUpdateAsync(org.GatewayCustomerId, customerUpdateOptions);
         }
 
-        var subCreateOptions = new OrganizationUpgradeSubscriptionOptions(customer.Id, org, plan, upgrade);
-
-        subCreateOptions.EnableAutomaticTax(customer);
+        var subCreateOptions = new OrganizationUpgradeSubscriptionOptions(customer.Id, org, plan, upgrade)
+        {
+            AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
+        };
 
         var (stripePaymentMethod, paymentMethodType) = IdentifyPaymentMethod(customer, subCreateOptions);
 
@@ -519,6 +520,10 @@ public class StripePaymentService : IPaymentService
 
             var customerCreateOptions = new CustomerCreateOptions
             {
+                Tax = new CustomerTaxOptions
+                {
+                    ValidateLocation = StripeConstants.ValidateTaxLocationTiming.Immediately
+                },
                 Description = user.Name,
                 Email = user.Email,
                 Metadata = stripeCustomerMetadata,
@@ -556,6 +561,7 @@ public class StripePaymentService : IPaymentService
 
         var subCreateOptions = new SubscriptionCreateOptions
         {
+            AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true },
             Customer = customer.Id,
             Items = [],
             Metadata = new Dictionary<string, string>
@@ -575,12 +581,10 @@ public class StripePaymentService : IPaymentService
             subCreateOptions.Items.Add(new SubscriptionItemOptions
             {
                 Plan = StoragePlanId,
-                Quantity = additionalStorageGb
+                Quantity = additionalStorageGb,
             });
         }
 
-        subCreateOptions.EnableAutomaticTax(customer);
-
         var subscription = await ChargeForNewSubscriptionAsync(user, customer, createdStripeCustomer,
             stripePaymentMethod, paymentMethodType, subCreateOptions, braintreeCustomer);
 
@@ -618,10 +622,7 @@ public class StripePaymentService : IPaymentService
                     SubscriptionItems = ToInvoiceSubscriptionItemOptions(subCreateOptions.Items)
                 });
 
-                if (customer.HasTaxLocationVerified())
-                {
-                    previewInvoice.AutomaticTax = new InvoiceAutomaticTax { Enabled = true };
-                }
+                previewInvoice.AutomaticTax = new InvoiceAutomaticTax { Enabled = true };
 
                 if (previewInvoice.AmountDue > 0)
                 {
@@ -679,10 +680,12 @@ public class StripePaymentService : IPaymentService
                     Customer = customer.Id,
                     SubscriptionItems = ToInvoiceSubscriptionItemOptions(subCreateOptions.Items),
                     SubscriptionDefaultTaxRates = subCreateOptions.DefaultTaxRates,
+                    AutomaticTax = new InvoiceAutomaticTaxOptions
+                    {
+                        Enabled = true
+                    }
                 };
 
-                upcomingInvoiceOptions.EnableAutomaticTax(customer, null);
-
                 var previewInvoice = await _stripeAdapter.InvoiceUpcomingAsync(upcomingInvoiceOptions);
 
                 if (previewInvoice.AmountDue > 0)
@@ -801,7 +804,11 @@ public class StripePaymentService : IPaymentService
             Items = updatedItemOptions,
             ProrationBehavior = invoiceNow ? Constants.AlwaysInvoice : Constants.CreateProrations,
             DaysUntilDue = daysUntilDue ?? 1,
-            CollectionMethod = "send_invoice"
+            CollectionMethod = "send_invoice",
+            AutomaticTax = new SubscriptionAutomaticTaxOptions
+            {
+                Enabled = true
+            }
         };
         if (!invoiceNow && isAnnualPlan && sub.Status.Trim() != "trialing")
         {
@@ -809,8 +816,6 @@ public class StripePaymentService : IPaymentService
                 new SubscriptionPendingInvoiceItemIntervalOptions { Interval = "month" };
         }
 
-        subUpdateOptions.EnableAutomaticTax(sub.Customer, sub);
-
         if (!subscriptionUpdate.UpdateNeeded(sub))
         {
             // No need to update subscription, quantity matches
@@ -1495,13 +1500,11 @@ public class StripePaymentService : IPaymentService
             if (!string.IsNullOrEmpty(subscriber.GatewaySubscriptionId) &&
                 customer.Subscriptions.Any(sub =>
                     sub.Id == subscriber.GatewaySubscriptionId &&
-                    !sub.AutomaticTax.Enabled) &&
-                customer.HasTaxLocationVerified())
+                    !sub.AutomaticTax.Enabled))
             {
                 var subscriptionUpdateOptions = new SubscriptionUpdateOptions
                 {
-                    AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true },
-                    DefaultTaxRates = []
+                    AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
                 };
 
                 _ = await _stripeAdapter.SubscriptionUpdateAsync(

From f7d882d760cb8cc1d283d1c1297202f4583f0e09 Mon Sep 17 00:00:00 2001
From: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Date: Thu, 6 Feb 2025 14:37:15 -0500
Subject: [PATCH 255/384] Remove feature flag from endpoint (#5342)

---
 src/Api/Auth/Controllers/AccountsController.cs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/Api/Auth/Controllers/AccountsController.cs b/src/Api/Auth/Controllers/AccountsController.cs
index 7990a5a18a..3f460a3b90 100644
--- a/src/Api/Auth/Controllers/AccountsController.cs
+++ b/src/Api/Auth/Controllers/AccountsController.cs
@@ -974,7 +974,6 @@ public class AccountsController : Controller
         await _userService.ResendNewDeviceVerificationEmail(request.Email, request.Secret);
     }
 
-    [RequireFeature(FeatureFlagKeys.NewDeviceVerification)]
     [HttpPost("verify-devices")]
     [HttpPut("verify-devices")]
     public async Task SetUserVerifyDevicesAsync([FromBody] SetVerifyDevicesRequestModel request)

From 58d2a7ddaaa6d9e78b0ebca5cdfeb8a4ab3f6121 Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann <mail@quexten.com>
Date: Thu, 6 Feb 2025 21:38:50 +0100
Subject: [PATCH 256/384] [PM-17210] Prevent unintentionally corrupting private
 keys (#5285)

* Prevent unintentionally corrupting private keys

* Deny key update only when replacing existing keys

* Fix incorrect use of existing user public/encrypted private key

* Fix test

* Fix tests

* Re-add test

* Pass through error for set-password

* Fix test

* Increase test coverage and simplify checks
---
 .../Auth/Controllers/AccountsController.cs    |  12 +-
 .../Api/Request/Accounts/KeysRequestModel.cs  |  24 +++-
 .../Controllers/AccountsControllerTests.cs    | 127 +++++++++++-------
 3 files changed, 108 insertions(+), 55 deletions(-)

diff --git a/src/Api/Auth/Controllers/AccountsController.cs b/src/Api/Auth/Controllers/AccountsController.cs
index 3f460a3b90..1cd9292386 100644
--- a/src/Api/Auth/Controllers/AccountsController.cs
+++ b/src/Api/Auth/Controllers/AccountsController.cs
@@ -266,8 +266,18 @@ public class AccountsController : Controller
             throw new UnauthorizedAccessException();
         }
 
+        try
+        {
+            user = model.ToUser(user);
+        }
+        catch (Exception e)
+        {
+            ModelState.AddModelError(string.Empty, e.Message);
+            throw new BadRequestException(ModelState);
+        }
+
         var result = await _setInitialMasterPasswordCommand.SetInitialMasterPasswordAsync(
-            model.ToUser(user),
+            user,
             model.MasterPasswordHash,
             model.Key,
             model.OrgIdentifier);
diff --git a/src/Core/Auth/Models/Api/Request/Accounts/KeysRequestModel.cs b/src/Core/Auth/Models/Api/Request/Accounts/KeysRequestModel.cs
index 93832542de..0964fe1a1d 100644
--- a/src/Core/Auth/Models/Api/Request/Accounts/KeysRequestModel.cs
+++ b/src/Core/Auth/Models/Api/Request/Accounts/KeysRequestModel.cs
@@ -1,26 +1,36 @@
 using System.ComponentModel.DataAnnotations;
 using Bit.Core.Entities;
+using Bit.Core.Utilities;
 
 namespace Bit.Core.Auth.Models.Api.Request.Accounts;
 
 public class KeysRequestModel
 {
+    [Required]
     public string PublicKey { get; set; }
     [Required]
     public string EncryptedPrivateKey { get; set; }
 
     public User ToUser(User existingUser)
     {
-        if (string.IsNullOrWhiteSpace(existingUser.PublicKey) && !string.IsNullOrWhiteSpace(PublicKey))
+        if (string.IsNullOrWhiteSpace(PublicKey) || string.IsNullOrWhiteSpace(EncryptedPrivateKey))
+        {
+            throw new InvalidOperationException("Public and private keys are required.");
+        }
+
+        if (string.IsNullOrWhiteSpace(existingUser.PublicKey) && string.IsNullOrWhiteSpace(existingUser.PrivateKey))
         {
             existingUser.PublicKey = PublicKey;
-        }
-
-        if (string.IsNullOrWhiteSpace(existingUser.PrivateKey))
-        {
             existingUser.PrivateKey = EncryptedPrivateKey;
+            return existingUser;
+        }
+        else if (PublicKey == existingUser.PublicKey && CoreHelpers.FixedTimeEquals(EncryptedPrivateKey, existingUser.PrivateKey))
+        {
+            return existingUser;
+        }
+        else
+        {
+            throw new InvalidOperationException("Cannot replace existing key(s) with new key(s).");
         }
-
-        return existingUser;
     }
 }
diff --git a/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs b/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
index 1b8c040789..33b7e764d4 100644
--- a/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
+++ b/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
@@ -419,22 +419,32 @@ public class AccountsControllerTests : IDisposable
 
 
     [Theory]
-    [BitAutoData(true, false)]  // User has PublicKey and PrivateKey, and Keys in request are NOT null
-    [BitAutoData(true, true)]   // User has PublicKey and PrivateKey, and Keys in request are null
-    [BitAutoData(false, false)] // User has neither PublicKey nor PrivateKey, and Keys in request are NOT null
-    [BitAutoData(false, true)]  // User has neither PublicKey nor PrivateKey, and Keys in request are null
+    [BitAutoData(true, "existingPrivateKey", "existingPublicKey", true)] // allow providing existing keys in the request
+    [BitAutoData(true, null, null, true)] // allow not setting the public key when the user already has a key
+    [BitAutoData(false, "newPrivateKey", "newPublicKey", true)] // allow setting new keys when the user has no keys
+    [BitAutoData(false, null, null, true)] // allow not setting the public key when the user has no keys
+    // do not allow single key
+    [BitAutoData(false, "existingPrivateKey", null, false)]
+    [BitAutoData(false, null, "existingPublicKey", false)]
+    [BitAutoData(false, "newPrivateKey", null, false)]
+    [BitAutoData(false, null, "newPublicKey", false)]
+    [BitAutoData(true, "existingPrivateKey", null, false)]
+    [BitAutoData(true, null, "existingPublicKey", false)]
+    [BitAutoData(true, "newPrivateKey", null, false)]
+    [BitAutoData(true, null, "newPublicKey", false)]
+    // reject overwriting existing keys
+    [BitAutoData(true, "newPrivateKey", "newPublicKey", false)]
     public async Task PostSetPasswordAsync_WhenUserExistsAndSettingPasswordSucceeds_ShouldHandleKeysCorrectlyAndReturn(
-    bool hasExistingKeys,
-    bool shouldSetKeysToNull,
-    User user,
-    SetPasswordRequestModel setPasswordRequestModel)
+        bool hasExistingKeys,
+        string requestPrivateKey,
+        string requestPublicKey,
+        bool shouldSucceed,
+        User user,
+        SetPasswordRequestModel setPasswordRequestModel)
     {
         // Arrange
         const string existingPublicKey = "existingPublicKey";
-        const string existingEncryptedPrivateKey = "existingEncryptedPrivateKey";
-
-        const string newPublicKey = "newPublicKey";
-        const string newEncryptedPrivateKey = "newEncryptedPrivateKey";
+        const string existingEncryptedPrivateKey = "existingPrivateKey";
 
         if (hasExistingKeys)
         {
@@ -447,16 +457,16 @@ public class AccountsControllerTests : IDisposable
             user.PrivateKey = null;
         }
 
-        if (shouldSetKeysToNull)
+        if (requestPrivateKey == null && requestPublicKey == null)
         {
             setPasswordRequestModel.Keys = null;
         }
         else
         {
-            setPasswordRequestModel.Keys = new KeysRequestModel()
+            setPasswordRequestModel.Keys = new KeysRequestModel
             {
-                PublicKey = newPublicKey,
-                EncryptedPrivateKey = newEncryptedPrivateKey
+                EncryptedPrivateKey = requestPrivateKey,
+                PublicKey = requestPublicKey
             };
         }
 
@@ -469,44 +479,66 @@ public class AccountsControllerTests : IDisposable
             .Returns(Task.FromResult(IdentityResult.Success));
 
         // Act
-        await _sut.PostSetPasswordAsync(setPasswordRequestModel);
-
-        // Assert
-        await _setInitialMasterPasswordCommand.Received(1)
-            .SetInitialMasterPasswordAsync(
-                Arg.Is<User>(u => u == user),
-                Arg.Is<string>(s => s == setPasswordRequestModel.MasterPasswordHash),
-                Arg.Is<string>(s => s == setPasswordRequestModel.Key),
-                Arg.Is<string>(s => s == setPasswordRequestModel.OrgIdentifier));
-
-        // Additional Assertions for User object modifications
-        Assert.Equal(setPasswordRequestModel.MasterPasswordHint, user.MasterPasswordHint);
-        Assert.Equal(setPasswordRequestModel.Kdf, user.Kdf);
-        Assert.Equal(setPasswordRequestModel.KdfIterations, user.KdfIterations);
-        Assert.Equal(setPasswordRequestModel.KdfMemory, user.KdfMemory);
-        Assert.Equal(setPasswordRequestModel.KdfParallelism, user.KdfParallelism);
-        Assert.Equal(setPasswordRequestModel.Key, user.Key);
-
-        if (hasExistingKeys)
+        if (shouldSucceed)
         {
-            // User Keys should not be modified
-            Assert.Equal(existingPublicKey, user.PublicKey);
-            Assert.Equal(existingEncryptedPrivateKey, user.PrivateKey);
-        }
-        else if (!shouldSetKeysToNull)
-        {
-            // User had no keys so they should be set to the request model's keys
-            Assert.Equal(setPasswordRequestModel.Keys.PublicKey, user.PublicKey);
-            Assert.Equal(setPasswordRequestModel.Keys.EncryptedPrivateKey, user.PrivateKey);
+            await _sut.PostSetPasswordAsync(setPasswordRequestModel);
+            // Assert
+            await _setInitialMasterPasswordCommand.Received(1)
+                .SetInitialMasterPasswordAsync(
+                    Arg.Is<User>(u => u == user),
+                    Arg.Is<string>(s => s == setPasswordRequestModel.MasterPasswordHash),
+                    Arg.Is<string>(s => s == setPasswordRequestModel.Key),
+                    Arg.Is<string>(s => s == setPasswordRequestModel.OrgIdentifier));
+
+            // Additional Assertions for User object modifications
+            Assert.Equal(setPasswordRequestModel.MasterPasswordHint, user.MasterPasswordHint);
+            Assert.Equal(setPasswordRequestModel.Kdf, user.Kdf);
+            Assert.Equal(setPasswordRequestModel.KdfIterations, user.KdfIterations);
+            Assert.Equal(setPasswordRequestModel.KdfMemory, user.KdfMemory);
+            Assert.Equal(setPasswordRequestModel.KdfParallelism, user.KdfParallelism);
+            Assert.Equal(setPasswordRequestModel.Key, user.Key);
         }
         else
         {
-            // User had no keys and the request model's keys were null, so they should be set to null
-            Assert.Null(user.PublicKey);
-            Assert.Null(user.PrivateKey);
+            await Assert.ThrowsAsync<BadRequestException>(() => _sut.PostSetPasswordAsync(setPasswordRequestModel));
         }
     }
 
+    [Theory]
+    [BitAutoData]
+    public async Task PostSetPasswordAsync_WhenUserExistsAndHasKeysAndKeysAreUpdated_ShouldThrowAsync(
+    User user,
+    SetPasswordRequestModel setPasswordRequestModel)
+    {
+        // Arrange
+        const string existingPublicKey = "existingPublicKey";
+        const string existingEncryptedPrivateKey = "existingEncryptedPrivateKey";
+
+        const string newPublicKey = "newPublicKey";
+        const string newEncryptedPrivateKey = "newEncryptedPrivateKey";
+
+        user.PublicKey = existingPublicKey;
+        user.PrivateKey = existingEncryptedPrivateKey;
+
+        setPasswordRequestModel.Keys = new KeysRequestModel()
+        {
+            PublicKey = newPublicKey,
+            EncryptedPrivateKey = newEncryptedPrivateKey
+        };
+
+        _userService.GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(Task.FromResult(user));
+        _setInitialMasterPasswordCommand.SetInitialMasterPasswordAsync(
+                user,
+                setPasswordRequestModel.MasterPasswordHash,
+                setPasswordRequestModel.Key,
+                setPasswordRequestModel.OrgIdentifier)
+            .Returns(Task.FromResult(IdentityResult.Success));
+
+        // Act & Assert
+        await Assert.ThrowsAsync<BadRequestException>(() => _sut.PostSetPasswordAsync(setPasswordRequestModel));
+    }
+
+
     [Theory]
     [BitAutoData]
     public async Task PostSetPasswordAsync_WhenUserDoesNotExist_ShouldThrowUnauthorizedAccessException(
@@ -525,6 +557,7 @@ public class AccountsControllerTests : IDisposable
         User user,
         SetPasswordRequestModel model)
     {
+        model.Keys = null;
         // Arrange
         _userService.GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(Task.FromResult(user));
         _setInitialMasterPasswordCommand.SetInitialMasterPasswordAsync(Arg.Any<User>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>())

From f8b65e047751b01cfdfc44ea17a029270863707e Mon Sep 17 00:00:00 2001
From: Conner Turnbull <133619638+cturnbull-bitwarden@users.noreply.github.com>
Date: Thu, 6 Feb 2025 16:46:23 -0500
Subject: [PATCH 257/384] Removed all usages of FluentAssertions (#5378)

---
 .github/renovate.json                         |  1 -
 test/Billing.Test/Billing.Test.csproj         |  1 -
 .../Controllers/PayPalControllerTests.cs      |  9 +--
 .../Services/StripeEventServiceTests.cs       | 79 ++++++++-----------
 4 files changed, 38 insertions(+), 52 deletions(-)

diff --git a/.github/renovate.json b/.github/renovate.json
index affa29bea9..31d78a4d4e 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -64,7 +64,6 @@
         "Braintree",
         "coverlet.collector",
         "CsvHelper",
-        "FluentAssertions",
         "Kralizek.AutoFixture.Extensions.MockHttp",
         "Microsoft.AspNetCore.Mvc.Testing",
         "Microsoft.Extensions.Logging",
diff --git a/test/Billing.Test/Billing.Test.csproj b/test/Billing.Test/Billing.Test.csproj
index 4d71425681..b4ea2938f6 100644
--- a/test/Billing.Test/Billing.Test.csproj
+++ b/test/Billing.Test/Billing.Test.csproj
@@ -6,7 +6,6 @@
 
   <ItemGroup>
     <PackageReference Include="Divergic.Logging.Xunit" Version="4.3.0" />
-    <PackageReference Include="FluentAssertions" Version="7.0.0" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNetTestSdkVersion)" />
     <PackageReference Include="RichardSzalay.MockHttp" Version="7.0.0" />
     <PackageReference Include="xunit" Version="$(XUnitVersion)" />
diff --git a/test/Billing.Test/Controllers/PayPalControllerTests.cs b/test/Billing.Test/Controllers/PayPalControllerTests.cs
index 3c9edd2220..a059207c76 100644
--- a/test/Billing.Test/Controllers/PayPalControllerTests.cs
+++ b/test/Billing.Test/Controllers/PayPalControllerTests.cs
@@ -8,7 +8,6 @@ using Bit.Core.Enums;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Divergic.Logging.Xunit;
-using FluentAssertions;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Infrastructure;
@@ -577,14 +576,14 @@ public class PayPalControllerTests
     {
         var statusCodeActionResult = (IStatusCodeActionResult)result;
 
-        statusCodeActionResult.StatusCode.Should().Be(statusCode);
+        Assert.Equal(statusCode, statusCodeActionResult.StatusCode);
     }
 
     private static void Logged(ICacheLogger logger, LogLevel logLevel, string message)
     {
-        logger.Last.Should().NotBeNull();
-        logger.Last!.LogLevel.Should().Be(logLevel);
-        logger.Last!.Message.Should().Be(message);
+        Assert.NotNull(logger.Last);
+        Assert.Equal(logLevel, logger.Last!.LogLevel);
+        Assert.Equal(message, logger.Last!.Message);
     }
 
     private static void LoggedError(ICacheLogger logger, string message)
diff --git a/test/Billing.Test/Services/StripeEventServiceTests.cs b/test/Billing.Test/Services/StripeEventServiceTests.cs
index 15aa5c7234..b40e8b9408 100644
--- a/test/Billing.Test/Services/StripeEventServiceTests.cs
+++ b/test/Billing.Test/Services/StripeEventServiceTests.cs
@@ -2,7 +2,6 @@
 using Bit.Billing.Services.Implementations;
 using Bit.Billing.Test.Utilities;
 using Bit.Core.Settings;
-using FluentAssertions;
 using Microsoft.Extensions.Logging;
 using NSubstitute;
 using Stripe;
@@ -36,10 +35,8 @@ public class StripeEventServiceTests
         var function = async () => await _stripeEventService.GetCharge(stripeEvent);
 
         // Assert
-        await function
-            .Should()
-            .ThrowAsync<Exception>()
-            .WithMessage($"Stripe event with ID '{stripeEvent.Id}' does not have object matching type '{nameof(Charge)}'");
+        var exception = await Assert.ThrowsAsync<Exception>(function);
+        Assert.Equal($"Stripe event with ID '{stripeEvent.Id}' does not have object matching type '{nameof(Charge)}'", exception.Message);
 
         await _stripeFacade.DidNotReceiveWithAnyArgs().GetCharge(
             Arg.Any<string>(),
@@ -58,7 +55,7 @@ public class StripeEventServiceTests
         var charge = await _stripeEventService.GetCharge(stripeEvent);
 
         // Assert
-        charge.Should().BeEquivalentTo(stripeEvent.Data.Object as Charge);
+        Assert.Equivalent(stripeEvent.Data.Object as Charge, charge, true);
 
         await _stripeFacade.DidNotReceiveWithAnyArgs().GetCharge(
             Arg.Any<string>(),
@@ -88,8 +85,8 @@ public class StripeEventServiceTests
         var charge = await _stripeEventService.GetCharge(stripeEvent, true, expand);
 
         // Assert
-        charge.Should().Be(apiCharge);
-        charge.Should().NotBeSameAs(eventCharge);
+        Assert.Equal(apiCharge, charge);
+        Assert.NotSame(eventCharge, charge);
 
         await _stripeFacade.Received().GetCharge(
             apiCharge.Id,
@@ -110,10 +107,8 @@ public class StripeEventServiceTests
         var function = async () => await _stripeEventService.GetCustomer(stripeEvent);
 
         // Assert
-        await function
-            .Should()
-            .ThrowAsync<Exception>()
-            .WithMessage($"Stripe event with ID '{stripeEvent.Id}' does not have object matching type '{nameof(Customer)}'");
+        var exception = await Assert.ThrowsAsync<Exception>(function);
+        Assert.Equal($"Stripe event with ID '{stripeEvent.Id}' does not have object matching type '{nameof(Customer)}'", exception.Message);
 
         await _stripeFacade.DidNotReceiveWithAnyArgs().GetCustomer(
             Arg.Any<string>(),
@@ -132,7 +127,7 @@ public class StripeEventServiceTests
         var customer = await _stripeEventService.GetCustomer(stripeEvent);
 
         // Assert
-        customer.Should().BeEquivalentTo(stripeEvent.Data.Object as Customer);
+        Assert.Equivalent(stripeEvent.Data.Object as Customer, customer, true);
 
         await _stripeFacade.DidNotReceiveWithAnyArgs().GetCustomer(
             Arg.Any<string>(),
@@ -162,8 +157,8 @@ public class StripeEventServiceTests
         var customer = await _stripeEventService.GetCustomer(stripeEvent, true, expand);
 
         // Assert
-        customer.Should().Be(apiCustomer);
-        customer.Should().NotBeSameAs(eventCustomer);
+        Assert.Equal(apiCustomer, customer);
+        Assert.NotSame(eventCustomer, customer);
 
         await _stripeFacade.Received().GetCustomer(
             apiCustomer.Id,
@@ -184,10 +179,8 @@ public class StripeEventServiceTests
         var function = async () => await _stripeEventService.GetInvoice(stripeEvent);
 
         // Assert
-        await function
-            .Should()
-            .ThrowAsync<Exception>()
-            .WithMessage($"Stripe event with ID '{stripeEvent.Id}' does not have object matching type '{nameof(Invoice)}'");
+        var exception = await Assert.ThrowsAsync<Exception>(function);
+        Assert.Equal($"Stripe event with ID '{stripeEvent.Id}' does not have object matching type '{nameof(Invoice)}'", exception.Message);
 
         await _stripeFacade.DidNotReceiveWithAnyArgs().GetInvoice(
             Arg.Any<string>(),
@@ -206,7 +199,7 @@ public class StripeEventServiceTests
         var invoice = await _stripeEventService.GetInvoice(stripeEvent);
 
         // Assert
-        invoice.Should().BeEquivalentTo(stripeEvent.Data.Object as Invoice);
+        Assert.Equivalent(stripeEvent.Data.Object as Invoice, invoice, true);
 
         await _stripeFacade.DidNotReceiveWithAnyArgs().GetInvoice(
             Arg.Any<string>(),
@@ -236,8 +229,8 @@ public class StripeEventServiceTests
         var invoice = await _stripeEventService.GetInvoice(stripeEvent, true, expand);
 
         // Assert
-        invoice.Should().Be(apiInvoice);
-        invoice.Should().NotBeSameAs(eventInvoice);
+        Assert.Equal(apiInvoice, invoice);
+        Assert.NotSame(eventInvoice, invoice);
 
         await _stripeFacade.Received().GetInvoice(
             apiInvoice.Id,
@@ -258,10 +251,8 @@ public class StripeEventServiceTests
         var function = async () => await _stripeEventService.GetPaymentMethod(stripeEvent);
 
         // Assert
-        await function
-            .Should()
-            .ThrowAsync<Exception>()
-            .WithMessage($"Stripe event with ID '{stripeEvent.Id}' does not have object matching type '{nameof(PaymentMethod)}'");
+        var exception = await Assert.ThrowsAsync<Exception>(function);
+        Assert.Equal($"Stripe event with ID '{stripeEvent.Id}' does not have object matching type '{nameof(PaymentMethod)}'", exception.Message);
 
         await _stripeFacade.DidNotReceiveWithAnyArgs().GetPaymentMethod(
             Arg.Any<string>(),
@@ -280,7 +271,7 @@ public class StripeEventServiceTests
         var paymentMethod = await _stripeEventService.GetPaymentMethod(stripeEvent);
 
         // Assert
-        paymentMethod.Should().BeEquivalentTo(stripeEvent.Data.Object as PaymentMethod);
+        Assert.Equivalent(stripeEvent.Data.Object as PaymentMethod, paymentMethod, true);
 
         await _stripeFacade.DidNotReceiveWithAnyArgs().GetPaymentMethod(
             Arg.Any<string>(),
@@ -310,8 +301,8 @@ public class StripeEventServiceTests
         var paymentMethod = await _stripeEventService.GetPaymentMethod(stripeEvent, true, expand);
 
         // Assert
-        paymentMethod.Should().Be(apiPaymentMethod);
-        paymentMethod.Should().NotBeSameAs(eventPaymentMethod);
+        Assert.Equal(apiPaymentMethod, paymentMethod);
+        Assert.NotSame(eventPaymentMethod, paymentMethod);
 
         await _stripeFacade.Received().GetPaymentMethod(
             apiPaymentMethod.Id,
@@ -332,10 +323,8 @@ public class StripeEventServiceTests
         var function = async () => await _stripeEventService.GetSubscription(stripeEvent);
 
         // Assert
-        await function
-            .Should()
-            .ThrowAsync<Exception>()
-            .WithMessage($"Stripe event with ID '{stripeEvent.Id}' does not have object matching type '{nameof(Subscription)}'");
+        var exception = await Assert.ThrowsAsync<Exception>(function);
+        Assert.Equal($"Stripe event with ID '{stripeEvent.Id}' does not have object matching type '{nameof(Subscription)}'", exception.Message);
 
         await _stripeFacade.DidNotReceiveWithAnyArgs().GetSubscription(
             Arg.Any<string>(),
@@ -354,7 +343,7 @@ public class StripeEventServiceTests
         var subscription = await _stripeEventService.GetSubscription(stripeEvent);
 
         // Assert
-        subscription.Should().BeEquivalentTo(stripeEvent.Data.Object as Subscription);
+        Assert.Equivalent(stripeEvent.Data.Object as Subscription, subscription, true);
 
         await _stripeFacade.DidNotReceiveWithAnyArgs().GetSubscription(
             Arg.Any<string>(),
@@ -384,8 +373,8 @@ public class StripeEventServiceTests
         var subscription = await _stripeEventService.GetSubscription(stripeEvent, true, expand);
 
         // Assert
-        subscription.Should().Be(apiSubscription);
-        subscription.Should().NotBeSameAs(eventSubscription);
+        Assert.Equal(apiSubscription, subscription);
+        Assert.NotSame(eventSubscription, subscription);
 
         await _stripeFacade.Received().GetSubscription(
             apiSubscription.Id,
@@ -417,7 +406,7 @@ public class StripeEventServiceTests
         var cloudRegionValid = await _stripeEventService.ValidateCloudRegion(stripeEvent);
 
         // Assert
-        cloudRegionValid.Should().BeTrue();
+        Assert.True(cloudRegionValid);
 
         await _stripeFacade.Received(1).GetSubscription(
             subscription.Id,
@@ -447,7 +436,7 @@ public class StripeEventServiceTests
         var cloudRegionValid = await _stripeEventService.ValidateCloudRegion(stripeEvent);
 
         // Assert
-        cloudRegionValid.Should().BeTrue();
+        Assert.True(cloudRegionValid);
 
         await _stripeFacade.Received(1).GetCharge(
             charge.Id,
@@ -475,7 +464,7 @@ public class StripeEventServiceTests
         var cloudRegionValid = await _stripeEventService.ValidateCloudRegion(stripeEvent);
 
         // Assert
-        cloudRegionValid.Should().BeTrue();
+        Assert.True(cloudRegionValid);
 
         await _stripeFacade.Received(1).GetCustomer(
             invoice.CustomerId,
@@ -505,7 +494,7 @@ public class StripeEventServiceTests
         var cloudRegionValid = await _stripeEventService.ValidateCloudRegion(stripeEvent);
 
         // Assert
-        cloudRegionValid.Should().BeTrue();
+        Assert.True(cloudRegionValid);
 
         await _stripeFacade.Received(1).GetInvoice(
             invoice.Id,
@@ -535,7 +524,7 @@ public class StripeEventServiceTests
         var cloudRegionValid = await _stripeEventService.ValidateCloudRegion(stripeEvent);
 
         // Assert
-        cloudRegionValid.Should().BeTrue();
+        Assert.True(cloudRegionValid);
 
         await _stripeFacade.Received(1).GetPaymentMethod(
             paymentMethod.Id,
@@ -561,7 +550,7 @@ public class StripeEventServiceTests
         var cloudRegionValid = await _stripeEventService.ValidateCloudRegion(stripeEvent);
 
         // Assert
-        cloudRegionValid.Should().BeTrue();
+        Assert.True(cloudRegionValid);
 
         await _stripeFacade.Received(1).GetCustomer(
             customer.Id,
@@ -592,7 +581,7 @@ public class StripeEventServiceTests
         var cloudRegionValid = await _stripeEventService.ValidateCloudRegion(stripeEvent);
 
         // Assert
-        cloudRegionValid.Should().BeFalse();
+        Assert.False(cloudRegionValid);
 
         await _stripeFacade.Received(1).GetSubscription(
             subscription.Id,
@@ -623,7 +612,7 @@ public class StripeEventServiceTests
         var cloudRegionValid = await _stripeEventService.ValidateCloudRegion(stripeEvent);
 
         // Assert
-        cloudRegionValid.Should().BeTrue();
+        Assert.True(cloudRegionValid);
 
         await _stripeFacade.Received(1).GetSubscription(
             subscription.Id,
@@ -657,7 +646,7 @@ public class StripeEventServiceTests
         var cloudRegionValid = await _stripeEventService.ValidateCloudRegion(stripeEvent);
 
         // Assert
-        cloudRegionValid.Should().BeTrue();
+        Assert.True(cloudRegionValid);
 
         await _stripeFacade.Received(1).GetSubscription(
             subscription.Id,

From af07dffa6f4e1be0e3fb94fa84e67e753d38d059 Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Thu, 6 Feb 2025 17:07:43 -0500
Subject: [PATCH 258/384] Relax nullable in test projects (#5379)

* Relax nullable in test projects

* Fix xUnit Warnings

* More xUnit fixes
---
 Directory.Build.props                                      | 5 +++++
 .../Controllers/v2/GroupsControllerTests.cs                | 2 +-
 .../Controllers/v2/UsersControllerTests.cs                 | 2 +-
 test/Api.IntegrationTest/Api.IntegrationTest.csproj        | 1 -
 .../AdminConsole/Services/OrganizationServiceTests.cs      | 2 --
 .../Business/Tokenables/OrgUserInviteTokenableTests.cs     | 2 +-
 test/Core.Test/Utilities/CoreHelpersTests.cs               | 6 +++---
 test/Core.Test/Utilities/EncryptedStringAttributeTests.cs  | 2 +-
 .../Utilities/StrictEmailAddressAttributeTests.cs          | 2 +-
 .../Utilities/StrictEmailAddressListAttributeTests.cs      | 2 +-
 test/Events.IntegrationTest/Events.IntegrationTest.csproj  | 7 +++----
 test/Icons.Test/Models/IconLinkTests.cs                    | 2 +-
 test/Identity.Test/Identity.Test.csproj                    | 3 +--
 .../Infrastructure.Dapper.Test.csproj                      | 6 ++----
 .../Infrastructure.IntegrationTest.csproj                  | 1 -
 15 files changed, 21 insertions(+), 24 deletions(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 88b63d156c..71650fc16c 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -8,6 +8,11 @@
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>
     <IncludeSourceRevisionInInformationalVersion>false</IncludeSourceRevisionInInformationalVersion>
+    <!-- Treat it as a test project if the project hasn't set their own value and it follows our test project conventions -->
+    <IsTestProject Condition="'$(IsTestProject)' == '' and ($(MSBuildProjectName.EndsWith('.Test')) or $(MSBuildProjectName.EndsWith('.IntegrationTest')))">true</IsTestProject>
+    <Nullable Condition="'$(Nullable)' == '' and '$(IsTestProject)' == 'true'">annotations</Nullable>
+    <!-- Uncomment the below line when we are ready to enable nullable repo wide -->
+    <!-- <Nullable Condition="'$(Nullable)' == '' and '$(IsTestProject)' != 'true'">enable</Nullable> -->
   </PropertyGroup>
 
   <!--
diff --git a/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerTests.cs b/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerTests.cs
index 6742c6e0ad..f8150fc1c5 100644
--- a/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerTests.cs
+++ b/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerTests.cs
@@ -248,7 +248,7 @@ public class GroupsControllerTests : IClassFixture<ScimApplicationFactory>, IAsy
     [InlineData(null)]
     [InlineData("")]
     [InlineData(" ")]
-    public async Task Post_InvalidDisplayName_BadRequest(string displayName)
+    public async Task Post_InvalidDisplayName_BadRequest(string? displayName)
     {
         var organizationId = ScimApplicationFactory.TestOrganizationId1;
         var model = new ScimGroupRequestModel
diff --git a/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/UsersControllerTests.cs b/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/UsersControllerTests.cs
index 1c9b0c1127..4c4fda952a 100644
--- a/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/UsersControllerTests.cs
+++ b/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/UsersControllerTests.cs
@@ -324,7 +324,7 @@ public class UsersControllerTests : IClassFixture<ScimApplicationFactory>, IAsyn
     [InlineData(null)]
     [InlineData("")]
     [InlineData(" ")]
-    public async Task Post_InvalidEmail_BadRequest(string email)
+    public async Task Post_InvalidEmail_BadRequest(string? email)
     {
         var displayName = "Test User 5";
         var externalId = "UE";
diff --git a/test/Api.IntegrationTest/Api.IntegrationTest.csproj b/test/Api.IntegrationTest/Api.IntegrationTest.csproj
index 3e300df9ca..8fa74f98d4 100644
--- a/test/Api.IntegrationTest/Api.IntegrationTest.csproj
+++ b/test/Api.IntegrationTest/Api.IntegrationTest.csproj
@@ -1,6 +1,5 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
   <PropertyGroup>
-    <Nullable>enable</Nullable>
     <IsPackable>false</IsPackable>
   </PropertyGroup>
 
diff --git a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
index f4440a65a3..52dd39e182 100644
--- a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
+++ b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
@@ -41,8 +41,6 @@ using Xunit;
 using Organization = Bit.Core.AdminConsole.Entities.Organization;
 using OrganizationUser = Bit.Core.Entities.OrganizationUser;
 
-#nullable enable
-
 namespace Bit.Core.Test.Services;
 
 [SutProviderCustomize]
diff --git a/test/Core.Test/Auth/Models/Business/Tokenables/OrgUserInviteTokenableTests.cs b/test/Core.Test/Auth/Models/Business/Tokenables/OrgUserInviteTokenableTests.cs
index aeeda206fa..866cdbfe29 100644
--- a/test/Core.Test/Auth/Models/Business/Tokenables/OrgUserInviteTokenableTests.cs
+++ b/test/Core.Test/Auth/Models/Business/Tokenables/OrgUserInviteTokenableTests.cs
@@ -109,7 +109,7 @@ public class OrgUserInviteTokenableTests
     [Theory]
     [InlineData(null)]
     [InlineData("")]
-    public void Valid_NullOrEmptyOrgUserEmail_ReturnsFalse(string email)
+    public void Valid_NullOrEmptyOrgUserEmail_ReturnsFalse(string? email)
     {
         var token = new OrgUserInviteTokenable
         {
diff --git a/test/Core.Test/Utilities/CoreHelpersTests.cs b/test/Core.Test/Utilities/CoreHelpersTests.cs
index 2cce276fcb..264a55b6ee 100644
--- a/test/Core.Test/Utilities/CoreHelpersTests.cs
+++ b/test/Core.Test/Utilities/CoreHelpersTests.cs
@@ -271,7 +271,7 @@ public class CoreHelpersTests
     [InlineData("ascii.com", "ascii.com")]
     [InlineData("", "")]
     [InlineData(null, null)]
-    public void PunyEncode_Success(string text, string expected)
+    public void PunyEncode_Success(string? text, string? expected)
     {
         var actual = CoreHelpers.PunyEncode(text);
         Assert.Equal(expected, actual);
@@ -435,7 +435,7 @@ public class CoreHelpersTests
     [InlineData("name@", "name@")] // @ symbol but no domain
     [InlineData("", "")] // Empty string
     [InlineData(null, null)] // null
-    public void ObfuscateEmail_Success(string input, string expected)
+    public void ObfuscateEmail_Success(string? input, string? expected)
     {
         Assert.Equal(expected, CoreHelpers.ObfuscateEmail(input));
     }
@@ -456,7 +456,7 @@ public class CoreHelpersTests
     [InlineData("user@")]
     [InlineData("@example.com")]
     [InlineData("user@ex@ample.com")]
-    public void GetEmailDomain_ReturnsNull(string wrongEmail)
+    public void GetEmailDomain_ReturnsNull(string? wrongEmail)
     {
         Assert.Null(CoreHelpers.GetEmailDomain(wrongEmail));
     }
diff --git a/test/Core.Test/Utilities/EncryptedStringAttributeTests.cs b/test/Core.Test/Utilities/EncryptedStringAttributeTests.cs
index 859d7cd6f2..b5989987fb 100644
--- a/test/Core.Test/Utilities/EncryptedStringAttributeTests.cs
+++ b/test/Core.Test/Utilities/EncryptedStringAttributeTests.cs
@@ -25,7 +25,7 @@ public class EncryptedStringAttributeTests
     [InlineData("Rsa2048_OaepSha256_HmacSha256_B64.QmFzZTY0UGFydA==|QmFzZTY0UGFydA==")] // Valid Rsa2048_OaepSha256_HmacSha256_B64 as a string
     [InlineData("6.QmFzZTY0UGFydA==|QmFzZTY0UGFydA==")] // Valid Rsa2048_OaepSha1_HmacSha256_B64 as a number
     [InlineData("Rsa2048_OaepSha1_HmacSha256_B64.QmFzZTY0UGFydA==|QmFzZTY0UGFydA==")]
-    public void IsValid_ReturnsTrue_WhenValid(string input)
+    public void IsValid_ReturnsTrue_WhenValid(string? input)
     {
         var sut = new EncryptedStringAttribute();
 
diff --git a/test/Core.Test/Utilities/StrictEmailAddressAttributeTests.cs b/test/Core.Test/Utilities/StrictEmailAddressAttributeTests.cs
index bcd3efcc13..3e375a1d9f 100644
--- a/test/Core.Test/Utilities/StrictEmailAddressAttributeTests.cs
+++ b/test/Core.Test/Utilities/StrictEmailAddressAttributeTests.cs
@@ -47,7 +47,7 @@ public class StrictEmailAttributeTests
     [InlineData("hellothere@world.com-")]               // domain ending in hyphen
     [InlineData("hellö@world.com")]                     // unicode at end of local-part
     [InlineData("héllo@world.com")]                     // unicode in middle of local-part
-    public void IsValid_ReturnsFalseWhenInvalid(string email)
+    public void IsValid_ReturnsFalseWhenInvalid(string? email)
     {
         var sut = new StrictEmailAddressAttribute();
 
diff --git a/test/Core.Test/Utilities/StrictEmailAddressListAttributeTests.cs b/test/Core.Test/Utilities/StrictEmailAddressListAttributeTests.cs
index 2ec5a45689..745b5851e1 100644
--- a/test/Core.Test/Utilities/StrictEmailAddressListAttributeTests.cs
+++ b/test/Core.Test/Utilities/StrictEmailAddressListAttributeTests.cs
@@ -42,7 +42,7 @@ public class StrictEmailAddressListAttributeTests
     [Theory]
     [InlineData("single@email.com", false)]
     [InlineData(null, false)]
-    public void IsValid_ReturnsTrue_WhenValid(string email, bool valid)
+    public void IsValid_ReturnsTrue_WhenValid(string? email, bool valid)
     {
         var sut = new StrictEmailAddressListAttribute();
 
diff --git a/test/Events.IntegrationTest/Events.IntegrationTest.csproj b/test/Events.IntegrationTest/Events.IntegrationTest.csproj
index 0b51185298..dbfe147892 100644
--- a/test/Events.IntegrationTest/Events.IntegrationTest.csproj
+++ b/test/Events.IntegrationTest/Events.IntegrationTest.csproj
@@ -3,7 +3,6 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
     <ImplicitUsings>enable</ImplicitUsings>
-    <Nullable>enable</Nullable>
     <IsPackable>false</IsPackable>
     <IsTestProject>true</IsTestProject>
   </PropertyGroup>
@@ -21,9 +20,9 @@
     </PackageReference>
   </ItemGroup>
 
-  <ItemGroup>
-    <ProjectReference Include="..\..\src\Events\Events.csproj" />
-    <ProjectReference Include="..\IntegrationTestCommon\IntegrationTestCommon.csproj" />
+  <ItemGroup>
+    <ProjectReference Include="..\..\src\Events\Events.csproj" />
+    <ProjectReference Include="..\IntegrationTestCommon\IntegrationTestCommon.csproj" />
   </ItemGroup>
 
 </Project>
diff --git a/test/Icons.Test/Models/IconLinkTests.cs b/test/Icons.Test/Models/IconLinkTests.cs
index 3801558d8d..a4087f2b74 100644
--- a/test/Icons.Test/Models/IconLinkTests.cs
+++ b/test/Icons.Test/Models/IconLinkTests.cs
@@ -45,7 +45,7 @@ public class IconLinkTests
     [InlineData(" ", false)]
     [InlineData("unusable", false)]
     [InlineData("ico", true)]
-    public void WithNoRel_IsUsable(string extension, bool expectedResult)
+    public void WithNoRel_IsUsable(string? extension, bool expectedResult)
     {
         SetAttributeValue("href", $"/favicon.{extension}");
 
diff --git a/test/Identity.Test/Identity.Test.csproj b/test/Identity.Test/Identity.Test.csproj
index f18ecee6e8..fc0cf07b63 100644
--- a/test/Identity.Test/Identity.Test.csproj
+++ b/test/Identity.Test/Identity.Test.csproj
@@ -1,8 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-      <Nullable>enable</Nullable>
-      <IsPackable>false</IsPackable>
+    <IsPackable>false</IsPackable>
   </PropertyGroup>
 
   <ItemGroup>
diff --git a/test/Infrastructure.Dapper.Test/Infrastructure.Dapper.Test.csproj b/test/Infrastructure.Dapper.Test/Infrastructure.Dapper.Test.csproj
index 1ba67ba61e..fdef3c6cac 100644
--- a/test/Infrastructure.Dapper.Test/Infrastructure.Dapper.Test.csproj
+++ b/test/Infrastructure.Dapper.Test/Infrastructure.Dapper.Test.csproj
@@ -3,8 +3,6 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
     <ImplicitUsings>enable</ImplicitUsings>
-    <Nullable>enable</Nullable>
-
     <IsPackable>false</IsPackable>
     <IsTestProject>true</IsTestProject>
   </PropertyGroup>
@@ -22,8 +20,8 @@
     </PackageReference>
   </ItemGroup>
 
-  <ItemGroup>
-    <ProjectReference Include="..\..\src\Infrastructure.Dapper\Infrastructure.Dapper.csproj" />
+  <ItemGroup>
+    <ProjectReference Include="..\..\src\Infrastructure.Dapper\Infrastructure.Dapper.csproj" />
   </ItemGroup>
 
 </Project>
diff --git a/test/Infrastructure.IntegrationTest/Infrastructure.IntegrationTest.csproj b/test/Infrastructure.IntegrationTest/Infrastructure.IntegrationTest.csproj
index 159572f387..6d9e0d6667 100644
--- a/test/Infrastructure.IntegrationTest/Infrastructure.IntegrationTest.csproj
+++ b/test/Infrastructure.IntegrationTest/Infrastructure.IntegrationTest.csproj
@@ -1,7 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <Nullable>enable</Nullable>
     <IsPackable>false</IsPackable>
     <UserSecretsId>6570f288-5c2c-47ad-8978-f3da255079c2</UserSecretsId>
   </PropertyGroup>

From cc211647d72f06c8c73fbc2956d2adaccd95c1f2 Mon Sep 17 00:00:00 2001
From: cyprain-okeke <108260115+cyprain-okeke@users.noreply.github.com>
Date: Fri, 7 Feb 2025 15:43:14 +0100
Subject: [PATCH 259/384] [PM-17540]Do not grant re-subscriptions trial period
 (#5327)

* Remove trial for restarted subscription

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

* Resolve the pr comment on initial change

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

* Resolve the issue of not saving payment method

* Refactor the taxinfo mapping

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

---------

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>
---
 .../Controllers/OrganizationBillingController.cs       | 10 +++++++++-
 src/Core/Billing/Models/Sales/SubscriptionSetup.cs     |  1 +
 .../Implementations/OrganizationBillingService.cs      |  2 +-
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/Api/Billing/Controllers/OrganizationBillingController.cs b/src/Api/Billing/Controllers/OrganizationBillingController.cs
index b52241c30e..3ceeaf3c47 100644
--- a/src/Api/Billing/Controllers/OrganizationBillingController.cs
+++ b/src/Api/Billing/Controllers/OrganizationBillingController.cs
@@ -2,6 +2,7 @@
 using Bit.Api.AdminConsole.Models.Request.Organizations;
 using Bit.Api.Billing.Models.Requests;
 using Bit.Api.Billing.Models.Responses;
+using Bit.Core.Billing.Models;
 using Bit.Core.Billing.Models.Sales;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
@@ -17,7 +18,6 @@ namespace Bit.Api.Billing.Controllers;
 [Authorize("Application")]
 public class OrganizationBillingController(
     ICurrentContext currentContext,
-    IFeatureService featureService,
     IOrganizationBillingService organizationBillingService,
     IOrganizationRepository organizationRepository,
     IPaymentService paymentService,
@@ -282,7 +282,15 @@ public class OrganizationBillingController(
         var plan = StaticStore.GetPlan(model.PlanType);
         sale.Organization.PlanType = plan.Type;
         sale.Organization.Plan = plan.Name;
+        sale.SubscriptionSetup.SkipTrial = true;
         await organizationBillingService.Finalize(sale);
+        var org = await organizationRepository.GetByIdAsync(organizationId);
+        if (organizationSignup.PaymentMethodType != null)
+        {
+            var paymentSource = new TokenizedPaymentSource(organizationSignup.PaymentMethodType.Value, organizationSignup.PaymentToken);
+            var taxInformation = TaxInformation.From(organizationSignup.TaxInfo);
+            await organizationBillingService.UpdatePaymentMethod(org, paymentSource, taxInformation);
+        }
 
         return TypedResults.Ok();
     }
diff --git a/src/Core/Billing/Models/Sales/SubscriptionSetup.cs b/src/Core/Billing/Models/Sales/SubscriptionSetup.cs
index cd87b2bb1c..39a80a776a 100644
--- a/src/Core/Billing/Models/Sales/SubscriptionSetup.cs
+++ b/src/Core/Billing/Models/Sales/SubscriptionSetup.cs
@@ -9,6 +9,7 @@ public class SubscriptionSetup
     public required Plan Plan { get; set; }
     public required PasswordManager PasswordManagerOptions { get; set; }
     public SecretsManager? SecretsManagerOptions { get; set; }
+    public bool SkipTrial = false;
 
     public class PasswordManager
     {
diff --git a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
index 1bc4f792d7..57a4b1781b 100644
--- a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
@@ -379,7 +379,7 @@ public class OrganizationBillingService(
                 ["organizationId"] = organizationId.ToString()
             },
             OffSession = true,
-            TrialPeriodDays = plan.TrialPeriodDays
+            TrialPeriodDays = subscriptionSetup.SkipTrial ? 0 : plan.TrialPeriodDays
         };
 
         return await stripeAdapter.SubscriptionCreateAsync(subscriptionCreateOptions);

From a8b2dde61564136f7094ea5a347b4e98af879a75 Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Fri, 7 Feb 2025 09:47:47 -0500
Subject: [PATCH 260/384] [PM-18079] Fix intermittent failing database
 integration tests. (#5381)

---
 .../Repositories/OrganizationDomainRepositoryTests.cs         | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationDomainRepositoryTests.cs b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationDomainRepositoryTests.cs
index ad92f40efc..7f0ed582bf 100644
--- a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationDomainRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationDomainRepositoryTests.cs
@@ -252,12 +252,12 @@ public class OrganizationDomainRepositoryTests
             Txt = "btw+12345"
         };
 
-        var outside36HoursWindow = 20;
+        var outside36HoursWindow = 50;
         organizationDomain.SetNextRunDate(outside36HoursWindow);
 
         await organizationDomainRepository.CreateAsync(organizationDomain);
 
-        var date = DateTimeOffset.UtcNow.Date.AddDays(1);
+        var date = DateTime.UtcNow.AddDays(1);
 
         // Act
         var domains = await organizationDomainRepository.GetManyByNextRunDateAsync(date);

From 7e47e1397f23a032e9d50c1669433ec67c448345 Mon Sep 17 00:00:00 2001
From: sneakernuts <671942+sneakernuts@users.noreply.github.com>
Date: Fri, 7 Feb 2025 08:47:44 -0700
Subject: [PATCH 261/384] SRE-1912 replaced with new path (#5380)

---
 .../Handlebars/Layouts/Full.html.hbs          | 16 ++++++-------
 .../Handlebars/Layouts/FullUpdated.html.hbs   | 24 +++++++++----------
 2 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/src/Core/MailTemplates/Handlebars/Layouts/Full.html.hbs b/src/Core/MailTemplates/Handlebars/Layouts/Full.html.hbs
index 5e4c0eb0ae..7ed9fb7d1a 100644
--- a/src/Core/MailTemplates/Handlebars/Layouts/Full.html.hbs
+++ b/src/Core/MailTemplates/Handlebars/Layouts/Full.html.hbs
@@ -130,7 +130,7 @@
                             <table class="header" cellpadding="0" cellspacing="0" width="100%">
                                 <tr>
                                     <td valign="middle" class="aligncenter middle logo" style="padding: 20px 0 10px;" align="center">
-                                        <img src="https://bitwarden.com/images/logo-horizontal-blue.png" alt="" width="250" height="39" />
+                                        <img src="https://assets.bitwarden.com/email/v1/logo-horizontal-blue.png" alt="" width="250" height="39" />
                                     </td>
                                 </tr>
                             </table>
@@ -148,13 +148,13 @@
                                     <td class="aligncenter social-icons" align="center" style="margin: 0; padding: 15px 0 0 0;" valign="top">
                                         <table cellpadding="0" cellspacing="0" style="margin: 0 auto;">
                                             <tr>
-                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://twitter.com/bitwarden" target="_blank"><img src="https://bitwarden.com/images/mail-twitter.png" alt="Twitter" width="30" height="30" /></a></td>
-                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://www.reddit.com/r/Bitwarden/" target="_blank"><img src="https://bitwarden.com/images/mail-reddit.png" alt="Reddit" width="30" height="30" /></a></td>
-                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://community.bitwarden.com/" target="_blank"><img src="https://bitwarden.com/images/mail-discourse.png" alt="CommunityForums" width="30" height="30" /></a></td>
-                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/bitwarden" target="_blank"><img src="https://bitwarden.com/images/mail-github.png" alt="GitHub" width="30" height="30" /></a></td>
-                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://www.youtube.com/channel/UCId9a_jQqvJre0_dE2lE_Rw" target="_blank"><img src="https://bitwarden.com/images/mail-youtube.png" alt="Youtube" width="30" height="30" /></a></td>
-                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://www.linkedin.com/company/bitwarden1/" target="_blank"><img src="https://bitwarden.com/images/mail-linkedin.png" alt="LinkedIn" width="30" height="30" /></a></td>
-                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://www.facebook.com/bitwarden/" target="_blank"><img src="https://bitwarden.com/images/mail-facebook.png" alt="Facebook" width="30" height="30" /></a></td>
+                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://twitter.com/bitwarden" target="_blank"><img src="https://assets.bitwarden.com/email/v1/mail-twitter.png" alt="Twitter" width="30" height="30" /></a></td>
+                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://www.reddit.com/r/Bitwarden/" target="_blank"><img src="https://assets.bitwarden.com/email/v1/mail-reddit.png" alt="Reddit" width="30" height="30" /></a></td>
+                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://community.bitwarden.com/" target="_blank"><img src="https://assets.bitwarden.com/email/v1/mail-discourse.png" alt="CommunityForums" width="30" height="30" /></a></td>
+                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/bitwarden" target="_blank"><img src="https://assets.bitwarden.com/email/v1/mail-github.png" alt="GitHub" width="30" height="30" /></a></td>
+                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://www.youtube.com/channel/UCId9a_jQqvJre0_dE2lE_Rw" target="_blank"><img src="https://assets.bitwarden.com/email/v1/mail-youtube.png" alt="Youtube" width="30" height="30" /></a></td>
+                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://www.linkedin.com/company/bitwarden1/" target="_blank"><img src="https://assets.bitwarden.com/email/v1/mail-linkedin.png" alt="LinkedIn" width="30" height="30" /></a></td>
+                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://www.facebook.com/bitwarden/" target="_blank"><img src="https://assets.bitwarden.com/email/v1/mail-facebook.png" alt="Facebook" width="30" height="30" /></a></td>
                                             </tr>
                                         </table>
                                     </td>
diff --git a/src/Core/MailTemplates/Handlebars/Layouts/FullUpdated.html.hbs b/src/Core/MailTemplates/Handlebars/Layouts/FullUpdated.html.hbs
index f0a8688a41..f5772d61f6 100644
--- a/src/Core/MailTemplates/Handlebars/Layouts/FullUpdated.html.hbs
+++ b/src/Core/MailTemplates/Handlebars/Layouts/FullUpdated.html.hbs
@@ -107,10 +107,10 @@
 
             .footer-text {
                 width: 100% !important;
-            }
-
-            .center {
-                text-align: center !important;
+            }
+
+            .center {
+                text-align: center !important;
             }
 
             .templateColumnContainer{
@@ -159,7 +159,7 @@
                             <table class="header" cellpadding="0" cellspacing="0" width="100%">
                                 <tr>
                                     <td valign="middle" class="aligncenter middle logo" style="padding: 20px 0 10px;" align="center">
-                                        <img src="https://bitwarden.com/images/logo-horizontal-blue.png" alt="" width="250" height="39" />
+                                        <img src="https://assets.bitwarden.com/email/v1/logo-horizontal-blue.png" alt="" width="250" height="39" />
                                     </td>
                                 </tr>
                             </table>
@@ -177,13 +177,13 @@
                                     <td class="aligncenter social-icons" align="center" style="margin: 0; padding: 15px 0 0 0;" valign="top">
                                         <table cellpadding="0" cellspacing="0" style="margin: 0 auto;">
                                             <tr>
-                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://twitter.com/bitwarden" target="_blank"><img src="https://bitwarden.com/images/mail-twitter.png" alt="Twitter" width="30" height="30" /></a></td>
-                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://www.reddit.com/r/Bitwarden/" target="_blank"><img src="https://bitwarden.com/images/mail-reddit.png" alt="Reddit" width="30" height="30" /></a></td>
-                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://community.bitwarden.com/" target="_blank"><img src="https://bitwarden.com/images/mail-discourse.png" alt="CommunityForums" width="30" height="30" /></a></td>
-                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/bitwarden" target="_blank"><img src="https://bitwarden.com/images/mail-github.png" alt="GitHub" width="30" height="30" /></a></td>
-                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://www.youtube.com/channel/UCId9a_jQqvJre0_dE2lE_Rw" target="_blank"><img src="https://bitwarden.com/images/mail-youtube.png" alt="Youtube" width="30" height="30" /></a></td>
-                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://www.linkedin.com/company/bitwarden1/" target="_blank"><img src="https://bitwarden.com/images/mail-linkedin.png" alt="LinkedIn" width="30" height="30" /></a></td>
-                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://www.facebook.com/bitwarden/" target="_blank"><img src="https://bitwarden.com/images/mail-facebook.png" alt="Facebook" width="30" height="30" /></a></td>
+                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://twitter.com/bitwarden" target="_blank"><img src="https://assets.bitwarden.com/email/v1/mail-twitter.png" alt="Twitter" width="30" height="30" /></a></td>
+                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://www.reddit.com/r/Bitwarden/" target="_blank"><img src="https://assets.bitwarden.com/email/v1/mail-reddit.png" alt="Reddit" width="30" height="30" /></a></td>
+                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://community.bitwarden.com/" target="_blank"><img src="https://assets.bitwarden.com/email/v1/mail-discourse.png" alt="CommunityForums" width="30" height="30" /></a></td>
+                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/bitwarden" target="_blank"><img src="https://assets.bitwarden.com/email/v1/mail-github.png" alt="GitHub" width="30" height="30" /></a></td>
+                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://www.youtube.com/channel/UCId9a_jQqvJre0_dE2lE_Rw" target="_blank"><img src="https://assets.bitwarden.com/email/v1/mail-youtube.png" alt="Youtube" width="30" height="30" /></a></td>
+                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://www.linkedin.com/company/bitwarden1/" target="_blank"><img src="https://assets.bitwarden.com/email/v1/mail-linkedin.png" alt="LinkedIn" width="30" height="30" /></a></td>
+                                                <td style="margin: 0; padding: 0 10px;" valign="top"><a href="https://www.facebook.com/bitwarden/" target="_blank"><img src="https://assets.bitwarden.com/email/v1/mail-facebook.png" alt="Facebook" width="30" height="30" /></a></td>
                                             </tr>
                                         </table>
                                     </td>

From d9d76a29a5538fc6edaee0f3737ce1dc7333040c Mon Sep 17 00:00:00 2001
From: Daniel James Smith <2670567+djsmith85@users.noreply.github.com>
Date: Fri, 7 Feb 2025 20:10:10 +0100
Subject: [PATCH 262/384] Remove generator-tools-modernization feature flag
 from server (#5377)

Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
---
 src/Core/Constants.cs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 3e59a9390b..e41cf62024 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -112,7 +112,6 @@ public static class FeatureFlagKeys
 
     /* Tools Team */
     public const string ItemShare = "item-share";
-    public const string GeneratorToolsModernization = "generator-tools-modernization";
     public const string RiskInsightsCriticalApplication = "pm-14466-risk-insights-critical-application";
     public const string EnableRiskInsightsNotifications = "enable-risk-insights-notifications";
 

From e4d862fe6efd01f1a9b51ffb7c8497daca62ae88 Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Mon, 10 Feb 2025 11:24:00 +0000
Subject: [PATCH 263/384] Bumped version to 2025.2.0

---
 Directory.Build.props | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 71650fc16c..259184e0e2 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.1.4</Version>
+    <Version>2025.2.0</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>
@@ -69,4 +69,4 @@
     </ItemGroup>
   </Target>
 
-</Project>
+</Project>
\ No newline at end of file

From bde11dae3199b10b4a089ebfb70a370fb5bc86cc Mon Sep 17 00:00:00 2001
From: SmithThe4th <gsmith@bitwarden.com>
Date: Mon, 10 Feb 2025 11:39:48 -0500
Subject: [PATCH 264/384] [PM-14590] Modify Notification database table (#5361)

* Added notification type enum

Added option type to entity

* created migration files

* made sprocs backward compatible

* made sprocs backward compatible

* Fixed linting

* Altered table to require an optional taskId

* formatted code

* Added foreignkey

* Formatted code

* fixed order
---
 .../Entities/Notification.cs                  |    1 +
 .../NotificationEntityTypeConfiguration.cs    |    4 +
 .../NotificationCenter/Models/Notification.cs |    2 +
 .../Stored Procedures/Notification_Create.sql |    9 +-
 .../Stored Procedures/Notification_Update.sql |    6 +-
 .../dbo/Tables/Notification.sql               |    7 +-
 ...02-07_00_AddOptionalNotificationTaskId.sql |  107 +
 ..._AddOptionalNotificationTaskId.Designer.cs | 3009 ++++++++++++++++
 ...207204741_AddOptionalNotificationTaskId.cs |   48 +
 .../DatabaseContextModelSnapshot.cs           |   12 +
 ..._AddOptionalNotificationTaskId.Designer.cs | 3015 +++++++++++++++++
 ...207204729_AddOptionalNotificationTaskId.cs |   47 +
 .../DatabaseContextModelSnapshot.cs           |   12 +
 ..._AddOptionalNotificationTaskId.Designer.cs | 2998 ++++++++++++++++
 ...207204735_AddOptionalNotificationTaskId.cs |   47 +
 .../DatabaseContextModelSnapshot.cs           |   12 +
 16 files changed, 9330 insertions(+), 6 deletions(-)
 create mode 100644 util/Migrator/DbScripts/2025-02-07_00_AddOptionalNotificationTaskId.sql
 create mode 100644 util/MySqlMigrations/Migrations/20250207204741_AddOptionalNotificationTaskId.Designer.cs
 create mode 100644 util/MySqlMigrations/Migrations/20250207204741_AddOptionalNotificationTaskId.cs
 create mode 100644 util/PostgresMigrations/Migrations/20250207204729_AddOptionalNotificationTaskId.Designer.cs
 create mode 100644 util/PostgresMigrations/Migrations/20250207204729_AddOptionalNotificationTaskId.cs
 create mode 100644 util/SqliteMigrations/Migrations/20250207204735_AddOptionalNotificationTaskId.Designer.cs
 create mode 100644 util/SqliteMigrations/Migrations/20250207204735_AddOptionalNotificationTaskId.cs

diff --git a/src/Core/NotificationCenter/Entities/Notification.cs b/src/Core/NotificationCenter/Entities/Notification.cs
index 7ab3187524..aba456efbe 100644
--- a/src/Core/NotificationCenter/Entities/Notification.cs
+++ b/src/Core/NotificationCenter/Entities/Notification.cs
@@ -20,6 +20,7 @@ public class Notification : ITableObject<Guid>
     public string? Body { get; set; }
     public DateTime CreationDate { get; set; }
     public DateTime RevisionDate { get; set; }
+    public Guid? TaskId { get; set; }
 
     public void SetNewId()
     {
diff --git a/src/Infrastructure.EntityFramework/NotificationCenter/Configurations/NotificationEntityTypeConfiguration.cs b/src/Infrastructure.EntityFramework/NotificationCenter/Configurations/NotificationEntityTypeConfiguration.cs
index c8bb2fd0ad..fc2bcd81c9 100644
--- a/src/Infrastructure.EntityFramework/NotificationCenter/Configurations/NotificationEntityTypeConfiguration.cs
+++ b/src/Infrastructure.EntityFramework/NotificationCenter/Configurations/NotificationEntityTypeConfiguration.cs
@@ -30,6 +30,10 @@ public class NotificationEntityTypeConfiguration : IEntityTypeConfiguration<Noti
             .HasIndex(n => n.UserId)
             .IsClustered(false);
 
+        builder
+            .HasIndex(n => n.TaskId)
+            .IsClustered(false);
+
         builder.ToTable(nameof(Notification));
     }
 }
diff --git a/src/Infrastructure.EntityFramework/NotificationCenter/Models/Notification.cs b/src/Infrastructure.EntityFramework/NotificationCenter/Models/Notification.cs
index a13e99a276..ec8db45c5a 100644
--- a/src/Infrastructure.EntityFramework/NotificationCenter/Models/Notification.cs
+++ b/src/Infrastructure.EntityFramework/NotificationCenter/Models/Notification.cs
@@ -1,6 +1,7 @@
 using AutoMapper;
 using Bit.Infrastructure.EntityFramework.AdminConsole.Models;
 using Bit.Infrastructure.EntityFramework.Models;
+using Bit.Infrastructure.EntityFramework.Vault.Models;
 
 namespace Bit.Infrastructure.EntityFramework.NotificationCenter.Models;
 
@@ -8,6 +9,7 @@ public class Notification : Core.NotificationCenter.Entities.Notification
 {
     public virtual User User { get; set; }
     public virtual Organization Organization { get; set; }
+    public virtual SecurityTask Task { get; set; }
 }
 
 public class NotificationMapperProfile : Profile
diff --git a/src/Sql/NotificationCenter/dbo/Stored Procedures/Notification_Create.sql b/src/Sql/NotificationCenter/dbo/Stored Procedures/Notification_Create.sql
index 1e396a611b..7f67823055 100644
--- a/src/Sql/NotificationCenter/dbo/Stored Procedures/Notification_Create.sql	
+++ b/src/Sql/NotificationCenter/dbo/Stored Procedures/Notification_Create.sql	
@@ -8,7 +8,8 @@ CREATE PROCEDURE [dbo].[Notification_Create]
     @Title NVARCHAR(256),
     @Body NVARCHAR(MAX),
     @CreationDate DATETIME2(7),
-    @RevisionDate DATETIME2(7)
+    @RevisionDate DATETIME2(7),
+    @TaskId UNIQUEIDENTIFIER = NULL
 AS
 BEGIN
     SET NOCOUNT ON
@@ -23,7 +24,8 @@ BEGIN
         [Title],
         [Body],
         [CreationDate],
-        [RevisionDate]
+        [RevisionDate],
+        [TaskId]
         )
     VALUES (
         @Id,
@@ -35,6 +37,7 @@ BEGIN
         @Title,
         @Body,
         @CreationDate,
-        @RevisionDate
+        @RevisionDate,
+        @TaskId
         )
 END
diff --git a/src/Sql/NotificationCenter/dbo/Stored Procedures/Notification_Update.sql b/src/Sql/NotificationCenter/dbo/Stored Procedures/Notification_Update.sql
index 17d656f5a9..4369c01f71 100644
--- a/src/Sql/NotificationCenter/dbo/Stored Procedures/Notification_Update.sql	
+++ b/src/Sql/NotificationCenter/dbo/Stored Procedures/Notification_Update.sql	
@@ -8,7 +8,8 @@ CREATE PROCEDURE [dbo].[Notification_Update]
     @Title NVARCHAR(256),
     @Body NVARCHAR(MAX),
     @CreationDate DATETIME2(7),
-    @RevisionDate DATETIME2(7)
+    @RevisionDate DATETIME2(7),
+    @TaskId UNIQUEIDENTIFIER = NULL
 AS
 BEGIN
     SET NOCOUNT ON
@@ -22,6 +23,7 @@ BEGIN
         [Title] = @Title,
         [Body] = @Body,
         [CreationDate] = @CreationDate,
-        [RevisionDate] = @RevisionDate
+        [RevisionDate] = @RevisionDate,
+        [TaskId]       = @TaskId
     WHERE [Id] = @Id
 END
diff --git a/src/Sql/NotificationCenter/dbo/Tables/Notification.sql b/src/Sql/NotificationCenter/dbo/Tables/Notification.sql
index 790168780f..009985c5d0 100644
--- a/src/Sql/NotificationCenter/dbo/Tables/Notification.sql
+++ b/src/Sql/NotificationCenter/dbo/Tables/Notification.sql
@@ -10,9 +10,11 @@ CREATE TABLE [dbo].[Notification]
     [Body] NVARCHAR (MAX) NULL,
     [CreationDate] DATETIME2 (7) NOT NULL,
     [RevisionDate] DATETIME2 (7) NOT NULL,
+    [TaskId] UNIQUEIDENTIFIER NULL,
     CONSTRAINT [PK_Notification] PRIMARY KEY CLUSTERED ([Id] ASC),
     CONSTRAINT [FK_Notification_Organization] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization] ([Id]),
-    CONSTRAINT [FK_Notification_User] FOREIGN KEY ([UserId]) REFERENCES [dbo].[User] ([Id])
+    CONSTRAINT [FK_Notification_User] FOREIGN KEY ([UserId]) REFERENCES [dbo].[User] ([Id]),
+    CONSTRAINT [FK_Notification_SecurityTask] FOREIGN KEY ([TaskId]) REFERENCES [dbo].[SecurityTask] ([Id])
 );
 
 
@@ -30,3 +32,6 @@ GO
 CREATE NONCLUSTERED INDEX [IX_Notification_OrganizationId]
     ON [dbo].[Notification]([OrganizationId] ASC) WHERE OrganizationId IS NOT NULL;
 
+GO
+CREATE NONCLUSTERED INDEX [IX_Notification_TaskId]
+    ON [dbo].[Notification] ([TaskId] ASC) WHERE TaskId IS NOT NULL;
diff --git a/util/Migrator/DbScripts/2025-02-07_00_AddOptionalNotificationTaskId.sql b/util/Migrator/DbScripts/2025-02-07_00_AddOptionalNotificationTaskId.sql
new file mode 100644
index 0000000000..0e19cb5fe2
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-02-07_00_AddOptionalNotificationTaskId.sql
@@ -0,0 +1,107 @@
+-- Add optional TaskId column to Notification table
+IF COL_LENGTH('[dbo].[Notification]', 'TaskId') IS NULL
+BEGIN
+    ALTER TABLE [dbo].[Notification]
+        ADD [TaskId] UNIQUEIDENTIFIER NULL
+
+    ALTER TABLE [dbo].[Notification]
+        ADD CONSTRAINT [FK_Notification_SecurityTask] FOREIGN KEY ([TaskId]) REFERENCES [dbo].[SecurityTask] ([Id])
+END
+GO
+
+IF NOT EXISTS (SELECT *
+               FROM sys.indexes
+               WHERE name = 'IX_Notification_TaskId')
+    BEGIN
+        CREATE NONCLUSTERED INDEX [IX_Notification_TaskId]
+            ON [dbo].[Notification] ([TaskId] ASC) WHERE TaskId IS NOT NULL;
+    END
+GO
+
+-- Alter Notification_Create and Notification_Update stored procedures to include TaskId
+CREATE OR ALTER PROCEDURE [dbo].[Notification_Create]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @Priority TINYINT,
+    @Global BIT,
+    @ClientType TINYINT,
+    @UserId UNIQUEIDENTIFIER,
+    @OrganizationId UNIQUEIDENTIFIER,
+    @Title NVARCHAR(256),
+    @Body NVARCHAR(MAX),
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7),
+    @TaskId UNIQUEIDENTIFIER = NULL
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    INSERT INTO [dbo].[Notification] (
+        [Id],
+        [Priority],
+        [Global],
+        [ClientType],
+        [UserId],
+        [OrganizationId],
+        [Title],
+        [Body],
+        [CreationDate],
+        [RevisionDate],
+        [TaskId]
+    )
+    VALUES (
+       @Id,
+       @Priority,
+       @Global,
+       @ClientType,
+       @UserId,
+       @OrganizationId,
+       @Title,
+       @Body,
+       @CreationDate,
+       @RevisionDate,
+       @TaskId
+   )
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[Notification_Update]
+    @Id UNIQUEIDENTIFIER,
+    @Priority TINYINT,
+    @Global BIT,
+    @ClientType TINYINT,
+    @UserId UNIQUEIDENTIFIER,
+    @OrganizationId UNIQUEIDENTIFIER,
+    @Title NVARCHAR(256),
+    @Body NVARCHAR(MAX),
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7),
+    @TaskId UNIQUEIDENTIFIER = NULL
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    UPDATE [dbo].[Notification]
+    SET [Priority] = @Priority,
+        [Global] = @Global,
+        [ClientType] = @ClientType,
+        [UserId] = @UserId,
+        [OrganizationId] = @OrganizationId,
+        [Title] = @Title,
+        [Body] = @Body,
+        [CreationDate] = @CreationDate,
+        [RevisionDate] = @RevisionDate,
+        [TaskId]       = @TaskId
+    WHERE [Id] = @Id
+END
+GO
+
+-- Recreate NotificationView
+CREATE OR ALTER VIEW [dbo].[NotificationView]
+AS
+SELECT
+    *
+FROM
+    [dbo].[Notification]
+GO
+
+
diff --git a/util/MySqlMigrations/Migrations/20250207204741_AddOptionalNotificationTaskId.Designer.cs b/util/MySqlMigrations/Migrations/20250207204741_AddOptionalNotificationTaskId.Designer.cs
new file mode 100644
index 0000000000..886f35f6d1
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20250207204741_AddOptionalNotificationTaskId.Designer.cs
@@ -0,0 +1,3009 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Metadata;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20250207204741_AddOptionalNotifificationTaskId")]
+    partial class AddOptionalNotifificationTaskId
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 64);
+
+            MySqlModelBuilderExtensions.AutoIncrementColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("LimitItemDeletion")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("varchar(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("int");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("varchar(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("varchar(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("longblob");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("varchar(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("varchar(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("int");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("varchar(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Body")
+                        .HasColumnType("longtext");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid?>("TaskId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("TaskId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("varchar(150)");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("varchar(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("varchar(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", "Task")
+                        .WithMany()
+                        .HasForeignKey("TaskId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Task");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/20250207204741_AddOptionalNotificationTaskId.cs b/util/MySqlMigrations/Migrations/20250207204741_AddOptionalNotificationTaskId.cs
new file mode 100644
index 0000000000..1ead4bcc99
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20250207204741_AddOptionalNotificationTaskId.cs
@@ -0,0 +1,48 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddOptionalNotifificationTaskId : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<Guid>(
+            name: "TaskId",
+            table: "Notification",
+            type: "char(36)",
+            nullable: true,
+            collation: "ascii_general_ci");
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Notification_TaskId",
+            table: "Notification",
+            column: "TaskId");
+
+        migrationBuilder.AddForeignKey(
+            name: "FK_Notification_SecurityTask_TaskId",
+            table: "Notification",
+            column: "TaskId",
+            principalTable: "SecurityTask",
+            principalColumn: "Id");
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropForeignKey(
+            name: "FK_Notification_SecurityTask_TaskId",
+            table: "Notification");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Notification_TaskId",
+            table: "Notification");
+
+        migrationBuilder.DropColumn(
+            name: "TaskId",
+            table: "Notification");
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
index 5761cd559f..44ef9e01c3 100644
--- a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -1674,6 +1674,9 @@ namespace Bit.MySqlMigrations.Migrations
                     b.Property<DateTime>("RevisionDate")
                         .HasColumnType("datetime(6)");
 
+                    b.Property<Guid?>("TaskId")
+                        .HasColumnType("char(36)");
+
                     b.Property<string>("Title")
                         .HasMaxLength(256)
                         .HasColumnType("varchar(256)");
@@ -1687,6 +1690,9 @@ namespace Bit.MySqlMigrations.Migrations
                     b.HasIndex("OrganizationId")
                         .HasAnnotation("SqlServer:Clustered", false);
 
+                    b.HasIndex("TaskId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
                     b.HasIndex("UserId")
                         .HasAnnotation("SqlServer:Clustered", false);
 
@@ -2628,12 +2634,18 @@ namespace Bit.MySqlMigrations.Migrations
                         .WithMany()
                         .HasForeignKey("OrganizationId");
 
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", "Task")
+                        .WithMany()
+                        .HasForeignKey("TaskId");
+
                     b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
                         .WithMany()
                         .HasForeignKey("UserId");
 
                     b.Navigation("Organization");
 
+                    b.Navigation("Task");
+
                     b.Navigation("User");
                 });
 
diff --git a/util/PostgresMigrations/Migrations/20250207204729_AddOptionalNotificationTaskId.Designer.cs b/util/PostgresMigrations/Migrations/20250207204729_AddOptionalNotificationTaskId.Designer.cs
new file mode 100644
index 0000000000..57da6883fa
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20250207204729_AddOptionalNotificationTaskId.Designer.cs
@@ -0,0 +1,3015 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20250207204729_AddOptionalNotifificationTaskId")]
+    partial class AddOptionalNotifificationTaskId
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("Npgsql:CollationDefinition:postgresIndetermanisticCollation", "en-u-ks-primary,en-u-ks-primary,icu,False")
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("LimitItemDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled");
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("Id", "Enabled"), new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("character varying(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("OrganizationId", "ExternalId"), new[] { "UserId" });
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("character varying(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("numeric");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("character varying(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("character varying(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("numeric");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("numeric");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("boolean");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("numeric");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("character varying(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Body")
+                        .HasColumnType("text");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("TaskId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("TaskId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("character varying(150)");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("character varying(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", "Task")
+                        .WithMany()
+                        .HasForeignKey("TaskId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Task");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/20250207204729_AddOptionalNotificationTaskId.cs b/util/PostgresMigrations/Migrations/20250207204729_AddOptionalNotificationTaskId.cs
new file mode 100644
index 0000000000..3824d7af4d
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20250207204729_AddOptionalNotificationTaskId.cs
@@ -0,0 +1,47 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddOptionalNotifificationTaskId : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<Guid>(
+            name: "TaskId",
+            table: "Notification",
+            type: "uuid",
+            nullable: true);
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Notification_TaskId",
+            table: "Notification",
+            column: "TaskId");
+
+        migrationBuilder.AddForeignKey(
+            name: "FK_Notification_SecurityTask_TaskId",
+            table: "Notification",
+            column: "TaskId",
+            principalTable: "SecurityTask",
+            principalColumn: "Id");
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropForeignKey(
+            name: "FK_Notification_SecurityTask_TaskId",
+            table: "Notification");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Notification_TaskId",
+            table: "Notification");
+
+        migrationBuilder.DropColumn(
+            name: "TaskId",
+            table: "Notification");
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
index 4abfec0343..11fa811d98 100644
--- a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -1680,6 +1680,9 @@ namespace Bit.PostgresMigrations.Migrations
                     b.Property<DateTime>("RevisionDate")
                         .HasColumnType("timestamp with time zone");
 
+                    b.Property<Guid?>("TaskId")
+                        .HasColumnType("uuid");
+
                     b.Property<string>("Title")
                         .HasMaxLength(256)
                         .HasColumnType("character varying(256)");
@@ -1693,6 +1696,9 @@ namespace Bit.PostgresMigrations.Migrations
                     b.HasIndex("OrganizationId")
                         .HasAnnotation("SqlServer:Clustered", false);
 
+                    b.HasIndex("TaskId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
                     b.HasIndex("UserId")
                         .HasAnnotation("SqlServer:Clustered", false);
 
@@ -2634,12 +2640,18 @@ namespace Bit.PostgresMigrations.Migrations
                         .WithMany()
                         .HasForeignKey("OrganizationId");
 
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", "Task")
+                        .WithMany()
+                        .HasForeignKey("TaskId");
+
                     b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
                         .WithMany()
                         .HasForeignKey("UserId");
 
                     b.Navigation("Organization");
 
+                    b.Navigation("Task");
+
                     b.Navigation("User");
                 });
 
diff --git a/util/SqliteMigrations/Migrations/20250207204735_AddOptionalNotificationTaskId.Designer.cs b/util/SqliteMigrations/Migrations/20250207204735_AddOptionalNotificationTaskId.Designer.cs
new file mode 100644
index 0000000000..98d0871ec1
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20250207204735_AddOptionalNotificationTaskId.Designer.cs
@@ -0,0 +1,2998 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20250207204735_AddOptionalNotifificationTaskId")]
+    partial class AddOptionalNotifificationTaskId
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder.HasAnnotation("ProductVersion", "8.0.8");
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("LimitItemDeletion")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("BLOB");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Body")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("TaskId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("TaskId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", "Task")
+                        .WithMany()
+                        .HasForeignKey("TaskId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Task");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/20250207204735_AddOptionalNotificationTaskId.cs b/util/SqliteMigrations/Migrations/20250207204735_AddOptionalNotificationTaskId.cs
new file mode 100644
index 0000000000..8b3b1d3096
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20250207204735_AddOptionalNotificationTaskId.cs
@@ -0,0 +1,47 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddOptionalNotifificationTaskId : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<Guid>(
+            name: "TaskId",
+            table: "Notification",
+            type: "TEXT",
+            nullable: true);
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Notification_TaskId",
+            table: "Notification",
+            column: "TaskId");
+
+        migrationBuilder.AddForeignKey(
+            name: "FK_Notification_SecurityTask_TaskId",
+            table: "Notification",
+            column: "TaskId",
+            principalTable: "SecurityTask",
+            principalColumn: "Id");
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropForeignKey(
+            name: "FK_Notification_SecurityTask_TaskId",
+            table: "Notification");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Notification_TaskId",
+            table: "Notification");
+
+        migrationBuilder.DropColumn(
+            name: "TaskId",
+            table: "Notification");
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
index f90de08a93..8d122f5617 100644
--- a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -1663,6 +1663,9 @@ namespace Bit.SqliteMigrations.Migrations
                     b.Property<DateTime>("RevisionDate")
                         .HasColumnType("TEXT");
 
+                    b.Property<Guid?>("TaskId")
+                        .HasColumnType("TEXT");
+
                     b.Property<string>("Title")
                         .HasMaxLength(256)
                         .HasColumnType("TEXT");
@@ -1676,6 +1679,9 @@ namespace Bit.SqliteMigrations.Migrations
                     b.HasIndex("OrganizationId")
                         .HasAnnotation("SqlServer:Clustered", false);
 
+                    b.HasIndex("TaskId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
                     b.HasIndex("UserId")
                         .HasAnnotation("SqlServer:Clustered", false);
 
@@ -2617,12 +2623,18 @@ namespace Bit.SqliteMigrations.Migrations
                         .WithMany()
                         .HasForeignKey("OrganizationId");
 
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", "Task")
+                        .WithMany()
+                        .HasForeignKey("TaskId");
+
                     b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
                         .WithMany()
                         .HasForeignKey("UserId");
 
                     b.Navigation("Organization");
 
+                    b.Navigation("Task");
+
                     b.Navigation("User");
                 });
 

From e01cace1896ade7e6ef26b92fe2b1396743e5950 Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Tue, 11 Feb 2025 08:49:14 -0500
Subject: [PATCH 265/384] Turn on TreatWarningsAsError (#5384)

* Turn on TreatWarningsAsError for Release build

- Break Api intentionally

* Fix Api

* Treat warnings as errors no matter the configuration
---
 Directory.Build.props                                        | 1 +
 src/Api/Api.csproj                                           | 2 ++
 src/Billing/Billing.csproj                                   | 2 ++
 src/Core/Core.csproj                                         | 2 ++
 src/Identity/Identity.csproj                                 | 2 ++
 src/Infrastructure.Dapper/Infrastructure.Dapper.csproj       | 5 +++++
 .../Infrastructure.EntityFramework.csproj                    | 5 +++++
 test/Api.Test/Api.Test.csproj                                | 2 ++
 test/Core.Test/Core.Test.csproj                              | 2 ++
 test/Identity.Test/Identity.Test.csproj                      | 2 ++
 10 files changed, 25 insertions(+)

diff --git a/Directory.Build.props b/Directory.Build.props
index 259184e0e2..c797513c63 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -13,6 +13,7 @@
     <Nullable Condition="'$(Nullable)' == '' and '$(IsTestProject)' == 'true'">annotations</Nullable>
     <!-- Uncomment the below line when we are ready to enable nullable repo wide -->
     <!-- <Nullable Condition="'$(Nullable)' == '' and '$(IsTestProject)' != 'true'">enable</Nullable> -->
+    <TreatWarningsAsErrors Condition="'$(TreatWarningsAsErrors)' == ''">true</TreatWarningsAsErrors>
   </PropertyGroup>
 
   <!--
diff --git a/src/Api/Api.csproj b/src/Api/Api.csproj
index c490e90150..6505fdab5b 100644
--- a/src/Api/Api.csproj
+++ b/src/Api/Api.csproj
@@ -4,6 +4,8 @@
     <MvcRazorCompileOnPublish>false</MvcRazorCompileOnPublish>
     <DocumentationFile>bin\$(Configuration)\$(TargetFramework)\$(AssemblyName).xml</DocumentationFile>
     <ANCMPreConfiguredForIIS>true</ANCMPreConfiguredForIIS>
+    <!-- Temp exclusions until warnings are fixed -->
+    <WarningsNotAsErrors>$(WarningsNotAsErrors);CS8604</WarningsNotAsErrors>
   </PropertyGroup>
 
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'">
diff --git a/src/Billing/Billing.csproj b/src/Billing/Billing.csproj
index f32eccfe8c..50e372791f 100644
--- a/src/Billing/Billing.csproj
+++ b/src/Billing/Billing.csproj
@@ -3,6 +3,8 @@
   <PropertyGroup>
     <UserSecretsId>bitwarden-Billing</UserSecretsId>
     <MvcRazorCompileOnPublish>false</MvcRazorCompileOnPublish>
+    <!-- Temp exclusions until warnings are fixed -->
+    <WarningsNotAsErrors>$(WarningsNotAsErrors);CS9113</WarningsNotAsErrors>
   </PropertyGroup>
 
   <PropertyGroup Condition=" '$(RunConfiguration)' == 'Billing' " />
diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index a2d4660194..e2aaa9aa23 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -3,6 +3,8 @@
   <PropertyGroup>
     <GenerateUserSecretsAttribute>false</GenerateUserSecretsAttribute>
     <DocumentationFile>bin\$(Configuration)\$(TargetFramework)\$(AssemblyName).xml</DocumentationFile>
+    <!-- Temp exclusions until warnings are fixed -->
+    <WarningsNotAsErrors>$(WarningsNotAsErrors);CS1570;CS1574;CS8602;CS9113;CS1998;CS8604</WarningsNotAsErrors>
   </PropertyGroup>
 
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'">
diff --git a/src/Identity/Identity.csproj b/src/Identity/Identity.csproj
index cb506d86e9..e9e188b53f 100644
--- a/src/Identity/Identity.csproj
+++ b/src/Identity/Identity.csproj
@@ -3,6 +3,8 @@
   <PropertyGroup>
     <UserSecretsId>bitwarden-Identity</UserSecretsId>
     <MvcRazorCompileOnPublish>false</MvcRazorCompileOnPublish>
+    <!-- Temp exclusions until warnings are fixed -->
+    <WarningsNotAsErrors>$(WarningsNotAsErrors);CS0162</WarningsNotAsErrors>
   </PropertyGroup>
 
   <PropertyGroup Condition=" '$(RunConfiguration)' == 'Identity' " />
diff --git a/src/Infrastructure.Dapper/Infrastructure.Dapper.csproj b/src/Infrastructure.Dapper/Infrastructure.Dapper.csproj
index 046009ef73..19512670ce 100644
--- a/src/Infrastructure.Dapper/Infrastructure.Dapper.csproj
+++ b/src/Infrastructure.Dapper/Infrastructure.Dapper.csproj
@@ -1,5 +1,10 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
+    <PropertyGroup>
+      <!-- Temp exclusions until warnings are fixed -->
+      <WarningsNotAsErrors>$(WarningsNotAsErrors);CS8618;CS4014</WarningsNotAsErrors>
+    </PropertyGroup>
+
     <ItemGroup>
       <ProjectReference Include="..\Core\Core.csproj" />
     </ItemGroup>
diff --git a/src/Infrastructure.EntityFramework/Infrastructure.EntityFramework.csproj b/src/Infrastructure.EntityFramework/Infrastructure.EntityFramework.csproj
index 972d0eac0e..06ad2dc19a 100644
--- a/src/Infrastructure.EntityFramework/Infrastructure.EntityFramework.csproj
+++ b/src/Infrastructure.EntityFramework/Infrastructure.EntityFramework.csproj
@@ -1,5 +1,10 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
+    <PropertyGroup>
+      <!-- Temp exclusions until warnings are fixed -->
+      <WarningsNotAsErrors>$(WarningsNotAsErrors);CS0108;CS8632</WarningsNotAsErrors>
+    </PropertyGroup>
+
     <ItemGroup>
       <PackageReference Include="AutoMapper.Extensions.Microsoft.DependencyInjection" Version="12.0.1" />
       <PackageReference Include="linq2db" Version="5.4.1" />
diff --git a/test/Api.Test/Api.Test.csproj b/test/Api.Test/Api.Test.csproj
index d6b31ce930..ec22583caf 100644
--- a/test/Api.Test/Api.Test.csproj
+++ b/test/Api.Test/Api.Test.csproj
@@ -2,6 +2,8 @@
 
   <PropertyGroup>
     <IsPackable>false</IsPackable>
+    <!-- Temp exclusions until warnings are fixed -->
+    <WarningsNotAsErrors>$(WarningsNotAsErrors);CS8620;CS0169</WarningsNotAsErrors>
   </PropertyGroup>
 
   <ItemGroup>
diff --git a/test/Core.Test/Core.Test.csproj b/test/Core.Test/Core.Test.csproj
index 4858afe54d..baace97710 100644
--- a/test/Core.Test/Core.Test.csproj
+++ b/test/Core.Test/Core.Test.csproj
@@ -2,6 +2,8 @@
   <PropertyGroup>
     <IsPackable>false</IsPackable>
     <RootNamespace>Bit.Core.Test</RootNamespace>
+    <!-- Temp exclusions until warnings are fixed -->
+    <WarningsNotAsErrors>$(WarningsNotAsErrors);CS4014</WarningsNotAsErrors>
   </PropertyGroup>
   <ItemGroup>
     <PackageReference Include="coverlet.collector" Version="$(CoverletCollectorVersion)">
diff --git a/test/Identity.Test/Identity.Test.csproj b/test/Identity.Test/Identity.Test.csproj
index fc0cf07b63..34010d811b 100644
--- a/test/Identity.Test/Identity.Test.csproj
+++ b/test/Identity.Test/Identity.Test.csproj
@@ -2,6 +2,8 @@
 
   <PropertyGroup>
     <IsPackable>false</IsPackable>
+    <!-- Temp exclusions until warnings are fixed -->
+    <WarningsNotAsErrors>$(WarningsNotAsErrors);CS0672;CS1998</WarningsNotAsErrors>
   </PropertyGroup>
 
   <ItemGroup>

From 02262476d6b13915b5c2313353d048702e4a84a5 Mon Sep 17 00:00:00 2001
From: Brant DeBow <125889545+brant-livefront@users.noreply.github.com>
Date: Tue, 11 Feb 2025 10:20:06 -0500
Subject: [PATCH 266/384] [PM-17562] Add Azure Service Bus for Distributed
 Events (#5382)

* [PM-17562] Add Azure Service Bus for Distributed Events

* Fix failing test

* Addressed issues mentioned in SonarQube

* Respond to PR feedback

* Respond to PR feedback - make webhook opt-in, remove message body from log
---
 dev/docker-compose.yml                        | 15 ++++
 dev/servicebusemulator_config.json            | 38 ++++++++++
 .../Services/EventLoggingListenerService.cs   |  0
 .../AzureServiceBusEventListenerService.cs    | 73 +++++++++++++++++++
 .../AzureServiceBusEventWriteService.cs       | 43 +++++++++++
 .../AzureTableStorageEventHandler.cs          | 14 ++++
 .../RabbitMqEventListenerService.cs           | 18 ++---
 ...EventHandler.cs => WebhookEventHandler.cs} | 12 +--
 src/Core/Settings/GlobalSettings.cs           | 26 ++++++-
 src/Events/Startup.cs                         | 14 ++--
 src/EventsProcessor/Startup.cs                | 33 ++++++++-
 .../Utilities/ServiceCollectionExtensions.cs  | 10 ++-
 ...erTests.cs => WebhookEventHandlerTests.cs} | 18 ++---
 13 files changed, 278 insertions(+), 36 deletions(-)
 create mode 100644 dev/servicebusemulator_config.json
 rename src/Core/{ => AdminConsole}/Services/EventLoggingListenerService.cs (100%)
 create mode 100644 src/Core/AdminConsole/Services/Implementations/AzureServiceBusEventListenerService.cs
 create mode 100644 src/Core/AdminConsole/Services/Implementations/AzureServiceBusEventWriteService.cs
 create mode 100644 src/Core/AdminConsole/Services/Implementations/AzureTableStorageEventHandler.cs
 rename src/Core/{ => AdminConsole}/Services/Implementations/RabbitMqEventListenerService.cs (88%)
 rename src/Core/AdminConsole/Services/Implementations/{HttpPostEventHandler.cs => WebhookEventHandler.cs} (59%)
 rename test/Core.Test/AdminConsole/Services/{HttpPostEventHandlerTests.cs => WebhookEventHandlerTests.cs} (74%)

diff --git a/dev/docker-compose.yml b/dev/docker-compose.yml
index d23eaefbb0..1bfbe0a9d7 100644
--- a/dev/docker-compose.yml
+++ b/dev/docker-compose.yml
@@ -109,6 +109,21 @@ services:
     profiles:
       - proxy
 
+  service-bus:
+    container_name: service-bus
+    image: mcr.microsoft.com/azure-messaging/servicebus-emulator:latest
+    pull_policy: always
+    volumes:
+      - "./servicebusemulator_config.json:/ServiceBus_Emulator/ConfigFiles/Config.json"
+    ports:
+      - "5672:5672"
+    environment:
+      SQL_SERVER: mssql
+      MSSQL_SA_PASSWORD: "${MSSQL_PASSWORD}"
+      ACCEPT_EULA: "Y"
+    profiles:
+      - servicebus
+
 volumes:
   mssql_dev_data:
   postgres_dev_data:
diff --git a/dev/servicebusemulator_config.json b/dev/servicebusemulator_config.json
new file mode 100644
index 0000000000..f0e4279b06
--- /dev/null
+++ b/dev/servicebusemulator_config.json
@@ -0,0 +1,38 @@
+{
+  "UserConfig": {
+    "Namespaces": [
+      {
+        "Name": "sbemulatorns",
+        "Queues": [
+          {
+            "Name": "queue.1",
+            "Properties": {
+              "DeadLetteringOnMessageExpiration": false,
+              "DefaultMessageTimeToLive": "PT1H",
+              "DuplicateDetectionHistoryTimeWindow": "PT20S",
+              "ForwardDeadLetteredMessagesTo": "",
+              "ForwardTo": "",
+              "LockDuration": "PT1M",
+              "MaxDeliveryCount": 3,
+              "RequiresDuplicateDetection": false,
+              "RequiresSession": false
+            }
+          }
+        ],
+        "Topics": [
+          {
+            "Name": "event-logging",
+            "Subscriptions": [
+              {
+                "Name": "events-write-subscription"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "Logging": {
+      "Type": "File"
+    }
+  }
+}
diff --git a/src/Core/Services/EventLoggingListenerService.cs b/src/Core/AdminConsole/Services/EventLoggingListenerService.cs
similarity index 100%
rename from src/Core/Services/EventLoggingListenerService.cs
rename to src/Core/AdminConsole/Services/EventLoggingListenerService.cs
diff --git a/src/Core/AdminConsole/Services/Implementations/AzureServiceBusEventListenerService.cs b/src/Core/AdminConsole/Services/Implementations/AzureServiceBusEventListenerService.cs
new file mode 100644
index 0000000000..5c329ce8ad
--- /dev/null
+++ b/src/Core/AdminConsole/Services/Implementations/AzureServiceBusEventListenerService.cs
@@ -0,0 +1,73 @@
+using System.Text.Json;
+using Azure.Messaging.ServiceBus;
+using Bit.Core.Models.Data;
+using Bit.Core.Settings;
+using Microsoft.Extensions.Logging;
+
+namespace Bit.Core.Services;
+
+public class AzureServiceBusEventListenerService : EventLoggingListenerService
+{
+    private readonly ILogger<AzureServiceBusEventListenerService> _logger;
+    private readonly ServiceBusClient _client;
+    private readonly ServiceBusProcessor _processor;
+
+    public AzureServiceBusEventListenerService(
+        IEventMessageHandler handler,
+        ILogger<AzureServiceBusEventListenerService> logger,
+        GlobalSettings globalSettings,
+        string subscriptionName) : base(handler)
+    {
+        _client = new ServiceBusClient(globalSettings.EventLogging.AzureServiceBus.ConnectionString);
+        _processor = _client.CreateProcessor(globalSettings.EventLogging.AzureServiceBus.TopicName, subscriptionName, new ServiceBusProcessorOptions());
+        _logger = logger;
+    }
+
+    protected override async Task ExecuteAsync(CancellationToken cancellationToken)
+    {
+        _processor.ProcessMessageAsync += async args =>
+        {
+            try
+            {
+                var eventMessage = JsonSerializer.Deserialize<EventMessage>(args.Message.Body.ToString());
+
+                await _handler.HandleEventAsync(eventMessage);
+                await args.CompleteMessageAsync(args.Message);
+            }
+            catch (Exception exception)
+            {
+                _logger.LogError(
+                    exception,
+                    "An error occured while processing message: {MessageId}",
+                    args.Message.MessageId
+                );
+            }
+        };
+
+        _processor.ProcessErrorAsync += args =>
+        {
+            _logger.LogError(
+                args.Exception,
+                "An error occurred. Entity Path: {EntityPath}, Error Source: {ErrorSource}",
+                args.EntityPath,
+                args.ErrorSource
+            );
+            return Task.CompletedTask;
+        };
+
+        await _processor.StartProcessingAsync(cancellationToken);
+    }
+
+    public override async Task StopAsync(CancellationToken cancellationToken)
+    {
+        await _processor.StopProcessingAsync(cancellationToken);
+        await base.StopAsync(cancellationToken);
+    }
+
+    public override void Dispose()
+    {
+        _processor.DisposeAsync().GetAwaiter().GetResult();
+        _client.DisposeAsync().GetAwaiter().GetResult();
+        base.Dispose();
+    }
+}
diff --git a/src/Core/AdminConsole/Services/Implementations/AzureServiceBusEventWriteService.cs b/src/Core/AdminConsole/Services/Implementations/AzureServiceBusEventWriteService.cs
new file mode 100644
index 0000000000..ed8f45ed55
--- /dev/null
+++ b/src/Core/AdminConsole/Services/Implementations/AzureServiceBusEventWriteService.cs
@@ -0,0 +1,43 @@
+using System.Text.Json;
+using Azure.Messaging.ServiceBus;
+using Bit.Core.Models.Data;
+using Bit.Core.Services;
+using Bit.Core.Settings;
+
+namespace Bit.Core.AdminConsole.Services.Implementations;
+
+public class AzureServiceBusEventWriteService : IEventWriteService, IAsyncDisposable
+{
+    private readonly ServiceBusClient _client;
+    private readonly ServiceBusSender _sender;
+
+    public AzureServiceBusEventWriteService(GlobalSettings globalSettings)
+    {
+        _client = new ServiceBusClient(globalSettings.EventLogging.AzureServiceBus.ConnectionString);
+        _sender = _client.CreateSender(globalSettings.EventLogging.AzureServiceBus.TopicName);
+    }
+
+    public async Task CreateAsync(IEvent e)
+    {
+        var message = new ServiceBusMessage(JsonSerializer.SerializeToUtf8Bytes(e))
+        {
+            ContentType = "application/json"
+        };
+
+        await _sender.SendMessageAsync(message);
+    }
+
+    public async Task CreateManyAsync(IEnumerable<IEvent> events)
+    {
+        foreach (var e in events)
+        {
+            await CreateAsync(e);
+        }
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        await _sender.DisposeAsync();
+        await _client.DisposeAsync();
+    }
+}
diff --git a/src/Core/AdminConsole/Services/Implementations/AzureTableStorageEventHandler.cs b/src/Core/AdminConsole/Services/Implementations/AzureTableStorageEventHandler.cs
new file mode 100644
index 0000000000..2612ba0487
--- /dev/null
+++ b/src/Core/AdminConsole/Services/Implementations/AzureTableStorageEventHandler.cs
@@ -0,0 +1,14 @@
+using Bit.Core.Models.Data;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Core.Services;
+
+public class AzureTableStorageEventHandler(
+    [FromKeyedServices("persistent")] IEventWriteService eventWriteService)
+    : IEventMessageHandler
+{
+    public Task HandleEventAsync(EventMessage eventMessage)
+    {
+        return eventWriteService.CreateManyAsync(EventTableEntity.IndexEvent(eventMessage));
+    }
+}
diff --git a/src/Core/Services/Implementations/RabbitMqEventListenerService.cs b/src/Core/AdminConsole/Services/Implementations/RabbitMqEventListenerService.cs
similarity index 88%
rename from src/Core/Services/Implementations/RabbitMqEventListenerService.cs
rename to src/Core/AdminConsole/Services/Implementations/RabbitMqEventListenerService.cs
index 9360170368..c302497142 100644
--- a/src/Core/Services/Implementations/RabbitMqEventListenerService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/RabbitMqEventListenerService.cs
@@ -38,7 +38,10 @@ public class RabbitMqEventListenerService : EventLoggingListenerService
         _connection = await _factory.CreateConnectionAsync(cancellationToken);
         _channel = await _connection.CreateChannelAsync(cancellationToken: cancellationToken);
 
-        await _channel.ExchangeDeclareAsync(exchange: _exchangeName, type: ExchangeType.Fanout, durable: true);
+        await _channel.ExchangeDeclareAsync(exchange: _exchangeName,
+                                            type: ExchangeType.Fanout,
+                                            durable: true,
+                                            cancellationToken: cancellationToken);
         await _channel.QueueDeclareAsync(queue: _queueName,
                                          durable: true,
                                          exclusive: false,
@@ -52,7 +55,7 @@ public class RabbitMqEventListenerService : EventLoggingListenerService
         await base.StartAsync(cancellationToken);
     }
 
-    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+    protected override async Task ExecuteAsync(CancellationToken cancellationToken)
     {
         var consumer = new AsyncEventingBasicConsumer(_channel);
         consumer.ReceivedAsync += async (_, eventArgs) =>
@@ -68,18 +71,13 @@ public class RabbitMqEventListenerService : EventLoggingListenerService
             }
         };
 
-        await _channel.BasicConsumeAsync(_queueName, autoAck: true, consumer: consumer, cancellationToken: stoppingToken);
-
-        while (!stoppingToken.IsCancellationRequested)
-        {
-            await Task.Delay(1_000, stoppingToken);
-        }
+        await _channel.BasicConsumeAsync(_queueName, autoAck: true, consumer: consumer, cancellationToken: cancellationToken);
     }
 
     public override async Task StopAsync(CancellationToken cancellationToken)
     {
-        await _channel.CloseAsync();
-        await _connection.CloseAsync();
+        await _channel.CloseAsync(cancellationToken);
+        await _connection.CloseAsync(cancellationToken);
         await base.StopAsync(cancellationToken);
     }
 
diff --git a/src/Core/AdminConsole/Services/Implementations/HttpPostEventHandler.cs b/src/Core/AdminConsole/Services/Implementations/WebhookEventHandler.cs
similarity index 59%
rename from src/Core/AdminConsole/Services/Implementations/HttpPostEventHandler.cs
rename to src/Core/AdminConsole/Services/Implementations/WebhookEventHandler.cs
index 8aece0c1da..60abc198d8 100644
--- a/src/Core/AdminConsole/Services/Implementations/HttpPostEventHandler.cs
+++ b/src/Core/AdminConsole/Services/Implementations/WebhookEventHandler.cs
@@ -4,25 +4,25 @@ using Bit.Core.Settings;
 
 namespace Bit.Core.Services;
 
-public class HttpPostEventHandler : IEventMessageHandler
+public class WebhookEventHandler : IEventMessageHandler
 {
     private readonly HttpClient _httpClient;
-    private readonly string _httpPostUrl;
+    private readonly string _webhookUrl;
 
-    public const string HttpClientName = "HttpPostEventHandlerHttpClient";
+    public const string HttpClientName = "WebhookEventHandlerHttpClient";
 
-    public HttpPostEventHandler(
+    public WebhookEventHandler(
         IHttpClientFactory httpClientFactory,
         GlobalSettings globalSettings)
     {
         _httpClient = httpClientFactory.CreateClient(HttpClientName);
-        _httpPostUrl = globalSettings.EventLogging.RabbitMq.HttpPostUrl;
+        _webhookUrl = globalSettings.EventLogging.WebhookUrl;
     }
 
     public async Task HandleEventAsync(EventMessage eventMessage)
     {
         var content = JsonContent.Create(eventMessage);
-        var response = await _httpClient.PostAsync(_httpPostUrl, content);
+        var response = await _httpClient.PostAsync(_webhookUrl, content);
         response.EnsureSuccessStatusCode();
     }
 }
diff --git a/src/Core/Settings/GlobalSettings.cs b/src/Core/Settings/GlobalSettings.cs
index a63a36c1c0..a1c7a4fac6 100644
--- a/src/Core/Settings/GlobalSettings.cs
+++ b/src/Core/Settings/GlobalSettings.cs
@@ -260,8 +260,31 @@ public class GlobalSettings : IGlobalSettings
 
     public class EventLoggingSettings
     {
+        public AzureServiceBusSettings AzureServiceBus { get; set; } = new AzureServiceBusSettings();
+        public virtual string WebhookUrl { get; set; }
         public RabbitMqSettings RabbitMq { get; set; } = new RabbitMqSettings();
 
+        public class AzureServiceBusSettings
+        {
+            private string _connectionString;
+            private string _topicName;
+
+            public virtual string EventRepositorySubscriptionName { get; set; } = "events-write-subscription";
+            public virtual string WebhookSubscriptionName { get; set; } = "events-webhook-subscription";
+
+            public string ConnectionString
+            {
+                get => _connectionString;
+                set => _connectionString = value.Trim('"');
+            }
+
+            public string TopicName
+            {
+                get => _topicName;
+                set => _topicName = value.Trim('"');
+            }
+        }
+
         public class RabbitMqSettings
         {
             private string _hostName;
@@ -270,8 +293,7 @@ public class GlobalSettings : IGlobalSettings
             private string _exchangeName;
 
             public virtual string EventRepositoryQueueName { get; set; } = "events-write-queue";
-            public virtual string HttpPostQueueName { get; set; } = "events-httpPost-queue";
-            public virtual string HttpPostUrl { get; set; }
+            public virtual string WebhookQueueName { get; set; } = "events-webhook-queue";
 
             public string HostName
             {
diff --git a/src/Events/Startup.cs b/src/Events/Startup.cs
index b692733a55..431f449708 100644
--- a/src/Events/Startup.cs
+++ b/src/Events/Startup.cs
@@ -95,20 +95,20 @@ public class Startup
                 new RabbitMqEventListenerService(
                     provider.GetRequiredService<EventRepositoryHandler>(),
                     provider.GetRequiredService<ILogger<RabbitMqEventListenerService>>(),
-                    provider.GetRequiredService<GlobalSettings>(),
+                    globalSettings,
                     globalSettings.EventLogging.RabbitMq.EventRepositoryQueueName));
 
-            if (CoreHelpers.SettingHasValue(globalSettings.EventLogging.RabbitMq.HttpPostUrl))
+            if (CoreHelpers.SettingHasValue(globalSettings.EventLogging.WebhookUrl))
             {
-                services.AddSingleton<HttpPostEventHandler>();
-                services.AddHttpClient(HttpPostEventHandler.HttpClientName);
+                services.AddSingleton<WebhookEventHandler>();
+                services.AddHttpClient(WebhookEventHandler.HttpClientName);
 
                 services.AddSingleton<IHostedService>(provider =>
                     new RabbitMqEventListenerService(
-                        provider.GetRequiredService<HttpPostEventHandler>(),
+                        provider.GetRequiredService<WebhookEventHandler>(),
                         provider.GetRequiredService<ILogger<RabbitMqEventListenerService>>(),
-                        provider.GetRequiredService<GlobalSettings>(),
-                        globalSettings.EventLogging.RabbitMq.HttpPostQueueName));
+                        globalSettings,
+                        globalSettings.EventLogging.RabbitMq.WebhookQueueName));
             }
         }
     }
diff --git a/src/EventsProcessor/Startup.cs b/src/EventsProcessor/Startup.cs
index 2f64c0f926..65d1d36e24 100644
--- a/src/EventsProcessor/Startup.cs
+++ b/src/EventsProcessor/Startup.cs
@@ -1,8 +1,11 @@
 using System.Globalization;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
 using Bit.SharedWeb.Utilities;
 using Microsoft.IdentityModel.Logging;
+using TableStorageRepos = Bit.Core.Repositories.TableStorage;
 
 namespace Bit.EventsProcessor;
 
@@ -24,9 +27,37 @@ public class Startup
         services.AddOptions();
 
         // Settings
-        services.AddGlobalSettingsServices(Configuration, Environment);
+        var globalSettings = services.AddGlobalSettingsServices(Configuration, Environment);
 
         // Hosted Services
+
+        // Optional Azure Service Bus Listeners
+        if (CoreHelpers.SettingHasValue(globalSettings.EventLogging.AzureServiceBus.ConnectionString) &&
+            CoreHelpers.SettingHasValue(globalSettings.EventLogging.AzureServiceBus.TopicName))
+        {
+            services.AddSingleton<IEventRepository, TableStorageRepos.EventRepository>();
+            services.AddSingleton<AzureTableStorageEventHandler>();
+            services.AddKeyedSingleton<IEventWriteService, RepositoryEventWriteService>("persistent");
+            services.AddSingleton<IHostedService>(provider =>
+                new AzureServiceBusEventListenerService(
+                    provider.GetRequiredService<AzureTableStorageEventHandler>(),
+                    provider.GetRequiredService<ILogger<AzureServiceBusEventListenerService>>(),
+                    globalSettings,
+                    globalSettings.EventLogging.AzureServiceBus.EventRepositorySubscriptionName));
+
+            if (CoreHelpers.SettingHasValue(globalSettings.EventLogging.WebhookUrl))
+            {
+                services.AddSingleton<WebhookEventHandler>();
+                services.AddHttpClient(WebhookEventHandler.HttpClientName);
+
+                services.AddSingleton<IHostedService>(provider =>
+                    new AzureServiceBusEventListenerService(
+                        provider.GetRequiredService<WebhookEventHandler>(),
+                        provider.GetRequiredService<ILogger<AzureServiceBusEventListenerService>>(),
+                        globalSettings,
+                        globalSettings.EventLogging.AzureServiceBus.WebhookSubscriptionName));
+            }
+        }
         services.AddHostedService<AzureQueueHostedService>();
     }
 
diff --git a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
index 622b3d7f39..192871bffc 100644
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@@ -321,7 +321,15 @@ public static class ServiceCollectionExtensions
 
         if (!globalSettings.SelfHosted && CoreHelpers.SettingHasValue(globalSettings.Events.ConnectionString))
         {
-            services.AddSingleton<IEventWriteService, AzureQueueEventWriteService>();
+            if (CoreHelpers.SettingHasValue(globalSettings.EventLogging.AzureServiceBus.ConnectionString) &&
+                CoreHelpers.SettingHasValue(globalSettings.EventLogging.AzureServiceBus.TopicName))
+            {
+                services.AddSingleton<IEventWriteService, AzureServiceBusEventWriteService>();
+            }
+            else
+            {
+                services.AddSingleton<IEventWriteService, AzureQueueEventWriteService>();
+            }
         }
         else if (globalSettings.SelfHosted)
         {
diff --git a/test/Core.Test/AdminConsole/Services/HttpPostEventHandlerTests.cs b/test/Core.Test/AdminConsole/Services/WebhookEventHandlerTests.cs
similarity index 74%
rename from test/Core.Test/AdminConsole/Services/HttpPostEventHandlerTests.cs
rename to test/Core.Test/AdminConsole/Services/WebhookEventHandlerTests.cs
index 414b1c54be..eab0be88a1 100644
--- a/test/Core.Test/AdminConsole/Services/HttpPostEventHandlerTests.cs
+++ b/test/Core.Test/AdminConsole/Services/WebhookEventHandlerTests.cs
@@ -13,14 +13,14 @@ using GlobalSettings = Bit.Core.Settings.GlobalSettings;
 namespace Bit.Core.Test.Services;
 
 [SutProviderCustomize]
-public class HttpPostEventHandlerTests
+public class WebhookEventHandlerTests
 {
     private readonly MockedHttpMessageHandler _handler;
     private HttpClient _httpClient;
 
-    private const string _httpPostUrl = "http://localhost/test/event";
+    private const string _webhookUrl = "http://localhost/test/event";
 
-    public HttpPostEventHandlerTests()
+    public WebhookEventHandlerTests()
     {
         _handler = new MockedHttpMessageHandler();
         _handler.Fallback
@@ -29,15 +29,15 @@ public class HttpPostEventHandlerTests
         _httpClient = _handler.ToHttpClient();
     }
 
-    public SutProvider<HttpPostEventHandler> GetSutProvider()
+    public SutProvider<WebhookEventHandler> GetSutProvider()
     {
         var clientFactory = Substitute.For<IHttpClientFactory>();
-        clientFactory.CreateClient(HttpPostEventHandler.HttpClientName).Returns(_httpClient);
+        clientFactory.CreateClient(WebhookEventHandler.HttpClientName).Returns(_httpClient);
 
         var globalSettings = new GlobalSettings();
-        globalSettings.EventLogging.RabbitMq.HttpPostUrl = _httpPostUrl;
+        globalSettings.EventLogging.WebhookUrl = _webhookUrl;
 
-        return new SutProvider<HttpPostEventHandler>()
+        return new SutProvider<WebhookEventHandler>()
             .SetDependency(globalSettings)
             .SetDependency(clientFactory)
             .Create();
@@ -51,7 +51,7 @@ public class HttpPostEventHandlerTests
 
         await sutProvider.Sut.HandleEventAsync(eventMessage);
         sutProvider.GetDependency<IHttpClientFactory>().Received(1).CreateClient(
-            Arg.Is(AssertHelper.AssertPropertyEqual<string>(HttpPostEventHandler.HttpClientName))
+            Arg.Is(AssertHelper.AssertPropertyEqual<string>(WebhookEventHandler.HttpClientName))
         );
 
         Assert.Single(_handler.CapturedRequests);
@@ -60,7 +60,7 @@ public class HttpPostEventHandlerTests
         var returned = await request.Content.ReadFromJsonAsync<EventMessage>();
 
         Assert.Equal(HttpMethod.Post, request.Method);
-        Assert.Equal(_httpPostUrl, request.RequestUri.ToString());
+        Assert.Equal(_webhookUrl, request.RequestUri.ToString());
         AssertHelper.AssertPropertyEqual(eventMessage, returned, new[] { "IdempotencyId" });
     }
 }

From 9c0f9cf43dcc795d3ea9fe7d70386dcab7ca0af5 Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Wed, 12 Feb 2025 09:00:52 -0500
Subject: [PATCH 267/384] [PM-18221] Update credited user's billing location
 when purchasing premium subscription (#5393)

* Moved user crediting to PremiumUserBillingService

* Fix tests
---
 src/Billing/Controllers/BitPayController.cs   | 11 +--
 src/Billing/Controllers/PayPalController.cs   | 11 ++-
 .../Services/IPremiumUserBillingService.cs    |  2 +
 .../PremiumUserBillingService.cs              | 82 +++++++++++++++++++
 .../Controllers/PayPalControllerTests.cs      | 11 ++-
 5 files changed, 102 insertions(+), 15 deletions(-)

diff --git a/src/Billing/Controllers/BitPayController.cs b/src/Billing/Controllers/BitPayController.cs
index 4caf57aa20..3747631bd0 100644
--- a/src/Billing/Controllers/BitPayController.cs
+++ b/src/Billing/Controllers/BitPayController.cs
@@ -1,6 +1,7 @@
 using System.Globalization;
 using Bit.Billing.Models;
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Billing.Services;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Repositories;
@@ -25,6 +26,7 @@ public class BitPayController : Controller
     private readonly IMailService _mailService;
     private readonly IPaymentService _paymentService;
     private readonly ILogger<BitPayController> _logger;
+    private readonly IPremiumUserBillingService _premiumUserBillingService;
 
     public BitPayController(
         IOptions<BillingSettings> billingSettings,
@@ -35,7 +37,8 @@ public class BitPayController : Controller
         IProviderRepository providerRepository,
         IMailService mailService,
         IPaymentService paymentService,
-        ILogger<BitPayController> logger)
+        ILogger<BitPayController> logger,
+        IPremiumUserBillingService premiumUserBillingService)
     {
         _billingSettings = billingSettings?.Value;
         _bitPayClient = bitPayClient;
@@ -46,6 +49,7 @@ public class BitPayController : Controller
         _mailService = mailService;
         _paymentService = paymentService;
         _logger = logger;
+        _premiumUserBillingService = premiumUserBillingService;
     }
 
     [HttpPost("ipn")]
@@ -145,10 +149,7 @@ public class BitPayController : Controller
                 if (user != null)
                 {
                     billingEmail = user.BillingEmailAddress();
-                    if (await _paymentService.CreditAccountAsync(user, tx.Amount))
-                    {
-                        await _userRepository.ReplaceAsync(user);
-                    }
+                    await _premiumUserBillingService.Credit(user, tx.Amount);
                 }
             }
             else if (tx.ProviderId.HasValue)
diff --git a/src/Billing/Controllers/PayPalController.cs b/src/Billing/Controllers/PayPalController.cs
index 2fc8aab4f2..2afde80601 100644
--- a/src/Billing/Controllers/PayPalController.cs
+++ b/src/Billing/Controllers/PayPalController.cs
@@ -1,6 +1,7 @@
 using System.Text;
 using Bit.Billing.Models;
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Billing.Services;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Repositories;
@@ -23,6 +24,7 @@ public class PayPalController : Controller
     private readonly ITransactionRepository _transactionRepository;
     private readonly IUserRepository _userRepository;
     private readonly IProviderRepository _providerRepository;
+    private readonly IPremiumUserBillingService _premiumUserBillingService;
 
     public PayPalController(
         IOptions<BillingSettings> billingSettings,
@@ -32,7 +34,8 @@ public class PayPalController : Controller
         IPaymentService paymentService,
         ITransactionRepository transactionRepository,
         IUserRepository userRepository,
-        IProviderRepository providerRepository)
+        IProviderRepository providerRepository,
+        IPremiumUserBillingService premiumUserBillingService)
     {
         _billingSettings = billingSettings?.Value;
         _logger = logger;
@@ -42,6 +45,7 @@ public class PayPalController : Controller
         _transactionRepository = transactionRepository;
         _userRepository = userRepository;
         _providerRepository = providerRepository;
+        _premiumUserBillingService = premiumUserBillingService;
     }
 
     [HttpPost("ipn")]
@@ -257,10 +261,9 @@ public class PayPalController : Controller
         {
             var user = await _userRepository.GetByIdAsync(transaction.UserId.Value);
 
-            if (await _paymentService.CreditAccountAsync(user, transaction.Amount))
+            if (user != null)
             {
-                await _userRepository.ReplaceAsync(user);
-
+                await _premiumUserBillingService.Credit(user, transaction.Amount);
                 billingEmail = user.BillingEmailAddress();
             }
         }
diff --git a/src/Core/Billing/Services/IPremiumUserBillingService.cs b/src/Core/Billing/Services/IPremiumUserBillingService.cs
index 2161b247b9..b3bb580e2d 100644
--- a/src/Core/Billing/Services/IPremiumUserBillingService.cs
+++ b/src/Core/Billing/Services/IPremiumUserBillingService.cs
@@ -6,6 +6,8 @@ namespace Bit.Core.Billing.Services;
 
 public interface IPremiumUserBillingService
 {
+    Task Credit(User user, decimal amount);
+
     /// <summary>
     /// <para>Establishes the Stripe entities necessary for a Bitwarden <see cref="User"/> using the provided <paramref name="sale"/>.</para>
     /// <para>
diff --git a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
index ed841c9576..6f571950f5 100644
--- a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
@@ -27,6 +27,57 @@ public class PremiumUserBillingService(
     ISubscriberService subscriberService,
     IUserRepository userRepository) : IPremiumUserBillingService
 {
+    public async Task Credit(User user, decimal amount)
+    {
+        var customer = await subscriberService.GetCustomer(user);
+
+        // Negative credit represents a balance and all Stripe denomination is in cents.
+        var credit = (long)amount * -100;
+
+        if (customer == null)
+        {
+            var options = new CustomerCreateOptions
+            {
+                Balance = credit,
+                Description = user.Name,
+                Email = user.Email,
+                InvoiceSettings = new CustomerInvoiceSettingsOptions
+                {
+                    CustomFields =
+                    [
+                        new CustomerInvoiceSettingsCustomFieldOptions
+                        {
+                            Name = user.SubscriberType(),
+                            Value = user.SubscriberName().Length <= 30
+                                ? user.SubscriberName()
+                                : user.SubscriberName()[..30]
+                        }
+                    ]
+                },
+                Metadata = new Dictionary<string, string>
+                {
+                    ["region"] = globalSettings.BaseServiceUri.CloudRegion,
+                    ["userId"] = user.Id.ToString()
+                }
+            };
+
+            customer = await stripeAdapter.CustomerCreateAsync(options);
+
+            user.Gateway = GatewayType.Stripe;
+            user.GatewayCustomerId = customer.Id;
+            await userRepository.ReplaceAsync(user);
+        }
+        else
+        {
+            var options = new CustomerUpdateOptions
+            {
+                Balance = customer.Balance + credit
+            };
+
+            await stripeAdapter.CustomerUpdateAsync(customer.Id, options);
+        }
+    }
+
     public async Task Finalize(PremiumUserSale sale)
     {
         var (user, customerSetup, storage) = sale;
@@ -37,6 +88,37 @@ public class PremiumUserBillingService(
             ? await CreateCustomerAsync(user, customerSetup)
             : await subscriberService.GetCustomerOrThrow(user, new CustomerGetOptions { Expand = expand });
 
+        /*
+         * If the customer was previously set up with credit, which does not require a billing location,
+         * we need to update the customer on the fly before we start the subscription.
+         */
+        if (customerSetup is
+            {
+                TokenizedPaymentSource.Type: PaymentMethodType.Credit,
+                TaxInformation: { Country: not null and not "", PostalCode: not null and not "" }
+            })
+        {
+            var options = new CustomerUpdateOptions
+            {
+                Address = new AddressOptions
+                {
+                    Line1 = customerSetup.TaxInformation.Line1,
+                    Line2 = customerSetup.TaxInformation.Line2,
+                    City = customerSetup.TaxInformation.City,
+                    PostalCode = customerSetup.TaxInformation.PostalCode,
+                    State = customerSetup.TaxInformation.State,
+                    Country = customerSetup.TaxInformation.Country,
+                },
+                Expand = ["tax"],
+                Tax = new CustomerTaxOptions
+                {
+                    ValidateLocation = StripeConstants.ValidateTaxLocationTiming.Immediately
+                }
+            };
+
+            customer = await stripeAdapter.CustomerUpdateAsync(customer.Id, options);
+        }
+
         var subscription = await CreateSubscriptionAsync(user.Id, customer, storage);
 
         switch (customerSetup.TokenizedPaymentSource)
diff --git a/test/Billing.Test/Controllers/PayPalControllerTests.cs b/test/Billing.Test/Controllers/PayPalControllerTests.cs
index a059207c76..7ec17bd85a 100644
--- a/test/Billing.Test/Controllers/PayPalControllerTests.cs
+++ b/test/Billing.Test/Controllers/PayPalControllerTests.cs
@@ -3,6 +3,7 @@ using Bit.Billing.Controllers;
 using Bit.Billing.Test.Utilities;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Billing.Services;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Repositories;
@@ -33,6 +34,7 @@ public class PayPalControllerTests
     private readonly ITransactionRepository _transactionRepository = Substitute.For<ITransactionRepository>();
     private readonly IUserRepository _userRepository = Substitute.For<IUserRepository>();
     private readonly IProviderRepository _providerRepository = Substitute.For<IProviderRepository>();
+    private readonly IPremiumUserBillingService _premiumUserBillingService = Substitute.For<IPremiumUserBillingService>();
 
     private const string _defaultWebhookKey = "webhook-key";
 
@@ -385,8 +387,6 @@ public class PayPalControllerTests
 
         _userRepository.GetByIdAsync(userId).Returns(user);
 
-        _paymentService.CreditAccountAsync(user, 48M).Returns(true);
-
         var controller = ConfigureControllerContextWith(logger, _defaultWebhookKey, ipnBody);
 
         var result = await controller.PostIpn();
@@ -398,9 +398,7 @@ public class PayPalControllerTests
             transaction.UserId == userId &&
             transaction.Amount == 48M));
 
-        await _paymentService.Received(1).CreditAccountAsync(user, 48M);
-
-        await _userRepository.Received(1).ReplaceAsync(user);
+        await _premiumUserBillingService.Received(1).Credit(user, 48M);
 
         await _mailService.Received(1).SendAddedCreditAsync(billingEmail, 48M);
     }
@@ -544,7 +542,8 @@ public class PayPalControllerTests
             _paymentService,
             _transactionRepository,
             _userRepository,
-            _providerRepository);
+            _providerRepository,
+            _premiumUserBillingService);
 
         var httpContext = new DefaultHttpContext();
 

From 9f5134e070bbcc0e945874f5d7e852a481a91d88 Mon Sep 17 00:00:00 2001
From: Patrick Honkonen <1883101+SaintPatrck@users.noreply.github.com>
Date: Wed, 12 Feb 2025 10:21:12 -0500
Subject: [PATCH 268/384] [PM-3503] Feature flag: Mobile AnonAddy self host
 alias generation (#5387)

---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index e41cf62024..a025bbb142 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -174,6 +174,7 @@ public static class FeatureFlagKeys
     public const string EnablePMAuthenticatorSync = "enable-pm-bwa-sync";
     public const string P15179_AddExistingOrgsFromProviderPortal = "pm-15179-add-existing-orgs-from-provider-portal";
     public const string AndroidMutualTls = "mutual-tls";
+    public const string PM3503_MobileAnonAddySelfHostAlias = "anon-addy-self-host-alias";
 
     public static List<string> GetAllKeys()
     {

From ae9bb427a16ff2ff5d1ba3b62101ad7e55bec02e Mon Sep 17 00:00:00 2001
From: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
Date: Wed, 12 Feb 2025 16:46:30 +0100
Subject: [PATCH 269/384] [PM-10600] Push notification creation to affected
 clients (#4923)

* PM-10600: Notification push notification

* PM-10600: Sending to specific client types for relay push notifications

* PM-10600: Sending to specific client types for other clients

* PM-10600: Send push notification on notification creation

* PM-10600: Explicit group names

* PM-10600: Id typos

* PM-10600: Revert global push notifications

* PM-10600: Added DeviceType claim

* PM-10600: Sent to organization typo

* PM-10600: UT coverage

* PM-10600: Small refactor, UTs coverage

* PM-10600: UTs coverage

* PM-10600: Startup fix

* PM-10600: Test fix

* PM-10600: Required attribute, organization group for push notification fix

* PM-10600: UT coverage

* PM-10600: Fix Mobile devices not registering to organization push notifications

We only register devices for organization push notifications when the organization is being created. This does not work, since we have a use case (Notification Center) of delivering notifications to all users of organization. This fixes it, by adding the organization id tag when device registers for push notifications.

* PM-10600: Unit Test coverage for NotificationHubPushRegistrationService

Fixed IFeatureService substitute mocking for Android tests.
Added user part of organization test with organizationId tags expectation.

* PM-10600: Unit Tests fix to NotificationHubPushRegistrationService after merge conflict

* PM-10600: Organization push notifications not sending to mobile device from self-hosted.

Self-hosted instance uses relay to register the mobile device against Bitwarden Cloud Api. Only the self-hosted server knows client's organization membership, which means it needs to pass in the organization id's information to the relay. Similarly, for Bitwarden Cloud, the organizaton id will come directly from the server.

* PM-10600: Fix self-hosted organization notification not being received by mobile device.

When mobile device registers on self-hosted through the relay, every single id, like user id, device id and now organization id needs to be prefixed with the installation id. This have been missing in the PushController that handles this for organization id.

* PM-10600: Broken NotificationsController integration test

Device type is now part of JWT access token, so the notification center results in the integration test are now scoped to client type web and all.

* PM-10600: Merge conflicts fix

* merge conflict fix
---
 .../Push/Controllers/PushController.cs        |   6 +-
 src/Core/Context/CurrentContext.cs            |   5 +
 src/Core/Enums/PushType.cs                    |   2 +
 src/Core/Identity/Claims.cs                   |   1 +
 .../Request/PushRegistrationRequestModel.cs   |   1 +
 .../Api/Request/PushSendRequestModel.cs       |  18 +-
 src/Core/Models/PushNotification.cs           |   9 +
 .../Commands/CreateNotificationCommand.cs     |  12 +-
 .../NotificationHub/INotificationHubPool.cs   |   2 +-
 .../NotificationHub/NotificationHubPool.cs    |   2 +-
 .../NotificationHubPushNotificationService.cs |  74 +++--
 .../NotificationHubPushRegistrationService.cs |  49 +--
 .../AzureQueuePushNotificationService.cs      |  43 +--
 .../Push/Services/IPushNotificationService.cs |   9 +-
 .../Push/Services/IPushRegistrationService.cs |   2 +-
 .../MultiServicePushNotificationService.cs    |  35 +-
 .../Services/NoopPushNotificationService.cs   |   7 +-
 .../Services/NoopPushRegistrationService.cs   |   2 +-
 ...NotificationsApiPushNotificationService.cs |  23 +-
 .../Services/RelayPushNotificationService.cs  | 137 ++++----
 .../Services/RelayPushRegistrationService.cs  |   5 +-
 .../Services/Implementations/DeviceService.cs |  13 +-
 src/Identity/IdentityServer/ApiResources.cs   |   1 +
 .../RequestValidators/BaseRequestValidator.cs |   1 +
 src/Notifications/HubHelpers.cs               |  54 +++-
 src/Notifications/NotificationsHub.cs         |  43 ++-
 .../Utilities/ServiceCollectionExtensions.cs  |   6 +-
 .../NotificationsControllerTests.cs           |  25 +-
 .../AutoFixture/QueueClientFixtures.cs        |  35 ++
 .../Api/Request/PushSendRequestModelTests.cs  |  94 ++++++
 .../Commands/CreateNotificationCommandTest.cs |   4 +
 ...ficationHubPushNotificationServiceTests.cs | 248 ++++++++++++--
 ...ficationHubPushRegistrationServiceTests.cs | 306 ++++++++++++++++--
 .../AzureQueuePushNotificationServiceTests.cs |  69 ++--
 ...ultiServicePushNotificationServiceTests.cs |  76 +++--
 test/Core.Test/Services/DeviceServiceTests.cs | 102 ++++--
 .../openid-configuration.json                 |   1 +
 37 files changed, 1187 insertions(+), 335 deletions(-)
 create mode 100644 test/Core.Test/AutoFixture/QueueClientFixtures.cs
 create mode 100644 test/Core.Test/Models/Api/Request/PushSendRequestModelTests.cs

diff --git a/src/Api/Platform/Push/Controllers/PushController.cs b/src/Api/Platform/Push/Controllers/PushController.cs
index 4b9f1c3e11..8b9e8b52a0 100644
--- a/src/Api/Platform/Push/Controllers/PushController.cs
+++ b/src/Api/Platform/Push/Controllers/PushController.cs
@@ -43,7 +43,7 @@ public class PushController : Controller
     {
         CheckUsage();
         await _pushRegistrationService.CreateOrUpdateRegistrationAsync(model.PushToken, Prefix(model.DeviceId),
-            Prefix(model.UserId), Prefix(model.Identifier), model.Type);
+            Prefix(model.UserId), Prefix(model.Identifier), model.Type, model.OrganizationIds.Select(Prefix));
     }
 
     [HttpPost("delete")]
@@ -79,12 +79,12 @@ public class PushController : Controller
         if (!string.IsNullOrWhiteSpace(model.UserId))
         {
             await _pushNotificationService.SendPayloadToUserAsync(Prefix(model.UserId),
-                   model.Type.Value, model.Payload, Prefix(model.Identifier), Prefix(model.DeviceId));
+                model.Type, model.Payload, Prefix(model.Identifier), Prefix(model.DeviceId), model.ClientType);
         }
         else if (!string.IsNullOrWhiteSpace(model.OrganizationId))
         {
             await _pushNotificationService.SendPayloadToOrganizationAsync(Prefix(model.OrganizationId),
-                model.Type.Value, model.Payload, Prefix(model.Identifier), Prefix(model.DeviceId));
+                model.Type, model.Payload, Prefix(model.Identifier), Prefix(model.DeviceId), model.ClientType);
         }
     }
 
diff --git a/src/Core/Context/CurrentContext.cs b/src/Core/Context/CurrentContext.cs
index 2767b5925f..b4a250fe2b 100644
--- a/src/Core/Context/CurrentContext.cs
+++ b/src/Core/Context/CurrentContext.cs
@@ -169,6 +169,11 @@ public class CurrentContext : ICurrentContext
 
         DeviceIdentifier = GetClaimValue(claimsDict, Claims.Device);
 
+        if (Enum.TryParse(GetClaimValue(claimsDict, Claims.DeviceType), out DeviceType deviceType))
+        {
+            DeviceType = deviceType;
+        }
+
         Organizations = GetOrganizations(claimsDict, orgApi);
 
         Providers = GetProviders(claimsDict);
diff --git a/src/Core/Enums/PushType.cs b/src/Core/Enums/PushType.cs
index ee1b59990f..b656e70601 100644
--- a/src/Core/Enums/PushType.cs
+++ b/src/Core/Enums/PushType.cs
@@ -27,4 +27,6 @@ public enum PushType : byte
     SyncOrganizations = 17,
     SyncOrganizationStatusChanged = 18,
     SyncOrganizationCollectionSettingChanged = 19,
+
+    SyncNotification = 20,
 }
diff --git a/src/Core/Identity/Claims.cs b/src/Core/Identity/Claims.cs
index b1223a6e63..65d5eb210a 100644
--- a/src/Core/Identity/Claims.cs
+++ b/src/Core/Identity/Claims.cs
@@ -6,6 +6,7 @@ public static class Claims
     public const string SecurityStamp = "sstamp";
     public const string Premium = "premium";
     public const string Device = "device";
+    public const string DeviceType = "devicetype";
 
     public const string OrganizationOwner = "orgowner";
     public const string OrganizationAdmin = "orgadmin";
diff --git a/src/Core/Models/Api/Request/PushRegistrationRequestModel.cs b/src/Core/Models/Api/Request/PushRegistrationRequestModel.cs
index 580c1c3b60..ee787dd083 100644
--- a/src/Core/Models/Api/Request/PushRegistrationRequestModel.cs
+++ b/src/Core/Models/Api/Request/PushRegistrationRequestModel.cs
@@ -15,4 +15,5 @@ public class PushRegistrationRequestModel
     public DeviceType Type { get; set; }
     [Required]
     public string Identifier { get; set; }
+    public IEnumerable<string> OrganizationIds { get; set; }
 }
diff --git a/src/Core/Models/Api/Request/PushSendRequestModel.cs b/src/Core/Models/Api/Request/PushSendRequestModel.cs
index b85c8fb555..7247e6d25f 100644
--- a/src/Core/Models/Api/Request/PushSendRequestModel.cs
+++ b/src/Core/Models/Api/Request/PushSendRequestModel.cs
@@ -1,18 +1,18 @@
-using System.ComponentModel.DataAnnotations;
+#nullable enable
+using System.ComponentModel.DataAnnotations;
 using Bit.Core.Enums;
 
 namespace Bit.Core.Models.Api;
 
 public class PushSendRequestModel : IValidatableObject
 {
-    public string UserId { get; set; }
-    public string OrganizationId { get; set; }
-    public string DeviceId { get; set; }
-    public string Identifier { get; set; }
-    [Required]
-    public PushType? Type { get; set; }
-    [Required]
-    public object Payload { get; set; }
+    public string? UserId { get; set; }
+    public string? OrganizationId { get; set; }
+    public string? DeviceId { get; set; }
+    public string? Identifier { get; set; }
+    public required PushType Type { get; set; }
+    public required object Payload { get; set; }
+    public ClientType? ClientType { get; set; }
 
     public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
     {
diff --git a/src/Core/Models/PushNotification.cs b/src/Core/Models/PushNotification.cs
index e2247881ea..fd27ced6c5 100644
--- a/src/Core/Models/PushNotification.cs
+++ b/src/Core/Models/PushNotification.cs
@@ -45,6 +45,15 @@ public class SyncSendPushNotification
     public DateTime RevisionDate { get; set; }
 }
 
+public class SyncNotificationPushNotification
+{
+    public Guid Id { get; set; }
+    public Guid? UserId { get; set; }
+    public Guid? OrganizationId { get; set; }
+    public ClientType ClientType { get; set; }
+    public DateTime RevisionDate { get; set; }
+}
+
 public class AuthRequestPushNotification
 {
     public Guid UserId { get; set; }
diff --git a/src/Core/NotificationCenter/Commands/CreateNotificationCommand.cs b/src/Core/NotificationCenter/Commands/CreateNotificationCommand.cs
index 4f76950a34..f378a3688a 100644
--- a/src/Core/NotificationCenter/Commands/CreateNotificationCommand.cs
+++ b/src/Core/NotificationCenter/Commands/CreateNotificationCommand.cs
@@ -4,6 +4,7 @@ using Bit.Core.NotificationCenter.Authorization;
 using Bit.Core.NotificationCenter.Commands.Interfaces;
 using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.NotificationCenter.Repositories;
+using Bit.Core.Platform.Push;
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 
@@ -14,14 +15,17 @@ public class CreateNotificationCommand : ICreateNotificationCommand
     private readonly ICurrentContext _currentContext;
     private readonly IAuthorizationService _authorizationService;
     private readonly INotificationRepository _notificationRepository;
+    private readonly IPushNotificationService _pushNotificationService;
 
     public CreateNotificationCommand(ICurrentContext currentContext,
         IAuthorizationService authorizationService,
-        INotificationRepository notificationRepository)
+        INotificationRepository notificationRepository,
+        IPushNotificationService pushNotificationService)
     {
         _currentContext = currentContext;
         _authorizationService = authorizationService;
         _notificationRepository = notificationRepository;
+        _pushNotificationService = pushNotificationService;
     }
 
     public async Task<Notification> CreateAsync(Notification notification)
@@ -31,6 +35,10 @@ public class CreateNotificationCommand : ICreateNotificationCommand
         await _authorizationService.AuthorizeOrThrowAsync(_currentContext.HttpContext.User, notification,
             NotificationOperations.Create);
 
-        return await _notificationRepository.CreateAsync(notification);
+        var newNotification = await _notificationRepository.CreateAsync(notification);
+
+        await _pushNotificationService.PushSyncNotificationAsync(newNotification);
+
+        return newNotification;
     }
 }
diff --git a/src/Core/NotificationHub/INotificationHubPool.cs b/src/Core/NotificationHub/INotificationHubPool.cs
index 7c383d7b96..18bae98bc6 100644
--- a/src/Core/NotificationHub/INotificationHubPool.cs
+++ b/src/Core/NotificationHub/INotificationHubPool.cs
@@ -4,6 +4,6 @@ namespace Bit.Core.NotificationHub;
 
 public interface INotificationHubPool
 {
-    NotificationHubClient ClientFor(Guid comb);
+    INotificationHubClient ClientFor(Guid comb);
     INotificationHubProxy AllClients { get; }
 }
diff --git a/src/Core/NotificationHub/NotificationHubPool.cs b/src/Core/NotificationHub/NotificationHubPool.cs
index 7448aad5bd..8993ee2b8e 100644
--- a/src/Core/NotificationHub/NotificationHubPool.cs
+++ b/src/Core/NotificationHub/NotificationHubPool.cs
@@ -43,7 +43,7 @@ public class NotificationHubPool : INotificationHubPool
     /// <param name="comb"></param>
     /// <returns></returns>
     /// <exception cref="InvalidOperationException">Thrown when no notification hub is found for a given comb.</exception>
-    public NotificationHubClient ClientFor(Guid comb)
+    public INotificationHubClient ClientFor(Guid comb)
     {
         var possibleConnections = _connections.Where(c => c.RegistrationEnabled(comb)).ToArray();
         if (possibleConnections.Length == 0)
diff --git a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
index d99cbf3fe7..ed44e69218 100644
--- a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
+++ b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
@@ -12,6 +12,7 @@ using Bit.Core.Tools.Entities;
 using Bit.Core.Vault.Entities;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Logging;
+using Notification = Bit.Core.NotificationCenter.Entities.Notification;
 
 namespace Bit.Core.NotificationHub;
 
@@ -135,11 +136,7 @@ public class NotificationHubPushNotificationService : IPushNotificationService
 
     private async Task PushUserAsync(Guid userId, PushType type, bool excludeCurrentContext = false)
     {
-        var message = new UserPushNotification
-        {
-            UserId = userId,
-            Date = DateTime.UtcNow
-        };
+        var message = new UserPushNotification { UserId = userId, Date = DateTime.UtcNow };
 
         await SendPayloadToUserAsync(userId, type, message, excludeCurrentContext);
     }
@@ -184,31 +181,54 @@ public class NotificationHubPushNotificationService : IPushNotificationService
         await PushAuthRequestAsync(authRequest, PushType.AuthRequestResponse);
     }
 
+    public async Task PushSyncNotificationAsync(Notification notification)
+    {
+        var message = new SyncNotificationPushNotification
+        {
+            Id = notification.Id,
+            UserId = notification.UserId,
+            OrganizationId = notification.OrganizationId,
+            ClientType = notification.ClientType,
+            RevisionDate = notification.RevisionDate
+        };
+
+        if (notification.UserId.HasValue)
+        {
+            await SendPayloadToUserAsync(notification.UserId.Value, PushType.SyncNotification, message, true,
+                notification.ClientType);
+        }
+        else if (notification.OrganizationId.HasValue)
+        {
+            await SendPayloadToOrganizationAsync(notification.OrganizationId.Value, PushType.SyncNotification, message,
+                true, notification.ClientType);
+        }
+    }
+
     private async Task PushAuthRequestAsync(AuthRequest authRequest, PushType type)
     {
-        var message = new AuthRequestPushNotification
-        {
-            Id = authRequest.Id,
-            UserId = authRequest.UserId
-        };
+        var message = new AuthRequestPushNotification { Id = authRequest.Id, UserId = authRequest.UserId };
 
         await SendPayloadToUserAsync(authRequest.UserId, type, message, true);
     }
 
-    private async Task SendPayloadToUserAsync(Guid userId, PushType type, object payload, bool excludeCurrentContext)
+    private async Task SendPayloadToUserAsync(Guid userId, PushType type, object payload, bool excludeCurrentContext,
+        ClientType? clientType = null)
     {
-        await SendPayloadToUserAsync(userId.ToString(), type, payload, GetContextIdentifier(excludeCurrentContext));
+        await SendPayloadToUserAsync(userId.ToString(), type, payload, GetContextIdentifier(excludeCurrentContext),
+            clientType: clientType);
     }
 
-    private async Task SendPayloadToOrganizationAsync(Guid orgId, PushType type, object payload, bool excludeCurrentContext)
+    private async Task SendPayloadToOrganizationAsync(Guid orgId, PushType type, object payload,
+        bool excludeCurrentContext, ClientType? clientType = null)
     {
-        await SendPayloadToUserAsync(orgId.ToString(), type, payload, GetContextIdentifier(excludeCurrentContext));
+        await SendPayloadToOrganizationAsync(orgId.ToString(), type, payload,
+            GetContextIdentifier(excludeCurrentContext), clientType: clientType);
     }
 
     public async Task SendPayloadToUserAsync(string userId, PushType type, object payload, string identifier,
-        string deviceId = null)
+        string deviceId = null, ClientType? clientType = null)
     {
-        var tag = BuildTag($"template:payload_userId:{SanitizeTagInput(userId)}", identifier);
+        var tag = BuildTag($"template:payload_userId:{SanitizeTagInput(userId)}", identifier, clientType);
         await SendPayloadAsync(tag, type, payload);
         if (InstallationDeviceEntity.IsInstallationDeviceId(deviceId))
         {
@@ -217,9 +237,9 @@ public class NotificationHubPushNotificationService : IPushNotificationService
     }
 
     public async Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier,
-        string deviceId = null)
+        string deviceId = null, ClientType? clientType = null)
     {
-        var tag = BuildTag($"template:payload && organizationId:{SanitizeTagInput(orgId)}", identifier);
+        var tag = BuildTag($"template:payload && organizationId:{SanitizeTagInput(orgId)}", identifier, clientType);
         await SendPayloadAsync(tag, type, payload);
         if (InstallationDeviceEntity.IsInstallationDeviceId(deviceId))
         {
@@ -259,18 +279,23 @@ public class NotificationHubPushNotificationService : IPushNotificationService
             return null;
         }
 
-        var currentContext = _httpContextAccessor?.HttpContext?.
-            RequestServices.GetService(typeof(ICurrentContext)) as ICurrentContext;
+        var currentContext =
+            _httpContextAccessor?.HttpContext?.RequestServices.GetService(typeof(ICurrentContext)) as ICurrentContext;
         return currentContext?.DeviceIdentifier;
     }
 
-    private string BuildTag(string tag, string identifier)
+    private string BuildTag(string tag, string identifier, ClientType? clientType)
     {
         if (!string.IsNullOrWhiteSpace(identifier))
         {
             tag += $" && !deviceIdentifier:{SanitizeTagInput(identifier)}";
         }
 
+        if (clientType.HasValue && clientType.Value != ClientType.All)
+        {
+            tag += $" && clientType:{clientType}";
+        }
+
         return $"({tag})";
     }
 
@@ -279,8 +304,7 @@ public class NotificationHubPushNotificationService : IPushNotificationService
         var results = await _notificationHubPool.AllClients.SendTemplateNotificationAsync(
             new Dictionary<string, string>
             {
-                { "type",  ((byte)type).ToString() },
-                { "payload", JsonSerializer.Serialize(payload) }
+                { "type", ((byte)type).ToString() }, { "payload", JsonSerializer.Serialize(payload) }
             }, tag);
 
         if (_enableTracing)
@@ -291,7 +315,9 @@ public class NotificationHubPushNotificationService : IPushNotificationService
                 {
                     continue;
                 }
-                _logger.LogInformation("Azure Notification Hub Tracking ID: {Id} | {Type} push notification with {Success} successes and {Failure} failures with a payload of {@Payload} and result of {@Results}",
+
+                _logger.LogInformation(
+                    "Azure Notification Hub Tracking ID: {Id} | {Type} push notification with {Success} successes and {Failure} failures with a payload of {@Payload} and result of {@Results}",
                     outcome.TrackingId, type, outcome.Success, outcome.Failure, payload, outcome.Results);
             }
         }
diff --git a/src/Core/NotificationHub/NotificationHubPushRegistrationService.cs b/src/Core/NotificationHub/NotificationHubPushRegistrationService.cs
index 180b2b641b..0c9bbea425 100644
--- a/src/Core/NotificationHub/NotificationHubPushRegistrationService.cs
+++ b/src/Core/NotificationHub/NotificationHubPushRegistrationService.cs
@@ -2,36 +2,26 @@
 using Bit.Core.Models.Data;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
-using Bit.Core.Settings;
+using Bit.Core.Utilities;
 using Microsoft.Azure.NotificationHubs;
-using Microsoft.Extensions.Logging;
 
 namespace Bit.Core.NotificationHub;
 
 public class NotificationHubPushRegistrationService : IPushRegistrationService
 {
     private readonly IInstallationDeviceRepository _installationDeviceRepository;
-    private readonly GlobalSettings _globalSettings;
     private readonly INotificationHubPool _notificationHubPool;
-    private readonly IServiceProvider _serviceProvider;
-    private readonly ILogger<NotificationHubPushRegistrationService> _logger;
 
     public NotificationHubPushRegistrationService(
         IInstallationDeviceRepository installationDeviceRepository,
-        GlobalSettings globalSettings,
-        INotificationHubPool notificationHubPool,
-        IServiceProvider serviceProvider,
-        ILogger<NotificationHubPushRegistrationService> logger)
+        INotificationHubPool notificationHubPool)
     {
         _installationDeviceRepository = installationDeviceRepository;
-        _globalSettings = globalSettings;
         _notificationHubPool = notificationHubPool;
-        _serviceProvider = serviceProvider;
-        _logger = logger;
     }
 
     public async Task CreateOrUpdateRegistrationAsync(string pushToken, string deviceId, string userId,
-        string identifier, DeviceType type)
+        string identifier, DeviceType type, IEnumerable<string> organizationIds)
     {
         if (string.IsNullOrWhiteSpace(pushToken))
         {
@@ -45,16 +35,21 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
             Templates = new Dictionary<string, InstallationTemplate>()
         };
 
-        installation.Tags = new List<string>
-        {
-            $"userId:{userId}"
-        };
+        var clientType = DeviceTypes.ToClientType(type);
+
+        installation.Tags = new List<string> { $"userId:{userId}", $"clientType:{clientType}" };
 
         if (!string.IsNullOrWhiteSpace(identifier))
         {
             installation.Tags.Add("deviceIdentifier:" + identifier);
         }
 
+        var organizationIdsList = organizationIds.ToList();
+        foreach (var organizationId in organizationIdsList)
+        {
+            installation.Tags.Add($"organizationId:{organizationId}");
+        }
+
         string payloadTemplate = null, messageTemplate = null, badgeMessageTemplate = null;
         switch (type)
         {
@@ -84,10 +79,12 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
                 break;
         }
 
-        BuildInstallationTemplate(installation, "payload", payloadTemplate, userId, identifier);
-        BuildInstallationTemplate(installation, "message", messageTemplate, userId, identifier);
+        BuildInstallationTemplate(installation, "payload", payloadTemplate, userId, identifier, clientType,
+            organizationIdsList);
+        BuildInstallationTemplate(installation, "message", messageTemplate, userId, identifier, clientType,
+            organizationIdsList);
         BuildInstallationTemplate(installation, "badgeMessage", badgeMessageTemplate ?? messageTemplate,
-            userId, identifier);
+            userId, identifier, clientType, organizationIdsList);
 
         await ClientFor(GetComb(deviceId)).CreateOrUpdateInstallationAsync(installation);
         if (InstallationDeviceEntity.IsInstallationDeviceId(deviceId))
@@ -97,7 +94,7 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
     }
 
     private void BuildInstallationTemplate(Installation installation, string templateId, string templateBody,
-        string userId, string identifier)
+        string userId, string identifier, ClientType clientType, List<string> organizationIds)
     {
         if (templateBody == null)
         {
@@ -111,8 +108,7 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
             Body = templateBody,
             Tags = new List<string>
             {
-                fullTemplateId,
-                $"{fullTemplateId}_userId:{userId}"
+                fullTemplateId, $"{fullTemplateId}_userId:{userId}", $"clientType:{clientType}"
             }
         };
 
@@ -121,6 +117,11 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
             template.Tags.Add($"{fullTemplateId}_deviceIdentifier:{identifier}");
         }
 
+        foreach (var organizationId in organizationIds)
+        {
+            template.Tags.Add($"organizationId:{organizationId}");
+        }
+
         installation.Templates.Add(fullTemplateId, template);
     }
 
@@ -197,7 +198,7 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
         }
     }
 
-    private NotificationHubClient ClientFor(Guid deviceId)
+    private INotificationHubClient ClientFor(Guid deviceId)
     {
         return _notificationHubPool.ClientFor(deviceId);
     }
diff --git a/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs b/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
index 33272ce870..d3509c5437 100644
--- a/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
@@ -5,26 +5,25 @@ using Bit.Core.Auth.Entities;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Models;
-using Bit.Core.Settings;
+using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.Tools.Entities;
 using Bit.Core.Utilities;
 using Bit.Core.Vault.Entities;
 using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.DependencyInjection;
 
 namespace Bit.Core.Platform.Push.Internal;
 
 public class AzureQueuePushNotificationService : IPushNotificationService
 {
     private readonly QueueClient _queueClient;
-    private readonly GlobalSettings _globalSettings;
     private readonly IHttpContextAccessor _httpContextAccessor;
 
     public AzureQueuePushNotificationService(
-        GlobalSettings globalSettings,
+        [FromKeyedServices("notifications")] QueueClient queueClient,
         IHttpContextAccessor httpContextAccessor)
     {
-        _queueClient = new QueueClient(globalSettings.Notifications.ConnectionString, "notifications");
-        _globalSettings = globalSettings;
+        _queueClient = queueClient;
         _httpContextAccessor = httpContextAccessor;
     }
 
@@ -129,11 +128,7 @@ public class AzureQueuePushNotificationService : IPushNotificationService
 
     private async Task PushUserAsync(Guid userId, PushType type, bool excludeCurrentContext = false)
     {
-        var message = new UserPushNotification
-        {
-            UserId = userId,
-            Date = DateTime.UtcNow
-        };
+        var message = new UserPushNotification { UserId = userId, Date = DateTime.UtcNow };
 
         await SendMessageAsync(type, message, excludeCurrentContext);
     }
@@ -150,11 +145,7 @@ public class AzureQueuePushNotificationService : IPushNotificationService
 
     private async Task PushAuthRequestAsync(AuthRequest authRequest, PushType type)
     {
-        var message = new AuthRequestPushNotification
-        {
-            Id = authRequest.Id,
-            UserId = authRequest.UserId
-        };
+        var message = new AuthRequestPushNotification { Id = authRequest.Id, UserId = authRequest.UserId };
 
         await SendMessageAsync(type, message, true);
     }
@@ -174,6 +165,20 @@ public class AzureQueuePushNotificationService : IPushNotificationService
         await PushSendAsync(send, PushType.SyncSendDelete);
     }
 
+    public async Task PushSyncNotificationAsync(Notification notification)
+    {
+        var message = new SyncNotificationPushNotification
+        {
+            Id = notification.Id,
+            UserId = notification.UserId,
+            OrganizationId = notification.OrganizationId,
+            ClientType = notification.ClientType,
+            RevisionDate = notification.RevisionDate
+        };
+
+        await SendMessageAsync(PushType.SyncNotification, message, true);
+    }
+
     private async Task PushSendAsync(Send send, PushType type)
     {
         if (send.UserId.HasValue)
@@ -204,20 +209,20 @@ public class AzureQueuePushNotificationService : IPushNotificationService
             return null;
         }
 
-        var currentContext = _httpContextAccessor?.HttpContext?.
-            RequestServices.GetService(typeof(ICurrentContext)) as ICurrentContext;
+        var currentContext =
+            _httpContextAccessor?.HttpContext?.RequestServices.GetService(typeof(ICurrentContext)) as ICurrentContext;
         return currentContext?.DeviceIdentifier;
     }
 
     public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string identifier,
-        string deviceId = null)
+        string deviceId = null, ClientType? clientType = null)
     {
         // Noop
         return Task.FromResult(0);
     }
 
     public Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier,
-        string deviceId = null)
+        string deviceId = null, ClientType? clientType = null)
     {
         // Noop
         return Task.FromResult(0);
diff --git a/src/Core/Platform/Push/Services/IPushNotificationService.cs b/src/Core/Platform/Push/Services/IPushNotificationService.cs
index b015c17df2..5e1ab7067e 100644
--- a/src/Core/Platform/Push/Services/IPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/IPushNotificationService.cs
@@ -1,6 +1,7 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Enums;
+using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.Tools.Entities;
 using Bit.Core.Vault.Entities;
 
@@ -23,11 +24,13 @@ public interface IPushNotificationService
     Task PushSyncSendCreateAsync(Send send);
     Task PushSyncSendUpdateAsync(Send send);
     Task PushSyncSendDeleteAsync(Send send);
+    Task PushSyncNotificationAsync(Notification notification);
     Task PushAuthRequestAsync(AuthRequest authRequest);
     Task PushAuthRequestResponseAsync(AuthRequest authRequest);
-    Task SendPayloadToUserAsync(string userId, PushType type, object payload, string identifier, string deviceId = null);
-    Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier,
-        string deviceId = null);
     Task PushSyncOrganizationStatusAsync(Organization organization);
     Task PushSyncOrganizationCollectionManagementSettingsAsync(Organization organization);
+    Task SendPayloadToUserAsync(string userId, PushType type, object payload, string identifier,
+        string deviceId = null, ClientType? clientType = null);
+    Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier,
+        string deviceId = null, ClientType? clientType = null);
 }
diff --git a/src/Core/Platform/Push/Services/IPushRegistrationService.cs b/src/Core/Platform/Push/Services/IPushRegistrationService.cs
index 482e7ae1c4..0c4271f061 100644
--- a/src/Core/Platform/Push/Services/IPushRegistrationService.cs
+++ b/src/Core/Platform/Push/Services/IPushRegistrationService.cs
@@ -5,7 +5,7 @@ namespace Bit.Core.Platform.Push;
 public interface IPushRegistrationService
 {
     Task CreateOrUpdateRegistrationAsync(string pushToken, string deviceId, string userId,
-        string identifier, DeviceType type);
+        string identifier, DeviceType type, IEnumerable<string> organizationIds);
     Task DeleteRegistrationAsync(string deviceId);
     Task AddUserRegistrationOrganizationAsync(IEnumerable<string> deviceIds, string organizationId);
     Task DeleteUserRegistrationOrganizationAsync(IEnumerable<string> deviceIds, string organizationId);
diff --git a/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs b/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
index f1a5700013..4ad81e223b 100644
--- a/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
@@ -1,6 +1,7 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Enums;
+using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.Settings;
 using Bit.Core.Tools.Entities;
 using Bit.Core.Vault.Entities;
@@ -131,20 +132,6 @@ public class MultiServicePushNotificationService : IPushNotificationService
         return Task.FromResult(0);
     }
 
-    public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string identifier,
-        string deviceId = null)
-    {
-        PushToServices((s) => s.SendPayloadToUserAsync(userId, type, payload, identifier, deviceId));
-        return Task.FromResult(0);
-    }
-
-    public Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier,
-        string deviceId = null)
-    {
-        PushToServices((s) => s.SendPayloadToOrganizationAsync(orgId, type, payload, identifier, deviceId));
-        return Task.FromResult(0);
-    }
-
     public Task PushSyncOrganizationStatusAsync(Organization organization)
     {
         PushToServices((s) => s.PushSyncOrganizationStatusAsync(organization));
@@ -157,6 +144,26 @@ public class MultiServicePushNotificationService : IPushNotificationService
         return Task.CompletedTask;
     }
 
+    public Task PushSyncNotificationAsync(Notification notification)
+    {
+        PushToServices((s) => s.PushSyncNotificationAsync(notification));
+        return Task.CompletedTask;
+    }
+
+    public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string identifier,
+        string deviceId = null, ClientType? clientType = null)
+    {
+        PushToServices((s) => s.SendPayloadToUserAsync(userId, type, payload, identifier, deviceId, clientType));
+        return Task.FromResult(0);
+    }
+
+    public Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier,
+        string deviceId = null, ClientType? clientType = null)
+    {
+        PushToServices((s) => s.SendPayloadToOrganizationAsync(orgId, type, payload, identifier, deviceId, clientType));
+        return Task.FromResult(0);
+    }
+
     private void PushToServices(Func<IPushNotificationService, Task> pushFunc)
     {
         if (_services != null)
diff --git a/src/Core/Platform/Push/Services/NoopPushNotificationService.cs b/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
index 4a185bee1a..463a2fde88 100644
--- a/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
@@ -1,6 +1,7 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Enums;
+using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.Tools.Entities;
 using Bit.Core.Vault.Entities;
 
@@ -84,7 +85,7 @@ public class NoopPushNotificationService : IPushNotificationService
     }
 
     public Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier,
-        string deviceId = null)
+        string deviceId = null, ClientType? clientType = null)
     {
         return Task.FromResult(0);
     }
@@ -107,8 +108,10 @@ public class NoopPushNotificationService : IPushNotificationService
     }
 
     public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string identifier,
-        string deviceId = null)
+        string deviceId = null, ClientType? clientType = null)
     {
         return Task.FromResult(0);
     }
+
+    public Task PushSyncNotificationAsync(Notification notification) => Task.CompletedTask;
 }
diff --git a/src/Core/Platform/Push/Services/NoopPushRegistrationService.cs b/src/Core/Platform/Push/Services/NoopPushRegistrationService.cs
index 6d1716a6ce..6bcf9e893a 100644
--- a/src/Core/Platform/Push/Services/NoopPushRegistrationService.cs
+++ b/src/Core/Platform/Push/Services/NoopPushRegistrationService.cs
@@ -10,7 +10,7 @@ public class NoopPushRegistrationService : IPushRegistrationService
     }
 
     public Task CreateOrUpdateRegistrationAsync(string pushToken, string deviceId, string userId,
-        string identifier, DeviceType type)
+        string identifier, DeviceType type, IEnumerable<string> organizationIds)
     {
         return Task.FromResult(0);
     }
diff --git a/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs b/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
index 5ebfc811ef..5c6b46f63e 100644
--- a/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
@@ -3,6 +3,7 @@ using Bit.Core.Auth.Entities;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Models;
+using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Tools.Entities;
@@ -183,6 +184,20 @@ public class NotificationsApiPushNotificationService : BaseIdentityClientService
         await PushSendAsync(send, PushType.SyncSendDelete);
     }
 
+    public async Task PushSyncNotificationAsync(Notification notification)
+    {
+        var message = new SyncNotificationPushNotification
+        {
+            Id = notification.Id,
+            UserId = notification.UserId,
+            OrganizationId = notification.OrganizationId,
+            ClientType = notification.ClientType,
+            RevisionDate = notification.RevisionDate
+        };
+
+        await SendMessageAsync(PushType.SyncNotification, message, true);
+    }
+
     private async Task PushSendAsync(Send send, PushType type)
     {
         if (send.UserId.HasValue)
@@ -212,20 +227,20 @@ public class NotificationsApiPushNotificationService : BaseIdentityClientService
             return null;
         }
 
-        var currentContext = _httpContextAccessor?.HttpContext?.
-            RequestServices.GetService(typeof(ICurrentContext)) as ICurrentContext;
+        var currentContext =
+            _httpContextAccessor?.HttpContext?.RequestServices.GetService(typeof(ICurrentContext)) as ICurrentContext;
         return currentContext?.DeviceIdentifier;
     }
 
     public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string identifier,
-        string deviceId = null)
+        string deviceId = null, ClientType? clientType = null)
     {
         // Noop
         return Task.FromResult(0);
     }
 
     public Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier,
-        string deviceId = null)
+        string deviceId = null, ClientType? clientType = null)
     {
         // Noop
         return Task.FromResult(0);
diff --git a/src/Core/Platform/Push/Services/RelayPushNotificationService.cs b/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
index 6549ab47c3..f51ab004a6 100644
--- a/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
@@ -5,6 +5,7 @@ using Bit.Core.Enums;
 using Bit.Core.IdentityServer;
 using Bit.Core.Models;
 using Bit.Core.Models.Api;
+using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
@@ -138,11 +139,7 @@ public class RelayPushNotificationService : BaseIdentityClientService, IPushNoti
 
     private async Task PushUserAsync(Guid userId, PushType type, bool excludeCurrentContext = false)
     {
-        var message = new UserPushNotification
-        {
-            UserId = userId,
-            Date = DateTime.UtcNow
-        };
+        var message = new UserPushNotification { UserId = userId, Date = DateTime.UtcNow };
 
         await SendPayloadToUserAsync(userId, type, message, excludeCurrentContext);
     }
@@ -189,69 +186,32 @@ public class RelayPushNotificationService : BaseIdentityClientService, IPushNoti
 
     private async Task PushAuthRequestAsync(AuthRequest authRequest, PushType type)
     {
-        var message = new AuthRequestPushNotification
-        {
-            Id = authRequest.Id,
-            UserId = authRequest.UserId
-        };
+        var message = new AuthRequestPushNotification { Id = authRequest.Id, UserId = authRequest.UserId };
 
         await SendPayloadToUserAsync(authRequest.UserId, type, message, true);
     }
 
-    private async Task SendPayloadToUserAsync(Guid userId, PushType type, object payload, bool excludeCurrentContext)
+    public async Task PushSyncNotificationAsync(Notification notification)
     {
-        var request = new PushSendRequestModel
+        var message = new SyncNotificationPushNotification
         {
-            UserId = userId.ToString(),
-            Type = type,
-            Payload = payload
+            Id = notification.Id,
+            UserId = notification.UserId,
+            OrganizationId = notification.OrganizationId,
+            ClientType = notification.ClientType,
+            RevisionDate = notification.RevisionDate
         };
 
-        await AddCurrentContextAsync(request, excludeCurrentContext);
-        await SendAsync(HttpMethod.Post, "push/send", request);
-    }
-
-    private async Task SendPayloadToOrganizationAsync(Guid orgId, PushType type, object payload, bool excludeCurrentContext)
-    {
-        var request = new PushSendRequestModel
+        if (notification.UserId.HasValue)
         {
-            OrganizationId = orgId.ToString(),
-            Type = type,
-            Payload = payload
-        };
-
-        await AddCurrentContextAsync(request, excludeCurrentContext);
-        await SendAsync(HttpMethod.Post, "push/send", request);
-    }
-
-    private async Task AddCurrentContextAsync(PushSendRequestModel request, bool addIdentifier)
-    {
-        var currentContext = _httpContextAccessor?.HttpContext?.
-            RequestServices.GetService(typeof(ICurrentContext)) as ICurrentContext;
-        if (!string.IsNullOrWhiteSpace(currentContext?.DeviceIdentifier))
-        {
-            var device = await _deviceRepository.GetByIdentifierAsync(currentContext.DeviceIdentifier);
-            if (device != null)
-            {
-                request.DeviceId = device.Id.ToString();
-            }
-            if (addIdentifier)
-            {
-                request.Identifier = currentContext.DeviceIdentifier;
-            }
+            await SendPayloadToUserAsync(notification.UserId.Value, PushType.SyncNotification, message, true,
+                notification.ClientType);
+        }
+        else if (notification.OrganizationId.HasValue)
+        {
+            await SendPayloadToOrganizationAsync(notification.OrganizationId.Value, PushType.SyncNotification, message,
+                true, notification.ClientType);
         }
-    }
-
-    public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string identifier,
-        string deviceId = null)
-    {
-        throw new NotImplementedException();
-    }
-
-    public Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier,
-        string deviceId = null)
-    {
-        throw new NotImplementedException();
     }
 
     public async Task PushSyncOrganizationStatusAsync(Organization organization)
@@ -278,4 +238,65 @@ public class RelayPushNotificationService : BaseIdentityClientService, IPushNoti
             },
             false
         );
+
+    private async Task SendPayloadToUserAsync(Guid userId, PushType type, object payload, bool excludeCurrentContext,
+        ClientType? clientType = null)
+    {
+        var request = new PushSendRequestModel
+        {
+            UserId = userId.ToString(),
+            Type = type,
+            Payload = payload,
+            ClientType = clientType
+        };
+
+        await AddCurrentContextAsync(request, excludeCurrentContext);
+        await SendAsync(HttpMethod.Post, "push/send", request);
+    }
+
+    private async Task SendPayloadToOrganizationAsync(Guid orgId, PushType type, object payload,
+        bool excludeCurrentContext, ClientType? clientType = null)
+    {
+        var request = new PushSendRequestModel
+        {
+            OrganizationId = orgId.ToString(),
+            Type = type,
+            Payload = payload,
+            ClientType = clientType
+        };
+
+        await AddCurrentContextAsync(request, excludeCurrentContext);
+        await SendAsync(HttpMethod.Post, "push/send", request);
+    }
+
+    private async Task AddCurrentContextAsync(PushSendRequestModel request, bool addIdentifier)
+    {
+        var currentContext =
+            _httpContextAccessor?.HttpContext?.RequestServices.GetService(typeof(ICurrentContext)) as ICurrentContext;
+        if (!string.IsNullOrWhiteSpace(currentContext?.DeviceIdentifier))
+        {
+            var device = await _deviceRepository.GetByIdentifierAsync(currentContext.DeviceIdentifier);
+            if (device != null)
+            {
+                request.DeviceId = device.Id.ToString();
+            }
+
+            if (addIdentifier)
+            {
+                request.Identifier = currentContext.DeviceIdentifier;
+            }
+        }
+    }
+
+    public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string identifier,
+        string deviceId = null, ClientType? clientType = null)
+    {
+        throw new NotImplementedException();
+    }
+
+    public Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier,
+        string deviceId = null, ClientType? clientType = null)
+    {
+        throw new NotImplementedException();
+    }
 }
diff --git a/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs b/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs
index 79b033e877..b838fbde59 100644
--- a/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs
+++ b/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs
@@ -25,7 +25,7 @@ public class RelayPushRegistrationService : BaseIdentityClientService, IPushRegi
     }
 
     public async Task CreateOrUpdateRegistrationAsync(string pushToken, string deviceId, string userId,
-        string identifier, DeviceType type)
+        string identifier, DeviceType type, IEnumerable<string> organizationIds)
     {
         var requestModel = new PushRegistrationRequestModel
         {
@@ -33,7 +33,8 @@ public class RelayPushRegistrationService : BaseIdentityClientService, IPushRegi
             Identifier = identifier,
             PushToken = pushToken,
             Type = type,
-            UserId = userId
+            UserId = userId,
+            OrganizationIds = organizationIds
         };
         await SendAsync(HttpMethod.Post, "push/register", requestModel);
     }
diff --git a/src/Core/Services/Implementations/DeviceService.cs b/src/Core/Services/Implementations/DeviceService.cs
index afbc574417..28823eeda7 100644
--- a/src/Core/Services/Implementations/DeviceService.cs
+++ b/src/Core/Services/Implementations/DeviceService.cs
@@ -1,6 +1,7 @@
 using Bit.Core.Auth.Models.Api.Request;
 using Bit.Core.Auth.Utilities;
 using Bit.Core.Entities;
+using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
@@ -11,13 +12,16 @@ public class DeviceService : IDeviceService
 {
     private readonly IDeviceRepository _deviceRepository;
     private readonly IPushRegistrationService _pushRegistrationService;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
 
     public DeviceService(
         IDeviceRepository deviceRepository,
-        IPushRegistrationService pushRegistrationService)
+        IPushRegistrationService pushRegistrationService,
+        IOrganizationUserRepository organizationUserRepository)
     {
         _deviceRepository = deviceRepository;
         _pushRegistrationService = pushRegistrationService;
+        _organizationUserRepository = organizationUserRepository;
     }
 
     public async Task SaveAsync(Device device)
@@ -32,8 +36,13 @@ public class DeviceService : IDeviceService
             await _deviceRepository.ReplaceAsync(device);
         }
 
+        var organizationIdsString =
+            (await _organizationUserRepository.GetManyDetailsByUserAsync(device.UserId,
+                OrganizationUserStatusType.Confirmed))
+            .Select(ou => ou.OrganizationId.ToString());
+
         await _pushRegistrationService.CreateOrUpdateRegistrationAsync(device.PushToken, device.Id.ToString(),
-            device.UserId.ToString(), device.Identifier, device.Type);
+            device.UserId.ToString(), device.Identifier, device.Type, organizationIdsString);
     }
 
     public async Task ClearTokenAsync(Device device)
diff --git a/src/Identity/IdentityServer/ApiResources.cs b/src/Identity/IdentityServer/ApiResources.cs
index a0712aafe7..f969d67908 100644
--- a/src/Identity/IdentityServer/ApiResources.cs
+++ b/src/Identity/IdentityServer/ApiResources.cs
@@ -18,6 +18,7 @@ public class ApiResources
                 Claims.SecurityStamp,
                 Claims.Premium,
                 Claims.Device,
+                Claims.DeviceType,
                 Claims.OrganizationOwner,
                 Claims.OrganizationAdmin,
                 Claims.OrganizationUser,
diff --git a/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs b/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs
index ea207a7aaa..5e78212cf1 100644
--- a/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs
@@ -210,6 +210,7 @@ public abstract class BaseRequestValidator<T> where T : class
         if (device != null)
         {
             claims.Add(new Claim(Claims.Device, device.Identifier));
+            claims.Add(new Claim(Claims.DeviceType, device.Type.ToString()));
         }
 
         var customResponse = new Dictionary<string, object>();
diff --git a/src/Notifications/HubHelpers.cs b/src/Notifications/HubHelpers.cs
index 6f49822dc9..6d17ca9955 100644
--- a/src/Notifications/HubHelpers.cs
+++ b/src/Notifications/HubHelpers.cs
@@ -10,6 +10,8 @@ public static class HubHelpers
     private static JsonSerializerOptions _deserializerOptions =
         new JsonSerializerOptions { PropertyNameCaseInsensitive = true };
 
+    private static readonly string _receiveMessageMethod = "ReceiveMessage";
+
     public static async Task SendNotificationToHubAsync(
         string notificationJson,
         IHubContext<NotificationsHub> hubContext,
@@ -18,7 +20,8 @@ public static class HubHelpers
         CancellationToken cancellationToken = default(CancellationToken)
     )
     {
-        var notification = JsonSerializer.Deserialize<PushNotificationData<object>>(notificationJson, _deserializerOptions);
+        var notification =
+            JsonSerializer.Deserialize<PushNotificationData<object>>(notificationJson, _deserializerOptions);
         logger.LogInformation("Sending notification: {NotificationType}", notification.Type);
         switch (notification.Type)
         {
@@ -32,14 +35,15 @@ public static class HubHelpers
                 if (cipherNotification.Payload.UserId.HasValue)
                 {
                     await hubContext.Clients.User(cipherNotification.Payload.UserId.ToString())
-                        .SendAsync("ReceiveMessage", cipherNotification, cancellationToken);
+                        .SendAsync(_receiveMessageMethod, cipherNotification, cancellationToken);
                 }
                 else if (cipherNotification.Payload.OrganizationId.HasValue)
                 {
-                    await hubContext.Clients.Group(
-                        $"Organization_{cipherNotification.Payload.OrganizationId}")
-                        .SendAsync("ReceiveMessage", cipherNotification, cancellationToken);
+                    await hubContext.Clients
+                        .Group(NotificationsHub.GetOrganizationGroup(cipherNotification.Payload.OrganizationId.Value))
+                        .SendAsync(_receiveMessageMethod, cipherNotification, cancellationToken);
                 }
+
                 break;
             case PushType.SyncFolderUpdate:
             case PushType.SyncFolderCreate:
@@ -48,7 +52,7 @@ public static class HubHelpers
                     JsonSerializer.Deserialize<PushNotificationData<SyncFolderPushNotification>>(
                         notificationJson, _deserializerOptions);
                 await hubContext.Clients.User(folderNotification.Payload.UserId.ToString())
-                        .SendAsync("ReceiveMessage", folderNotification, cancellationToken);
+                    .SendAsync(_receiveMessageMethod, folderNotification, cancellationToken);
                 break;
             case PushType.SyncCiphers:
             case PushType.SyncVault:
@@ -60,30 +64,30 @@ public static class HubHelpers
                     JsonSerializer.Deserialize<PushNotificationData<UserPushNotification>>(
                         notificationJson, _deserializerOptions);
                 await hubContext.Clients.User(userNotification.Payload.UserId.ToString())
-                        .SendAsync("ReceiveMessage", userNotification, cancellationToken);
+                    .SendAsync(_receiveMessageMethod, userNotification, cancellationToken);
                 break;
             case PushType.SyncSendCreate:
             case PushType.SyncSendUpdate:
             case PushType.SyncSendDelete:
                 var sendNotification =
                     JsonSerializer.Deserialize<PushNotificationData<SyncSendPushNotification>>(
-                            notificationJson, _deserializerOptions);
+                        notificationJson, _deserializerOptions);
                 await hubContext.Clients.User(sendNotification.Payload.UserId.ToString())
-                    .SendAsync("ReceiveMessage", sendNotification, cancellationToken);
+                    .SendAsync(_receiveMessageMethod, sendNotification, cancellationToken);
                 break;
             case PushType.AuthRequestResponse:
                 var authRequestResponseNotification =
                     JsonSerializer.Deserialize<PushNotificationData<AuthRequestPushNotification>>(
-                            notificationJson, _deserializerOptions);
+                        notificationJson, _deserializerOptions);
                 await anonymousHubContext.Clients.Group(authRequestResponseNotification.Payload.Id.ToString())
                     .SendAsync("AuthRequestResponseRecieved", authRequestResponseNotification, cancellationToken);
                 break;
             case PushType.AuthRequest:
                 var authRequestNotification =
                     JsonSerializer.Deserialize<PushNotificationData<AuthRequestPushNotification>>(
-                            notificationJson, _deserializerOptions);
+                        notificationJson, _deserializerOptions);
                 await hubContext.Clients.User(authRequestNotification.Payload.UserId.ToString())
-                    .SendAsync("ReceiveMessage", authRequestNotification, cancellationToken);
+                    .SendAsync(_receiveMessageMethod, authRequestNotification, cancellationToken);
                 break;
             case PushType.SyncOrganizationStatusChanged:
                 var orgStatusNotification =
@@ -99,6 +103,32 @@ public static class HubHelpers
                 await hubContext.Clients.Group($"Organization_{organizationCollectionSettingsChangedNotification.Payload.OrganizationId}")
                     .SendAsync("ReceiveMessage", organizationCollectionSettingsChangedNotification, cancellationToken);
                 break;
+            case PushType.SyncNotification:
+                var syncNotification =
+                    JsonSerializer.Deserialize<PushNotificationData<SyncNotificationPushNotification>>(
+                        notificationJson, _deserializerOptions);
+                if (syncNotification.Payload.UserId.HasValue)
+                {
+                    if (syncNotification.Payload.ClientType == ClientType.All)
+                    {
+                        await hubContext.Clients.User(syncNotification.Payload.UserId.ToString())
+                            .SendAsync(_receiveMessageMethod, syncNotification, cancellationToken);
+                    }
+                    else
+                    {
+                        await hubContext.Clients.Group(NotificationsHub.GetUserGroup(
+                                syncNotification.Payload.UserId.Value, syncNotification.Payload.ClientType))
+                            .SendAsync(_receiveMessageMethod, syncNotification, cancellationToken);
+                    }
+                }
+                else if (syncNotification.Payload.OrganizationId.HasValue)
+                {
+                    await hubContext.Clients.Group(NotificationsHub.GetOrganizationGroup(
+                            syncNotification.Payload.OrganizationId.Value, syncNotification.Payload.ClientType))
+                        .SendAsync(_receiveMessageMethod, syncNotification, cancellationToken);
+                }
+
+                break;
             default:
                 break;
         }
diff --git a/src/Notifications/NotificationsHub.cs b/src/Notifications/NotificationsHub.cs
index a86cf329c5..27cd19c0a0 100644
--- a/src/Notifications/NotificationsHub.cs
+++ b/src/Notifications/NotificationsHub.cs
@@ -1,5 +1,7 @@
 using Bit.Core.Context;
+using Bit.Core.Enums;
 using Bit.Core.Settings;
+using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 
 namespace Bit.Notifications;
@@ -20,13 +22,25 @@ public class NotificationsHub : Microsoft.AspNetCore.SignalR.Hub
     {
         var currentContext = new CurrentContext(null, null);
         await currentContext.BuildAsync(Context.User, _globalSettings);
+
+        var clientType = DeviceTypes.ToClientType(currentContext.DeviceType);
+        if (clientType != ClientType.All && currentContext.UserId.HasValue)
+        {
+            await Groups.AddToGroupAsync(Context.ConnectionId, GetUserGroup(currentContext.UserId.Value, clientType));
+        }
+
         if (currentContext.Organizations != null)
         {
             foreach (var org in currentContext.Organizations)
             {
-                await Groups.AddToGroupAsync(Context.ConnectionId, $"Organization_{org.Id}");
+                await Groups.AddToGroupAsync(Context.ConnectionId, GetOrganizationGroup(org.Id));
+                if (clientType != ClientType.All)
+                {
+                    await Groups.AddToGroupAsync(Context.ConnectionId, GetOrganizationGroup(org.Id, clientType));
+                }
             }
         }
+
         _connectionCounter.Increment();
         await base.OnConnectedAsync();
     }
@@ -35,14 +49,39 @@ public class NotificationsHub : Microsoft.AspNetCore.SignalR.Hub
     {
         var currentContext = new CurrentContext(null, null);
         await currentContext.BuildAsync(Context.User, _globalSettings);
+
+        var clientType = DeviceTypes.ToClientType(currentContext.DeviceType);
+        if (clientType != ClientType.All && currentContext.UserId.HasValue)
+        {
+            await Groups.RemoveFromGroupAsync(Context.ConnectionId,
+                GetUserGroup(currentContext.UserId.Value, clientType));
+        }
+
         if (currentContext.Organizations != null)
         {
             foreach (var org in currentContext.Organizations)
             {
-                await Groups.RemoveFromGroupAsync(Context.ConnectionId, $"Organization_{org.Id}");
+                await Groups.RemoveFromGroupAsync(Context.ConnectionId, GetOrganizationGroup(org.Id));
+                if (clientType != ClientType.All)
+                {
+                    await Groups.RemoveFromGroupAsync(Context.ConnectionId, GetOrganizationGroup(org.Id, clientType));
+                }
             }
         }
+
         _connectionCounter.Decrement();
         await base.OnDisconnectedAsync(exception);
     }
+
+    public static string GetUserGroup(Guid userId, ClientType clientType)
+    {
+        return $"UserClientType_{userId}_{clientType}";
+    }
+
+    public static string GetOrganizationGroup(Guid organizationId, ClientType? clientType = null)
+    {
+        return clientType is null or ClientType.All
+            ? $"Organization_{organizationId}"
+            : $"OrganizationClientType_{organizationId}_{clientType}";
+    }
 }
diff --git a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
index 192871bffc..5a1205c961 100644
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@@ -3,6 +3,7 @@ using System.Reflection;
 using System.Security.Claims;
 using System.Security.Cryptography.X509Certificates;
 using AspNetCoreRateLimit;
+using Azure.Storage.Queues;
 using Bit.Core.AdminConsole.Models.Business.Tokenables;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.Services;
@@ -306,7 +307,10 @@ public static class ServiceCollectionExtensions
             services.AddKeyedSingleton<IPushNotificationService, NotificationHubPushNotificationService>("implementation");
             if (CoreHelpers.SettingHasValue(globalSettings.Notifications?.ConnectionString))
             {
-                services.AddKeyedSingleton<IPushNotificationService, AzureQueuePushNotificationService>("implementation");
+                services.AddKeyedSingleton("notifications",
+                    (_, _) => new QueueClient(globalSettings.Notifications.ConnectionString, "notifications"));
+                services.AddKeyedSingleton<IPushNotificationService, AzureQueuePushNotificationService>(
+                    "implementation");
             }
         }
 
diff --git a/test/Api.IntegrationTest/NotificationCenter/Controllers/NotificationsControllerTests.cs b/test/Api.IntegrationTest/NotificationCenter/Controllers/NotificationsControllerTests.cs
index 6d487c5d8f..ca04c9775d 100644
--- a/test/Api.IntegrationTest/NotificationCenter/Controllers/NotificationsControllerTests.cs
+++ b/test/Api.IntegrationTest/NotificationCenter/Controllers/NotificationsControllerTests.cs
@@ -133,12 +133,10 @@ public class NotificationsControllerTests : IClassFixture<ApiApplicationFactory>
     [InlineData(null, null, "2", 10)]
     [InlineData(10, null, "2", 10)]
     [InlineData(10, 2, "3", 10)]
-    [InlineData(10, 3, null, 0)]
-    [InlineData(15, null, "2", 15)]
-    [InlineData(15, 2, null, 5)]
-    [InlineData(20, null, "2", 20)]
-    [InlineData(20, 2, null, 0)]
-    [InlineData(1000, null, null, 20)]
+    [InlineData(10, 3, null, 4)]
+    [InlineData(24, null, "2", 24)]
+    [InlineData(24, 2, null, 0)]
+    [InlineData(1000, null, null, 24)]
     public async Task ListAsync_PaginationFilter_ReturnsNextPageOfNotificationsCorrectOrder(
         int? pageSize, int? pageNumber, string? expectedContinuationToken, int expectedCount)
     {
@@ -505,11 +503,12 @@ public class NotificationsControllerTests : IClassFixture<ApiApplicationFactory>
                 userPartOrOrganizationNotificationWithStatuses
             }
             .SelectMany(n => n)
+            .Where(n => n.Item1.ClientType is ClientType.All or ClientType.Web)
             .ToList();
     }
 
     private async Task<List<Notification>> CreateNotificationsAsync(Guid? userId = null, Guid? organizationId = null,
-        int numberToCreate = 5)
+        int numberToCreate = 3)
     {
         var priorities = Enum.GetValues<Priority>();
         var clientTypes = Enum.GetValues<ClientType>();
@@ -570,13 +569,9 @@ public class NotificationsControllerTests : IClassFixture<ApiApplicationFactory>
                 DeletedDate = DateTime.UtcNow - TimeSpan.FromMinutes(_random.Next(3600))
             });
 
-        return
-        [
-            (notifications[0], readDateNotificationStatus),
-            (notifications[1], deletedDateNotificationStatus),
-            (notifications[2], readDateAndDeletedDateNotificationStatus),
-            (notifications[3], null),
-            (notifications[4], null)
-        ];
+        List<NotificationStatus> statuses =
+            [readDateNotificationStatus, deletedDateNotificationStatus, readDateAndDeletedDateNotificationStatus];
+
+        return notifications.Select(n => (n, statuses.Find(s => s.NotificationId == n.Id))).ToList();
     }
 }
diff --git a/test/Core.Test/AutoFixture/QueueClientFixtures.cs b/test/Core.Test/AutoFixture/QueueClientFixtures.cs
new file mode 100644
index 0000000000..2a722f3853
--- /dev/null
+++ b/test/Core.Test/AutoFixture/QueueClientFixtures.cs
@@ -0,0 +1,35 @@
+#nullable enable
+using AutoFixture;
+using AutoFixture.Kernel;
+using Azure.Storage.Queues;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+
+namespace Bit.Core.Test.AutoFixture;
+
+public class QueueClientBuilder : ISpecimenBuilder
+{
+    public object Create(object request, ISpecimenContext context)
+    {
+        var type = request as Type;
+        if (type == typeof(QueueClient))
+        {
+            return Substitute.For<QueueClient>();
+        }
+
+        return new NoSpecimen();
+    }
+}
+
+public class QueueClientCustomizeAttribute : BitCustomizeAttribute
+{
+    public override ICustomization GetCustomization() => new QueueClientFixtures();
+}
+
+public class QueueClientFixtures : ICustomization
+{
+    public void Customize(IFixture fixture)
+    {
+        fixture.Customizations.Add(new QueueClientBuilder());
+    }
+}
diff --git a/test/Core.Test/Models/Api/Request/PushSendRequestModelTests.cs b/test/Core.Test/Models/Api/Request/PushSendRequestModelTests.cs
new file mode 100644
index 0000000000..41a6c25bf2
--- /dev/null
+++ b/test/Core.Test/Models/Api/Request/PushSendRequestModelTests.cs
@@ -0,0 +1,94 @@
+#nullable enable
+using System.ComponentModel.DataAnnotations;
+using System.Text.Json;
+using Bit.Core.Enums;
+using Bit.Core.Models.Api;
+using Bit.Core.Utilities;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Xunit;
+
+namespace Bit.Core.Test.Models.Api.Request;
+
+public class PushSendRequestModelTests
+{
+    [Theory]
+    [InlineData(null, null)]
+    [InlineData(null, "")]
+    [InlineData(null, " ")]
+    [InlineData("", null)]
+    [InlineData(" ", null)]
+    [InlineData("", "")]
+    [InlineData(" ", " ")]
+    public void Validate_UserIdOrganizationIdNullOrEmpty_Invalid(string? userId, string? organizationId)
+    {
+        var model = new PushSendRequestModel
+        {
+            UserId = userId,
+            OrganizationId = organizationId,
+            Type = PushType.SyncCiphers,
+            Payload = "test"
+        };
+
+        var results = Validate(model);
+
+        Assert.Single(results);
+        Assert.Contains(results, result => result.ErrorMessage == "UserId or OrganizationId is required.");
+    }
+
+    [Theory]
+    [BitAutoData("Payload")]
+    [BitAutoData("Type")]
+    public void Validate_RequiredFieldNotProvided_Invalid(string requiredField)
+    {
+        var model = new PushSendRequestModel
+        {
+            UserId = Guid.NewGuid().ToString(),
+            OrganizationId = Guid.NewGuid().ToString(),
+            Type = PushType.SyncCiphers,
+            Payload = "test"
+        };
+
+        var dictionary = new Dictionary<string, object?>();
+        foreach (var property in model.GetType().GetProperties())
+        {
+            if (property.Name == requiredField)
+            {
+                continue;
+            }
+
+            dictionary[property.Name] = property.GetValue(model);
+        }
+
+        var serialized = JsonSerializer.Serialize(dictionary, JsonHelpers.IgnoreWritingNull);
+        var jsonException =
+            Assert.Throws<JsonException>(() => JsonSerializer.Deserialize<PushSendRequestModel>(serialized));
+        Assert.Contains($"missing required properties, including the following: {requiredField}",
+            jsonException.Message);
+    }
+
+    [Fact]
+    public void Validate_AllFieldsPresent_Valid()
+    {
+        var model = new PushSendRequestModel
+        {
+            UserId = Guid.NewGuid().ToString(),
+            OrganizationId = Guid.NewGuid().ToString(),
+            Type = PushType.SyncCiphers,
+            Payload = "test payload",
+            Identifier = Guid.NewGuid().ToString(),
+            ClientType = ClientType.All,
+            DeviceId = Guid.NewGuid().ToString()
+        };
+
+        var results = Validate(model);
+
+        Assert.Empty(results);
+    }
+
+    private static List<ValidationResult> Validate(PushSendRequestModel model)
+    {
+        var results = new List<ValidationResult>();
+        Validator.TryValidateObject(model, new ValidationContext(model), results, true);
+        return results;
+    }
+}
diff --git a/test/Core.Test/NotificationCenter/Commands/CreateNotificationCommandTest.cs b/test/Core.Test/NotificationCenter/Commands/CreateNotificationCommandTest.cs
index 4f5842d1c7..a51feb6a73 100644
--- a/test/Core.Test/NotificationCenter/Commands/CreateNotificationCommandTest.cs
+++ b/test/Core.Test/NotificationCenter/Commands/CreateNotificationCommandTest.cs
@@ -5,6 +5,7 @@ using Bit.Core.NotificationCenter.Authorization;
 using Bit.Core.NotificationCenter.Commands;
 using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.NotificationCenter.Repositories;
+using Bit.Core.Platform.Push;
 using Bit.Core.Test.NotificationCenter.AutoFixture;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -55,5 +56,8 @@ public class CreateNotificationCommandTest
         Assert.Equal(notification, newNotification);
         Assert.Equal(DateTime.UtcNow, notification.CreationDate, TimeSpan.FromMinutes(1));
         Assert.Equal(notification.CreationDate, notification.RevisionDate);
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncNotificationAsync(newNotification);
     }
 }
diff --git a/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs b/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs
index c26fc23460..dc391b9801 100644
--- a/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs
+++ b/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs
@@ -1,42 +1,236 @@
-using Bit.Core.NotificationHub;
-using Bit.Core.Platform.Push;
+#nullable enable
+using System.Text.Json;
+using Bit.Core.Enums;
+using Bit.Core.Models;
+using Bit.Core.Models.Data;
+using Bit.Core.NotificationCenter.Entities;
+using Bit.Core.NotificationHub;
 using Bit.Core.Repositories;
-using Microsoft.AspNetCore.Http;
-using Microsoft.Extensions.Logging;
+using Bit.Core.Test.NotificationCenter.AutoFixture;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
 using Xunit;
 
 namespace Bit.Core.Test.NotificationHub;
 
+[SutProviderCustomize]
 public class NotificationHubPushNotificationServiceTests
 {
-    private readonly NotificationHubPushNotificationService _sut;
-
-    private readonly IInstallationDeviceRepository _installationDeviceRepository;
-    private readonly INotificationHubPool _notificationHubPool;
-    private readonly IHttpContextAccessor _httpContextAccessor;
-    private readonly ILogger<NotificationsApiPushNotificationService> _logger;
-
-    public NotificationHubPushNotificationServiceTests()
+    [Theory]
+    [BitAutoData]
+    [NotificationCustomize]
+    public async void PushSyncNotificationAsync_Global_NotSent(
+        SutProvider<NotificationHubPushNotificationService> sutProvider, Notification notification)
     {
-        _installationDeviceRepository = Substitute.For<IInstallationDeviceRepository>();
-        _httpContextAccessor = Substitute.For<IHttpContextAccessor>();
-        _notificationHubPool = Substitute.For<INotificationHubPool>();
-        _logger = Substitute.For<ILogger<NotificationsApiPushNotificationService>>();
+        await sutProvider.Sut.PushSyncNotificationAsync(notification);
 
-        _sut = new NotificationHubPushNotificationService(
-            _installationDeviceRepository,
-            _notificationHubPool,
-            _httpContextAccessor,
-            _logger
-        );
+        await sutProvider.GetDependency<INotificationHubPool>()
+            .Received(0)
+            .AllClients
+            .Received(0)
+            .SendTemplateNotificationAsync(Arg.Any<IDictionary<string, string>>(), Arg.Any<string>());
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
     }
 
-    // Remove this test when we add actual tests. It only proves that
-    // we've properly constructed the system under test.
-    [Fact(Skip = "Needs additional work")]
-    public void ServiceExists()
+    [Theory]
+    [BitAutoData(false)]
+    [BitAutoData(true)]
+    [NotificationCustomize(false)]
+    public async void PushSyncNotificationAsync_UserIdProvidedClientTypeAll_SentToUser(
+        bool organizationIdNull, SutProvider<NotificationHubPushNotificationService> sutProvider,
+        Notification notification)
     {
-        Assert.NotNull(_sut);
+        if (organizationIdNull)
+        {
+            notification.OrganizationId = null;
+        }
+
+        notification.ClientType = ClientType.All;
+        var expectedSyncNotification = ToSyncNotificationPushNotification(notification);
+
+        await sutProvider.Sut.PushSyncNotificationAsync(notification);
+
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification, expectedSyncNotification,
+            $"(template:payload_userId:{notification.UserId})");
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
+    }
+
+    [Theory]
+    [BitAutoData(false, ClientType.Browser)]
+    [BitAutoData(false, ClientType.Desktop)]
+    [BitAutoData(false, ClientType.Web)]
+    [BitAutoData(false, ClientType.Mobile)]
+    [BitAutoData(true, ClientType.Browser)]
+    [BitAutoData(true, ClientType.Desktop)]
+    [BitAutoData(true, ClientType.Web)]
+    [BitAutoData(true, ClientType.Mobile)]
+    [NotificationCustomize(false)]
+    public async void PushSyncNotificationAsync_UserIdProvidedClientTypeNotAll_SentToUser(bool organizationIdNull,
+        ClientType clientType, SutProvider<NotificationHubPushNotificationService> sutProvider,
+        Notification notification)
+    {
+        if (organizationIdNull)
+        {
+            notification.OrganizationId = null;
+        }
+
+        notification.ClientType = clientType;
+        var expectedSyncNotification = ToSyncNotificationPushNotification(notification);
+
+        await sutProvider.Sut.PushSyncNotificationAsync(notification);
+
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification, expectedSyncNotification,
+            $"(template:payload_userId:{notification.UserId} && clientType:{clientType})");
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    [NotificationCustomize(false)]
+    public async void PushSyncNotificationAsync_UserIdNullOrganizationIdProvidedClientTypeAll_SentToOrganization(
+        SutProvider<NotificationHubPushNotificationService> sutProvider, Notification notification)
+    {
+        notification.UserId = null;
+        notification.ClientType = ClientType.All;
+        var expectedSyncNotification = ToSyncNotificationPushNotification(notification);
+
+        await sutProvider.Sut.PushSyncNotificationAsync(notification);
+
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification, expectedSyncNotification,
+            $"(template:payload && organizationId:{notification.OrganizationId})");
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
+    }
+
+    [Theory]
+    [BitAutoData(ClientType.Browser)]
+    [BitAutoData(ClientType.Desktop)]
+    [BitAutoData(ClientType.Web)]
+    [BitAutoData(ClientType.Mobile)]
+    [NotificationCustomize(false)]
+    public async void PushSyncNotificationAsync_UserIdNullOrganizationIdProvidedClientTypeNotAll_SentToOrganization(
+        ClientType clientType, SutProvider<NotificationHubPushNotificationService> sutProvider,
+        Notification notification)
+    {
+        notification.UserId = null;
+        notification.ClientType = clientType;
+
+        var expectedSyncNotification = ToSyncNotificationPushNotification(notification);
+
+        await sutProvider.Sut.PushSyncNotificationAsync(notification);
+
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification, expectedSyncNotification,
+            $"(template:payload && organizationId:{notification.OrganizationId} && clientType:{clientType})");
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
+    }
+
+    [Theory]
+    [BitAutoData([null])]
+    [BitAutoData(ClientType.All)]
+    public async void SendPayloadToUserAsync_ClientTypeNullOrAll_SentToUser(ClientType? clientType,
+        SutProvider<NotificationHubPushNotificationService> sutProvider, Guid userId, PushType pushType, string payload,
+        string identifier)
+    {
+        await sutProvider.Sut.SendPayloadToUserAsync(userId.ToString(), pushType, payload, identifier, null,
+            clientType);
+
+        await AssertSendTemplateNotificationAsync(sutProvider, pushType, payload,
+            $"(template:payload_userId:{userId} && !deviceIdentifier:{identifier})");
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
+    }
+
+    [Theory]
+    [BitAutoData(ClientType.Browser)]
+    [BitAutoData(ClientType.Desktop)]
+    [BitAutoData(ClientType.Mobile)]
+    [BitAutoData(ClientType.Web)]
+    public async void SendPayloadToUserAsync_ClientTypeExplicit_SentToUserAndClientType(ClientType clientType,
+        SutProvider<NotificationHubPushNotificationService> sutProvider, Guid userId, PushType pushType, string payload,
+        string identifier)
+    {
+        await sutProvider.Sut.SendPayloadToUserAsync(userId.ToString(), pushType, payload, identifier, null,
+            clientType);
+
+        await AssertSendTemplateNotificationAsync(sutProvider, pushType, payload,
+            $"(template:payload_userId:{userId} && !deviceIdentifier:{identifier} && clientType:{clientType})");
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
+    }
+
+    [Theory]
+    [BitAutoData([null])]
+    [BitAutoData(ClientType.All)]
+    public async void SendPayloadToOrganizationAsync_ClientTypeNullOrAll_SentToOrganization(ClientType? clientType,
+        SutProvider<NotificationHubPushNotificationService> sutProvider, Guid organizationId, PushType pushType,
+        string payload, string identifier)
+    {
+        await sutProvider.Sut.SendPayloadToOrganizationAsync(organizationId.ToString(), pushType, payload, identifier,
+            null, clientType);
+
+        await AssertSendTemplateNotificationAsync(sutProvider, pushType, payload,
+            $"(template:payload && organizationId:{organizationId} && !deviceIdentifier:{identifier})");
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
+    }
+
+    [Theory]
+    [BitAutoData(ClientType.Browser)]
+    [BitAutoData(ClientType.Desktop)]
+    [BitAutoData(ClientType.Mobile)]
+    [BitAutoData(ClientType.Web)]
+    public async void SendPayloadToOrganizationAsync_ClientTypeExplicit_SentToOrganizationAndClientType(
+        ClientType clientType, SutProvider<NotificationHubPushNotificationService> sutProvider, Guid organizationId,
+        PushType pushType, string payload, string identifier)
+    {
+        await sutProvider.Sut.SendPayloadToOrganizationAsync(organizationId.ToString(), pushType, payload, identifier,
+            null, clientType);
+
+        await AssertSendTemplateNotificationAsync(sutProvider, pushType, payload,
+            $"(template:payload && organizationId:{organizationId} && !deviceIdentifier:{identifier} && clientType:{clientType})");
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
+    }
+
+    private static SyncNotificationPushNotification ToSyncNotificationPushNotification(Notification notification) =>
+        new()
+        {
+            Id = notification.Id,
+            UserId = notification.UserId,
+            OrganizationId = notification.OrganizationId,
+            ClientType = notification.ClientType,
+            RevisionDate = notification.RevisionDate
+        };
+
+    private static async Task AssertSendTemplateNotificationAsync(
+        SutProvider<NotificationHubPushNotificationService> sutProvider, PushType type, object payload, string tag)
+    {
+        await sutProvider.GetDependency<INotificationHubPool>()
+            .Received(1)
+            .AllClients
+            .Received(1)
+            .SendTemplateNotificationAsync(
+                Arg.Is<IDictionary<string, string>>(dictionary => MatchingSendPayload(dictionary, type, payload)),
+                tag);
+    }
+
+    private static bool MatchingSendPayload(IDictionary<string, string> dictionary, PushType type, object payload)
+    {
+        return dictionary.ContainsKey("type") && dictionary["type"].Equals(((byte)type).ToString()) &&
+               dictionary.ContainsKey("payload") && dictionary["payload"].Equals(JsonSerializer.Serialize(payload));
     }
 }
diff --git a/test/Core.Test/NotificationHub/NotificationHubPushRegistrationServiceTests.cs b/test/Core.Test/NotificationHub/NotificationHubPushRegistrationServiceTests.cs
index c5851f2791..d51df9c882 100644
--- a/test/Core.Test/NotificationHub/NotificationHubPushRegistrationServiceTests.cs
+++ b/test/Core.Test/NotificationHub/NotificationHubPushRegistrationServiceTests.cs
@@ -1,44 +1,290 @@
-using Bit.Core.NotificationHub;
-using Bit.Core.Repositories;
-using Bit.Core.Settings;
-using Microsoft.Extensions.Logging;
+#nullable enable
+using Bit.Core.Enums;
+using Bit.Core.NotificationHub;
+using Bit.Core.Utilities;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.Azure.NotificationHubs;
 using NSubstitute;
 using Xunit;
 
 namespace Bit.Core.Test.NotificationHub;
 
+[SutProviderCustomize]
 public class NotificationHubPushRegistrationServiceTests
 {
-    private readonly NotificationHubPushRegistrationService _sut;
-
-    private readonly IInstallationDeviceRepository _installationDeviceRepository;
-    private readonly IServiceProvider _serviceProvider;
-    private readonly ILogger<NotificationHubPushRegistrationService> _logger;
-    private readonly GlobalSettings _globalSettings;
-    private readonly INotificationHubPool _notificationHubPool;
-
-    public NotificationHubPushRegistrationServiceTests()
+    [Theory]
+    [BitAutoData([null])]
+    [BitAutoData("")]
+    [BitAutoData(" ")]
+    public async Task CreateOrUpdateRegistrationAsync_PushTokenNullOrEmpty_InstallationNotCreated(string? pushToken,
+        SutProvider<NotificationHubPushRegistrationService> sutProvider, Guid deviceId, Guid userId, Guid identifier,
+        Guid organizationId)
     {
-        _installationDeviceRepository = Substitute.For<IInstallationDeviceRepository>();
-        _serviceProvider = Substitute.For<IServiceProvider>();
-        _logger = Substitute.For<ILogger<NotificationHubPushRegistrationService>>();
-        _globalSettings = new GlobalSettings();
-        _notificationHubPool = Substitute.For<INotificationHubPool>();
+        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
+            identifier.ToString(), DeviceType.Android, [organizationId.ToString()]);
 
-        _sut = new NotificationHubPushRegistrationService(
-            _installationDeviceRepository,
-            _globalSettings,
-            _notificationHubPool,
-            _serviceProvider,
-            _logger
-        );
+        sutProvider.GetDependency<INotificationHubPool>()
+            .Received(0)
+            .ClientFor(deviceId);
     }
 
-    // Remove this test when we add actual tests. It only proves that
-    // we've properly constructed the system under test.
-    [Fact(Skip = "Needs additional work")]
-    public void ServiceExists()
+    [Theory]
+    [BitAutoData(false, false)]
+    [BitAutoData(false, true)]
+    [BitAutoData(true, false)]
+    [BitAutoData(true, true)]
+    public async Task CreateOrUpdateRegistrationAsync_DeviceTypeAndroid_InstallationCreated(bool identifierNull,
+        bool partOfOrganizationId, SutProvider<NotificationHubPushRegistrationService> sutProvider, Guid deviceId,
+        Guid userId, Guid? identifier, Guid organizationId)
     {
-        Assert.NotNull(_sut);
+        var notificationHubClient = Substitute.For<INotificationHubClient>();
+        sutProvider.GetDependency<INotificationHubPool>().ClientFor(Arg.Any<Guid>()).Returns(notificationHubClient);
+
+        var pushToken = "test push token";
+
+        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
+            identifierNull ? null : identifier.ToString(), DeviceType.Android,
+            partOfOrganizationId ? [organizationId.ToString()] : []);
+
+        sutProvider.GetDependency<INotificationHubPool>()
+            .Received(1)
+            .ClientFor(deviceId);
+        await notificationHubClient
+            .Received(1)
+            .CreateOrUpdateInstallationAsync(Arg.Is<Installation>(installation =>
+                installation.InstallationId == deviceId.ToString() &&
+                installation.PushChannel == pushToken &&
+                installation.Platform == NotificationPlatform.FcmV1 &&
+                installation.Tags.Contains($"userId:{userId}") &&
+                installation.Tags.Contains("clientType:Mobile") &&
+                (identifierNull || installation.Tags.Contains($"deviceIdentifier:{identifier}")) &&
+                (!partOfOrganizationId || installation.Tags.Contains($"organizationId:{organizationId}")) &&
+                installation.Templates.Count == 3));
+        await notificationHubClient
+            .Received(1)
+            .CreateOrUpdateInstallationAsync(Arg.Is<Installation>(installation => MatchingInstallationTemplate(
+                installation.Templates, "template:payload",
+                "{\"message\":{\"data\":{\"type\":\"$(type)\",\"payload\":\"$(payload)\"}}}",
+                new List<string?>
+                {
+                    "template:payload",
+                    $"template:payload_userId:{userId}",
+                    "clientType:Mobile",
+                    identifierNull ? null : $"template:payload_deviceIdentifier:{identifier}",
+                    partOfOrganizationId ? $"organizationId:{organizationId}" : null,
+                })));
+        await notificationHubClient
+            .Received(1)
+            .CreateOrUpdateInstallationAsync(Arg.Is<Installation>(installation => MatchingInstallationTemplate(
+                installation.Templates, "template:message",
+                "{\"message\":{\"data\":{\"type\":\"$(type)\"},\"notification\":{\"title\":\"$(title)\",\"body\":\"$(message)\"}}}",
+                new List<string?>
+                {
+                    "template:message",
+                    $"template:message_userId:{userId}",
+                    "clientType:Mobile",
+                    identifierNull ? null : $"template:message_deviceIdentifier:{identifier}",
+                    partOfOrganizationId ? $"organizationId:{organizationId}" : null,
+                })));
+        await notificationHubClient
+            .Received(1)
+            .CreateOrUpdateInstallationAsync(Arg.Is<Installation>(installation => MatchingInstallationTemplate(
+                installation.Templates, "template:badgeMessage",
+                "{\"message\":{\"data\":{\"type\":\"$(type)\"},\"notification\":{\"title\":\"$(title)\",\"body\":\"$(message)\"}}}",
+                new List<string?>
+                {
+                    "template:badgeMessage",
+                    $"template:badgeMessage_userId:{userId}",
+                    "clientType:Mobile",
+                    identifierNull ? null : $"template:badgeMessage_deviceIdentifier:{identifier}",
+                    partOfOrganizationId ? $"organizationId:{organizationId}" : null,
+                })));
+    }
+
+    [Theory]
+    [BitAutoData(false, false)]
+    [BitAutoData(false, true)]
+    [BitAutoData(true, false)]
+    [BitAutoData(true, true)]
+    public async Task CreateOrUpdateRegistrationAsync_DeviceTypeIOS_InstallationCreated(bool identifierNull,
+        bool partOfOrganizationId, SutProvider<NotificationHubPushRegistrationService> sutProvider, Guid deviceId,
+        Guid userId, Guid identifier, Guid organizationId)
+    {
+        var notificationHubClient = Substitute.For<INotificationHubClient>();
+        sutProvider.GetDependency<INotificationHubPool>().ClientFor(Arg.Any<Guid>()).Returns(notificationHubClient);
+
+        var pushToken = "test push token";
+
+        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
+            identifierNull ? null : identifier.ToString(), DeviceType.iOS,
+            partOfOrganizationId ? [organizationId.ToString()] : []);
+
+        sutProvider.GetDependency<INotificationHubPool>()
+            .Received(1)
+            .ClientFor(deviceId);
+        await notificationHubClient
+            .Received(1)
+            .CreateOrUpdateInstallationAsync(Arg.Is<Installation>(installation =>
+                installation.InstallationId == deviceId.ToString() &&
+                installation.PushChannel == pushToken &&
+                installation.Platform == NotificationPlatform.Apns &&
+                installation.Tags.Contains($"userId:{userId}") &&
+                installation.Tags.Contains("clientType:Mobile") &&
+                (identifierNull || installation.Tags.Contains($"deviceIdentifier:{identifier}")) &&
+                (!partOfOrganizationId || installation.Tags.Contains($"organizationId:{organizationId}")) &&
+                installation.Templates.Count == 3));
+        await notificationHubClient
+            .Received(1)
+            .CreateOrUpdateInstallationAsync(Arg.Is<Installation>(installation => MatchingInstallationTemplate(
+                installation.Templates, "template:payload",
+                "{\"data\":{\"type\":\"#(type)\",\"payload\":\"$(payload)\"},\"aps\":{\"content-available\":1}}",
+                new List<string?>
+                {
+                    "template:payload",
+                    $"template:payload_userId:{userId}",
+                    "clientType:Mobile",
+                    identifierNull ? null : $"template:payload_deviceIdentifier:{identifier}",
+                    partOfOrganizationId ? $"organizationId:{organizationId}" : null,
+                })));
+        await notificationHubClient
+            .Received(1)
+            .CreateOrUpdateInstallationAsync(Arg.Is<Installation>(installation => MatchingInstallationTemplate(
+                installation.Templates, "template:message",
+                "{\"data\":{\"type\":\"#(type)\"},\"aps\":{\"alert\":\"$(message)\",\"badge\":null,\"content-available\":1}}",
+                new List<string?>
+                {
+                    "template:message",
+                    $"template:message_userId:{userId}",
+                    "clientType:Mobile",
+                    identifierNull ? null : $"template:message_deviceIdentifier:{identifier}",
+                    partOfOrganizationId ? $"organizationId:{organizationId}" : null,
+                })));
+        await notificationHubClient
+            .Received(1)
+            .CreateOrUpdateInstallationAsync(Arg.Is<Installation>(installation => MatchingInstallationTemplate(
+                installation.Templates, "template:badgeMessage",
+                "{\"data\":{\"type\":\"#(type)\"},\"aps\":{\"alert\":\"$(message)\",\"badge\":\"#(badge)\",\"content-available\":1}}",
+                new List<string?>
+                {
+                    "template:badgeMessage",
+                    $"template:badgeMessage_userId:{userId}",
+                    "clientType:Mobile",
+                    identifierNull ? null : $"template:badgeMessage_deviceIdentifier:{identifier}",
+                    partOfOrganizationId ? $"organizationId:{organizationId}" : null,
+                })));
+    }
+
+    [Theory]
+    [BitAutoData(false, false)]
+    [BitAutoData(false, true)]
+    [BitAutoData(true, false)]
+    [BitAutoData(true, true)]
+    public async Task CreateOrUpdateRegistrationAsync_DeviceTypeAndroidAmazon_InstallationCreated(bool identifierNull,
+        bool partOfOrganizationId, SutProvider<NotificationHubPushRegistrationService> sutProvider, Guid deviceId,
+        Guid userId, Guid identifier, Guid organizationId)
+    {
+        var notificationHubClient = Substitute.For<INotificationHubClient>();
+        sutProvider.GetDependency<INotificationHubPool>().ClientFor(Arg.Any<Guid>()).Returns(notificationHubClient);
+
+        var pushToken = "test push token";
+
+        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
+            identifierNull ? null : identifier.ToString(), DeviceType.AndroidAmazon,
+            partOfOrganizationId ? [organizationId.ToString()] : []);
+
+        sutProvider.GetDependency<INotificationHubPool>()
+            .Received(1)
+            .ClientFor(deviceId);
+        await notificationHubClient
+            .Received(1)
+            .CreateOrUpdateInstallationAsync(Arg.Is<Installation>(installation =>
+                installation.InstallationId == deviceId.ToString() &&
+                installation.PushChannel == pushToken &&
+                installation.Platform == NotificationPlatform.Adm &&
+                installation.Tags.Contains($"userId:{userId}") &&
+                installation.Tags.Contains("clientType:Mobile") &&
+                (identifierNull || installation.Tags.Contains($"deviceIdentifier:{identifier}")) &&
+                (!partOfOrganizationId || installation.Tags.Contains($"organizationId:{organizationId}")) &&
+                installation.Templates.Count == 3));
+        await notificationHubClient
+            .Received(1)
+            .CreateOrUpdateInstallationAsync(Arg.Is<Installation>(installation => MatchingInstallationTemplate(
+                installation.Templates, "template:payload",
+                "{\"data\":{\"type\":\"#(type)\",\"payload\":\"$(payload)\"}}",
+                new List<string?>
+                {
+                    "template:payload",
+                    $"template:payload_userId:{userId}",
+                    "clientType:Mobile",
+                    identifierNull ? null : $"template:payload_deviceIdentifier:{identifier}",
+                    partOfOrganizationId ? $"organizationId:{organizationId}" : null,
+                })));
+        await notificationHubClient
+            .Received(1)
+            .CreateOrUpdateInstallationAsync(Arg.Is<Installation>(installation => MatchingInstallationTemplate(
+                installation.Templates, "template:message",
+                "{\"data\":{\"type\":\"#(type)\",\"message\":\"$(message)\"}}",
+                new List<string?>
+                {
+                    "template:message",
+                    $"template:message_userId:{userId}",
+                    "clientType:Mobile",
+                    identifierNull ? null : $"template:message_deviceIdentifier:{identifier}",
+                    partOfOrganizationId ? $"organizationId:{organizationId}" : null,
+                })));
+        await notificationHubClient
+            .Received(1)
+            .CreateOrUpdateInstallationAsync(Arg.Is<Installation>(installation => MatchingInstallationTemplate(
+                installation.Templates, "template:badgeMessage",
+                "{\"data\":{\"type\":\"#(type)\",\"message\":\"$(message)\"}}",
+                new List<string?>
+                {
+                    "template:badgeMessage",
+                    $"template:badgeMessage_userId:{userId}",
+                    "clientType:Mobile",
+                    identifierNull ? null : $"template:badgeMessage_deviceIdentifier:{identifier}",
+                    partOfOrganizationId ? $"organizationId:{organizationId}" : null,
+                })));
+    }
+
+    [Theory]
+    [BitAutoData(DeviceType.ChromeBrowser)]
+    [BitAutoData(DeviceType.ChromeExtension)]
+    [BitAutoData(DeviceType.MacOsDesktop)]
+    public async Task CreateOrUpdateRegistrationAsync_DeviceTypeNotMobile_InstallationCreated(DeviceType deviceType,
+        SutProvider<NotificationHubPushRegistrationService> sutProvider, Guid deviceId, Guid userId, Guid identifier,
+        Guid organizationId)
+    {
+        var notificationHubClient = Substitute.For<INotificationHubClient>();
+        sutProvider.GetDependency<INotificationHubPool>().ClientFor(Arg.Any<Guid>()).Returns(notificationHubClient);
+
+        var pushToken = "test push token";
+
+        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
+            identifier.ToString(), deviceType, [organizationId.ToString()]);
+
+        sutProvider.GetDependency<INotificationHubPool>()
+            .Received(1)
+            .ClientFor(deviceId);
+        await notificationHubClient
+            .Received(1)
+            .CreateOrUpdateInstallationAsync(Arg.Is<Installation>(installation =>
+                installation.InstallationId == deviceId.ToString() &&
+                installation.PushChannel == pushToken &&
+                installation.Tags.Contains($"userId:{userId}") &&
+                installation.Tags.Contains($"clientType:{DeviceTypes.ToClientType(deviceType)}") &&
+                installation.Tags.Contains($"deviceIdentifier:{identifier}") &&
+                installation.Tags.Contains($"organizationId:{organizationId}") &&
+                installation.Templates.Count == 0));
+    }
+
+    private static bool MatchingInstallationTemplate(IDictionary<string, InstallationTemplate> templates, string key,
+        string body, List<string?> tags)
+    {
+        var tagsNoNulls = tags.FindAll(tag => tag != null);
+        return templates.ContainsKey(key) && templates[key].Body == body &&
+               templates[key].Tags.Count == tagsNoNulls.Count &&
+               templates[key].Tags.All(tagsNoNulls.Contains);
     }
 }
diff --git a/test/Core.Test/Platform/Push/Services/AzureQueuePushNotificationServiceTests.cs b/test/Core.Test/Platform/Push/Services/AzureQueuePushNotificationServiceTests.cs
index 85ce5a79ac..7aa053ec6d 100644
--- a/test/Core.Test/Platform/Push/Services/AzureQueuePushNotificationServiceTests.cs
+++ b/test/Core.Test/Platform/Push/Services/AzureQueuePushNotificationServiceTests.cs
@@ -1,33 +1,66 @@
-using Bit.Core.Settings;
+#nullable enable
+using System.Text.Json;
+using Azure.Storage.Queues;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Models;
+using Bit.Core.NotificationCenter.Entities;
+using Bit.Core.Test.AutoFixture;
+using Bit.Core.Test.AutoFixture.CurrentContextFixtures;
+using Bit.Core.Test.NotificationCenter.AutoFixture;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
 using Microsoft.AspNetCore.Http;
 using NSubstitute;
 using Xunit;
 
 namespace Bit.Core.Platform.Push.Internal.Test;
 
+[QueueClientCustomize]
+[SutProviderCustomize]
 public class AzureQueuePushNotificationServiceTests
 {
-    private readonly AzureQueuePushNotificationService _sut;
-
-    private readonly GlobalSettings _globalSettings;
-    private readonly IHttpContextAccessor _httpContextAccessor;
-
-    public AzureQueuePushNotificationServiceTests()
+    [Theory]
+    [BitAutoData]
+    [NotificationCustomize]
+    [CurrentContextCustomize]
+    public async void PushSyncNotificationAsync_Notification_Sent(
+        SutProvider<AzureQueuePushNotificationService> sutProvider, Notification notification, Guid deviceIdentifier,
+        ICurrentContext currentContext)
     {
-        _globalSettings = new GlobalSettings();
-        _httpContextAccessor = Substitute.For<IHttpContextAccessor>();
+        currentContext.DeviceIdentifier.Returns(deviceIdentifier.ToString());
+        sutProvider.GetDependency<IHttpContextAccessor>().HttpContext!.RequestServices
+            .GetService(Arg.Any<Type>()).Returns(currentContext);
 
-        _sut = new AzureQueuePushNotificationService(
-            _globalSettings,
-            _httpContextAccessor
-        );
+        await sutProvider.Sut.PushSyncNotificationAsync(notification);
+
+        await sutProvider.GetDependency<QueueClient>().Received(1)
+            .SendMessageAsync(Arg.Is<string>(message =>
+                MatchMessage(PushType.SyncNotification, message, new SyncNotificationEquals(notification),
+                    deviceIdentifier.ToString())));
     }
 
-    // Remove this test when we add actual tests. It only proves that
-    // we've properly constructed the system under test.
-    [Fact(Skip = "Needs additional work")]
-    public void ServiceExists()
+    private static bool MatchMessage<T>(PushType pushType, string message, IEquatable<T> expectedPayloadEquatable,
+        string contextId)
     {
-        Assert.NotNull(_sut);
+        var pushNotificationData =
+            JsonSerializer.Deserialize<PushNotificationData<T>>(message);
+        return pushNotificationData != null &&
+               pushNotificationData.Type == pushType &&
+               expectedPayloadEquatable.Equals(pushNotificationData.Payload) &&
+               pushNotificationData.ContextId == contextId;
+    }
+
+    private class SyncNotificationEquals(Notification notification) : IEquatable<SyncNotificationPushNotification>
+    {
+        public bool Equals(SyncNotificationPushNotification? other)
+        {
+            return other != null &&
+                   other.Id == notification.Id &&
+                   other.UserId == notification.UserId &&
+                   other.OrganizationId == notification.OrganizationId &&
+                   other.ClientType == notification.ClientType &&
+                   other.RevisionDate == notification.RevisionDate;
+        }
     }
 }
diff --git a/test/Core.Test/Platform/Push/Services/MultiServicePushNotificationServiceTests.cs b/test/Core.Test/Platform/Push/Services/MultiServicePushNotificationServiceTests.cs
index 021aa7f2cc..35997f80e9 100644
--- a/test/Core.Test/Platform/Push/Services/MultiServicePushNotificationServiceTests.cs
+++ b/test/Core.Test/Platform/Push/Services/MultiServicePushNotificationServiceTests.cs
@@ -1,44 +1,62 @@
-using AutoFixture;
+#nullable enable
+using Bit.Core.Enums;
+using Bit.Core.NotificationCenter.Entities;
+using Bit.Core.Test.NotificationCenter.AutoFixture;
 using Bit.Test.Common.AutoFixture;
-using Microsoft.Extensions.Logging;
+using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
 using Xunit;
-using GlobalSettingsCustomization = Bit.Test.Common.AutoFixture.GlobalSettings;
 
 namespace Bit.Core.Platform.Push.Internal.Test;
 
+[SutProviderCustomize]
 public class MultiServicePushNotificationServiceTests
 {
-    private readonly MultiServicePushNotificationService _sut;
-
-    private readonly ILogger<MultiServicePushNotificationService> _logger;
-    private readonly ILogger<RelayPushNotificationService> _relayLogger;
-    private readonly ILogger<NotificationsApiPushNotificationService> _hubLogger;
-    private readonly IEnumerable<IPushNotificationService> _services;
-    private readonly Settings.GlobalSettings _globalSettings;
-
-    public MultiServicePushNotificationServiceTests()
+    [Theory]
+    [BitAutoData]
+    [NotificationCustomize]
+    public async Task PushSyncNotificationAsync_Notification_Sent(
+        SutProvider<MultiServicePushNotificationService> sutProvider, Notification notification)
     {
-        _logger = Substitute.For<ILogger<MultiServicePushNotificationService>>();
-        _relayLogger = Substitute.For<ILogger<RelayPushNotificationService>>();
-        _hubLogger = Substitute.For<ILogger<NotificationsApiPushNotificationService>>();
+        await sutProvider.Sut.PushSyncNotificationAsync(notification);
 
-        var fixture = new Fixture().WithAutoNSubstitutions().Customize(new GlobalSettingsCustomization());
-        _services = fixture.CreateMany<IPushNotificationService>();
-        _globalSettings = fixture.Create<Settings.GlobalSettings>();
-
-        _sut = new MultiServicePushNotificationService(
-            _services,
-            _logger,
-            _globalSettings
-        );
+        await sutProvider.GetDependency<IEnumerable<IPushNotificationService>>()
+            .First()
+            .Received(1)
+            .PushSyncNotificationAsync(notification);
     }
 
-    // Remove this test when we add actual tests. It only proves that
-    // we've properly constructed the system under test.
-    [Fact]
-    public void ServiceExists()
+    [Theory]
+    [BitAutoData([null, null])]
+    [BitAutoData(ClientType.All, null)]
+    [BitAutoData([null, "test device id"])]
+    [BitAutoData(ClientType.All, "test device id")]
+    public async Task SendPayloadToUserAsync_Message_Sent(ClientType? clientType, string? deviceId, string userId,
+        PushType type, object payload, string identifier, SutProvider<MultiServicePushNotificationService> sutProvider)
     {
-        Assert.NotNull(_sut);
+        await sutProvider.Sut.SendPayloadToUserAsync(userId, type, payload, identifier, deviceId, clientType);
+
+        await sutProvider.GetDependency<IEnumerable<IPushNotificationService>>()
+            .First()
+            .Received(1)
+            .SendPayloadToUserAsync(userId, type, payload, identifier, deviceId, clientType);
+    }
+
+    [Theory]
+    [BitAutoData([null, null])]
+    [BitAutoData(ClientType.All, null)]
+    [BitAutoData([null, "test device id"])]
+    [BitAutoData(ClientType.All, "test device id")]
+    public async Task SendPayloadToOrganizationAsync_Message_Sent(ClientType? clientType, string? deviceId,
+        string organizationId, PushType type, object payload, string identifier,
+        SutProvider<MultiServicePushNotificationService> sutProvider)
+    {
+        await sutProvider.Sut.SendPayloadToOrganizationAsync(organizationId, type, payload, identifier, deviceId,
+            clientType);
+
+        await sutProvider.GetDependency<IEnumerable<IPushNotificationService>>()
+            .First()
+            .Received(1)
+            .SendPayloadToOrganizationAsync(organizationId, type, payload, identifier, deviceId, clientType);
     }
 }
diff --git a/test/Core.Test/Services/DeviceServiceTests.cs b/test/Core.Test/Services/DeviceServiceTests.cs
index 41ef0b4d74..98b04eb7d3 100644
--- a/test/Core.Test/Services/DeviceServiceTests.cs
+++ b/test/Core.Test/Services/DeviceServiceTests.cs
@@ -3,6 +3,7 @@ using Bit.Core.Auth.Models.Api.Request;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -16,15 +17,23 @@ namespace Bit.Core.Test.Services;
 [SutProviderCustomize]
 public class DeviceServiceTests
 {
-    [Fact]
-    public async Task DeviceSaveShouldUpdateRevisionDateAndPushRegistration()
+    [Theory]
+    [BitAutoData]
+    public async Task SaveAsync_IdProvided_UpdatedRevisionDateAndPushRegistration(Guid id, Guid userId,
+        Guid organizationId1, Guid organizationId2,
+        OrganizationUserOrganizationDetails organizationUserOrganizationDetails1,
+        OrganizationUserOrganizationDetails organizationUserOrganizationDetails2)
     {
+        organizationUserOrganizationDetails1.OrganizationId = organizationId1;
+        organizationUserOrganizationDetails2.OrganizationId = organizationId2;
+
         var deviceRepo = Substitute.For<IDeviceRepository>();
         var pushRepo = Substitute.For<IPushRegistrationService>();
-        var deviceService = new DeviceService(deviceRepo, pushRepo);
+        var organizationUserRepository = Substitute.For<IOrganizationUserRepository>();
+        organizationUserRepository.GetManyDetailsByUserAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType?>())
+            .Returns([organizationUserOrganizationDetails1, organizationUserOrganizationDetails2]);
+        var deviceService = new DeviceService(deviceRepo, pushRepo, organizationUserRepository);
 
-        var id = Guid.NewGuid();
-        var userId = Guid.NewGuid();
         var device = new Device
         {
             Id = id,
@@ -37,8 +46,53 @@ public class DeviceServiceTests
         await deviceService.SaveAsync(device);
 
         Assert.True(device.RevisionDate - DateTime.UtcNow < TimeSpan.FromSeconds(1));
-        await pushRepo.Received().CreateOrUpdateRegistrationAsync("testtoken", id.ToString(),
-            userId.ToString(), "testid", DeviceType.Android);
+        await pushRepo.Received(1).CreateOrUpdateRegistrationAsync("testtoken", id.ToString(),
+            userId.ToString(), "testid", DeviceType.Android,
+            Arg.Do<IEnumerable<string>>(organizationIds =>
+            {
+                var organizationIdsList = organizationIds.ToList();
+                Assert.Equal(2, organizationIdsList.Count);
+                Assert.Contains(organizationId1.ToString(), organizationIdsList);
+                Assert.Contains(organizationId2.ToString(), organizationIdsList);
+            }));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task SaveAsync_IdNotProvided_CreatedAndPushRegistration(Guid userId, Guid organizationId1,
+        Guid organizationId2,
+        OrganizationUserOrganizationDetails organizationUserOrganizationDetails1,
+        OrganizationUserOrganizationDetails organizationUserOrganizationDetails2)
+    {
+        organizationUserOrganizationDetails1.OrganizationId = organizationId1;
+        organizationUserOrganizationDetails2.OrganizationId = organizationId2;
+
+        var deviceRepo = Substitute.For<IDeviceRepository>();
+        var pushRepo = Substitute.For<IPushRegistrationService>();
+        var organizationUserRepository = Substitute.For<IOrganizationUserRepository>();
+        organizationUserRepository.GetManyDetailsByUserAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType?>())
+            .Returns([organizationUserOrganizationDetails1, organizationUserOrganizationDetails2]);
+        var deviceService = new DeviceService(deviceRepo, pushRepo, organizationUserRepository);
+
+        var device = new Device
+        {
+            Name = "test device",
+            Type = DeviceType.Android,
+            UserId = userId,
+            PushToken = "testtoken",
+            Identifier = "testid"
+        };
+        await deviceService.SaveAsync(device);
+
+        await pushRepo.Received(1).CreateOrUpdateRegistrationAsync("testtoken",
+            Arg.Do<string>(id => Guid.TryParse(id, out var _)), userId.ToString(), "testid", DeviceType.Android,
+            Arg.Do<IEnumerable<string>>(organizationIds =>
+            {
+                var organizationIdsList = organizationIds.ToList();
+                Assert.Equal(2, organizationIdsList.Count);
+                Assert.Contains(organizationId1.ToString(), organizationIdsList);
+                Assert.Contains(organizationId2.ToString(), organizationIdsList);
+            }));
     }
 
     /// <summary>
@@ -62,12 +116,7 @@ public class DeviceServiceTests
 
         sutProvider.GetDependency<IDeviceRepository>()
             .GetManyByUserIdAsync(currentUserId)
-            .Returns(new List<Device>
-            {
-                deviceOne,
-                deviceTwo,
-                deviceThree,
-            });
+            .Returns(new List<Device> { deviceOne, deviceTwo, deviceThree, });
 
         var currentDeviceModel = new DeviceKeysUpdateRequestModel
         {
@@ -85,7 +134,8 @@ public class DeviceServiceTests
             },
         };
 
-        await sutProvider.Sut.UpdateDevicesTrustAsync("current_device", currentUserId, currentDeviceModel, alteredDeviceModels);
+        await sutProvider.Sut.UpdateDevicesTrustAsync("current_device", currentUserId, currentDeviceModel,
+            alteredDeviceModels);
 
         // Updating trust, "current" or "other" only needs to change the EncryptedPublicKey & EncryptedUserKey
         await sutProvider.GetDependency<IDeviceRepository>()
@@ -149,11 +199,7 @@ public class DeviceServiceTests
 
         sutProvider.GetDependency<IDeviceRepository>()
             .GetManyByUserIdAsync(currentUserId)
-            .Returns(new List<Device>
-            {
-                deviceOne,
-                deviceTwo,
-            });
+            .Returns(new List<Device> { deviceOne, deviceTwo, });
 
         var currentDeviceModel = new DeviceKeysUpdateRequestModel
         {
@@ -171,7 +217,8 @@ public class DeviceServiceTests
             },
         };
 
-        await sutProvider.Sut.UpdateDevicesTrustAsync("current_device", currentUserId, currentDeviceModel, alteredDeviceModels);
+        await sutProvider.Sut.UpdateDevicesTrustAsync("current_device", currentUserId, currentDeviceModel,
+            alteredDeviceModels);
 
         // Check that UpsertAsync was called for the trusted device
         await sutProvider.GetDependency<IDeviceRepository>()
@@ -203,11 +250,7 @@ public class DeviceServiceTests
 
         sutProvider.GetDependency<IDeviceRepository>()
             .GetManyByUserIdAsync(currentUserId)
-            .Returns(new List<Device>
-            {
-                deviceOne,
-                deviceTwo,
-            });
+            .Returns(new List<Device> { deviceOne, deviceTwo, });
 
         var currentDeviceModel = new DeviceKeysUpdateRequestModel
         {
@@ -237,11 +280,7 @@ public class DeviceServiceTests
 
         sutProvider.GetDependency<IDeviceRepository>()
             .GetManyByUserIdAsync(currentUserId)
-            .Returns(new List<Device>
-            {
-                deviceOne,
-                deviceTwo,
-            });
+            .Returns(new List<Device> { deviceOne, deviceTwo, });
 
         var currentDeviceModel = new DeviceKeysUpdateRequestModel
         {
@@ -260,6 +299,7 @@ public class DeviceServiceTests
         };
 
         await Assert.ThrowsAsync<BadRequestException>(() =>
-            sutProvider.Sut.UpdateDevicesTrustAsync("current_device", currentUserId, currentDeviceModel, alteredDeviceModels));
+            sutProvider.Sut.UpdateDevicesTrustAsync("current_device", currentUserId, currentDeviceModel,
+                alteredDeviceModels));
     }
 }
diff --git a/test/Identity.IntegrationTest/openid-configuration.json b/test/Identity.IntegrationTest/openid-configuration.json
index 23e5a67c06..4d74f66009 100644
--- a/test/Identity.IntegrationTest/openid-configuration.json
+++ b/test/Identity.IntegrationTest/openid-configuration.json
@@ -24,6 +24,7 @@
     "sstamp",
     "premium",
     "device",
+    "devicetype",
     "orgowner",
     "orgadmin",
     "orguser",

From b98b74cef6135af29a3152def0960baa948745be Mon Sep 17 00:00:00 2001
From: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
Date: Wed, 12 Feb 2025 17:31:03 +0100
Subject: [PATCH 270/384] [PM-10600] Push notification with full notification
 center content (#5086)

* PM-10600: Notification push notification

* PM-10600: Sending to specific client types for relay push notifications

* PM-10600: Sending to specific client types for other clients

* PM-10600: Send push notification on notification creation

* PM-10600: Explicit group names

* PM-10600: Id typos

* PM-10600: Revert global push notifications

* PM-10600: Added DeviceType claim

* PM-10600: Sent to organization typo

* PM-10600: UT coverage

* PM-10600: Small refactor, UTs coverage

* PM-10600: UTs coverage

* PM-10600: Startup fix

* PM-10600: Test fix

* PM-10600: Required attribute, organization group for push notification fix

* PM-10600: UT coverage

* PM-10600: Fix Mobile devices not registering to organization push notifications

We only register devices for organization push notifications when the organization is being created. This does not work, since we have a use case (Notification Center) of delivering notifications to all users of organization. This fixes it, by adding the organization id tag when device registers for push notifications.

* PM-10600: Unit Test coverage for NotificationHubPushRegistrationService

Fixed IFeatureService substitute mocking for Android tests.
Added user part of organization test with organizationId tags expectation.

* PM-10600: Unit Tests fix to NotificationHubPushRegistrationService after merge conflict

* PM-10600: Organization push notifications not sending to mobile device from self-hosted.

Self-hosted instance uses relay to register the mobile device against Bitwarden Cloud Api. Only the self-hosted server knows client's organization membership, which means it needs to pass in the organization id's information to the relay. Similarly, for Bitwarden Cloud, the organizaton id will come directly from the server.

* PM-10600: Fix self-hosted organization notification not being received by mobile device.

When mobile device registers on self-hosted through the relay, every single id, like user id, device id and now organization id needs to be prefixed with the installation id. This have been missing in the PushController that handles this for organization id.

* PM-10600: Broken NotificationsController integration test

Device type is now part of JWT access token, so the notification center results in the integration test are now scoped to client type web and all.

* PM-10600: Merge conflicts fix

* merge conflict fix

* PM-10600: Push notification with full notification center content.

Notification Center push notification now includes all the fields.
---
 src/Core/Models/PushNotification.cs           | 12 ++++++--
 .../Commands/CreateNotificationCommand.cs     |  2 +-
 .../Entities/Notification.cs                  |  5 ++--
 .../NotificationHubPushNotificationService.cs | 11 +++++--
 .../AzureQueuePushNotificationService.cs      | 11 +++++--
 .../Push/Services/IPushNotificationService.cs |  2 +-
 .../MultiServicePushNotificationService.cs    |  4 +--
 .../Services/NoopPushNotificationService.cs   |  2 +-
 ...NotificationsApiPushNotificationService.cs | 11 +++++--
 .../Services/RelayPushNotificationService.cs  | 11 +++++--
 src/Notifications/HubHelpers.cs               |  2 +-
 .../Commands/CreateNotificationCommandTest.cs |  2 +-
 ...ficationHubPushNotificationServiceTests.cs | 29 +++++++++++--------
 .../AzureQueuePushNotificationServiceTests.cs | 22 +++++++++-----
 ...ultiServicePushNotificationServiceTests.cs |  6 ++--
 15 files changed, 85 insertions(+), 47 deletions(-)

diff --git a/src/Core/Models/PushNotification.cs b/src/Core/Models/PushNotification.cs
index fd27ced6c5..a6e8852e95 100644
--- a/src/Core/Models/PushNotification.cs
+++ b/src/Core/Models/PushNotification.cs
@@ -1,4 +1,5 @@
 using Bit.Core.Enums;
+using Bit.Core.NotificationCenter.Enums;
 
 namespace Bit.Core.Models;
 
@@ -45,14 +46,21 @@ public class SyncSendPushNotification
     public DateTime RevisionDate { get; set; }
 }
 
-public class SyncNotificationPushNotification
+#nullable enable
+public class NotificationPushNotification
 {
     public Guid Id { get; set; }
+    public Priority Priority { get; set; }
+    public bool Global { get; set; }
+    public ClientType ClientType { get; set; }
     public Guid? UserId { get; set; }
     public Guid? OrganizationId { get; set; }
-    public ClientType ClientType { get; set; }
+    public string? Title { get; set; }
+    public string? Body { get; set; }
+    public DateTime CreationDate { get; set; }
     public DateTime RevisionDate { get; set; }
 }
+#nullable disable
 
 public class AuthRequestPushNotification
 {
diff --git a/src/Core/NotificationCenter/Commands/CreateNotificationCommand.cs b/src/Core/NotificationCenter/Commands/CreateNotificationCommand.cs
index f378a3688a..3fddafcdc7 100644
--- a/src/Core/NotificationCenter/Commands/CreateNotificationCommand.cs
+++ b/src/Core/NotificationCenter/Commands/CreateNotificationCommand.cs
@@ -37,7 +37,7 @@ public class CreateNotificationCommand : ICreateNotificationCommand
 
         var newNotification = await _notificationRepository.CreateAsync(notification);
 
-        await _pushNotificationService.PushSyncNotificationAsync(newNotification);
+        await _pushNotificationService.PushNotificationAsync(newNotification);
 
         return newNotification;
     }
diff --git a/src/Core/NotificationCenter/Entities/Notification.cs b/src/Core/NotificationCenter/Entities/Notification.cs
index aba456efbe..ad43299f55 100644
--- a/src/Core/NotificationCenter/Entities/Notification.cs
+++ b/src/Core/NotificationCenter/Entities/Notification.cs
@@ -15,9 +15,8 @@ public class Notification : ITableObject<Guid>
     public ClientType ClientType { get; set; }
     public Guid? UserId { get; set; }
     public Guid? OrganizationId { get; set; }
-    [MaxLength(256)]
-    public string? Title { get; set; }
-    public string? Body { get; set; }
+    [MaxLength(256)] public string? Title { get; set; }
+    [MaxLength(3000)] public string? Body { get; set; }
     public DateTime CreationDate { get; set; }
     public DateTime RevisionDate { get; set; }
     public Guid? TaskId { get; set; }
diff --git a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
index ed44e69218..d1c7749d9f 100644
--- a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
+++ b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
@@ -181,14 +181,19 @@ public class NotificationHubPushNotificationService : IPushNotificationService
         await PushAuthRequestAsync(authRequest, PushType.AuthRequestResponse);
     }
 
-    public async Task PushSyncNotificationAsync(Notification notification)
+    public async Task PushNotificationAsync(Notification notification)
     {
-        var message = new SyncNotificationPushNotification
+        var message = new NotificationPushNotification
         {
             Id = notification.Id,
+            Priority = notification.Priority,
+            Global = notification.Global,
+            ClientType = notification.ClientType,
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
-            ClientType = notification.ClientType,
+            Title = notification.Title,
+            Body = notification.Body,
+            CreationDate = notification.CreationDate,
             RevisionDate = notification.RevisionDate
         };
 
diff --git a/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs b/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
index d3509c5437..a25a017192 100644
--- a/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
@@ -165,14 +165,19 @@ public class AzureQueuePushNotificationService : IPushNotificationService
         await PushSendAsync(send, PushType.SyncSendDelete);
     }
 
-    public async Task PushSyncNotificationAsync(Notification notification)
+    public async Task PushNotificationAsync(Notification notification)
     {
-        var message = new SyncNotificationPushNotification
+        var message = new NotificationPushNotification
         {
             Id = notification.Id,
+            Priority = notification.Priority,
+            Global = notification.Global,
+            ClientType = notification.ClientType,
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
-            ClientType = notification.ClientType,
+            Title = notification.Title,
+            Body = notification.Body,
+            CreationDate = notification.CreationDate,
             RevisionDate = notification.RevisionDate
         };
 
diff --git a/src/Core/Platform/Push/Services/IPushNotificationService.cs b/src/Core/Platform/Push/Services/IPushNotificationService.cs
index 5e1ab7067e..7f2b6c90fe 100644
--- a/src/Core/Platform/Push/Services/IPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/IPushNotificationService.cs
@@ -24,7 +24,7 @@ public interface IPushNotificationService
     Task PushSyncSendCreateAsync(Send send);
     Task PushSyncSendUpdateAsync(Send send);
     Task PushSyncSendDeleteAsync(Send send);
-    Task PushSyncNotificationAsync(Notification notification);
+    Task PushNotificationAsync(Notification notification);
     Task PushAuthRequestAsync(AuthRequest authRequest);
     Task PushAuthRequestResponseAsync(AuthRequest authRequest);
     Task PushSyncOrganizationStatusAsync(Organization organization);
diff --git a/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs b/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
index 4ad81e223b..db3107b6c3 100644
--- a/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
@@ -144,9 +144,9 @@ public class MultiServicePushNotificationService : IPushNotificationService
         return Task.CompletedTask;
     }
 
-    public Task PushSyncNotificationAsync(Notification notification)
+    public Task PushNotificationAsync(Notification notification)
     {
-        PushToServices((s) => s.PushSyncNotificationAsync(notification));
+        PushToServices((s) => s.PushNotificationAsync(notification));
         return Task.CompletedTask;
     }
 
diff --git a/src/Core/Platform/Push/Services/NoopPushNotificationService.cs b/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
index 463a2fde88..fb4121179f 100644
--- a/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
@@ -113,5 +113,5 @@ public class NoopPushNotificationService : IPushNotificationService
         return Task.FromResult(0);
     }
 
-    public Task PushSyncNotificationAsync(Notification notification) => Task.CompletedTask;
+    public Task PushNotificationAsync(Notification notification) => Task.CompletedTask;
 }
diff --git a/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs b/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
index 5c6b46f63e..fb3814fd64 100644
--- a/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
@@ -184,14 +184,19 @@ public class NotificationsApiPushNotificationService : BaseIdentityClientService
         await PushSendAsync(send, PushType.SyncSendDelete);
     }
 
-    public async Task PushSyncNotificationAsync(Notification notification)
+    public async Task PushNotificationAsync(Notification notification)
     {
-        var message = new SyncNotificationPushNotification
+        var message = new NotificationPushNotification
         {
             Id = notification.Id,
+            Priority = notification.Priority,
+            Global = notification.Global,
+            ClientType = notification.ClientType,
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
-            ClientType = notification.ClientType,
+            Title = notification.Title,
+            Body = notification.Body,
+            CreationDate = notification.CreationDate,
             RevisionDate = notification.RevisionDate
         };
 
diff --git a/src/Core/Platform/Push/Services/RelayPushNotificationService.cs b/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
index f51ab004a6..4d99f04768 100644
--- a/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
@@ -191,14 +191,19 @@ public class RelayPushNotificationService : BaseIdentityClientService, IPushNoti
         await SendPayloadToUserAsync(authRequest.UserId, type, message, true);
     }
 
-    public async Task PushSyncNotificationAsync(Notification notification)
+    public async Task PushNotificationAsync(Notification notification)
     {
-        var message = new SyncNotificationPushNotification
+        var message = new NotificationPushNotification
         {
             Id = notification.Id,
+            Priority = notification.Priority,
+            Global = notification.Global,
+            ClientType = notification.ClientType,
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
-            ClientType = notification.ClientType,
+            Title = notification.Title,
+            Body = notification.Body,
+            CreationDate = notification.CreationDate,
             RevisionDate = notification.RevisionDate
         };
 
diff --git a/src/Notifications/HubHelpers.cs b/src/Notifications/HubHelpers.cs
index 6d17ca9955..9b0164fdc5 100644
--- a/src/Notifications/HubHelpers.cs
+++ b/src/Notifications/HubHelpers.cs
@@ -105,7 +105,7 @@ public static class HubHelpers
                 break;
             case PushType.SyncNotification:
                 var syncNotification =
-                    JsonSerializer.Deserialize<PushNotificationData<SyncNotificationPushNotification>>(
+                    JsonSerializer.Deserialize<PushNotificationData<NotificationPushNotification>>(
                         notificationJson, _deserializerOptions);
                 if (syncNotification.Payload.UserId.HasValue)
                 {
diff --git a/test/Core.Test/NotificationCenter/Commands/CreateNotificationCommandTest.cs b/test/Core.Test/NotificationCenter/Commands/CreateNotificationCommandTest.cs
index a51feb6a73..41efce82ab 100644
--- a/test/Core.Test/NotificationCenter/Commands/CreateNotificationCommandTest.cs
+++ b/test/Core.Test/NotificationCenter/Commands/CreateNotificationCommandTest.cs
@@ -58,6 +58,6 @@ public class CreateNotificationCommandTest
         Assert.Equal(notification.CreationDate, notification.RevisionDate);
         await sutProvider.GetDependency<IPushNotificationService>()
             .Received(1)
-            .PushSyncNotificationAsync(newNotification);
+            .PushNotificationAsync(newNotification);
     }
 }
diff --git a/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs b/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs
index dc391b9801..f1cfdc9f85 100644
--- a/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs
+++ b/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs
@@ -20,10 +20,10 @@ public class NotificationHubPushNotificationServiceTests
     [Theory]
     [BitAutoData]
     [NotificationCustomize]
-    public async void PushSyncNotificationAsync_Global_NotSent(
+    public async void PushNotificationAsync_Global_NotSent(
         SutProvider<NotificationHubPushNotificationService> sutProvider, Notification notification)
     {
-        await sutProvider.Sut.PushSyncNotificationAsync(notification);
+        await sutProvider.Sut.PushNotificationAsync(notification);
 
         await sutProvider.GetDependency<INotificationHubPool>()
             .Received(0)
@@ -39,7 +39,7 @@ public class NotificationHubPushNotificationServiceTests
     [BitAutoData(false)]
     [BitAutoData(true)]
     [NotificationCustomize(false)]
-    public async void PushSyncNotificationAsync_UserIdProvidedClientTypeAll_SentToUser(
+    public async void PushNotificationAsync_UserIdProvidedClientTypeAll_SentToUser(
         bool organizationIdNull, SutProvider<NotificationHubPushNotificationService> sutProvider,
         Notification notification)
     {
@@ -51,7 +51,7 @@ public class NotificationHubPushNotificationServiceTests
         notification.ClientType = ClientType.All;
         var expectedSyncNotification = ToSyncNotificationPushNotification(notification);
 
-        await sutProvider.Sut.PushSyncNotificationAsync(notification);
+        await sutProvider.Sut.PushNotificationAsync(notification);
 
         await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification, expectedSyncNotification,
             $"(template:payload_userId:{notification.UserId})");
@@ -70,7 +70,7 @@ public class NotificationHubPushNotificationServiceTests
     [BitAutoData(true, ClientType.Web)]
     [BitAutoData(true, ClientType.Mobile)]
     [NotificationCustomize(false)]
-    public async void PushSyncNotificationAsync_UserIdProvidedClientTypeNotAll_SentToUser(bool organizationIdNull,
+    public async void PushNotificationAsync_UserIdProvidedClientTypeNotAll_SentToUser(bool organizationIdNull,
         ClientType clientType, SutProvider<NotificationHubPushNotificationService> sutProvider,
         Notification notification)
     {
@@ -82,7 +82,7 @@ public class NotificationHubPushNotificationServiceTests
         notification.ClientType = clientType;
         var expectedSyncNotification = ToSyncNotificationPushNotification(notification);
 
-        await sutProvider.Sut.PushSyncNotificationAsync(notification);
+        await sutProvider.Sut.PushNotificationAsync(notification);
 
         await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification, expectedSyncNotification,
             $"(template:payload_userId:{notification.UserId} && clientType:{clientType})");
@@ -94,14 +94,14 @@ public class NotificationHubPushNotificationServiceTests
     [Theory]
     [BitAutoData]
     [NotificationCustomize(false)]
-    public async void PushSyncNotificationAsync_UserIdNullOrganizationIdProvidedClientTypeAll_SentToOrganization(
+    public async void PushNotificationAsync_UserIdNullOrganizationIdProvidedClientTypeAll_SentToOrganization(
         SutProvider<NotificationHubPushNotificationService> sutProvider, Notification notification)
     {
         notification.UserId = null;
         notification.ClientType = ClientType.All;
         var expectedSyncNotification = ToSyncNotificationPushNotification(notification);
 
-        await sutProvider.Sut.PushSyncNotificationAsync(notification);
+        await sutProvider.Sut.PushNotificationAsync(notification);
 
         await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification, expectedSyncNotification,
             $"(template:payload && organizationId:{notification.OrganizationId})");
@@ -116,7 +116,7 @@ public class NotificationHubPushNotificationServiceTests
     [BitAutoData(ClientType.Web)]
     [BitAutoData(ClientType.Mobile)]
     [NotificationCustomize(false)]
-    public async void PushSyncNotificationAsync_UserIdNullOrganizationIdProvidedClientTypeNotAll_SentToOrganization(
+    public async void PushNotificationAsync_UserIdNullOrganizationIdProvidedClientTypeNotAll_SentToOrganization(
         ClientType clientType, SutProvider<NotificationHubPushNotificationService> sutProvider,
         Notification notification)
     {
@@ -125,7 +125,7 @@ public class NotificationHubPushNotificationServiceTests
 
         var expectedSyncNotification = ToSyncNotificationPushNotification(notification);
 
-        await sutProvider.Sut.PushSyncNotificationAsync(notification);
+        await sutProvider.Sut.PushNotificationAsync(notification);
 
         await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification, expectedSyncNotification,
             $"(template:payload && organizationId:{notification.OrganizationId} && clientType:{clientType})");
@@ -206,13 +206,18 @@ public class NotificationHubPushNotificationServiceTests
             .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
     }
 
-    private static SyncNotificationPushNotification ToSyncNotificationPushNotification(Notification notification) =>
+    private static NotificationPushNotification ToSyncNotificationPushNotification(Notification notification) =>
         new()
         {
             Id = notification.Id,
+            Priority = notification.Priority,
+            Global = notification.Global,
+            ClientType = notification.ClientType,
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
-            ClientType = notification.ClientType,
+            Title = notification.Title,
+            Body = notification.Body,
+            CreationDate = notification.CreationDate,
             RevisionDate = notification.RevisionDate
         };
 
diff --git a/test/Core.Test/Platform/Push/Services/AzureQueuePushNotificationServiceTests.cs b/test/Core.Test/Platform/Push/Services/AzureQueuePushNotificationServiceTests.cs
index 7aa053ec6d..a84a76152a 100644
--- a/test/Core.Test/Platform/Push/Services/AzureQueuePushNotificationServiceTests.cs
+++ b/test/Core.Test/Platform/Push/Services/AzureQueuePushNotificationServiceTests.cs
@@ -24,7 +24,7 @@ public class AzureQueuePushNotificationServiceTests
     [BitAutoData]
     [NotificationCustomize]
     [CurrentContextCustomize]
-    public async void PushSyncNotificationAsync_Notification_Sent(
+    public async void PushNotificationAsync_Notification_Sent(
         SutProvider<AzureQueuePushNotificationService> sutProvider, Notification notification, Guid deviceIdentifier,
         ICurrentContext currentContext)
     {
@@ -32,7 +32,7 @@ public class AzureQueuePushNotificationServiceTests
         sutProvider.GetDependency<IHttpContextAccessor>().HttpContext!.RequestServices
             .GetService(Arg.Any<Type>()).Returns(currentContext);
 
-        await sutProvider.Sut.PushSyncNotificationAsync(notification);
+        await sutProvider.Sut.PushNotificationAsync(notification);
 
         await sutProvider.GetDependency<QueueClient>().Received(1)
             .SendMessageAsync(Arg.Is<string>(message =>
@@ -43,23 +43,29 @@ public class AzureQueuePushNotificationServiceTests
     private static bool MatchMessage<T>(PushType pushType, string message, IEquatable<T> expectedPayloadEquatable,
         string contextId)
     {
-        var pushNotificationData =
-            JsonSerializer.Deserialize<PushNotificationData<T>>(message);
+        var pushNotificationData = JsonSerializer.Deserialize<PushNotificationData<T>>(message);
         return pushNotificationData != null &&
                pushNotificationData.Type == pushType &&
                expectedPayloadEquatable.Equals(pushNotificationData.Payload) &&
                pushNotificationData.ContextId == contextId;
     }
 
-    private class SyncNotificationEquals(Notification notification) : IEquatable<SyncNotificationPushNotification>
+    private class SyncNotificationEquals(Notification notification) : IEquatable<NotificationPushNotification>
     {
-        public bool Equals(SyncNotificationPushNotification? other)
+        public bool Equals(NotificationPushNotification? other)
         {
             return other != null &&
                    other.Id == notification.Id &&
-                   other.UserId == notification.UserId &&
-                   other.OrganizationId == notification.OrganizationId &&
+                   other.Priority == notification.Priority &&
+                   other.Global == notification.Global &&
                    other.ClientType == notification.ClientType &&
+                   other.UserId.HasValue == notification.UserId.HasValue &&
+                   other.UserId == notification.UserId &&
+                   other.OrganizationId.HasValue == notification.OrganizationId.HasValue &&
+                   other.OrganizationId == notification.OrganizationId &&
+                   other.Title == notification.Title &&
+                   other.Body == notification.Body &&
+                   other.CreationDate == notification.CreationDate &&
                    other.RevisionDate == notification.RevisionDate;
         }
     }
diff --git a/test/Core.Test/Platform/Push/Services/MultiServicePushNotificationServiceTests.cs b/test/Core.Test/Platform/Push/Services/MultiServicePushNotificationServiceTests.cs
index 35997f80e9..edbd297708 100644
--- a/test/Core.Test/Platform/Push/Services/MultiServicePushNotificationServiceTests.cs
+++ b/test/Core.Test/Platform/Push/Services/MultiServicePushNotificationServiceTests.cs
@@ -15,15 +15,15 @@ public class MultiServicePushNotificationServiceTests
     [Theory]
     [BitAutoData]
     [NotificationCustomize]
-    public async Task PushSyncNotificationAsync_Notification_Sent(
+    public async Task PushNotificationAsync_Notification_Sent(
         SutProvider<MultiServicePushNotificationService> sutProvider, Notification notification)
     {
-        await sutProvider.Sut.PushSyncNotificationAsync(notification);
+        await sutProvider.Sut.PushNotificationAsync(notification);
 
         await sutProvider.GetDependency<IEnumerable<IPushNotificationService>>()
             .First()
             .Received(1)
-            .PushSyncNotificationAsync(notification);
+            .PushNotificationAsync(notification);
     }
 
     [Theory]

From 71f293138edefb06cd74d627e5dcfa9f6f23702f Mon Sep 17 00:00:00 2001
From: Robyn MacCallum <robyntmaccallum@gmail.com>
Date: Wed, 12 Feb 2025 11:39:17 -0500
Subject: [PATCH 271/384] Remove extra BWA sync flags (#5396)

---
 src/Core/Constants.cs | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index a025bbb142..6b3d0485b0 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -159,15 +159,11 @@ public static class FeatureFlagKeys
     public const string InlineMenuTotp = "inline-menu-totp";
     public const string SelfHostLicenseRefactor = "pm-11516-self-host-license-refactor";
     public const string PrivateKeyRegeneration = "pm-12241-private-key-regeneration";
-    public const string AuthenticatorSynciOS = "enable-authenticator-sync-ios";
-    public const string AuthenticatorSyncAndroid = "enable-authenticator-sync-android";
     public const string AppReviewPrompt = "app-review-prompt";
     public const string ResellerManagedOrgAlert = "PM-15814-alert-owners-of-reseller-managed-orgs";
     public const string Argon2Default = "argon2-default";
     public const string UsePricingService = "use-pricing-service";
     public const string RecordInstallationLastActivityDate = "installation-last-activity-date";
-    public const string EnablePasswordManagerSyncAndroid = "enable-password-manager-sync-android";
-    public const string EnablePasswordManagerSynciOS = "enable-password-manager-sync-ios";
     public const string AccountDeprovisioningBanner = "pm-17120-account-deprovisioning-admin-console-banner";
     public const string SingleTapPasskeyCreation = "single-tap-passkey-creation";
     public const string SingleTapPasskeyAuthentication = "single-tap-passkey-authentication";

From 5d3294c3768aea9312b97691e6216464f496795a Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Wed, 12 Feb 2025 13:42:24 -0500
Subject: [PATCH 272/384] Fix issue with credit card payment (#5399)

---
 .../PremiumUserBillingService.cs              | 62 +++++++++++--------
 1 file changed, 36 insertions(+), 26 deletions(-)

diff --git a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
index 6f571950f5..6b9f32e8f9 100644
--- a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
@@ -92,32 +92,7 @@ public class PremiumUserBillingService(
          * If the customer was previously set up with credit, which does not require a billing location,
          * we need to update the customer on the fly before we start the subscription.
          */
-        if (customerSetup is
-            {
-                TokenizedPaymentSource.Type: PaymentMethodType.Credit,
-                TaxInformation: { Country: not null and not "", PostalCode: not null and not "" }
-            })
-        {
-            var options = new CustomerUpdateOptions
-            {
-                Address = new AddressOptions
-                {
-                    Line1 = customerSetup.TaxInformation.Line1,
-                    Line2 = customerSetup.TaxInformation.Line2,
-                    City = customerSetup.TaxInformation.City,
-                    PostalCode = customerSetup.TaxInformation.PostalCode,
-                    State = customerSetup.TaxInformation.State,
-                    Country = customerSetup.TaxInformation.Country,
-                },
-                Expand = ["tax"],
-                Tax = new CustomerTaxOptions
-                {
-                    ValidateLocation = StripeConstants.ValidateTaxLocationTiming.Immediately
-                }
-            };
-
-            customer = await stripeAdapter.CustomerUpdateAsync(customer.Id, options);
-        }
+        customer = await ReconcileBillingLocationAsync(customer, customerSetup.TaxInformation);
 
         var subscription = await CreateSubscriptionAsync(user.Id, customer, storage);
 
@@ -167,6 +142,11 @@ public class PremiumUserBillingService(
         User user,
         CustomerSetup customerSetup)
     {
+        /*
+         * Creating a Customer via the adding of a payment method or the purchasing of a subscription requires
+         * an actual payment source. The only time this is not the case is when the Customer is created when the
+         * User purchases credit.
+         */
         if (customerSetup.TokenizedPaymentSource is not
             {
                 Type: PaymentMethodType.BankAccount or PaymentMethodType.Card or PaymentMethodType.PayPal,
@@ -367,4 +347,34 @@ public class PremiumUserBillingService(
 
         return subscription;
     }
+
+    private async Task<Customer> ReconcileBillingLocationAsync(
+        Customer customer,
+        TaxInformation taxInformation)
+    {
+        if (customer is { Address: { Country: not null and not "", PostalCode: not null and not "" } })
+        {
+            return customer;
+        }
+
+        var options = new CustomerUpdateOptions
+        {
+            Address = new AddressOptions
+            {
+                Line1 = taxInformation.Line1,
+                Line2 = taxInformation.Line2,
+                City = taxInformation.City,
+                PostalCode = taxInformation.PostalCode,
+                State = taxInformation.State,
+                Country = taxInformation.Country,
+            },
+            Expand = ["tax"],
+            Tax = new CustomerTaxOptions
+            {
+                ValidateLocation = StripeConstants.ValidateTaxLocationTiming.Immediately
+            }
+        };
+
+        return await stripeAdapter.CustomerUpdateAsync(customer.Id, options);
+    }
 }

From 459c91a5a95b882c9eb6dd39979c05cc39035304 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Thu, 13 Feb 2025 10:30:50 +0000
Subject: [PATCH 273/384] [PM-13748] Remove SCIM provider type checks from
 group endpoints (#5231)

* [PM-13748] Remove SCIM provider type checks from group endpoints

* Remove Okta provider type config from group command tests

---------

Co-authored-by: bnagawiecki <107435978+bnagawiecki@users.noreply.github.com>
---
 .../src/Scim/Groups/PostGroupCommand.cs              | 12 ------------
 bitwarden_license/src/Scim/Groups/PutGroupCommand.cs | 11 -----------
 .../test/Scim.Test/Groups/PostGroupCommandTests.cs   |  6 ------
 .../test/Scim.Test/Groups/PutGroupCommandTests.cs    |  6 ------
 4 files changed, 35 deletions(-)

diff --git a/bitwarden_license/src/Scim/Groups/PostGroupCommand.cs b/bitwarden_license/src/Scim/Groups/PostGroupCommand.cs
index 9cc8c8d13c..5a7a03f1f4 100644
--- a/bitwarden_license/src/Scim/Groups/PostGroupCommand.cs
+++ b/bitwarden_license/src/Scim/Groups/PostGroupCommand.cs
@@ -1,11 +1,8 @@
 using Bit.Core.AdminConsole.Entities;
-using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
-using Bit.Core.Repositories;
-using Bit.Scim.Context;
 using Bit.Scim.Groups.Interfaces;
 using Bit.Scim.Models;
 
@@ -14,17 +11,13 @@ namespace Bit.Scim.Groups;
 public class PostGroupCommand : IPostGroupCommand
 {
     private readonly IGroupRepository _groupRepository;
-    private readonly IScimContext _scimContext;
     private readonly ICreateGroupCommand _createGroupCommand;
 
     public PostGroupCommand(
         IGroupRepository groupRepository,
-        IOrganizationRepository organizationRepository,
-        IScimContext scimContext,
         ICreateGroupCommand createGroupCommand)
     {
         _groupRepository = groupRepository;
-        _scimContext = scimContext;
         _createGroupCommand = createGroupCommand;
     }
 
@@ -50,11 +43,6 @@ public class PostGroupCommand : IPostGroupCommand
 
     private async Task UpdateGroupMembersAsync(Group group, ScimGroupRequestModel model)
     {
-        if (_scimContext.RequestScimProvider != ScimProviderType.Okta)
-        {
-            return;
-        }
-
         if (model.Members == null)
         {
             return;
diff --git a/bitwarden_license/src/Scim/Groups/PutGroupCommand.cs b/bitwarden_license/src/Scim/Groups/PutGroupCommand.cs
index 2503380a00..c2cef246a9 100644
--- a/bitwarden_license/src/Scim/Groups/PutGroupCommand.cs
+++ b/bitwarden_license/src/Scim/Groups/PutGroupCommand.cs
@@ -1,10 +1,8 @@
 using Bit.Core.AdminConsole.Entities;
-using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
-using Bit.Scim.Context;
 using Bit.Scim.Groups.Interfaces;
 using Bit.Scim.Models;
 
@@ -13,16 +11,13 @@ namespace Bit.Scim.Groups;
 public class PutGroupCommand : IPutGroupCommand
 {
     private readonly IGroupRepository _groupRepository;
-    private readonly IScimContext _scimContext;
     private readonly IUpdateGroupCommand _updateGroupCommand;
 
     public PutGroupCommand(
         IGroupRepository groupRepository,
-        IScimContext scimContext,
         IUpdateGroupCommand updateGroupCommand)
     {
         _groupRepository = groupRepository;
-        _scimContext = scimContext;
         _updateGroupCommand = updateGroupCommand;
     }
 
@@ -43,12 +38,6 @@ public class PutGroupCommand : IPutGroupCommand
 
     private async Task UpdateGroupMembersAsync(Group group, ScimGroupRequestModel model)
     {
-        if (_scimContext.RequestScimProvider != ScimProviderType.Okta &&
-            _scimContext.RequestScimProvider != ScimProviderType.Ping)
-        {
-            return;
-        }
-
         if (model.Members == null)
         {
             return;
diff --git a/bitwarden_license/test/Scim.Test/Groups/PostGroupCommandTests.cs b/bitwarden_license/test/Scim.Test/Groups/PostGroupCommandTests.cs
index acf1c6c782..b44295192b 100644
--- a/bitwarden_license/test/Scim.Test/Groups/PostGroupCommandTests.cs
+++ b/bitwarden_license/test/Scim.Test/Groups/PostGroupCommandTests.cs
@@ -1,10 +1,8 @@
 using Bit.Core.AdminConsole.Entities;
-using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
-using Bit.Scim.Context;
 using Bit.Scim.Groups;
 using Bit.Scim.Models;
 using Bit.Scim.Utilities;
@@ -73,10 +71,6 @@ public class PostGroupCommandTests
             .GetManyByOrganizationIdAsync(organization.Id)
             .Returns(groups);
 
-        sutProvider.GetDependency<IScimContext>()
-            .RequestScimProvider
-            .Returns(ScimProviderType.Okta);
-
         var group = await sutProvider.Sut.PostGroupAsync(organization, scimGroupRequestModel);
 
         await sutProvider.GetDependency<ICreateGroupCommand>().Received(1).CreateGroupAsync(group, organization, EventSystemUser.SCIM, null);
diff --git a/bitwarden_license/test/Scim.Test/Groups/PutGroupCommandTests.cs b/bitwarden_license/test/Scim.Test/Groups/PutGroupCommandTests.cs
index 579a4b4e64..fb67cd684b 100644
--- a/bitwarden_license/test/Scim.Test/Groups/PutGroupCommandTests.cs
+++ b/bitwarden_license/test/Scim.Test/Groups/PutGroupCommandTests.cs
@@ -1,10 +1,8 @@
 using Bit.Core.AdminConsole.Entities;
-using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
-using Bit.Scim.Context;
 using Bit.Scim.Groups;
 using Bit.Scim.Models;
 using Bit.Scim.Utilities;
@@ -62,10 +60,6 @@ public class PutGroupCommandTests
             .GetByIdAsync(group.Id)
             .Returns(group);
 
-        sutProvider.GetDependency<IScimContext>()
-            .RequestScimProvider
-            .Returns(ScimProviderType.Okta);
-
         var inputModel = new ScimGroupRequestModel
         {
             DisplayName = displayName,

From 0c482eea3234636062283142d000ddb2f4cf32b6 Mon Sep 17 00:00:00 2001
From: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
Date: Thu, 13 Feb 2025 14:14:55 +0100
Subject: [PATCH 274/384] PM-10600: Missing Notification Center MaxLength on
 Body column (#5402)

---
 ...8_NotificationCenterBodyLength.Designer.cs | 3010 ++++++++++++++++
 ...0213120818_NotificationCenterBodyLength.cs |   41 +
 .../DatabaseContextModelSnapshot.cs           |    3 +-
 ...9_NotificationCenterBodyLength.Designer.cs | 3016 +++++++++++++++++
 ...0213120809_NotificationCenterBodyLength.cs |   37 +
 .../DatabaseContextModelSnapshot.cs           |    3 +-
 ...4_NotificationCenterBodyLength.Designer.cs | 2999 ++++++++++++++++
 ...0213120814_NotificationCenterBodyLength.cs |   21 +
 .../DatabaseContextModelSnapshot.cs           |    1 +
 9 files changed, 9129 insertions(+), 2 deletions(-)
 create mode 100644 util/MySqlMigrations/Migrations/20250213120818_NotificationCenterBodyLength.Designer.cs
 create mode 100644 util/MySqlMigrations/Migrations/20250213120818_NotificationCenterBodyLength.cs
 create mode 100644 util/PostgresMigrations/Migrations/20250213120809_NotificationCenterBodyLength.Designer.cs
 create mode 100644 util/PostgresMigrations/Migrations/20250213120809_NotificationCenterBodyLength.cs
 create mode 100644 util/SqliteMigrations/Migrations/20250213120814_NotificationCenterBodyLength.Designer.cs
 create mode 100644 util/SqliteMigrations/Migrations/20250213120814_NotificationCenterBodyLength.cs

diff --git a/util/MySqlMigrations/Migrations/20250213120818_NotificationCenterBodyLength.Designer.cs b/util/MySqlMigrations/Migrations/20250213120818_NotificationCenterBodyLength.Designer.cs
new file mode 100644
index 0000000000..78771a45b7
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20250213120818_NotificationCenterBodyLength.Designer.cs
@@ -0,0 +1,3010 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Metadata;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20250213120818_NotificationCenterBodyLength")]
+    partial class NotificationCenterBodyLength
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 64);
+
+            MySqlModelBuilderExtensions.AutoIncrementColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("LimitItemDeletion")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("varchar(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("int");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("varchar(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("varchar(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("longblob");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("varchar(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("varchar(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("int");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("varchar(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Body")
+                        .HasMaxLength(3000)
+                        .HasColumnType("varchar(3000)");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid?>("TaskId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("TaskId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("varchar(150)");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("varchar(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("varchar(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", "Task")
+                        .WithMany()
+                        .HasForeignKey("TaskId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Task");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/20250213120818_NotificationCenterBodyLength.cs b/util/MySqlMigrations/Migrations/20250213120818_NotificationCenterBodyLength.cs
new file mode 100644
index 0000000000..47888410b1
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20250213120818_NotificationCenterBodyLength.cs
@@ -0,0 +1,41 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class NotificationCenterBodyLength : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AlterColumn<string>(
+            name: "Body",
+            table: "Notification",
+            type: "varchar(3000)",
+            maxLength: 3000,
+            nullable: true,
+            oldClrType: typeof(string),
+            oldType: "longtext",
+            oldNullable: true)
+            .Annotation("MySql:CharSet", "utf8mb4")
+            .OldAnnotation("MySql:CharSet", "utf8mb4");
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AlterColumn<string>(
+            name: "Body",
+            table: "Notification",
+            type: "longtext",
+            nullable: true,
+            oldClrType: typeof(string),
+            oldType: "varchar(3000)",
+            oldMaxLength: 3000,
+            oldNullable: true)
+            .Annotation("MySql:CharSet", "utf8mb4")
+            .OldAnnotation("MySql:CharSet", "utf8mb4");
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
index 44ef9e01c3..73ed8e0c6b 100644
--- a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -1654,7 +1654,8 @@ namespace Bit.MySqlMigrations.Migrations
                         .HasColumnType("char(36)");
 
                     b.Property<string>("Body")
-                        .HasColumnType("longtext");
+                        .HasMaxLength(3000)
+                        .HasColumnType("varchar(3000)");
 
                     b.Property<byte>("ClientType")
                         .HasColumnType("tinyint unsigned");
diff --git a/util/PostgresMigrations/Migrations/20250213120809_NotificationCenterBodyLength.Designer.cs b/util/PostgresMigrations/Migrations/20250213120809_NotificationCenterBodyLength.Designer.cs
new file mode 100644
index 0000000000..12c3821158
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20250213120809_NotificationCenterBodyLength.Designer.cs
@@ -0,0 +1,3016 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20250213120809_NotificationCenterBodyLength")]
+    partial class NotificationCenterBodyLength
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("Npgsql:CollationDefinition:postgresIndetermanisticCollation", "en-u-ks-primary,en-u-ks-primary,icu,False")
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("LimitItemDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled");
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("Id", "Enabled"), new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("character varying(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("OrganizationId", "ExternalId"), new[] { "UserId" });
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("character varying(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("numeric");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("character varying(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("character varying(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("numeric");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("numeric");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("boolean");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("numeric");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("character varying(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Body")
+                        .HasMaxLength(3000)
+                        .HasColumnType("character varying(3000)");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("TaskId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("TaskId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("character varying(150)");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("character varying(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", "Task")
+                        .WithMany()
+                        .HasForeignKey("TaskId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Task");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/20250213120809_NotificationCenterBodyLength.cs b/util/PostgresMigrations/Migrations/20250213120809_NotificationCenterBodyLength.cs
new file mode 100644
index 0000000000..11aac4ef56
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20250213120809_NotificationCenterBodyLength.cs
@@ -0,0 +1,37 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class NotificationCenterBodyLength : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AlterColumn<string>(
+            name: "Body",
+            table: "Notification",
+            type: "character varying(3000)",
+            maxLength: 3000,
+            nullable: true,
+            oldClrType: typeof(string),
+            oldType: "text",
+            oldNullable: true);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AlterColumn<string>(
+            name: "Body",
+            table: "Notification",
+            type: "text",
+            nullable: true,
+            oldClrType: typeof(string),
+            oldType: "character varying(3000)",
+            oldMaxLength: 3000,
+            oldNullable: true);
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
index 11fa811d98..a6017652bf 100644
--- a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -1660,7 +1660,8 @@ namespace Bit.PostgresMigrations.Migrations
                         .HasColumnType("uuid");
 
                     b.Property<string>("Body")
-                        .HasColumnType("text");
+                        .HasMaxLength(3000)
+                        .HasColumnType("character varying(3000)");
 
                     b.Property<byte>("ClientType")
                         .HasColumnType("smallint");
diff --git a/util/SqliteMigrations/Migrations/20250213120814_NotificationCenterBodyLength.Designer.cs b/util/SqliteMigrations/Migrations/20250213120814_NotificationCenterBodyLength.Designer.cs
new file mode 100644
index 0000000000..91b7b87e88
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20250213120814_NotificationCenterBodyLength.Designer.cs
@@ -0,0 +1,2999 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20250213120814_NotificationCenterBodyLength")]
+    partial class NotificationCenterBodyLength
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder.HasAnnotation("ProductVersion", "8.0.8");
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("LimitItemDeletion")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("BLOB");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Body")
+                        .HasMaxLength(3000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("TaskId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("TaskId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", "Task")
+                        .WithMany()
+                        .HasForeignKey("TaskId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Task");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/20250213120814_NotificationCenterBodyLength.cs b/util/SqliteMigrations/Migrations/20250213120814_NotificationCenterBodyLength.cs
new file mode 100644
index 0000000000..0dac35755d
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20250213120814_NotificationCenterBodyLength.cs
@@ -0,0 +1,21 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class NotificationCenterBodyLength : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
index 8d122f5617..185caf3074 100644
--- a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -1643,6 +1643,7 @@ namespace Bit.SqliteMigrations.Migrations
                         .HasColumnType("TEXT");
 
                     b.Property<string>("Body")
+                        .HasMaxLength(3000)
                         .HasColumnType("TEXT");
 
                     b.Property<byte>("ClientType")

From c3924bbf3bb6eb78a0339477a7ae03a95fb0d4c7 Mon Sep 17 00:00:00 2001
From: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
Date: Thu, 13 Feb 2025 14:23:33 +0100
Subject: [PATCH 275/384] [PM-10564] Push notification updates to other clients
 (#5057)

* PM-10600: Notification push notification

* PM-10600: Sending to specific client types for relay push notifications

* PM-10600: Sending to specific client types for other clients

* PM-10600: Send push notification on notification creation

* PM-10600: Explicit group names

* PM-10600: Id typos

* PM-10600: Revert global push notifications

* PM-10600: Added DeviceType claim

* PM-10600: Sent to organization typo

* PM-10600: UT coverage

* PM-10600: Small refactor, UTs coverage

* PM-10600: UTs coverage

* PM-10600: Startup fix

* PM-10600: Test fix

* PM-10600: Required attribute, organization group for push notification fix

* PM-10600: UT coverage

* PM-10600: Fix Mobile devices not registering to organization push notifications

We only register devices for organization push notifications when the organization is being created. This does not work, since we have a use case (Notification Center) of delivering notifications to all users of organization. This fixes it, by adding the organization id tag when device registers for push notifications.

* PM-10600: Unit Test coverage for NotificationHubPushRegistrationService

Fixed IFeatureService substitute mocking for Android tests.
Added user part of organization test with organizationId tags expectation.

* PM-10600: Unit Tests fix to NotificationHubPushRegistrationService after merge conflict

* PM-10600: Organization push notifications not sending to mobile device from self-hosted.

Self-hosted instance uses relay to register the mobile device against Bitwarden Cloud Api. Only the self-hosted server knows client's organization membership, which means it needs to pass in the organization id's information to the relay. Similarly, for Bitwarden Cloud, the organizaton id will come directly from the server.

* PM-10600: Fix self-hosted organization notification not being received by mobile device.

When mobile device registers on self-hosted through the relay, every single id, like user id, device id and now organization id needs to be prefixed with the installation id. This have been missing in the PushController that handles this for organization id.

* PM-10600: Broken NotificationsController integration test

Device type is now part of JWT access token, so the notification center results in the integration test are now scoped to client type web and all.

* PM-10600: Merge conflicts fix

* merge conflict fix

* PM-10600: Push notification with full notification center content.

Notification Center push notification now includes all the fields.

* PM-10564: Push notification updates to other clients

Cherry-picked and squashed commits:
d9711b6031a1bc1d96b920e521e6f37de1b434ec 6e69c8a0ce9a5ee29df9988b20c6e531c0b4e4a3 01c814595e572911574066802b661c83b116a865 3885885d5f4be39fdc2b8d258867c8a7536491cd 1285a7e994921b0e6f9ba78f9b84d8e7a6ceda2f fcf346985f367c462ef7b65ce7d5d2612f7345cc 28ff53c293f4d37de5fa40d2964f924368e13c95 57804ae27cbf25d88d148f399ce81c1c09997e10 1c9339b6869926e59076202e06341e5d4a403cc7

* null check fix

* logging using template formatting
---
 src/Core/Enums/PushType.cs                    |   1 +
 src/Core/Models/PushNotification.cs           |  13 +-
 .../CreateNotificationStatusCommand.cs        |  12 +-
 .../MarkNotificationDeletedCommand.cs         |  12 +-
 .../Commands/MarkNotificationReadCommand.cs   |  12 +-
 .../Commands/UpdateNotificationCommand.cs     |   8 +-
 .../NotificationHubPushNotificationService.cs |  50 +++-
 .../AzureQueuePushNotificationService.cs      |  36 ++-
 .../Push/Services/IPushNotificationService.cs |  12 +-
 .../MultiServicePushNotificationService.cs    |  33 ++-
 .../Services/NoopPushNotificationService.cs   |  14 +-
 ...NotificationsApiPushNotificationService.cs |  40 +++-
 .../Services/RelayPushNotificationService.cs  |  45 +++-
 src/Notifications/HubHelpers.cs               |   1 +
 .../Commands/CreateNotificationCommandTest.cs |   9 +
 .../CreateNotificationStatusCommandTest.cs    |  25 ++
 .../MarkNotificationDeletedCommandTest.cs     |  77 +++++-
 .../MarkNotificationReadCommandTest.cs        |  77 +++++-
 .../Commands/UpdateNotificationCommandTest.cs |  19 ++
 ...ficationHubPushNotificationServiceTests.cs | 226 +++++++++++++++---
 .../AzureQueuePushNotificationServiceTests.cs |  34 ++-
 ...ultiServicePushNotificationServiceTests.cs |  16 ++
 22 files changed, 646 insertions(+), 126 deletions(-)

diff --git a/src/Core/Enums/PushType.cs b/src/Core/Enums/PushType.cs
index b656e70601..d4a4caeb9e 100644
--- a/src/Core/Enums/PushType.cs
+++ b/src/Core/Enums/PushType.cs
@@ -29,4 +29,5 @@ public enum PushType : byte
     SyncOrganizationCollectionSettingChanged = 19,
 
     SyncNotification = 20,
+    SyncNotificationStatus = 21
 }
diff --git a/src/Core/Models/PushNotification.cs b/src/Core/Models/PushNotification.cs
index a6e8852e95..775c3443f2 100644
--- a/src/Core/Models/PushNotification.cs
+++ b/src/Core/Models/PushNotification.cs
@@ -1,11 +1,12 @@
-using Bit.Core.Enums;
+#nullable enable
+using Bit.Core.Enums;
 using Bit.Core.NotificationCenter.Enums;
 
 namespace Bit.Core.Models;
 
 public class PushNotificationData<T>
 {
-    public PushNotificationData(PushType type, T payload, string contextId)
+    public PushNotificationData(PushType type, T payload, string? contextId)
     {
         Type = type;
         Payload = payload;
@@ -14,7 +15,7 @@ public class PushNotificationData<T>
 
     public PushType Type { get; set; }
     public T Payload { get; set; }
-    public string ContextId { get; set; }
+    public string? ContextId { get; set; }
 }
 
 public class SyncCipherPushNotification
@@ -22,7 +23,7 @@ public class SyncCipherPushNotification
     public Guid Id { get; set; }
     public Guid? UserId { get; set; }
     public Guid? OrganizationId { get; set; }
-    public IEnumerable<Guid> CollectionIds { get; set; }
+    public IEnumerable<Guid>? CollectionIds { get; set; }
     public DateTime RevisionDate { get; set; }
 }
 
@@ -46,7 +47,6 @@ public class SyncSendPushNotification
     public DateTime RevisionDate { get; set; }
 }
 
-#nullable enable
 public class NotificationPushNotification
 {
     public Guid Id { get; set; }
@@ -59,8 +59,9 @@ public class NotificationPushNotification
     public string? Body { get; set; }
     public DateTime CreationDate { get; set; }
     public DateTime RevisionDate { get; set; }
+    public DateTime? ReadDate { get; set; }
+    public DateTime? DeletedDate { get; set; }
 }
-#nullable disable
 
 public class AuthRequestPushNotification
 {
diff --git a/src/Core/NotificationCenter/Commands/CreateNotificationStatusCommand.cs b/src/Core/NotificationCenter/Commands/CreateNotificationStatusCommand.cs
index fcd61ceebc..793da22f81 100644
--- a/src/Core/NotificationCenter/Commands/CreateNotificationStatusCommand.cs
+++ b/src/Core/NotificationCenter/Commands/CreateNotificationStatusCommand.cs
@@ -5,6 +5,7 @@ using Bit.Core.NotificationCenter.Authorization;
 using Bit.Core.NotificationCenter.Commands.Interfaces;
 using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.NotificationCenter.Repositories;
+using Bit.Core.Platform.Push;
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 
@@ -16,16 +17,19 @@ public class CreateNotificationStatusCommand : ICreateNotificationStatusCommand
     private readonly IAuthorizationService _authorizationService;
     private readonly INotificationRepository _notificationRepository;
     private readonly INotificationStatusRepository _notificationStatusRepository;
+    private readonly IPushNotificationService _pushNotificationService;
 
     public CreateNotificationStatusCommand(ICurrentContext currentContext,
         IAuthorizationService authorizationService,
         INotificationRepository notificationRepository,
-        INotificationStatusRepository notificationStatusRepository)
+        INotificationStatusRepository notificationStatusRepository,
+        IPushNotificationService pushNotificationService)
     {
         _currentContext = currentContext;
         _authorizationService = authorizationService;
         _notificationRepository = notificationRepository;
         _notificationStatusRepository = notificationStatusRepository;
+        _pushNotificationService = pushNotificationService;
     }
 
     public async Task<NotificationStatus> CreateAsync(NotificationStatus notificationStatus)
@@ -42,6 +46,10 @@ public class CreateNotificationStatusCommand : ICreateNotificationStatusCommand
         await _authorizationService.AuthorizeOrThrowAsync(_currentContext.HttpContext.User, notificationStatus,
             NotificationStatusOperations.Create);
 
-        return await _notificationStatusRepository.CreateAsync(notificationStatus);
+        var newNotificationStatus = await _notificationStatusRepository.CreateAsync(notificationStatus);
+
+        await _pushNotificationService.PushNotificationStatusAsync(notification, newNotificationStatus);
+
+        return newNotificationStatus;
     }
 }
diff --git a/src/Core/NotificationCenter/Commands/MarkNotificationDeletedCommand.cs b/src/Core/NotificationCenter/Commands/MarkNotificationDeletedCommand.cs
index 2ca7aa9051..256702c10c 100644
--- a/src/Core/NotificationCenter/Commands/MarkNotificationDeletedCommand.cs
+++ b/src/Core/NotificationCenter/Commands/MarkNotificationDeletedCommand.cs
@@ -5,6 +5,7 @@ using Bit.Core.NotificationCenter.Authorization;
 using Bit.Core.NotificationCenter.Commands.Interfaces;
 using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.NotificationCenter.Repositories;
+using Bit.Core.Platform.Push;
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 
@@ -16,16 +17,19 @@ public class MarkNotificationDeletedCommand : IMarkNotificationDeletedCommand
     private readonly IAuthorizationService _authorizationService;
     private readonly INotificationRepository _notificationRepository;
     private readonly INotificationStatusRepository _notificationStatusRepository;
+    private readonly IPushNotificationService _pushNotificationService;
 
     public MarkNotificationDeletedCommand(ICurrentContext currentContext,
         IAuthorizationService authorizationService,
         INotificationRepository notificationRepository,
-        INotificationStatusRepository notificationStatusRepository)
+        INotificationStatusRepository notificationStatusRepository,
+        IPushNotificationService pushNotificationService)
     {
         _currentContext = currentContext;
         _authorizationService = authorizationService;
         _notificationRepository = notificationRepository;
         _notificationStatusRepository = notificationStatusRepository;
+        _pushNotificationService = pushNotificationService;
     }
 
     public async Task MarkDeletedAsync(Guid notificationId)
@@ -59,7 +63,9 @@ public class MarkNotificationDeletedCommand : IMarkNotificationDeletedCommand
             await _authorizationService.AuthorizeOrThrowAsync(_currentContext.HttpContext.User, notificationStatus,
                 NotificationStatusOperations.Create);
 
-            await _notificationStatusRepository.CreateAsync(notificationStatus);
+            var newNotificationStatus = await _notificationStatusRepository.CreateAsync(notificationStatus);
+
+            await _pushNotificationService.PushNotificationStatusAsync(notification, newNotificationStatus);
         }
         else
         {
@@ -69,6 +75,8 @@ public class MarkNotificationDeletedCommand : IMarkNotificationDeletedCommand
             notificationStatus.DeletedDate = DateTime.UtcNow;
 
             await _notificationStatusRepository.UpdateAsync(notificationStatus);
+
+            await _pushNotificationService.PushNotificationStatusAsync(notification, notificationStatus);
         }
     }
 }
diff --git a/src/Core/NotificationCenter/Commands/MarkNotificationReadCommand.cs b/src/Core/NotificationCenter/Commands/MarkNotificationReadCommand.cs
index 400e44463a..9c9d1d48a2 100644
--- a/src/Core/NotificationCenter/Commands/MarkNotificationReadCommand.cs
+++ b/src/Core/NotificationCenter/Commands/MarkNotificationReadCommand.cs
@@ -5,6 +5,7 @@ using Bit.Core.NotificationCenter.Authorization;
 using Bit.Core.NotificationCenter.Commands.Interfaces;
 using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.NotificationCenter.Repositories;
+using Bit.Core.Platform.Push;
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 
@@ -16,16 +17,19 @@ public class MarkNotificationReadCommand : IMarkNotificationReadCommand
     private readonly IAuthorizationService _authorizationService;
     private readonly INotificationRepository _notificationRepository;
     private readonly INotificationStatusRepository _notificationStatusRepository;
+    private readonly IPushNotificationService _pushNotificationService;
 
     public MarkNotificationReadCommand(ICurrentContext currentContext,
         IAuthorizationService authorizationService,
         INotificationRepository notificationRepository,
-        INotificationStatusRepository notificationStatusRepository)
+        INotificationStatusRepository notificationStatusRepository,
+        IPushNotificationService pushNotificationService)
     {
         _currentContext = currentContext;
         _authorizationService = authorizationService;
         _notificationRepository = notificationRepository;
         _notificationStatusRepository = notificationStatusRepository;
+        _pushNotificationService = pushNotificationService;
     }
 
     public async Task MarkReadAsync(Guid notificationId)
@@ -59,7 +63,9 @@ public class MarkNotificationReadCommand : IMarkNotificationReadCommand
             await _authorizationService.AuthorizeOrThrowAsync(_currentContext.HttpContext.User, notificationStatus,
                 NotificationStatusOperations.Create);
 
-            await _notificationStatusRepository.CreateAsync(notificationStatus);
+            var newNotificationStatus = await _notificationStatusRepository.CreateAsync(notificationStatus);
+
+            await _pushNotificationService.PushNotificationStatusAsync(notification, newNotificationStatus);
         }
         else
         {
@@ -69,6 +75,8 @@ public class MarkNotificationReadCommand : IMarkNotificationReadCommand
             notificationStatus.ReadDate = DateTime.UtcNow;
 
             await _notificationStatusRepository.UpdateAsync(notificationStatus);
+
+            await _pushNotificationService.PushNotificationStatusAsync(notification, notificationStatus);
         }
     }
 }
diff --git a/src/Core/NotificationCenter/Commands/UpdateNotificationCommand.cs b/src/Core/NotificationCenter/Commands/UpdateNotificationCommand.cs
index f049478178..471786aac6 100644
--- a/src/Core/NotificationCenter/Commands/UpdateNotificationCommand.cs
+++ b/src/Core/NotificationCenter/Commands/UpdateNotificationCommand.cs
@@ -5,6 +5,7 @@ using Bit.Core.NotificationCenter.Authorization;
 using Bit.Core.NotificationCenter.Commands.Interfaces;
 using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.NotificationCenter.Repositories;
+using Bit.Core.Platform.Push;
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 
@@ -15,14 +16,17 @@ public class UpdateNotificationCommand : IUpdateNotificationCommand
     private readonly ICurrentContext _currentContext;
     private readonly IAuthorizationService _authorizationService;
     private readonly INotificationRepository _notificationRepository;
+    private readonly IPushNotificationService _pushNotificationService;
 
     public UpdateNotificationCommand(ICurrentContext currentContext,
         IAuthorizationService authorizationService,
-        INotificationRepository notificationRepository)
+        INotificationRepository notificationRepository,
+        IPushNotificationService pushNotificationService)
     {
         _currentContext = currentContext;
         _authorizationService = authorizationService;
         _notificationRepository = notificationRepository;
+        _pushNotificationService = pushNotificationService;
     }
 
     public async Task UpdateAsync(Notification notificationToUpdate)
@@ -43,5 +47,7 @@ public class UpdateNotificationCommand : IUpdateNotificationCommand
         notification.RevisionDate = DateTime.UtcNow;
 
         await _notificationRepository.ReplaceAsync(notification);
+
+        await _pushNotificationService.PushNotificationAsync(notification);
     }
 }
diff --git a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
index d1c7749d9f..7baf0352ee 100644
--- a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
+++ b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
@@ -1,4 +1,5 @@
-using System.Text.Json;
+#nullable enable
+using System.Text.Json;
 using System.Text.RegularExpressions;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Entities;
@@ -6,6 +7,7 @@ using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Models;
 using Bit.Core.Models.Data;
+using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Tools.Entities;
@@ -51,7 +53,7 @@ public class NotificationHubPushNotificationService : IPushNotificationService
         await PushCipherAsync(cipher, PushType.SyncLoginDelete, null);
     }
 
-    private async Task PushCipherAsync(Cipher cipher, PushType type, IEnumerable<Guid> collectionIds)
+    private async Task PushCipherAsync(Cipher cipher, PushType type, IEnumerable<Guid>? collectionIds)
     {
         if (cipher.OrganizationId.HasValue)
         {
@@ -209,6 +211,36 @@ public class NotificationHubPushNotificationService : IPushNotificationService
         }
     }
 
+    public async Task PushNotificationStatusAsync(Notification notification, NotificationStatus notificationStatus)
+    {
+        var message = new NotificationPushNotification
+        {
+            Id = notification.Id,
+            Priority = notification.Priority,
+            Global = notification.Global,
+            ClientType = notification.ClientType,
+            UserId = notification.UserId,
+            OrganizationId = notification.OrganizationId,
+            Title = notification.Title,
+            Body = notification.Body,
+            CreationDate = notification.CreationDate,
+            RevisionDate = notification.RevisionDate,
+            ReadDate = notificationStatus.ReadDate,
+            DeletedDate = notificationStatus.DeletedDate
+        };
+
+        if (notification.UserId.HasValue)
+        {
+            await SendPayloadToUserAsync(notification.UserId.Value, PushType.SyncNotificationStatus, message, true,
+                notification.ClientType);
+        }
+        else if (notification.OrganizationId.HasValue)
+        {
+            await SendPayloadToOrganizationAsync(notification.OrganizationId.Value, PushType.SyncNotificationStatus, message,
+                true, notification.ClientType);
+        }
+    }
+
     private async Task PushAuthRequestAsync(AuthRequest authRequest, PushType type)
     {
         var message = new AuthRequestPushNotification { Id = authRequest.Id, UserId = authRequest.UserId };
@@ -230,8 +262,8 @@ public class NotificationHubPushNotificationService : IPushNotificationService
             GetContextIdentifier(excludeCurrentContext), clientType: clientType);
     }
 
-    public async Task SendPayloadToUserAsync(string userId, PushType type, object payload, string identifier,
-        string deviceId = null, ClientType? clientType = null)
+    public async Task SendPayloadToUserAsync(string userId, PushType type, object payload, string? identifier,
+        string? deviceId = null, ClientType? clientType = null)
     {
         var tag = BuildTag($"template:payload_userId:{SanitizeTagInput(userId)}", identifier, clientType);
         await SendPayloadAsync(tag, type, payload);
@@ -241,8 +273,8 @@ public class NotificationHubPushNotificationService : IPushNotificationService
         }
     }
 
-    public async Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier,
-        string deviceId = null, ClientType? clientType = null)
+    public async Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string? identifier,
+        string? deviceId = null, ClientType? clientType = null)
     {
         var tag = BuildTag($"template:payload && organizationId:{SanitizeTagInput(orgId)}", identifier, clientType);
         await SendPayloadAsync(tag, type, payload);
@@ -277,7 +309,7 @@ public class NotificationHubPushNotificationService : IPushNotificationService
             false
         );
 
-    private string GetContextIdentifier(bool excludeCurrentContext)
+    private string? GetContextIdentifier(bool excludeCurrentContext)
     {
         if (!excludeCurrentContext)
         {
@@ -285,11 +317,11 @@ public class NotificationHubPushNotificationService : IPushNotificationService
         }
 
         var currentContext =
-            _httpContextAccessor?.HttpContext?.RequestServices.GetService(typeof(ICurrentContext)) as ICurrentContext;
+            _httpContextAccessor.HttpContext?.RequestServices.GetService(typeof(ICurrentContext)) as ICurrentContext;
         return currentContext?.DeviceIdentifier;
     }
 
-    private string BuildTag(string tag, string identifier, ClientType? clientType)
+    private string BuildTag(string tag, string? identifier, ClientType? clientType)
     {
         if (!string.IsNullOrWhiteSpace(identifier))
         {
diff --git a/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs b/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
index a25a017192..c32212c6b2 100644
--- a/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
@@ -1,4 +1,5 @@
-using System.Text.Json;
+#nullable enable
+using System.Text.Json;
 using Azure.Storage.Queues;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Entities;
@@ -42,7 +43,7 @@ public class AzureQueuePushNotificationService : IPushNotificationService
         await PushCipherAsync(cipher, PushType.SyncLoginDelete, null);
     }
 
-    private async Task PushCipherAsync(Cipher cipher, PushType type, IEnumerable<Guid> collectionIds)
+    private async Task PushCipherAsync(Cipher cipher, PushType type, IEnumerable<Guid>? collectionIds)
     {
         if (cipher.OrganizationId.HasValue)
         {
@@ -184,6 +185,27 @@ public class AzureQueuePushNotificationService : IPushNotificationService
         await SendMessageAsync(PushType.SyncNotification, message, true);
     }
 
+    public async Task PushNotificationStatusAsync(Notification notification, NotificationStatus notificationStatus)
+    {
+        var message = new NotificationPushNotification
+        {
+            Id = notification.Id,
+            Priority = notification.Priority,
+            Global = notification.Global,
+            ClientType = notification.ClientType,
+            UserId = notification.UserId,
+            OrganizationId = notification.OrganizationId,
+            Title = notification.Title,
+            Body = notification.Body,
+            CreationDate = notification.CreationDate,
+            RevisionDate = notification.RevisionDate,
+            ReadDate = notificationStatus.ReadDate,
+            DeletedDate = notificationStatus.DeletedDate
+        };
+
+        await SendMessageAsync(PushType.SyncNotificationStatus, message, true);
+    }
+
     private async Task PushSendAsync(Send send, PushType type)
     {
         if (send.UserId.HasValue)
@@ -207,7 +229,7 @@ public class AzureQueuePushNotificationService : IPushNotificationService
         await _queueClient.SendMessageAsync(message);
     }
 
-    private string GetContextIdentifier(bool excludeCurrentContext)
+    private string? GetContextIdentifier(bool excludeCurrentContext)
     {
         if (!excludeCurrentContext)
         {
@@ -219,15 +241,15 @@ public class AzureQueuePushNotificationService : IPushNotificationService
         return currentContext?.DeviceIdentifier;
     }
 
-    public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string identifier,
-        string deviceId = null, ClientType? clientType = null)
+    public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string? identifier,
+        string? deviceId = null, ClientType? clientType = null)
     {
         // Noop
         return Task.FromResult(0);
     }
 
-    public Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier,
-        string deviceId = null, ClientType? clientType = null)
+    public Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string? identifier,
+        string? deviceId = null, ClientType? clientType = null)
     {
         // Noop
         return Task.FromResult(0);
diff --git a/src/Core/Platform/Push/Services/IPushNotificationService.cs b/src/Core/Platform/Push/Services/IPushNotificationService.cs
index 7f2b6c90fe..1c7fdc659b 100644
--- a/src/Core/Platform/Push/Services/IPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/IPushNotificationService.cs
@@ -1,4 +1,5 @@
-using Bit.Core.AdminConsole.Entities;
+#nullable enable
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Enums;
 using Bit.Core.NotificationCenter.Entities;
@@ -25,12 +26,13 @@ public interface IPushNotificationService
     Task PushSyncSendUpdateAsync(Send send);
     Task PushSyncSendDeleteAsync(Send send);
     Task PushNotificationAsync(Notification notification);
+    Task PushNotificationStatusAsync(Notification notification, NotificationStatus notificationStatus);
     Task PushAuthRequestAsync(AuthRequest authRequest);
     Task PushAuthRequestResponseAsync(AuthRequest authRequest);
     Task PushSyncOrganizationStatusAsync(Organization organization);
     Task PushSyncOrganizationCollectionManagementSettingsAsync(Organization organization);
-    Task SendPayloadToUserAsync(string userId, PushType type, object payload, string identifier,
-        string deviceId = null, ClientType? clientType = null);
-    Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier,
-        string deviceId = null, ClientType? clientType = null);
+    Task SendPayloadToUserAsync(string userId, PushType type, object payload, string? identifier,
+        string? deviceId = null, ClientType? clientType = null);
+    Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string? identifier,
+        string? deviceId = null, ClientType? clientType = null);
 }
diff --git a/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs b/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
index db3107b6c3..9b4e66ae1a 100644
--- a/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
@@ -1,4 +1,5 @@
-using Bit.Core.AdminConsole.Entities;
+#nullable enable
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Enums;
 using Bit.Core.NotificationCenter.Entities;
@@ -24,7 +25,7 @@ public class MultiServicePushNotificationService : IPushNotificationService
 
         _logger = logger;
         _logger.LogInformation("Hub services: {Services}", _services.Count());
-        globalSettings?.NotificationHubPool?.NotificationHubs?.ForEach(hub =>
+        globalSettings.NotificationHubPool?.NotificationHubs?.ForEach(hub =>
         {
             _logger.LogInformation("HubName: {HubName}, EnableSendTracing: {EnableSendTracing}, RegistrationStartDate: {RegistrationStartDate}, RegistrationEndDate: {RegistrationEndDate}", hub.HubName, hub.EnableSendTracing, hub.RegistrationStartDate, hub.RegistrationEndDate);
         });
@@ -150,15 +151,21 @@ public class MultiServicePushNotificationService : IPushNotificationService
         return Task.CompletedTask;
     }
 
-    public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string identifier,
-        string deviceId = null, ClientType? clientType = null)
+    public Task PushNotificationStatusAsync(Notification notification, NotificationStatus notificationStatus)
+    {
+        PushToServices((s) => s.PushNotificationStatusAsync(notification, notificationStatus));
+        return Task.CompletedTask;
+    }
+
+    public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string? identifier,
+        string? deviceId = null, ClientType? clientType = null)
     {
         PushToServices((s) => s.SendPayloadToUserAsync(userId, type, payload, identifier, deviceId, clientType));
         return Task.FromResult(0);
     }
 
-    public Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier,
-        string deviceId = null, ClientType? clientType = null)
+    public Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string? identifier,
+        string? deviceId = null, ClientType? clientType = null)
     {
         PushToServices((s) => s.SendPayloadToOrganizationAsync(orgId, type, payload, identifier, deviceId, clientType));
         return Task.FromResult(0);
@@ -166,12 +173,16 @@ public class MultiServicePushNotificationService : IPushNotificationService
 
     private void PushToServices(Func<IPushNotificationService, Task> pushFunc)
     {
-        if (_services != null)
+        if (!_services.Any())
         {
-            foreach (var service in _services)
-            {
-                pushFunc(service);
-            }
+            _logger.LogWarning("No services found to push notification");
+            return;
+        }
+
+        foreach (var service in _services)
+        {
+            _logger.LogDebug("Pushing notification to service {ServiceName}", service.GetType().Name);
+            pushFunc(service);
         }
     }
 }
diff --git a/src/Core/Platform/Push/Services/NoopPushNotificationService.cs b/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
index fb4121179f..57c446c5e5 100644
--- a/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
@@ -1,4 +1,5 @@
-using Bit.Core.AdminConsole.Entities;
+#nullable enable
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Enums;
 using Bit.Core.NotificationCenter.Entities;
@@ -84,8 +85,8 @@ public class NoopPushNotificationService : IPushNotificationService
         return Task.FromResult(0);
     }
 
-    public Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier,
-        string deviceId = null, ClientType? clientType = null)
+    public Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string? identifier,
+        string? deviceId = null, ClientType? clientType = null)
     {
         return Task.FromResult(0);
     }
@@ -107,11 +108,14 @@ public class NoopPushNotificationService : IPushNotificationService
         return Task.FromResult(0);
     }
 
-    public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string identifier,
-        string deviceId = null, ClientType? clientType = null)
+    public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string? identifier,
+        string? deviceId = null, ClientType? clientType = null)
     {
         return Task.FromResult(0);
     }
 
     public Task PushNotificationAsync(Notification notification) => Task.CompletedTask;
+
+    public Task PushNotificationStatusAsync(Notification notification, NotificationStatus notificationStatus) =>
+        Task.CompletedTask;
 }
diff --git a/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs b/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
index fb3814fd64..7a557e8978 100644
--- a/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
@@ -1,4 +1,5 @@
-using Bit.Core.AdminConsole.Entities;
+#nullable enable
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Context;
 using Bit.Core.Enums;
@@ -16,7 +17,6 @@ namespace Bit.Core.Platform.Push;
 
 public class NotificationsApiPushNotificationService : BaseIdentityClientService, IPushNotificationService
 {
-    private readonly GlobalSettings _globalSettings;
     private readonly IHttpContextAccessor _httpContextAccessor;
 
     public NotificationsApiPushNotificationService(
@@ -33,7 +33,6 @@ public class NotificationsApiPushNotificationService : BaseIdentityClientService
             globalSettings.InternalIdentityKey,
             logger)
     {
-        _globalSettings = globalSettings;
         _httpContextAccessor = httpContextAccessor;
     }
 
@@ -52,7 +51,7 @@ public class NotificationsApiPushNotificationService : BaseIdentityClientService
         await PushCipherAsync(cipher, PushType.SyncLoginDelete, null);
     }
 
-    private async Task PushCipherAsync(Cipher cipher, PushType type, IEnumerable<Guid> collectionIds)
+    private async Task PushCipherAsync(Cipher cipher, PushType type, IEnumerable<Guid>? collectionIds)
     {
         if (cipher.OrganizationId.HasValue)
         {
@@ -203,6 +202,27 @@ public class NotificationsApiPushNotificationService : BaseIdentityClientService
         await SendMessageAsync(PushType.SyncNotification, message, true);
     }
 
+    public async Task PushNotificationStatusAsync(Notification notification, NotificationStatus notificationStatus)
+    {
+        var message = new NotificationPushNotification
+        {
+            Id = notification.Id,
+            Priority = notification.Priority,
+            Global = notification.Global,
+            ClientType = notification.ClientType,
+            UserId = notification.UserId,
+            OrganizationId = notification.OrganizationId,
+            Title = notification.Title,
+            Body = notification.Body,
+            CreationDate = notification.CreationDate,
+            RevisionDate = notification.RevisionDate,
+            ReadDate = notificationStatus.ReadDate,
+            DeletedDate = notificationStatus.DeletedDate
+        };
+
+        await SendMessageAsync(PushType.SyncNotificationStatus, message, true);
+    }
+
     private async Task PushSendAsync(Send send, PushType type)
     {
         if (send.UserId.HasValue)
@@ -225,7 +245,7 @@ public class NotificationsApiPushNotificationService : BaseIdentityClientService
         await SendAsync(HttpMethod.Post, "send", request);
     }
 
-    private string GetContextIdentifier(bool excludeCurrentContext)
+    private string? GetContextIdentifier(bool excludeCurrentContext)
     {
         if (!excludeCurrentContext)
         {
@@ -233,19 +253,19 @@ public class NotificationsApiPushNotificationService : BaseIdentityClientService
         }
 
         var currentContext =
-            _httpContextAccessor?.HttpContext?.RequestServices.GetService(typeof(ICurrentContext)) as ICurrentContext;
+            _httpContextAccessor.HttpContext?.RequestServices.GetService(typeof(ICurrentContext)) as ICurrentContext;
         return currentContext?.DeviceIdentifier;
     }
 
-    public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string identifier,
-        string deviceId = null, ClientType? clientType = null)
+    public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string? identifier,
+        string? deviceId = null, ClientType? clientType = null)
     {
         // Noop
         return Task.FromResult(0);
     }
 
-    public Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier,
-        string deviceId = null, ClientType? clientType = null)
+    public Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string? identifier,
+        string? deviceId = null, ClientType? clientType = null)
     {
         // Noop
         return Task.FromResult(0);
diff --git a/src/Core/Platform/Push/Services/RelayPushNotificationService.cs b/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
index 4d99f04768..09f42fd0d1 100644
--- a/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
@@ -1,4 +1,5 @@
-using Bit.Core.AdminConsole.Entities;
+#nullable enable
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Context;
 using Bit.Core.Enums;
@@ -55,7 +56,7 @@ public class RelayPushNotificationService : BaseIdentityClientService, IPushNoti
         await PushCipherAsync(cipher, PushType.SyncLoginDelete, null);
     }
 
-    private async Task PushCipherAsync(Cipher cipher, PushType type, IEnumerable<Guid> collectionIds)
+    private async Task PushCipherAsync(Cipher cipher, PushType type, IEnumerable<Guid>? collectionIds)
     {
         if (cipher.OrganizationId.HasValue)
         {
@@ -219,6 +220,36 @@ public class RelayPushNotificationService : BaseIdentityClientService, IPushNoti
         }
     }
 
+    public async Task PushNotificationStatusAsync(Notification notification, NotificationStatus notificationStatus)
+    {
+        var message = new NotificationPushNotification
+        {
+            Id = notification.Id,
+            Priority = notification.Priority,
+            Global = notification.Global,
+            ClientType = notification.ClientType,
+            UserId = notification.UserId,
+            OrganizationId = notification.OrganizationId,
+            Title = notification.Title,
+            Body = notification.Body,
+            CreationDate = notification.CreationDate,
+            RevisionDate = notification.RevisionDate,
+            ReadDate = notificationStatus.ReadDate,
+            DeletedDate = notificationStatus.DeletedDate
+        };
+
+        if (notification.UserId.HasValue)
+        {
+            await SendPayloadToUserAsync(notification.UserId.Value, PushType.SyncNotificationStatus, message, true,
+                notification.ClientType);
+        }
+        else if (notification.OrganizationId.HasValue)
+        {
+            await SendPayloadToOrganizationAsync(notification.OrganizationId.Value, PushType.SyncNotificationStatus, message,
+                true, notification.ClientType);
+        }
+    }
+
     public async Task PushSyncOrganizationStatusAsync(Organization organization)
     {
         var message = new OrganizationStatusPushNotification
@@ -277,7 +308,7 @@ public class RelayPushNotificationService : BaseIdentityClientService, IPushNoti
     private async Task AddCurrentContextAsync(PushSendRequestModel request, bool addIdentifier)
     {
         var currentContext =
-            _httpContextAccessor?.HttpContext?.RequestServices.GetService(typeof(ICurrentContext)) as ICurrentContext;
+            _httpContextAccessor.HttpContext?.RequestServices.GetService(typeof(ICurrentContext)) as ICurrentContext;
         if (!string.IsNullOrWhiteSpace(currentContext?.DeviceIdentifier))
         {
             var device = await _deviceRepository.GetByIdentifierAsync(currentContext.DeviceIdentifier);
@@ -293,14 +324,14 @@ public class RelayPushNotificationService : BaseIdentityClientService, IPushNoti
         }
     }
 
-    public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string identifier,
-        string deviceId = null, ClientType? clientType = null)
+    public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string? identifier,
+        string? deviceId = null, ClientType? clientType = null)
     {
         throw new NotImplementedException();
     }
 
-    public Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier,
-        string deviceId = null, ClientType? clientType = null)
+    public Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string? identifier,
+        string? deviceId = null, ClientType? clientType = null)
     {
         throw new NotImplementedException();
     }
diff --git a/src/Notifications/HubHelpers.cs b/src/Notifications/HubHelpers.cs
index 9b0164fdc5..af571e48c4 100644
--- a/src/Notifications/HubHelpers.cs
+++ b/src/Notifications/HubHelpers.cs
@@ -104,6 +104,7 @@ public static class HubHelpers
                     .SendAsync("ReceiveMessage", organizationCollectionSettingsChangedNotification, cancellationToken);
                 break;
             case PushType.SyncNotification:
+            case PushType.SyncNotificationStatus:
                 var syncNotification =
                     JsonSerializer.Deserialize<PushNotificationData<NotificationPushNotification>>(
                         notificationJson, _deserializerOptions);
diff --git a/test/Core.Test/NotificationCenter/Commands/CreateNotificationCommandTest.cs b/test/Core.Test/NotificationCenter/Commands/CreateNotificationCommandTest.cs
index 41efce82ab..3256f2f9cb 100644
--- a/test/Core.Test/NotificationCenter/Commands/CreateNotificationCommandTest.cs
+++ b/test/Core.Test/NotificationCenter/Commands/CreateNotificationCommandTest.cs
@@ -41,6 +41,12 @@ public class CreateNotificationCommandTest
         Setup(sutProvider, notification, authorized: false);
 
         await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.CreateAsync(notification));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(Arg.Any<Notification>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationStatusAsync(Arg.Any<Notification>(), Arg.Any<NotificationStatus>());
     }
 
     [Theory]
@@ -59,5 +65,8 @@ public class CreateNotificationCommandTest
         await sutProvider.GetDependency<IPushNotificationService>()
             .Received(1)
             .PushNotificationAsync(newNotification);
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationStatusAsync(Arg.Any<Notification>(), Arg.Any<NotificationStatus>());
     }
 }
diff --git a/test/Core.Test/NotificationCenter/Commands/CreateNotificationStatusCommandTest.cs b/test/Core.Test/NotificationCenter/Commands/CreateNotificationStatusCommandTest.cs
index 8dc8524926..78aaaba18f 100644
--- a/test/Core.Test/NotificationCenter/Commands/CreateNotificationStatusCommandTest.cs
+++ b/test/Core.Test/NotificationCenter/Commands/CreateNotificationStatusCommandTest.cs
@@ -5,6 +5,7 @@ using Bit.Core.NotificationCenter.Authorization;
 using Bit.Core.NotificationCenter.Commands;
 using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.NotificationCenter.Repositories;
+using Bit.Core.Platform.Push;
 using Bit.Core.Test.NotificationCenter.AutoFixture;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -50,6 +51,12 @@ public class CreateNotificationStatusCommandTest
         Setup(sutProvider, notification: null, notificationStatus, true, true);
 
         await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.CreateAsync(notificationStatus));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationStatusAsync(Arg.Any<Notification>(), Arg.Any<NotificationStatus>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(Arg.Any<Notification>());
     }
 
     [Theory]
@@ -61,6 +68,12 @@ public class CreateNotificationStatusCommandTest
         Setup(sutProvider, notification, notificationStatus, authorizedNotification: false, true);
 
         await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.CreateAsync(notificationStatus));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationStatusAsync(Arg.Any<Notification>(), Arg.Any<NotificationStatus>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(Arg.Any<Notification>());
     }
 
     [Theory]
@@ -72,6 +85,12 @@ public class CreateNotificationStatusCommandTest
         Setup(sutProvider, notification, notificationStatus, true, authorizedCreate: false);
 
         await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.CreateAsync(notificationStatus));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationStatusAsync(Arg.Any<Notification>(), Arg.Any<NotificationStatus>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(Arg.Any<Notification>());
     }
 
     [Theory]
@@ -85,5 +104,11 @@ public class CreateNotificationStatusCommandTest
         var newNotificationStatus = await sutProvider.Sut.CreateAsync(notificationStatus);
 
         Assert.Equal(notificationStatus, newNotificationStatus);
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushNotificationStatusAsync(notification, notificationStatus);
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(Arg.Any<Notification>());
     }
 }
diff --git a/test/Core.Test/NotificationCenter/Commands/MarkNotificationDeletedCommandTest.cs b/test/Core.Test/NotificationCenter/Commands/MarkNotificationDeletedCommandTest.cs
index a5bb20423c..f1d23b5f18 100644
--- a/test/Core.Test/NotificationCenter/Commands/MarkNotificationDeletedCommandTest.cs
+++ b/test/Core.Test/NotificationCenter/Commands/MarkNotificationDeletedCommandTest.cs
@@ -6,6 +6,7 @@ using Bit.Core.NotificationCenter.Authorization;
 using Bit.Core.NotificationCenter.Commands;
 using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.NotificationCenter.Repositories;
+using Bit.Core.Platform.Push;
 using Bit.Core.Test.NotificationCenter.AutoFixture;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -63,6 +64,12 @@ public class MarkNotificationDeletedCommandTest
         Setup(sutProvider, notificationId, userId: null, notification, notificationStatus, true, true, true);
 
         await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.MarkDeletedAsync(notificationId));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationStatusAsync(Arg.Any<Notification>(), Arg.Any<NotificationStatus>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(Arg.Any<Notification>());
     }
 
     [Theory]
@@ -74,6 +81,12 @@ public class MarkNotificationDeletedCommandTest
         Setup(sutProvider, notificationId, userId, notification: null, notificationStatus, true, true, true);
 
         await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.MarkDeletedAsync(notificationId));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationStatusAsync(Arg.Any<Notification>(), Arg.Any<NotificationStatus>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(Arg.Any<Notification>());
     }
 
     [Theory]
@@ -86,6 +99,12 @@ public class MarkNotificationDeletedCommandTest
             true, true);
 
         await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.MarkDeletedAsync(notificationId));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationStatusAsync(Arg.Any<Notification>(), Arg.Any<NotificationStatus>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(Arg.Any<Notification>());
     }
 
     [Theory]
@@ -98,6 +117,12 @@ public class MarkNotificationDeletedCommandTest
             authorizedCreate: false, true);
 
         await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.MarkDeletedAsync(notificationId));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationStatusAsync(Arg.Any<Notification>(), Arg.Any<NotificationStatus>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(Arg.Any<Notification>());
     }
 
     [Theory]
@@ -110,6 +135,12 @@ public class MarkNotificationDeletedCommandTest
             authorizedUpdate: false);
 
         await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.MarkDeletedAsync(notificationId));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationStatusAsync(Arg.Any<Notification>(), Arg.Any<NotificationStatus>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(Arg.Any<Notification>());
     }
 
     [Theory]
@@ -119,13 +150,25 @@ public class MarkNotificationDeletedCommandTest
         Guid notificationId, Guid userId, Notification notification)
     {
         Setup(sutProvider, notificationId, userId, notification, notificationStatus: null, true, true, true);
+        var expectedNotificationStatus = new NotificationStatus
+        {
+            NotificationId = notificationId,
+            UserId = userId,
+            ReadDate = null,
+            DeletedDate = DateTime.UtcNow
+        };
 
         await sutProvider.Sut.MarkDeletedAsync(notificationId);
 
         await sutProvider.GetDependency<INotificationStatusRepository>().Received(1)
-            .CreateAsync(Arg.Is<NotificationStatus>(ns =>
-                ns.NotificationId == notificationId && ns.UserId == userId && !ns.ReadDate.HasValue &&
-                ns.DeletedDate.HasValue && DateTime.UtcNow - ns.DeletedDate.Value < TimeSpan.FromMinutes(1)));
+            .CreateAsync(Arg.Do<NotificationStatus>(ns => AssertNotificationStatus(expectedNotificationStatus, ns)));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushNotificationStatusAsync(notification,
+                Arg.Do<NotificationStatus>(ns => AssertNotificationStatus(expectedNotificationStatus, ns)));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(Arg.Any<Notification>());
     }
 
     [Theory]
@@ -134,18 +177,30 @@ public class MarkNotificationDeletedCommandTest
         SutProvider<MarkNotificationDeletedCommand> sutProvider,
         Guid notificationId, Guid userId, Notification notification, NotificationStatus notificationStatus)
     {
-        var deletedDate = notificationStatus.DeletedDate;
-
         Setup(sutProvider, notificationId, userId, notification, notificationStatus, true, true, true);
 
         await sutProvider.Sut.MarkDeletedAsync(notificationId);
 
         await sutProvider.GetDependency<INotificationStatusRepository>().Received(1)
-            .UpdateAsync(Arg.Is<NotificationStatus>(ns =>
-                ns.Equals(notificationStatus) &&
-                ns.NotificationId == notificationStatus.NotificationId && ns.UserId == notificationStatus.UserId &&
-                ns.ReadDate == notificationStatus.ReadDate && ns.DeletedDate != deletedDate &&
-                ns.DeletedDate.HasValue &&
-                DateTime.UtcNow - ns.DeletedDate.Value < TimeSpan.FromMinutes(1)));
+            .UpdateAsync(Arg.Do<NotificationStatus>(ns => AssertNotificationStatus(notificationStatus, ns)));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushNotificationStatusAsync(notification,
+                Arg.Do<NotificationStatus>(ns => AssertNotificationStatus(notificationStatus, ns)));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(Arg.Any<Notification>());
+    }
+
+    private static void AssertNotificationStatus(NotificationStatus expectedNotificationStatus,
+        NotificationStatus? actualNotificationStatus)
+    {
+        Assert.NotNull(actualNotificationStatus);
+        Assert.Equal(expectedNotificationStatus.NotificationId, actualNotificationStatus.NotificationId);
+        Assert.Equal(expectedNotificationStatus.UserId, actualNotificationStatus.UserId);
+        Assert.Equal(expectedNotificationStatus.ReadDate, actualNotificationStatus.ReadDate);
+        Assert.NotEqual(expectedNotificationStatus.DeletedDate, actualNotificationStatus.DeletedDate);
+        Assert.NotNull(actualNotificationStatus.DeletedDate);
+        Assert.Equal(DateTime.UtcNow, actualNotificationStatus.DeletedDate.Value, TimeSpan.FromMinutes(1));
     }
 }
diff --git a/test/Core.Test/NotificationCenter/Commands/MarkNotificationReadCommandTest.cs b/test/Core.Test/NotificationCenter/Commands/MarkNotificationReadCommandTest.cs
index f80234c075..481a973d32 100644
--- a/test/Core.Test/NotificationCenter/Commands/MarkNotificationReadCommandTest.cs
+++ b/test/Core.Test/NotificationCenter/Commands/MarkNotificationReadCommandTest.cs
@@ -6,6 +6,7 @@ using Bit.Core.NotificationCenter.Authorization;
 using Bit.Core.NotificationCenter.Commands;
 using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.NotificationCenter.Repositories;
+using Bit.Core.Platform.Push;
 using Bit.Core.Test.NotificationCenter.AutoFixture;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -63,6 +64,12 @@ public class MarkNotificationReadCommandTest
         Setup(sutProvider, notificationId, userId: null, notification, notificationStatus, true, true, true);
 
         await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.MarkReadAsync(notificationId));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationStatusAsync(Arg.Any<Notification>(), Arg.Any<NotificationStatus>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(Arg.Any<Notification>());
     }
 
     [Theory]
@@ -74,6 +81,12 @@ public class MarkNotificationReadCommandTest
         Setup(sutProvider, notificationId, userId, notification: null, notificationStatus, true, true, true);
 
         await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.MarkReadAsync(notificationId));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationStatusAsync(Arg.Any<Notification>(), Arg.Any<NotificationStatus>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(Arg.Any<Notification>());
     }
 
     [Theory]
@@ -86,6 +99,12 @@ public class MarkNotificationReadCommandTest
             true, true);
 
         await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.MarkReadAsync(notificationId));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationStatusAsync(Arg.Any<Notification>(), Arg.Any<NotificationStatus>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(Arg.Any<Notification>());
     }
 
     [Theory]
@@ -98,6 +117,12 @@ public class MarkNotificationReadCommandTest
             authorizedCreate: false, true);
 
         await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.MarkReadAsync(notificationId));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationStatusAsync(Arg.Any<Notification>(), Arg.Any<NotificationStatus>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(Arg.Any<Notification>());
     }
 
     [Theory]
@@ -110,6 +135,12 @@ public class MarkNotificationReadCommandTest
             authorizedUpdate: false);
 
         await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.MarkReadAsync(notificationId));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationStatusAsync(Arg.Any<Notification>(), Arg.Any<NotificationStatus>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(Arg.Any<Notification>());
     }
 
     [Theory]
@@ -119,13 +150,25 @@ public class MarkNotificationReadCommandTest
         Guid notificationId, Guid userId, Notification notification)
     {
         Setup(sutProvider, notificationId, userId, notification, notificationStatus: null, true, true, true);
+        var expectedNotificationStatus = new NotificationStatus
+        {
+            NotificationId = notificationId,
+            UserId = userId,
+            ReadDate = DateTime.UtcNow,
+            DeletedDate = null
+        };
 
         await sutProvider.Sut.MarkReadAsync(notificationId);
 
         await sutProvider.GetDependency<INotificationStatusRepository>().Received(1)
-            .CreateAsync(Arg.Is<NotificationStatus>(ns =>
-                ns.NotificationId == notificationId && ns.UserId == userId && !ns.DeletedDate.HasValue &&
-                ns.ReadDate.HasValue && DateTime.UtcNow - ns.ReadDate.Value < TimeSpan.FromMinutes(1)));
+            .CreateAsync(Arg.Do<NotificationStatus>(ns => AssertNotificationStatus(expectedNotificationStatus, ns)));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushNotificationStatusAsync(notification,
+                Arg.Do<NotificationStatus>(ns => AssertNotificationStatus(expectedNotificationStatus, ns)));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(Arg.Any<Notification>());
     }
 
     [Theory]
@@ -134,18 +177,30 @@ public class MarkNotificationReadCommandTest
         SutProvider<MarkNotificationReadCommand> sutProvider,
         Guid notificationId, Guid userId, Notification notification, NotificationStatus notificationStatus)
     {
-        var readDate = notificationStatus.ReadDate;
-
         Setup(sutProvider, notificationId, userId, notification, notificationStatus, true, true, true);
 
         await sutProvider.Sut.MarkReadAsync(notificationId);
 
         await sutProvider.GetDependency<INotificationStatusRepository>().Received(1)
-            .UpdateAsync(Arg.Is<NotificationStatus>(ns =>
-                ns.Equals(notificationStatus) &&
-                ns.NotificationId == notificationStatus.NotificationId && ns.UserId == notificationStatus.UserId &&
-                ns.DeletedDate == notificationStatus.DeletedDate && ns.ReadDate != readDate &&
-                ns.ReadDate.HasValue &&
-                DateTime.UtcNow - ns.ReadDate.Value < TimeSpan.FromMinutes(1)));
+            .UpdateAsync(Arg.Do<NotificationStatus>(ns => AssertNotificationStatus(notificationStatus, ns)));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushNotificationStatusAsync(notification,
+                Arg.Do<NotificationStatus>(ns => AssertNotificationStatus(notificationStatus, ns)));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(Arg.Any<Notification>());
+    }
+
+    private static void AssertNotificationStatus(NotificationStatus expectedNotificationStatus,
+        NotificationStatus? actualNotificationStatus)
+    {
+        Assert.NotNull(actualNotificationStatus);
+        Assert.Equal(expectedNotificationStatus.NotificationId, actualNotificationStatus.NotificationId);
+        Assert.Equal(expectedNotificationStatus.UserId, actualNotificationStatus.UserId);
+        Assert.NotEqual(expectedNotificationStatus.ReadDate, actualNotificationStatus.ReadDate);
+        Assert.NotNull(actualNotificationStatus.ReadDate);
+        Assert.Equal(DateTime.UtcNow, actualNotificationStatus.ReadDate.Value, TimeSpan.FromMinutes(1));
+        Assert.Equal(expectedNotificationStatus.DeletedDate, actualNotificationStatus.DeletedDate);
     }
 }
diff --git a/test/Core.Test/NotificationCenter/Commands/UpdateNotificationCommandTest.cs b/test/Core.Test/NotificationCenter/Commands/UpdateNotificationCommandTest.cs
index 976d1d77a3..406347e0df 100644
--- a/test/Core.Test/NotificationCenter/Commands/UpdateNotificationCommandTest.cs
+++ b/test/Core.Test/NotificationCenter/Commands/UpdateNotificationCommandTest.cs
@@ -7,6 +7,7 @@ using Bit.Core.NotificationCenter.Commands;
 using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.NotificationCenter.Enums;
 using Bit.Core.NotificationCenter.Repositories;
+using Bit.Core.Platform.Push;
 using Bit.Core.Test.NotificationCenter.AutoFixture;
 using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture;
@@ -45,6 +46,12 @@ public class UpdateNotificationCommandTest
         Setup(sutProvider, notification.Id, notification: null, true);
 
         await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.UpdateAsync(notification));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(Arg.Any<Notification>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationStatusAsync(Arg.Any<Notification>(), Arg.Any<NotificationStatus>());
     }
 
     [Theory]
@@ -56,6 +63,12 @@ public class UpdateNotificationCommandTest
         Setup(sutProvider, notification.Id, notification, authorized: false);
 
         await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.UpdateAsync(notification));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(Arg.Any<Notification>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationStatusAsync(Arg.Any<Notification>(), Arg.Any<NotificationStatus>());
     }
 
     [Theory]
@@ -91,5 +104,11 @@ public class UpdateNotificationCommandTest
                 n.Priority == notificationToUpdate.Priority && n.ClientType == notificationToUpdate.ClientType &&
                 n.Title == notificationToUpdate.Title && n.Body == notificationToUpdate.Body &&
                 DateTime.UtcNow - n.RevisionDate < TimeSpan.FromMinutes(1)));
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushNotificationAsync(notification);
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationStatusAsync(Arg.Any<Notification>(), Arg.Any<NotificationStatus>());
     }
 }
diff --git a/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs b/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs
index f1cfdc9f85..2b8ff88dc1 100644
--- a/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs
+++ b/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs
@@ -15,12 +15,13 @@ using Xunit;
 namespace Bit.Core.Test.NotificationHub;
 
 [SutProviderCustomize]
+[NotificationStatusCustomize]
 public class NotificationHubPushNotificationServiceTests
 {
     [Theory]
     [BitAutoData]
     [NotificationCustomize]
-    public async void PushNotificationAsync_Global_NotSent(
+    public async Task PushNotificationAsync_Global_NotSent(
         SutProvider<NotificationHubPushNotificationService> sutProvider, Notification notification)
     {
         await sutProvider.Sut.PushNotificationAsync(notification);
@@ -39,7 +40,7 @@ public class NotificationHubPushNotificationServiceTests
     [BitAutoData(false)]
     [BitAutoData(true)]
     [NotificationCustomize(false)]
-    public async void PushNotificationAsync_UserIdProvidedClientTypeAll_SentToUser(
+    public async Task PushNotificationAsync_UserIdProvidedClientTypeAll_SentToUser(
         bool organizationIdNull, SutProvider<NotificationHubPushNotificationService> sutProvider,
         Notification notification)
     {
@@ -49,11 +50,12 @@ public class NotificationHubPushNotificationServiceTests
         }
 
         notification.ClientType = ClientType.All;
-        var expectedSyncNotification = ToSyncNotificationPushNotification(notification);
+        var expectedNotification = ToNotificationPushNotification(notification, null);
 
         await sutProvider.Sut.PushNotificationAsync(notification);
 
-        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification, expectedSyncNotification,
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification,
+            expectedNotification,
             $"(template:payload_userId:{notification.UserId})");
         await sutProvider.GetDependency<IInstallationDeviceRepository>()
             .Received(0)
@@ -61,30 +63,46 @@ public class NotificationHubPushNotificationServiceTests
     }
 
     [Theory]
-    [BitAutoData(false, ClientType.Browser)]
-    [BitAutoData(false, ClientType.Desktop)]
-    [BitAutoData(false, ClientType.Web)]
-    [BitAutoData(false, ClientType.Mobile)]
-    [BitAutoData(true, ClientType.Browser)]
-    [BitAutoData(true, ClientType.Desktop)]
-    [BitAutoData(true, ClientType.Web)]
-    [BitAutoData(true, ClientType.Mobile)]
+    [BitAutoData(ClientType.Browser)]
+    [BitAutoData(ClientType.Desktop)]
+    [BitAutoData(ClientType.Web)]
+    [BitAutoData(ClientType.Mobile)]
     [NotificationCustomize(false)]
-    public async void PushNotificationAsync_UserIdProvidedClientTypeNotAll_SentToUser(bool organizationIdNull,
+    public async Task PushNotificationAsync_UserIdProvidedOrganizationIdNullClientTypeNotAll_SentToUser(
         ClientType clientType, SutProvider<NotificationHubPushNotificationService> sutProvider,
         Notification notification)
     {
-        if (organizationIdNull)
-        {
-            notification.OrganizationId = null;
-        }
-
+        notification.OrganizationId = null;
         notification.ClientType = clientType;
-        var expectedSyncNotification = ToSyncNotificationPushNotification(notification);
+        var expectedNotification = ToNotificationPushNotification(notification, null);
 
         await sutProvider.Sut.PushNotificationAsync(notification);
 
-        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification, expectedSyncNotification,
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification,
+            expectedNotification,
+            $"(template:payload_userId:{notification.UserId} && clientType:{clientType})");
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
+    }
+
+    [Theory]
+    [BitAutoData(ClientType.Browser)]
+    [BitAutoData(ClientType.Desktop)]
+    [BitAutoData(ClientType.Web)]
+    [BitAutoData(ClientType.Mobile)]
+    [NotificationCustomize(false)]
+    public async Task PushNotificationAsync_UserIdProvidedOrganizationIdProvidedClientTypeNotAll_SentToUser(
+        ClientType clientType, SutProvider<NotificationHubPushNotificationService> sutProvider,
+        Notification notification)
+    {
+        notification.ClientType = clientType;
+        var expectedNotification = ToNotificationPushNotification(notification, null);
+
+        await sutProvider.Sut.PushNotificationAsync(notification);
+
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification,
+            expectedNotification,
             $"(template:payload_userId:{notification.UserId} && clientType:{clientType})");
         await sutProvider.GetDependency<IInstallationDeviceRepository>()
             .Received(0)
@@ -94,16 +112,17 @@ public class NotificationHubPushNotificationServiceTests
     [Theory]
     [BitAutoData]
     [NotificationCustomize(false)]
-    public async void PushNotificationAsync_UserIdNullOrganizationIdProvidedClientTypeAll_SentToOrganization(
+    public async Task PushNotificationAsync_UserIdNullOrganizationIdProvidedClientTypeAll_SentToOrganization(
         SutProvider<NotificationHubPushNotificationService> sutProvider, Notification notification)
     {
         notification.UserId = null;
         notification.ClientType = ClientType.All;
-        var expectedSyncNotification = ToSyncNotificationPushNotification(notification);
+        var expectedNotification = ToNotificationPushNotification(notification, null);
 
         await sutProvider.Sut.PushNotificationAsync(notification);
 
-        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification, expectedSyncNotification,
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification,
+            expectedNotification,
             $"(template:payload && organizationId:{notification.OrganizationId})");
         await sutProvider.GetDependency<IInstallationDeviceRepository>()
             .Received(0)
@@ -116,18 +135,156 @@ public class NotificationHubPushNotificationServiceTests
     [BitAutoData(ClientType.Web)]
     [BitAutoData(ClientType.Mobile)]
     [NotificationCustomize(false)]
-    public async void PushNotificationAsync_UserIdNullOrganizationIdProvidedClientTypeNotAll_SentToOrganization(
+    public async Task PushNotificationAsync_UserIdNullOrganizationIdProvidedClientTypeNotAll_SentToOrganization(
         ClientType clientType, SutProvider<NotificationHubPushNotificationService> sutProvider,
         Notification notification)
     {
         notification.UserId = null;
         notification.ClientType = clientType;
-
-        var expectedSyncNotification = ToSyncNotificationPushNotification(notification);
+        var expectedNotification = ToNotificationPushNotification(notification, null);
 
         await sutProvider.Sut.PushNotificationAsync(notification);
 
-        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification, expectedSyncNotification,
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification,
+            expectedNotification,
+            $"(template:payload && organizationId:{notification.OrganizationId} && clientType:{clientType})");
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    [NotificationCustomize]
+    public async Task PushNotificationStatusAsync_Global_NotSent(
+        SutProvider<NotificationHubPushNotificationService> sutProvider, Notification notification,
+        NotificationStatus notificationStatus)
+    {
+        await sutProvider.Sut.PushNotificationStatusAsync(notification, notificationStatus);
+
+        await sutProvider.GetDependency<INotificationHubPool>()
+            .Received(0)
+            .AllClients
+            .Received(0)
+            .SendTemplateNotificationAsync(Arg.Any<IDictionary<string, string>>(), Arg.Any<string>());
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
+    }
+
+    [Theory]
+    [BitAutoData(false)]
+    [BitAutoData(true)]
+    [NotificationCustomize(false)]
+    public async Task PushNotificationStatusAsync_UserIdProvidedClientTypeAll_SentToUser(
+        bool organizationIdNull, SutProvider<NotificationHubPushNotificationService> sutProvider,
+        Notification notification, NotificationStatus notificationStatus)
+    {
+        if (organizationIdNull)
+        {
+            notification.OrganizationId = null;
+        }
+
+        notification.ClientType = ClientType.All;
+        var expectedNotification = ToNotificationPushNotification(notification, notificationStatus);
+
+        await sutProvider.Sut.PushNotificationStatusAsync(notification, notificationStatus);
+
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotificationStatus,
+            expectedNotification,
+            $"(template:payload_userId:{notification.UserId})");
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
+    }
+
+    [Theory]
+    [BitAutoData(ClientType.Browser)]
+    [BitAutoData(ClientType.Desktop)]
+    [BitAutoData(ClientType.Web)]
+    [BitAutoData(ClientType.Mobile)]
+    [NotificationCustomize(false)]
+    public async Task PushNotificationStatusAsync_UserIdProvidedOrganizationIdNullClientTypeNotAll_SentToUser(
+        ClientType clientType, SutProvider<NotificationHubPushNotificationService> sutProvider,
+        Notification notification, NotificationStatus notificationStatus)
+    {
+        notification.OrganizationId = null;
+        notification.ClientType = clientType;
+        var expectedNotification = ToNotificationPushNotification(notification, notificationStatus);
+
+        await sutProvider.Sut.PushNotificationStatusAsync(notification, notificationStatus);
+
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotificationStatus,
+            expectedNotification,
+            $"(template:payload_userId:{notification.UserId} && clientType:{clientType})");
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
+    }
+
+    [Theory]
+    [BitAutoData(ClientType.Browser)]
+    [BitAutoData(ClientType.Desktop)]
+    [BitAutoData(ClientType.Web)]
+    [BitAutoData(ClientType.Mobile)]
+    [NotificationCustomize(false)]
+    public async Task PushNotificationStatusAsync_UserIdProvidedOrganizationIdProvidedClientTypeNotAll_SentToUser(
+        ClientType clientType, SutProvider<NotificationHubPushNotificationService> sutProvider,
+        Notification notification, NotificationStatus notificationStatus)
+    {
+        notification.ClientType = clientType;
+        var expectedNotification = ToNotificationPushNotification(notification, notificationStatus);
+
+        await sutProvider.Sut.PushNotificationStatusAsync(notification, notificationStatus);
+
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotificationStatus,
+            expectedNotification,
+            $"(template:payload_userId:{notification.UserId} && clientType:{clientType})");
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    [NotificationCustomize(false)]
+    public async Task PushNotificationStatusAsync_UserIdNullOrganizationIdProvidedClientTypeAll_SentToOrganization(
+        SutProvider<NotificationHubPushNotificationService> sutProvider, Notification notification,
+        NotificationStatus notificationStatus)
+    {
+        notification.UserId = null;
+        notification.ClientType = ClientType.All;
+        var expectedNotification = ToNotificationPushNotification(notification, notificationStatus);
+
+        await sutProvider.Sut.PushNotificationStatusAsync(notification, notificationStatus);
+
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotificationStatus,
+            expectedNotification,
+            $"(template:payload && organizationId:{notification.OrganizationId})");
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
+    }
+
+    [Theory]
+    [BitAutoData(ClientType.Browser)]
+    [BitAutoData(ClientType.Desktop)]
+    [BitAutoData(ClientType.Web)]
+    [BitAutoData(ClientType.Mobile)]
+    [NotificationCustomize(false)]
+    public async Task
+        PushNotificationStatusAsync_UserIdNullOrganizationIdProvidedClientTypeNotAll_SentToOrganization(
+            ClientType clientType, SutProvider<NotificationHubPushNotificationService> sutProvider,
+            Notification notification, NotificationStatus notificationStatus)
+    {
+        notification.UserId = null;
+        notification.ClientType = clientType;
+        var expectedNotification = ToNotificationPushNotification(notification, notificationStatus);
+
+        await sutProvider.Sut.PushNotificationStatusAsync(notification, notificationStatus);
+
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotificationStatus,
+            expectedNotification,
             $"(template:payload && organizationId:{notification.OrganizationId} && clientType:{clientType})");
         await sutProvider.GetDependency<IInstallationDeviceRepository>()
             .Received(0)
@@ -137,7 +294,7 @@ public class NotificationHubPushNotificationServiceTests
     [Theory]
     [BitAutoData([null])]
     [BitAutoData(ClientType.All)]
-    public async void SendPayloadToUserAsync_ClientTypeNullOrAll_SentToUser(ClientType? clientType,
+    public async Task SendPayloadToUserAsync_ClientTypeNullOrAll_SentToUser(ClientType? clientType,
         SutProvider<NotificationHubPushNotificationService> sutProvider, Guid userId, PushType pushType, string payload,
         string identifier)
     {
@@ -156,7 +313,7 @@ public class NotificationHubPushNotificationServiceTests
     [BitAutoData(ClientType.Desktop)]
     [BitAutoData(ClientType.Mobile)]
     [BitAutoData(ClientType.Web)]
-    public async void SendPayloadToUserAsync_ClientTypeExplicit_SentToUserAndClientType(ClientType clientType,
+    public async Task SendPayloadToUserAsync_ClientTypeExplicit_SentToUserAndClientType(ClientType clientType,
         SutProvider<NotificationHubPushNotificationService> sutProvider, Guid userId, PushType pushType, string payload,
         string identifier)
     {
@@ -173,7 +330,7 @@ public class NotificationHubPushNotificationServiceTests
     [Theory]
     [BitAutoData([null])]
     [BitAutoData(ClientType.All)]
-    public async void SendPayloadToOrganizationAsync_ClientTypeNullOrAll_SentToOrganization(ClientType? clientType,
+    public async Task SendPayloadToOrganizationAsync_ClientTypeNullOrAll_SentToOrganization(ClientType? clientType,
         SutProvider<NotificationHubPushNotificationService> sutProvider, Guid organizationId, PushType pushType,
         string payload, string identifier)
     {
@@ -192,7 +349,7 @@ public class NotificationHubPushNotificationServiceTests
     [BitAutoData(ClientType.Desktop)]
     [BitAutoData(ClientType.Mobile)]
     [BitAutoData(ClientType.Web)]
-    public async void SendPayloadToOrganizationAsync_ClientTypeExplicit_SentToOrganizationAndClientType(
+    public async Task SendPayloadToOrganizationAsync_ClientTypeExplicit_SentToOrganizationAndClientType(
         ClientType clientType, SutProvider<NotificationHubPushNotificationService> sutProvider, Guid organizationId,
         PushType pushType, string payload, string identifier)
     {
@@ -206,7 +363,8 @@ public class NotificationHubPushNotificationServiceTests
             .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
     }
 
-    private static NotificationPushNotification ToSyncNotificationPushNotification(Notification notification) =>
+    private static NotificationPushNotification ToNotificationPushNotification(Notification notification,
+        NotificationStatus? notificationStatus) =>
         new()
         {
             Id = notification.Id,
@@ -218,7 +376,9 @@ public class NotificationHubPushNotificationServiceTests
             Title = notification.Title,
             Body = notification.Body,
             CreationDate = notification.CreationDate,
-            RevisionDate = notification.RevisionDate
+            RevisionDate = notification.RevisionDate,
+            ReadDate = notificationStatus?.ReadDate,
+            DeletedDate = notificationStatus?.DeletedDate
         };
 
     private static async Task AssertSendTemplateNotificationAsync(
diff --git a/test/Core.Test/Platform/Push/Services/AzureQueuePushNotificationServiceTests.cs b/test/Core.Test/Platform/Push/Services/AzureQueuePushNotificationServiceTests.cs
index a84a76152a..22161924ea 100644
--- a/test/Core.Test/Platform/Push/Services/AzureQueuePushNotificationServiceTests.cs
+++ b/test/Core.Test/Platform/Push/Services/AzureQueuePushNotificationServiceTests.cs
@@ -24,7 +24,7 @@ public class AzureQueuePushNotificationServiceTests
     [BitAutoData]
     [NotificationCustomize]
     [CurrentContextCustomize]
-    public async void PushNotificationAsync_Notification_Sent(
+    public async Task PushNotificationAsync_Notification_Sent(
         SutProvider<AzureQueuePushNotificationService> sutProvider, Notification notification, Guid deviceIdentifier,
         ICurrentContext currentContext)
     {
@@ -36,7 +36,30 @@ public class AzureQueuePushNotificationServiceTests
 
         await sutProvider.GetDependency<QueueClient>().Received(1)
             .SendMessageAsync(Arg.Is<string>(message =>
-                MatchMessage(PushType.SyncNotification, message, new SyncNotificationEquals(notification),
+                MatchMessage(PushType.SyncNotification, message,
+                    new NotificationPushNotificationEquals(notification, null),
+                    deviceIdentifier.ToString())));
+    }
+
+    [Theory]
+    [BitAutoData]
+    [NotificationCustomize]
+    [NotificationStatusCustomize]
+    [CurrentContextCustomize]
+    public async Task PushNotificationStatusAsync_Notification_Sent(
+        SutProvider<AzureQueuePushNotificationService> sutProvider, Notification notification, Guid deviceIdentifier,
+        ICurrentContext currentContext, NotificationStatus notificationStatus)
+    {
+        currentContext.DeviceIdentifier.Returns(deviceIdentifier.ToString());
+        sutProvider.GetDependency<IHttpContextAccessor>().HttpContext!.RequestServices
+            .GetService(Arg.Any<Type>()).Returns(currentContext);
+
+        await sutProvider.Sut.PushNotificationStatusAsync(notification, notificationStatus);
+
+        await sutProvider.GetDependency<QueueClient>().Received(1)
+            .SendMessageAsync(Arg.Is<string>(message =>
+                MatchMessage(PushType.SyncNotificationStatus, message,
+                    new NotificationPushNotificationEquals(notification, notificationStatus),
                     deviceIdentifier.ToString())));
     }
 
@@ -50,7 +73,8 @@ public class AzureQueuePushNotificationServiceTests
                pushNotificationData.ContextId == contextId;
     }
 
-    private class SyncNotificationEquals(Notification notification) : IEquatable<NotificationPushNotification>
+    private class NotificationPushNotificationEquals(Notification notification, NotificationStatus? notificationStatus)
+        : IEquatable<NotificationPushNotification>
     {
         public bool Equals(NotificationPushNotification? other)
         {
@@ -66,7 +90,9 @@ public class AzureQueuePushNotificationServiceTests
                    other.Title == notification.Title &&
                    other.Body == notification.Body &&
                    other.CreationDate == notification.CreationDate &&
-                   other.RevisionDate == notification.RevisionDate;
+                   other.RevisionDate == notification.RevisionDate &&
+                   other.ReadDate == notificationStatus?.ReadDate &&
+                   other.DeletedDate == notificationStatus?.DeletedDate;
         }
     }
 }
diff --git a/test/Core.Test/Platform/Push/Services/MultiServicePushNotificationServiceTests.cs b/test/Core.Test/Platform/Push/Services/MultiServicePushNotificationServiceTests.cs
index edbd297708..08dfd0a5c0 100644
--- a/test/Core.Test/Platform/Push/Services/MultiServicePushNotificationServiceTests.cs
+++ b/test/Core.Test/Platform/Push/Services/MultiServicePushNotificationServiceTests.cs
@@ -26,6 +26,22 @@ public class MultiServicePushNotificationServiceTests
             .PushNotificationAsync(notification);
     }
 
+    [Theory]
+    [BitAutoData]
+    [NotificationCustomize]
+    [NotificationStatusCustomize]
+    public async Task PushNotificationStatusAsync_Notification_Sent(
+        SutProvider<MultiServicePushNotificationService> sutProvider, Notification notification,
+        NotificationStatus notificationStatus)
+    {
+        await sutProvider.Sut.PushNotificationStatusAsync(notification, notificationStatus);
+
+        await sutProvider.GetDependency<IEnumerable<IPushNotificationService>>()
+            .First()
+            .Received(1)
+            .PushNotificationStatusAsync(notification, notificationStatus);
+    }
+
     [Theory]
     [BitAutoData([null, null])]
     [BitAutoData(ClientType.All, null)]

From 6cb00ebc8e3550647c714ca94dd5a2de6f045974 Mon Sep 17 00:00:00 2001
From: rkac-bw <148072202+rkac-bw@users.noreply.github.com>
Date: Thu, 13 Feb 2025 08:57:41 -0700
Subject: [PATCH 276/384] Add entity path to database test workflow (#5401)

* Add entity path to database test workflow

* Add entity path to pull request - path database test workflow

---------

Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
---
 .github/workflows/test-database.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/test-database.yml b/.github/workflows/test-database.yml
index b7b06688b4..a668ddb37d 100644
--- a/.github/workflows/test-database.yml
+++ b/.github/workflows/test-database.yml
@@ -17,6 +17,7 @@ on:
       - "src/Infrastructure.Dapper/**" # Changes to SQL Server Dapper Repository Layer
       - "src/Infrastructure.EntityFramework/**" # Changes to Entity Framework Repository Layer
       - "test/Infrastructure.IntegrationTest/**" # Any changes to the tests
+      - "src/**/Entities/**/*.cs" # Database entity definitions
   pull_request:
     paths:
       - ".github/workflows/test-database.yml" # This file
@@ -28,6 +29,7 @@ on:
       - "src/Infrastructure.Dapper/**" # Changes to SQL Server Dapper Repository Layer
       - "src/Infrastructure.EntityFramework/**" # Changes to Entity Framework Repository Layer
       - "test/Infrastructure.IntegrationTest/**" # Any changes to the tests
+      - "src/**/Entities/**/*.cs" # Database entity definitions
 
 jobs:
   check-test-secrets:

From 465549b812eaa65dec0403f51ce93ca12759772d Mon Sep 17 00:00:00 2001
From: Graham Walker <ghwtx@icloud.com>
Date: Thu, 13 Feb 2025 12:43:34 -0600
Subject: [PATCH 277/384] PM-17954 changing import permissions around based on
 requirements (#5385)

Co-authored-by: Daniel James Smith <2670567+djsmith85@users.noreply.github.com>
---
 src/Api/Tools/Controllers/ImportCiphersController.cs | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/Api/Tools/Controllers/ImportCiphersController.cs b/src/Api/Tools/Controllers/ImportCiphersController.cs
index c268500f71..d6104de354 100644
--- a/src/Api/Tools/Controllers/ImportCiphersController.cs
+++ b/src/Api/Tools/Controllers/ImportCiphersController.cs
@@ -96,12 +96,6 @@ public class ImportCiphersController : Controller
             return true;
         }
 
-        //Users allowed to import if they CanCreate Collections
-        if (!(await _authorizationService.AuthorizeAsync(User, collections, BulkCollectionOperations.Create)).Succeeded)
-        {
-            return false;
-        }
-
         //Calling Repository instead of Service as we want to get all the collections, regardless of permission
         //Permissions check will be done later on AuthorizationService
         var orgCollectionIds =
@@ -118,6 +112,12 @@ public class ImportCiphersController : Controller
             return false;
         };
 
+        //Users allowed to import if they CanCreate Collections
+        if (!(await _authorizationService.AuthorizeAsync(User, collections, BulkCollectionOperations.Create)).Succeeded)
+        {
+            return false;
+        }
+
         return true;
     }
 }

From ac6bc40d85c115fb012884756c94b05244bd8dbe Mon Sep 17 00:00:00 2001
From: Patrick-Pimentel-Bitwarden <ppimentel@bitwarden.com>
Date: Thu, 13 Feb 2025 15:51:36 -0500
Subject: [PATCH 278/384] feat(2FA): [PM-17129] Login with 2FA Recovery Code

* feat(2FA): [PM-17129] Login with 2FA Recovery Code - Login with Recovery Code working.

* feat(2FA): [PM-17129] Login with 2FA Recovery Code - Feature flagged implementation.

* style(2FA): [PM-17129] Login with 2FA Recovery Code - Code cleanup.

* test(2FA): [PM-17129] Login with 2FA Recovery Code - Tests.
---
 .../Auth/Controllers/TwoFactorController.cs   | 28 +++++----
 src/Core/Auth/Enums/TwoFactorProviderType.cs  |  1 +
 src/Core/Constants.cs                         |  1 +
 src/Core/Services/IUserService.cs             | 29 +++++++---
 .../Services/Implementations/UserService.cs   | 29 +++++++++-
 .../RequestValidators/BaseRequestValidator.cs | 56 ++++++++++--------
 .../TwoFactorAuthenticationValidator.cs       | 52 +++++++++++------
 test/Core.Test/Services/UserServiceTests.cs   | 40 +++++++++++++
 .../BaseRequestValidatorTests.cs              |  2 +-
 .../TwoFactorAuthenticationValidatorTests.cs  | 58 ++++++++++++++++---
 10 files changed, 220 insertions(+), 76 deletions(-)

diff --git a/src/Api/Auth/Controllers/TwoFactorController.cs b/src/Api/Auth/Controllers/TwoFactorController.cs
index 2714b9aba3..c7d39f64b0 100644
--- a/src/Api/Auth/Controllers/TwoFactorController.cs
+++ b/src/Api/Auth/Controllers/TwoFactorController.cs
@@ -304,7 +304,7 @@ public class TwoFactorController : Controller
 
         if (user != null)
         {
-            // check if 2FA email is from passwordless
+            // Check if 2FA email is from Passwordless.
             if (!string.IsNullOrEmpty(requestModel.AuthRequestAccessCode))
             {
                 if (await _verifyAuthRequestCommand
@@ -317,17 +317,14 @@ public class TwoFactorController : Controller
             }
             else if (!string.IsNullOrEmpty(requestModel.SsoEmail2FaSessionToken))
             {
-                if (this.ValidateSsoEmail2FaToken(requestModel.SsoEmail2FaSessionToken, user))
+                if (ValidateSsoEmail2FaToken(requestModel.SsoEmail2FaSessionToken, user))
                 {
                     await _userService.SendTwoFactorEmailAsync(user);
                     return;
                 }
-                else
-                {
-                    await this.ThrowDelayedBadRequestExceptionAsync(
-                        "Cannot send two-factor email: a valid, non-expired SSO Email 2FA Session token is required to send 2FA emails.",
-                        2000);
-                }
+
+                await ThrowDelayedBadRequestExceptionAsync(
+                    "Cannot send two-factor email: a valid, non-expired SSO Email 2FA Session token is required to send 2FA emails.");
             }
             else if (await _userService.VerifySecretAsync(user, requestModel.Secret))
             {
@@ -336,8 +333,7 @@ public class TwoFactorController : Controller
             }
         }
 
-        await this.ThrowDelayedBadRequestExceptionAsync(
-            "Cannot send two-factor email.", 2000);
+        await ThrowDelayedBadRequestExceptionAsync("Cannot send two-factor email.");
     }
 
     [HttpPut("email")]
@@ -374,7 +370,7 @@ public class TwoFactorController : Controller
     public async Task<TwoFactorProviderResponseModel> PutOrganizationDisable(string id,
         [FromBody] TwoFactorProviderRequestModel model)
     {
-        var user = await CheckAsync(model, false);
+        await CheckAsync(model, false);
 
         var orgIdGuid = new Guid(id);
         if (!await _currentContext.ManagePolicies(orgIdGuid))
@@ -401,6 +397,10 @@ public class TwoFactorController : Controller
         return response;
     }
 
+    /// <summary>
+    /// To be removed when the feature flag pm-17128-recovery-code-login is removed PM-18175.
+    /// </summary>
+    [Obsolete("Two Factor recovery is handled in the TwoFactorAuthenticationValidator.")]
     [HttpPost("recover")]
     [AllowAnonymous]
     public async Task PostRecover([FromBody] TwoFactorRecoveryRequestModel model)
@@ -463,10 +463,8 @@ public class TwoFactorController : Controller
             await Task.Delay(2000);
             throw new BadRequestException(name, $"{name} is invalid.");
         }
-        else
-        {
-            await Task.Delay(500);
-        }
+
+        await Task.Delay(500);
     }
 
     private bool ValidateSsoEmail2FaToken(string ssoEmail2FaSessionToken, User user)
diff --git a/src/Core/Auth/Enums/TwoFactorProviderType.cs b/src/Core/Auth/Enums/TwoFactorProviderType.cs
index a17b61c3cd..07a52dc429 100644
--- a/src/Core/Auth/Enums/TwoFactorProviderType.cs
+++ b/src/Core/Auth/Enums/TwoFactorProviderType.cs
@@ -10,4 +10,5 @@ public enum TwoFactorProviderType : byte
     Remember = 5,
     OrganizationDuo = 6,
     WebAuthn = 7,
+    RecoveryCode = 8,
 }
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 6b3d0485b0..0b0d21f7bb 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -170,6 +170,7 @@ public static class FeatureFlagKeys
     public const string EnablePMAuthenticatorSync = "enable-pm-bwa-sync";
     public const string P15179_AddExistingOrgsFromProviderPortal = "pm-15179-add-existing-orgs-from-provider-portal";
     public const string AndroidMutualTls = "mutual-tls";
+    public const string RecoveryCodeLogin = "pm-17128-recovery-code-login";
     public const string PM3503_MobileAnonAddySelfHostAlias = "anon-addy-self-host-alias";
 
     public static List<string> GetAllKeys()
diff --git a/src/Core/Services/IUserService.cs b/src/Core/Services/IUserService.cs
index 0886d18897..d1c61e4418 100644
--- a/src/Core/Services/IUserService.cs
+++ b/src/Core/Services/IUserService.cs
@@ -22,7 +22,6 @@ public interface IUserService
     Task<IdentityResult> CreateUserAsync(User user, string masterPasswordHash);
     Task SendMasterPasswordHintAsync(string email);
     Task SendTwoFactorEmailAsync(User user);
-    Task<bool> VerifyTwoFactorEmailAsync(User user, string token);
     Task<CredentialCreateOptions> StartWebAuthnRegistrationAsync(User user);
     Task<bool> DeleteWebAuthnKeyAsync(User user, int id);
     Task<bool> CompleteWebAuthRegistrationAsync(User user, int value, string name, AuthenticatorAttestationRawResponse attestationResponse);
@@ -41,8 +40,6 @@ public interface IUserService
     Task<IdentityResult> RefreshSecurityStampAsync(User user, string masterPasswordHash);
     Task UpdateTwoFactorProviderAsync(User user, TwoFactorProviderType type, bool setEnabled = true, bool logEvent = true);
     Task DisableTwoFactorProviderAsync(User user, TwoFactorProviderType type);
-    Task<bool> RecoverTwoFactorAsync(string email, string masterPassword, string recoveryCode);
-    Task<string> GenerateUserTokenAsync(User user, string tokenProvider, string purpose);
     Task<IdentityResult> DeleteAsync(User user);
     Task<IdentityResult> DeleteAsync(User user, string token);
     Task SendDeleteConfirmationAsync(string email);
@@ -55,9 +52,7 @@ public interface IUserService
     Task CancelPremiumAsync(User user, bool? endOfPeriod = null);
     Task ReinstatePremiumAsync(User user);
     Task EnablePremiumAsync(Guid userId, DateTime? expirationDate);
-    Task EnablePremiumAsync(User user, DateTime? expirationDate);
     Task DisablePremiumAsync(Guid userId, DateTime? expirationDate);
-    Task DisablePremiumAsync(User user, DateTime? expirationDate);
     Task UpdatePremiumExpirationAsync(Guid userId, DateTime? expirationDate);
     Task<UserLicense> GenerateLicenseAsync(User user, SubscriptionInfo subscriptionInfo = null,
         int? version = null);
@@ -91,9 +86,26 @@ public interface IUserService
 
     void SetTwoFactorProvider(User user, TwoFactorProviderType type, bool setEnabled = true);
 
+    [Obsolete("To be removed when the feature flag pm-17128-recovery-code-login is removed PM-18175.")]
+    Task<bool> RecoverTwoFactorAsync(string email, string masterPassword, string recoveryCode);
+
     /// <summary>
-    /// Returns true if the user is a legacy user. Legacy users use their master key as their encryption key.
-    /// We force these users to the web to migrate their encryption scheme.
+    /// This method is used by the TwoFactorAuthenticationValidator to recover two
+    /// factor for a user. This allows users to be logged in after a successful recovery
+    /// attempt.
+    ///
+    /// This method logs the event, sends an email to the user, and removes two factor
+    /// providers on the user account. This means that a user will have to accomplish
+    /// new device verification on their account on new logins, if it is enabled for their user.
+    /// </summary>
+    /// <param name="recoveryCode">recovery code associated with the user logging in</param>
+    /// <param name="user">The user to refresh the 2FA and Recovery Code on.</param>
+    /// <returns>true if the recovery code is valid; false otherwise</returns>
+    Task<bool> RecoverTwoFactorAsync(User user, string recoveryCode);
+
+    /// <summary>
+    /// Returns true if the user is a legacy user. Legacy users use their master key as their
+    /// encryption key. We force these users to the web to migrate their encryption scheme.
     /// </summary>
     Task<bool> IsLegacyUser(string userId);
 
@@ -101,7 +113,8 @@ public interface IUserService
     /// Indicates if the user is managed by any organization.
     /// </summary>
     /// <remarks>
-    /// A user is considered managed by an organization if their email domain matches one of the verified domains of that organization, and the user is a member of it.
+    /// A user is considered managed by an organization if their email domain matches one of the
+    /// verified domains of that organization, and the user is a member of it.
     /// The organization must be enabled and able to have verified domains.
     /// </remarks>
     /// <returns>
diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index 11d4042def..e04290a686 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -315,7 +315,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
             return;
         }
 
-        var token = await base.GenerateUserTokenAsync(user, TokenOptions.DefaultProvider, "DeleteAccount");
+        var token = await GenerateUserTokenAsync(user, TokenOptions.DefaultProvider, "DeleteAccount");
         await _mailService.SendVerifyDeleteEmailAsync(user.Email, user.Id, token);
     }
 
@@ -868,6 +868,10 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         }
     }
 
+    /// <summary>
+    /// To be removed when the feature flag pm-17128-recovery-code-login is removed PM-18175.
+    /// </summary>
+    [Obsolete("Two Factor recovery is handled in the TwoFactorAuthenticationValidator.")]
     public async Task<bool> RecoverTwoFactorAsync(string email, string secret, string recoveryCode)
     {
         var user = await _userRepository.GetByEmailAsync(email);
@@ -897,6 +901,25 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         return true;
     }
 
+    public async Task<bool> RecoverTwoFactorAsync(User user, string recoveryCode)
+    {
+        if (!CoreHelpers.FixedTimeEquals(
+                user.TwoFactorRecoveryCode,
+                recoveryCode.Replace(" ", string.Empty).Trim().ToLower()))
+        {
+            return false;
+        }
+
+        user.TwoFactorProviders = null;
+        user.TwoFactorRecoveryCode = CoreHelpers.SecureRandomString(32, upper: false, special: false);
+        await SaveUserAsync(user);
+        await _mailService.SendRecoverTwoFactorEmail(user.Email, DateTime.UtcNow, _currentContext.IpAddress);
+        await _eventService.LogUserEventAsync(user.Id, EventType.User_Recovered2fa);
+        await CheckPoliciesOnTwoFactorRemovalAsync(user);
+
+        return true;
+    }
+
     public async Task<Tuple<bool, string>> SignUpPremiumAsync(User user, string paymentToken,
         PaymentMethodType paymentMethodType, short additionalStorageGb, UserLicense license,
         TaxInfo taxInfo)
@@ -1081,7 +1104,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         await EnablePremiumAsync(user, expirationDate);
     }
 
-    public async Task EnablePremiumAsync(User user, DateTime? expirationDate)
+    private async Task EnablePremiumAsync(User user, DateTime? expirationDate)
     {
         if (user != null && !user.Premium && user.Gateway.HasValue)
         {
@@ -1098,7 +1121,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         await DisablePremiumAsync(user, expirationDate);
     }
 
-    public async Task DisablePremiumAsync(User user, DateTime? expirationDate)
+    private async Task DisablePremiumAsync(User user, DateTime? expirationDate)
     {
         if (user != null && user.Premium)
         {
diff --git a/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs b/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs
index 5e78212cf1..88691fa8f7 100644
--- a/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs
@@ -77,7 +77,7 @@ public abstract class BaseRequestValidator<T> where T : class
     protected async Task ValidateAsync(T context, ValidatedTokenRequest request,
         CustomValidatorRequestContext validatorContext)
     {
-        // 1. we need to check if the user is a bot and if their master password hash is correct
+        // 1. We need to check if the user is a bot and if their master password hash is correct.
         var isBot = validatorContext.CaptchaResponse?.IsBot ?? false;
         var valid = await ValidateContextAsync(context, validatorContext);
         var user = validatorContext.User;
@@ -99,7 +99,7 @@ public abstract class BaseRequestValidator<T> where T : class
             return;
         }
 
-        // 2. Does this user belong to an organization that requires SSO
+        // 2. Decide if this user belongs to an organization that requires SSO.
         validatorContext.SsoRequired = await RequireSsoLoginAsync(user, request.GrantType);
         if (validatorContext.SsoRequired)
         {
@@ -111,17 +111,22 @@ public abstract class BaseRequestValidator<T> where T : class
             return;
         }
 
-        // 3. Check if 2FA is required
-        (validatorContext.TwoFactorRequired, var twoFactorOrganization) = await _twoFactorAuthenticationValidator.RequiresTwoFactorAsync(user, request);
-        // This flag is used to determine if the user wants a rememberMe token sent when authentication is successful
+        // 3. Check if 2FA is required.
+        (validatorContext.TwoFactorRequired, var twoFactorOrganization) =
+            await _twoFactorAuthenticationValidator.RequiresTwoFactorAsync(user, request);
+
+        // This flag is used to determine if the user wants a rememberMe token sent when
+        // authentication is successful.
         var returnRememberMeToken = false;
+
         if (validatorContext.TwoFactorRequired)
         {
-            var twoFactorToken = request.Raw["TwoFactorToken"]?.ToString();
-            var twoFactorProvider = request.Raw["TwoFactorProvider"]?.ToString();
+            var twoFactorToken = request.Raw["TwoFactorToken"];
+            var twoFactorProvider = request.Raw["TwoFactorProvider"];
             var validTwoFactorRequest = !string.IsNullOrWhiteSpace(twoFactorToken) &&
                                         !string.IsNullOrWhiteSpace(twoFactorProvider);
-            // response for 2FA required and not provided state
+
+            // 3a. Response for 2FA required and not provided state.
             if (!validTwoFactorRequest ||
                 !Enum.TryParse(twoFactorProvider, out TwoFactorProviderType twoFactorProviderType))
             {
@@ -133,26 +138,27 @@ public abstract class BaseRequestValidator<T> where T : class
                     return;
                 }
 
-                // Include Master Password Policy in 2FA response
-                resultDict.Add("MasterPasswordPolicy", await GetMasterPasswordPolicy(user));
+                // Include Master Password Policy in 2FA response.
+                resultDict.Add("MasterPasswordPolicy", await GetMasterPasswordPolicyAsync(user));
                 SetTwoFactorResult(context, resultDict);
                 return;
             }
 
-            var twoFactorTokenValid = await _twoFactorAuthenticationValidator
-                                    .VerifyTwoFactor(user, twoFactorOrganization, twoFactorProviderType, twoFactorToken);
+            var twoFactorTokenValid =
+                await _twoFactorAuthenticationValidator
+                    .VerifyTwoFactorAsync(user, twoFactorOrganization, twoFactorProviderType, twoFactorToken);
 
-            // response for 2FA required but request is not valid or remember token expired state
+            // 3b. Response for 2FA required but request is not valid or remember token expired state.
             if (!twoFactorTokenValid)
             {
-                // The remember me token has expired
+                // The remember me token has expired.
                 if (twoFactorProviderType == TwoFactorProviderType.Remember)
                 {
                     var resultDict = await _twoFactorAuthenticationValidator
                                             .BuildTwoFactorResultAsync(user, twoFactorOrganization);
 
                     // Include Master Password Policy in 2FA response
-                    resultDict.Add("MasterPasswordPolicy", await GetMasterPasswordPolicy(user));
+                    resultDict.Add("MasterPasswordPolicy", await GetMasterPasswordPolicyAsync(user));
                     SetTwoFactorResult(context, resultDict);
                 }
                 else
@@ -163,17 +169,19 @@ public abstract class BaseRequestValidator<T> where T : class
                 return;
             }
 
-            // When the two factor authentication is successful, we can check if the user wants a rememberMe token
-            var twoFactorRemember = request.Raw["TwoFactorRemember"]?.ToString() == "1";
-            if (twoFactorRemember // Check if the user wants a rememberMe token
-                && twoFactorTokenValid // Make sure two factor authentication was successful
-                && twoFactorProviderType != TwoFactorProviderType.Remember) // if the two factor auth was rememberMe do not send another token
+            // 3c. When the 2FA authentication is successful, we can check if the user wants a
+            // rememberMe token.
+            var twoFactorRemember = request.Raw["TwoFactorRemember"] == "1";
+            // Check if the user wants a rememberMe token.
+            if (twoFactorRemember
+                // if the 2FA auth was rememberMe do not send another token.
+                && twoFactorProviderType != TwoFactorProviderType.Remember)
             {
                 returnRememberMeToken = true;
             }
         }
 
-        // 4. Check if the user is logging in from a new device
+        // 4. Check if the user is logging in from a new device.
         var deviceValid = await _deviceValidator.ValidateRequestDeviceAsync(request, validatorContext);
         if (!deviceValid)
         {
@@ -182,7 +190,7 @@ public abstract class BaseRequestValidator<T> where T : class
             return;
         }
 
-        // 5. Force legacy users to the web for migration
+        // 5. Force legacy users to the web for migration.
         if (UserService.IsLegacyUser(user) && request.ClientId != "web")
         {
             await FailAuthForLegacyUserAsync(user, context);
@@ -224,7 +232,7 @@ public abstract class BaseRequestValidator<T> where T : class
             customResponse.Add("Key", user.Key);
         }
 
-        customResponse.Add("MasterPasswordPolicy", await GetMasterPasswordPolicy(user));
+        customResponse.Add("MasterPasswordPolicy", await GetMasterPasswordPolicyAsync(user));
         customResponse.Add("ForcePasswordReset", user.ForcePasswordReset);
         customResponse.Add("ResetMasterPassword", string.IsNullOrWhiteSpace(user.MasterPassword));
         customResponse.Add("Kdf", (byte)user.Kdf);
@@ -403,7 +411,7 @@ public abstract class BaseRequestValidator<T> where T : class
         return unknownDevice && failedLoginCeiling > 0 && failedLoginCount == failedLoginCeiling;
     }
 
-    private async Task<MasterPasswordPolicyResponseModel> GetMasterPasswordPolicy(User user)
+    private async Task<MasterPasswordPolicyResponseModel> GetMasterPasswordPolicyAsync(User user)
     {
         // Check current context/cache to see if user is in any organizations, avoids extra DB call if not
         var orgs = (await CurrentContext.OrganizationMembershipAsync(_organizationUserRepository, user.Id))
diff --git a/src/Identity/IdentityServer/RequestValidators/TwoFactorAuthenticationValidator.cs b/src/Identity/IdentityServer/RequestValidators/TwoFactorAuthenticationValidator.cs
index e2c6406c89..856846cdd6 100644
--- a/src/Identity/IdentityServer/RequestValidators/TwoFactorAuthenticationValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/TwoFactorAuthenticationValidator.cs
@@ -1,4 +1,5 @@
 using System.Text.Json;
+using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Identity.TokenProviders;
@@ -44,7 +45,7 @@ public interface ITwoFactorAuthenticationValidator
     /// <param name="twoFactorProviderType">Two Factor Provider to use to verify the token</param>
     /// <param name="token">secret passed from the user and consumed by the two-factor provider's verify method</param>
     /// <returns>boolean</returns>
-    Task<bool> VerifyTwoFactor(User user, Organization organization, TwoFactorProviderType twoFactorProviderType, string token);
+    Task<bool> VerifyTwoFactorAsync(User user, Organization organization, TwoFactorProviderType twoFactorProviderType, string token);
 }
 
 public class TwoFactorAuthenticationValidator(
@@ -139,7 +140,7 @@ public class TwoFactorAuthenticationValidator(
         return twoFactorResultDict;
     }
 
-    public async Task<bool> VerifyTwoFactor(
+    public async Task<bool> VerifyTwoFactorAsync(
         User user,
         Organization organization,
         TwoFactorProviderType type,
@@ -154,24 +155,39 @@ public class TwoFactorAuthenticationValidator(
             return false;
         }
 
-        switch (type)
+        if (_featureService.IsEnabled(FeatureFlagKeys.RecoveryCodeLogin))
         {
-            case TwoFactorProviderType.Authenticator:
-            case TwoFactorProviderType.Email:
-            case TwoFactorProviderType.Duo:
-            case TwoFactorProviderType.YubiKey:
-            case TwoFactorProviderType.WebAuthn:
-            case TwoFactorProviderType.Remember:
-                if (type != TwoFactorProviderType.Remember &&
-                    !await _userService.TwoFactorProviderIsEnabledAsync(type, user))
-                {
-                    return false;
-                }
-                return await _userManager.VerifyTwoFactorTokenAsync(user,
-                    CoreHelpers.CustomProviderName(type), token);
-            default:
-                return false;
+            if (type is TwoFactorProviderType.RecoveryCode)
+            {
+                return await _userService.RecoverTwoFactorAsync(user, token);
+            }
         }
+
+        // These cases we want to always return false, U2f is deprecated and OrganizationDuo
+        // uses a different flow than the other two factor providers, it follows the same
+        // structure of a UserTokenProvider but has it's logic ran outside the usual token
+        // provider flow. See IOrganizationDuoUniversalTokenProvider.cs
+        if (type is TwoFactorProviderType.U2f or TwoFactorProviderType.OrganizationDuo)
+        {
+            return false;
+        }
+
+        // Now we are concerning the rest of the Two Factor Provider Types
+
+        // The intent of this check is to make sure that the user is using a 2FA provider that
+        // is enabled and allowed by their premium status. The exception for Remember
+        // is because it is a "special" 2FA type that isn't ever explicitly
+        // enabled by a user, so we can't check the user's 2FA providers to see if they're
+        // enabled. We just have to check if the token is valid.
+        if (type != TwoFactorProviderType.Remember &&
+            !await _userService.TwoFactorProviderIsEnabledAsync(type, user))
+        {
+            return false;
+        }
+
+        // Finally, verify the token based on the provider type.
+        return await _userManager.VerifyTwoFactorTokenAsync(
+            user, CoreHelpers.CustomProviderName(type), token);
     }
 
     private async Task<List<KeyValuePair<TwoFactorProviderType, TwoFactorProvider>>> GetEnabledTwoFactorProvidersAsync(
diff --git a/test/Core.Test/Services/UserServiceTests.cs b/test/Core.Test/Services/UserServiceTests.cs
index 9539767f6f..88c214f471 100644
--- a/test/Core.Test/Services/UserServiceTests.cs
+++ b/test/Core.Test/Services/UserServiceTests.cs
@@ -730,6 +730,46 @@ public class UserServiceTests
                 .RemoveAsync(Arg.Any<string>());
     }
 
+    [Theory, BitAutoData]
+    public async Task RecoverTwoFactorAsync_CorrectCode_ReturnsTrueAndProcessesPolicies(
+        User user, SutProvider<UserService> sutProvider)
+    {
+        // Arrange
+        var recoveryCode = "1234";
+        user.TwoFactorRecoveryCode = recoveryCode;
+
+        // Act
+        var response = await sutProvider.Sut.RecoverTwoFactorAsync(user, recoveryCode);
+
+        // Assert
+        Assert.True(response);
+        Assert.Null(user.TwoFactorProviders);
+        // Make sure a new code was generated for the user
+        Assert.NotEqual(recoveryCode, user.TwoFactorRecoveryCode);
+        await sutProvider.GetDependency<IMailService>()
+            .Received(1)
+            .SendRecoverTwoFactorEmail(Arg.Any<string>(), Arg.Any<DateTime>(), Arg.Any<string>());
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogUserEventAsync(user.Id, EventType.User_Recovered2fa);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RecoverTwoFactorAsync_IncorrectCode_ReturnsFalse(
+        User user, SutProvider<UserService> sutProvider)
+    {
+        // Arrange
+        var recoveryCode = "1234";
+        user.TwoFactorRecoveryCode = "4567";
+
+        // Act
+        var response = await sutProvider.Sut.RecoverTwoFactorAsync(user, recoveryCode);
+
+        // Assert
+        Assert.False(response);
+        Assert.NotNull(user.TwoFactorProviders);
+    }
+
     private static void SetupUserAndDevice(User user,
         bool shouldHavePassword)
     {
diff --git a/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs b/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs
index 916b52e1d0..589aac2842 100644
--- a/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs
+++ b/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs
@@ -105,7 +105,7 @@ public class BaseRequestValidatorTests
         // Assert
         await _eventService.Received(1)
                            .LogUserEventAsync(context.CustomValidatorRequestContext.User.Id,
-                                             Core.Enums.EventType.User_FailedLogIn);
+                                             EventType.User_FailedLogIn);
         Assert.True(context.GrantResult.IsError);
         Assert.Equal("Username or password is incorrect. Try again.", errorResponse.Message);
     }
diff --git a/test/Identity.Test/IdentityServer/TwoFactorAuthenticationValidatorTests.cs b/test/Identity.Test/IdentityServer/TwoFactorAuthenticationValidatorTests.cs
index dfb877b8d6..e59a66a9e7 100644
--- a/test/Identity.Test/IdentityServer/TwoFactorAuthenticationValidatorTests.cs
+++ b/test/Identity.Test/IdentityServer/TwoFactorAuthenticationValidatorTests.cs
@@ -1,4 +1,5 @@
-using Bit.Core.AdminConsole.Entities;
+using Bit.Core;
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Identity.TokenProviders;
 using Bit.Core.Auth.Models.Business.Tokenables;
@@ -328,7 +329,7 @@ public class TwoFactorAuthenticationValidatorTests
         _userManager.TWO_FACTOR_PROVIDERS = ["email"];
 
         // Act
-        var result = await _sut.VerifyTwoFactor(
+        var result = await _sut.VerifyTwoFactorAsync(
             user, null, TwoFactorProviderType.U2f, token);
 
         // Assert
@@ -348,7 +349,7 @@ public class TwoFactorAuthenticationValidatorTests
         _userManager.TWO_FACTOR_PROVIDERS = ["email"];
 
         // Act
-        var result = await _sut.VerifyTwoFactor(
+        var result = await _sut.VerifyTwoFactorAsync(
             user, null, TwoFactorProviderType.Email, token);
 
         // Assert
@@ -368,7 +369,7 @@ public class TwoFactorAuthenticationValidatorTests
         _userManager.TWO_FACTOR_PROVIDERS = ["OrganizationDuo"];
 
         // Act
-        var result = await _sut.VerifyTwoFactor(
+        var result = await _sut.VerifyTwoFactorAsync(
             user, null, TwoFactorProviderType.OrganizationDuo, token);
 
         // Assert
@@ -394,7 +395,7 @@ public class TwoFactorAuthenticationValidatorTests
         _userManager.TWO_FACTOR_TOKEN_VERIFIED = true;
 
         // Act
-        var result = await _sut.VerifyTwoFactor(user, null, providerType, token);
+        var result = await _sut.VerifyTwoFactorAsync(user, null, providerType, token);
 
         // Assert
         Assert.True(result);
@@ -419,7 +420,7 @@ public class TwoFactorAuthenticationValidatorTests
         _userManager.TWO_FACTOR_TOKEN_VERIFIED = false;
 
         // Act
-        var result = await _sut.VerifyTwoFactor(user, null, providerType, token);
+        var result = await _sut.VerifyTwoFactorAsync(user, null, providerType, token);
 
         // Assert
         Assert.False(result);
@@ -445,13 +446,56 @@ public class TwoFactorAuthenticationValidatorTests
         organization.Enabled = true;
 
         // Act
-        var result = await _sut.VerifyTwoFactor(
+        var result = await _sut.VerifyTwoFactorAsync(
             user, organization, providerType, token);
 
         // Assert
         Assert.True(result);
     }
 
+    [Theory]
+    [BitAutoData(TwoFactorProviderType.RecoveryCode)]
+    public async void VerifyTwoFactorAsync_RecoveryCode_ValidToken_ReturnsTrue(
+        TwoFactorProviderType providerType,
+        User user,
+        Organization organization)
+    {
+        var token = "1234";
+        user.TwoFactorRecoveryCode = token;
+
+        _userService.RecoverTwoFactorAsync(Arg.Is(user), Arg.Is(token)).Returns(true);
+        _featureService.IsEnabled(FeatureFlagKeys.RecoveryCodeLogin).Returns(true);
+
+        // Act
+        var result = await _sut.VerifyTwoFactorAsync(
+            user, organization, providerType, token);
+
+        // Assert
+        Assert.True(result);
+    }
+
+    [Theory]
+    [BitAutoData(TwoFactorProviderType.RecoveryCode)]
+    public async void VerifyTwoFactorAsync_RecoveryCode_InvalidToken_ReturnsFalse(
+        TwoFactorProviderType providerType,
+        User user,
+        Organization organization)
+    {
+        // Arrange
+        var token = "1234";
+        user.TwoFactorRecoveryCode = token;
+
+        _userService.RecoverTwoFactorAsync(Arg.Is(user), Arg.Is(token)).Returns(false);
+        _featureService.IsEnabled(FeatureFlagKeys.RecoveryCodeLogin).Returns(true);
+
+        // Act
+        var result = await _sut.VerifyTwoFactorAsync(
+            user, organization, providerType, token);
+
+        // Assert
+        Assert.False(result);
+    }
+
     private static UserManagerTestWrapper<User> SubstituteUserManager()
     {
         return new UserManagerTestWrapper<User>(

From 54d59b3b92711cd4263f85ef6a18c9c9652e39b3 Mon Sep 17 00:00:00 2001
From: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
Date: Fri, 14 Feb 2025 11:09:01 +1000
Subject: [PATCH 279/384] [PM-16812] Shortcut duplicate group patch requests
 (#5354)

* Copy PatchGroupCommand to vNext and refactor

* Detect duplicate add requests and return early

* Update read repository method to use HA replica

* Add new write repository method
---
 .../Scim/Controllers/v2/GroupsController.cs   |  27 +-
 .../Interfaces/IPatchGroupCommandvNext.cs     |   9 +
 .../src/Scim/Groups/PatchGroupCommandvNext.cs | 170 ++++++++
 .../src/Scim/Utilities/ScimConstants.cs       |  13 +
 .../ScimServiceCollectionExtensions.cs        |   1 +
 .../v2/GroupsControllerPatchTests.cs          | 237 +++++++++++
 .../v2/GroupsControllerPatchTestsvNext.cs     | 251 ++++++++++++
 .../Controllers/v2/GroupsControllerTests.cs   | 221 +---------
 .../Factories/ScimApplicationFactory.cs       |  40 +-
 .../Groups/PatchGroupCommandvNextTests.cs     | 381 ++++++++++++++++++
 .../Repositories/IGroupRepository.cs          |  20 +-
 src/Core/Constants.cs                         |   1 +
 .../Repositories/GroupRepository.cs           |  19 +-
 .../Repositories/GroupRepository.cs           |  27 +-
 .../Stored Procedures/GroupUser_AddUsers.sql  |  39 ++
 .../AdminConsole/OrganizationTestHelpers.cs   |  57 +++
 .../Repositories/GroupRepositoryTests.cs      | 129 ++++++
 .../OrganizationDomainRepositoryTests.cs      |   2 +-
 .../OrganizationRepositoryTests.cs            |   2 +-
 .../OrganizationUserRepositoryTests.cs        |   2 +-
 .../2025-02-13_00_GroupUser_AddUsers.sql      |  39 ++
 21 files changed, 1437 insertions(+), 250 deletions(-)
 create mode 100644 bitwarden_license/src/Scim/Groups/Interfaces/IPatchGroupCommandvNext.cs
 create mode 100644 bitwarden_license/src/Scim/Groups/PatchGroupCommandvNext.cs
 create mode 100644 bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerPatchTests.cs
 create mode 100644 bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerPatchTestsvNext.cs
 create mode 100644 bitwarden_license/test/Scim.Test/Groups/PatchGroupCommandvNextTests.cs
 create mode 100644 src/Sql/dbo/Stored Procedures/GroupUser_AddUsers.sql
 create mode 100644 test/Infrastructure.IntegrationTest/AdminConsole/OrganizationTestHelpers.cs
 create mode 100644 test/Infrastructure.IntegrationTest/AdminConsole/Repositories/GroupRepositoryTests.cs
 create mode 100644 util/Migrator/DbScripts/2025-02-13_00_GroupUser_AddUsers.sql

diff --git a/bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs b/bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs
index 5df0b29216..8c21793a9d 100644
--- a/bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs
+++ b/bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs
@@ -1,8 +1,10 @@
-using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
+using Bit.Core;
+using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
+using Bit.Core.Services;
 using Bit.Scim.Groups.Interfaces;
 using Bit.Scim.Models;
 using Bit.Scim.Utilities;
@@ -22,9 +24,10 @@ public class GroupsController : Controller
     private readonly IGetGroupsListQuery _getGroupsListQuery;
     private readonly IDeleteGroupCommand _deleteGroupCommand;
     private readonly IPatchGroupCommand _patchGroupCommand;
+    private readonly IPatchGroupCommandvNext _patchGroupCommandvNext;
     private readonly IPostGroupCommand _postGroupCommand;
     private readonly IPutGroupCommand _putGroupCommand;
-    private readonly ILogger<GroupsController> _logger;
+    private readonly IFeatureService _featureService;
 
     public GroupsController(
         IGroupRepository groupRepository,
@@ -32,18 +35,21 @@ public class GroupsController : Controller
         IGetGroupsListQuery getGroupsListQuery,
         IDeleteGroupCommand deleteGroupCommand,
         IPatchGroupCommand patchGroupCommand,
+        IPatchGroupCommandvNext patchGroupCommandvNext,
         IPostGroupCommand postGroupCommand,
         IPutGroupCommand putGroupCommand,
-        ILogger<GroupsController> logger)
+        IFeatureService featureService
+        )
     {
         _groupRepository = groupRepository;
         _organizationRepository = organizationRepository;
         _getGroupsListQuery = getGroupsListQuery;
         _deleteGroupCommand = deleteGroupCommand;
         _patchGroupCommand = patchGroupCommand;
+        _patchGroupCommandvNext = patchGroupCommandvNext;
         _postGroupCommand = postGroupCommand;
         _putGroupCommand = putGroupCommand;
-        _logger = logger;
+        _featureService = featureService;
     }
 
     [HttpGet("{id}")]
@@ -97,8 +103,21 @@ public class GroupsController : Controller
     [HttpPatch("{id}")]
     public async Task<IActionResult> Patch(Guid organizationId, Guid id, [FromBody] ScimPatchModel model)
     {
+        if (_featureService.IsEnabled(FeatureFlagKeys.ShortcutDuplicatePatchRequests))
+        {
+            var group = await _groupRepository.GetByIdAsync(id);
+            if (group == null || group.OrganizationId != organizationId)
+            {
+                throw new NotFoundException("Group not found.");
+            }
+
+            await _patchGroupCommandvNext.PatchGroupAsync(group, model);
+            return new NoContentResult();
+        }
+
         var organization = await _organizationRepository.GetByIdAsync(organizationId);
         await _patchGroupCommand.PatchGroupAsync(organization, id, model);
+
         return new NoContentResult();
     }
 
diff --git a/bitwarden_license/src/Scim/Groups/Interfaces/IPatchGroupCommandvNext.cs b/bitwarden_license/src/Scim/Groups/Interfaces/IPatchGroupCommandvNext.cs
new file mode 100644
index 0000000000..f51cc54079
--- /dev/null
+++ b/bitwarden_license/src/Scim/Groups/Interfaces/IPatchGroupCommandvNext.cs
@@ -0,0 +1,9 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Scim.Models;
+
+namespace Bit.Scim.Groups.Interfaces;
+
+public interface IPatchGroupCommandvNext
+{
+    Task PatchGroupAsync(Group group, ScimPatchModel model);
+}
diff --git a/bitwarden_license/src/Scim/Groups/PatchGroupCommandvNext.cs b/bitwarden_license/src/Scim/Groups/PatchGroupCommandvNext.cs
new file mode 100644
index 0000000000..359df4bc94
--- /dev/null
+++ b/bitwarden_license/src/Scim/Groups/PatchGroupCommandvNext.cs
@@ -0,0 +1,170 @@
+using System.Text.Json;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.AdminConsole.Services;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Scim.Groups.Interfaces;
+using Bit.Scim.Models;
+using Bit.Scim.Utilities;
+
+namespace Bit.Scim.Groups;
+
+public class PatchGroupCommandvNext : IPatchGroupCommandvNext
+{
+    private readonly IGroupRepository _groupRepository;
+    private readonly IGroupService _groupService;
+    private readonly IUpdateGroupCommand _updateGroupCommand;
+    private readonly ILogger<PatchGroupCommandvNext> _logger;
+    private readonly IOrganizationRepository _organizationRepository;
+
+    public PatchGroupCommandvNext(
+        IGroupRepository groupRepository,
+        IGroupService groupService,
+        IUpdateGroupCommand updateGroupCommand,
+        ILogger<PatchGroupCommandvNext> logger,
+        IOrganizationRepository organizationRepository)
+    {
+        _groupRepository = groupRepository;
+        _groupService = groupService;
+        _updateGroupCommand = updateGroupCommand;
+        _logger = logger;
+        _organizationRepository = organizationRepository;
+    }
+
+    public async Task PatchGroupAsync(Group group, ScimPatchModel model)
+    {
+        foreach (var operation in model.Operations)
+        {
+            await HandleOperationAsync(group, operation);
+        }
+    }
+
+    private async Task HandleOperationAsync(Group group, ScimPatchModel.OperationModel operation)
+    {
+        switch (operation.Op?.ToLowerInvariant())
+        {
+            // Replace a list of members
+            case PatchOps.Replace when operation.Path?.ToLowerInvariant() == PatchPaths.Members:
+                {
+                    var ids = GetOperationValueIds(operation.Value);
+                    await _groupRepository.UpdateUsersAsync(group.Id, ids);
+                    break;
+                }
+
+            // Replace group name from path
+            case PatchOps.Replace when operation.Path?.ToLowerInvariant() == PatchPaths.DisplayName:
+                {
+                    group.Name = operation.Value.GetString();
+                    var organization = await _organizationRepository.GetByIdAsync(group.OrganizationId);
+                    if (organization == null)
+                    {
+                        throw new NotFoundException();
+                    }
+                    await _updateGroupCommand.UpdateGroupAsync(group, organization, EventSystemUser.SCIM);
+                    break;
+                }
+
+            // Replace group name from value object
+            case PatchOps.Replace when
+                string.IsNullOrWhiteSpace(operation.Path) &&
+                operation.Value.TryGetProperty("displayName", out var displayNameProperty):
+                {
+                    group.Name = displayNameProperty.GetString();
+                    var organization = await _organizationRepository.GetByIdAsync(group.OrganizationId);
+                    if (organization == null)
+                    {
+                        throw new NotFoundException();
+                    }
+                    await _updateGroupCommand.UpdateGroupAsync(group, organization, EventSystemUser.SCIM);
+                    break;
+                }
+
+            // Add a single member
+            case PatchOps.Add when
+                !string.IsNullOrWhiteSpace(operation.Path) &&
+                operation.Path.StartsWith("members[value eq ", StringComparison.OrdinalIgnoreCase) &&
+                TryGetOperationPathId(operation.Path, out var addId):
+                {
+                    await AddMembersAsync(group, [addId]);
+                    break;
+                }
+
+            // Add a list of members
+            case PatchOps.Add when
+                operation.Path?.ToLowerInvariant() == PatchPaths.Members:
+                {
+                    await AddMembersAsync(group, GetOperationValueIds(operation.Value));
+                    break;
+                }
+
+            // Remove a single member
+            case PatchOps.Remove when
+                !string.IsNullOrWhiteSpace(operation.Path) &&
+                operation.Path.StartsWith("members[value eq ", StringComparison.OrdinalIgnoreCase) &&
+                TryGetOperationPathId(operation.Path, out var removeId):
+                {
+                    await _groupService.DeleteUserAsync(group, removeId, EventSystemUser.SCIM);
+                    break;
+                }
+
+            // Remove a list of members
+            case PatchOps.Remove when
+                operation.Path?.ToLowerInvariant() == PatchPaths.Members:
+                {
+                    var orgUserIds = (await _groupRepository.GetManyUserIdsByIdAsync(group.Id)).ToHashSet();
+                    foreach (var v in GetOperationValueIds(operation.Value))
+                    {
+                        orgUserIds.Remove(v);
+                    }
+                    await _groupRepository.UpdateUsersAsync(group.Id, orgUserIds);
+                    break;
+                }
+
+            default:
+                {
+                    _logger.LogWarning("Group patch operation not handled: {OperationOp}:{OperationPath}", operation.Op, operation.Path);
+                    break;
+                }
+        }
+    }
+
+    private async Task AddMembersAsync(Group group, HashSet<Guid> usersToAdd)
+    {
+        // Azure Entra ID is known to send redundant "add" requests for each existing member every time any member
+        // is removed. To avoid excessive load on the database, we check against the high availability replica and
+        // return early if they already exist.
+        var groupMembers = await _groupRepository.GetManyUserIdsByIdAsync(group.Id, useReadOnlyReplica: true);
+        if (usersToAdd.IsSubsetOf(groupMembers))
+        {
+            _logger.LogDebug("Ignoring duplicate SCIM request to add members {Members} to group {Group}", usersToAdd, group.Id);
+            return;
+        }
+
+        await _groupRepository.AddGroupUsersByIdAsync(group.Id, usersToAdd);
+    }
+
+    private static HashSet<Guid> GetOperationValueIds(JsonElement objArray)
+    {
+        var ids = new HashSet<Guid>();
+        foreach (var obj in objArray.EnumerateArray())
+        {
+            if (obj.TryGetProperty("value", out var valueProperty))
+            {
+                if (valueProperty.TryGetGuid(out var guid))
+                {
+                    ids.Add(guid);
+                }
+            }
+        }
+        return ids;
+    }
+
+    private static bool TryGetOperationPathId(string path, out Guid pathId)
+    {
+        // Parse Guid from string like: members[value eq "{GUID}"}]
+        return Guid.TryParse(path.Substring(18).Replace("\"]", string.Empty), out pathId);
+    }
+}
diff --git a/bitwarden_license/src/Scim/Utilities/ScimConstants.cs b/bitwarden_license/src/Scim/Utilities/ScimConstants.cs
index 219be6534f..0836a72c7f 100644
--- a/bitwarden_license/src/Scim/Utilities/ScimConstants.cs
+++ b/bitwarden_license/src/Scim/Utilities/ScimConstants.cs
@@ -7,3 +7,16 @@ public static class ScimConstants
     public const string Scim2SchemaUser = "urn:ietf:params:scim:schemas:core:2.0:User";
     public const string Scim2SchemaGroup = "urn:ietf:params:scim:schemas:core:2.0:Group";
 }
+
+public static class PatchOps
+{
+    public const string Replace = "replace";
+    public const string Add = "add";
+    public const string Remove = "remove";
+}
+
+public static class PatchPaths
+{
+    public const string Members = "members";
+    public const string DisplayName = "displayname";
+}
diff --git a/bitwarden_license/src/Scim/Utilities/ScimServiceCollectionExtensions.cs b/bitwarden_license/src/Scim/Utilities/ScimServiceCollectionExtensions.cs
index 75b60a71fc..b5d866524a 100644
--- a/bitwarden_license/src/Scim/Utilities/ScimServiceCollectionExtensions.cs
+++ b/bitwarden_license/src/Scim/Utilities/ScimServiceCollectionExtensions.cs
@@ -10,6 +10,7 @@ public static class ScimServiceCollectionExtensions
     public static void AddScimGroupCommands(this IServiceCollection services)
     {
         services.AddScoped<IPatchGroupCommand, PatchGroupCommand>();
+        services.AddScoped<IPatchGroupCommandvNext, PatchGroupCommandvNext>();
         services.AddScoped<IPostGroupCommand, PostGroupCommand>();
         services.AddScoped<IPutGroupCommand, PutGroupCommand>();
     }
diff --git a/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerPatchTests.cs b/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerPatchTests.cs
new file mode 100644
index 0000000000..eaa5b3dcd7
--- /dev/null
+++ b/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerPatchTests.cs
@@ -0,0 +1,237 @@
+using System.Text.Json;
+using Bit.Scim.IntegrationTest.Factories;
+using Bit.Scim.Models;
+using Bit.Scim.Utilities;
+using Bit.Test.Common.Helpers;
+using Xunit;
+
+namespace Bit.Scim.IntegrationTest.Controllers.v2;
+
+public class GroupsControllerPatchTests : IClassFixture<ScimApplicationFactory>, IAsyncLifetime
+{
+    private readonly ScimApplicationFactory _factory;
+
+    public GroupsControllerPatchTests(ScimApplicationFactory factory)
+    {
+        _factory = factory;
+    }
+
+    public Task InitializeAsync()
+    {
+        var databaseContext = _factory.GetDatabaseContext();
+        _factory.ReinitializeDbForTests(databaseContext);
+        return Task.CompletedTask;
+    }
+
+    Task IAsyncLifetime.DisposeAsync() => Task.CompletedTask;
+
+    [Fact]
+    public async Task Patch_ReplaceDisplayName_Success()
+    {
+        var organizationId = ScimApplicationFactory.TestOrganizationId1;
+        var groupId = ScimApplicationFactory.TestGroupId1;
+        var newDisplayName = "Patch Display Name";
+        var inputModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>()
+            {
+                new ScimPatchModel.OperationModel
+                {
+                    Op = "replace",
+                    Value = JsonDocument.Parse($"{{\"displayName\":\"{newDisplayName}\"}}").RootElement
+                }
+            },
+            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
+        };
+
+        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
+
+        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
+
+        var databaseContext = _factory.GetDatabaseContext();
+        var group = databaseContext.Groups.FirstOrDefault(g => g.Id == groupId);
+        Assert.Equal(newDisplayName, group.Name);
+
+        Assert.Equal(ScimApplicationFactory.InitialGroupUsersCount, databaseContext.GroupUsers.Count());
+        Assert.True(databaseContext.GroupUsers.Any(gu => gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId1));
+        Assert.True(databaseContext.GroupUsers.Any(gu => gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId4));
+    }
+
+    [Fact]
+    public async Task Patch_ReplaceMembers_Success()
+    {
+        var organizationId = ScimApplicationFactory.TestOrganizationId1;
+        var groupId = ScimApplicationFactory.TestGroupId1;
+        var inputModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>()
+            {
+                new ScimPatchModel.OperationModel
+                {
+                    Op = "replace",
+                    Path = "members",
+                    Value = JsonDocument.Parse($"[{{\"value\":\"{ScimApplicationFactory.TestOrganizationUserId2}\"}}]").RootElement
+                }
+            },
+            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
+        };
+
+        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
+
+        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
+
+        var databaseContext = _factory.GetDatabaseContext();
+        Assert.Single(databaseContext.GroupUsers);
+
+        Assert.Equal(ScimApplicationFactory.InitialGroupUsersCount - 1, databaseContext.GroupUsers.Count());
+        var groupUser = databaseContext.GroupUsers.FirstOrDefault();
+        Assert.Equal(ScimApplicationFactory.TestOrganizationUserId2, groupUser.OrganizationUserId);
+    }
+
+    [Fact]
+    public async Task Patch_AddSingleMember_Success()
+    {
+        var organizationId = ScimApplicationFactory.TestOrganizationId1;
+        var groupId = ScimApplicationFactory.TestGroupId1;
+        var inputModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>()
+            {
+                new ScimPatchModel.OperationModel
+                {
+                    Op = "add",
+                    Path = $"members[value eq \"{ScimApplicationFactory.TestOrganizationUserId2}\"]",
+                    Value = JsonDocument.Parse("{}").RootElement
+                }
+            },
+            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
+        };
+
+        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
+
+        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
+
+        var databaseContext = _factory.GetDatabaseContext();
+        Assert.Equal(ScimApplicationFactory.InitialGroupUsersCount + 1, databaseContext.GroupUsers.Count());
+        Assert.True(databaseContext.GroupUsers.Any(gu => gu.GroupId == groupId && gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId1));
+        Assert.True(databaseContext.GroupUsers.Any(gu => gu.GroupId == groupId && gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId2));
+        Assert.True(databaseContext.GroupUsers.Any(gu => gu.GroupId == groupId && gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId4));
+    }
+
+    [Fact]
+    public async Task Patch_AddListMembers_Success()
+    {
+        var organizationId = ScimApplicationFactory.TestOrganizationId1;
+        var groupId = ScimApplicationFactory.TestGroupId2;
+        var inputModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>()
+            {
+                new ScimPatchModel.OperationModel
+                {
+                    Op = "add",
+                    Path = "members",
+                    Value = JsonDocument.Parse($"[{{\"value\":\"{ScimApplicationFactory.TestOrganizationUserId2}\"}},{{\"value\":\"{ScimApplicationFactory.TestOrganizationUserId3}\"}}]").RootElement
+                }
+            },
+            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
+        };
+
+        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
+
+        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
+
+        var databaseContext = _factory.GetDatabaseContext();
+        Assert.True(databaseContext.GroupUsers.Any(gu => gu.GroupId == groupId && gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId2));
+        Assert.True(databaseContext.GroupUsers.Any(gu => gu.GroupId == groupId && gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId3));
+    }
+
+    [Fact]
+    public async Task Patch_RemoveSingleMember_ReplaceDisplayName_Success()
+    {
+        var organizationId = ScimApplicationFactory.TestOrganizationId1;
+        var groupId = ScimApplicationFactory.TestGroupId1;
+        var newDisplayName = "Patch Display Name";
+        var inputModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>()
+            {
+                new ScimPatchModel.OperationModel
+                {
+                    Op = "remove",
+                    Path = $"members[value eq \"{ScimApplicationFactory.TestOrganizationUserId1}\"]",
+                    Value = JsonDocument.Parse("{}").RootElement
+                },
+                new ScimPatchModel.OperationModel
+                {
+                    Op = "replace",
+                    Value = JsonDocument.Parse($"{{\"displayName\":\"{newDisplayName}\"}}").RootElement
+                }
+            },
+            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
+        };
+
+        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
+
+        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
+
+        var databaseContext = _factory.GetDatabaseContext();
+        Assert.Equal(ScimApplicationFactory.InitialGroupUsersCount - 1, databaseContext.GroupUsers.Count());
+        Assert.Equal(ScimApplicationFactory.InitialGroupCount, databaseContext.Groups.Count());
+
+        var group = databaseContext.Groups.FirstOrDefault(g => g.Id == groupId);
+        Assert.Equal(newDisplayName, group.Name);
+    }
+
+    [Fact]
+    public async Task Patch_RemoveListMembers_Success()
+    {
+        var organizationId = ScimApplicationFactory.TestOrganizationId1;
+        var groupId = ScimApplicationFactory.TestGroupId1;
+        var inputModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>()
+            {
+                new ScimPatchModel.OperationModel
+                {
+                    Op = "remove",
+                    Path = "members",
+                    Value = JsonDocument.Parse($"[{{\"value\":\"{ScimApplicationFactory.TestOrganizationUserId1}\"}}, {{\"value\":\"{ScimApplicationFactory.TestOrganizationUserId4}\"}}]").RootElement
+                }
+            },
+            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
+        };
+
+        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
+
+        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
+
+        var databaseContext = _factory.GetDatabaseContext();
+        Assert.Empty(databaseContext.GroupUsers);
+    }
+
+    [Fact]
+    public async Task Patch_NotFound()
+    {
+        var organizationId = ScimApplicationFactory.TestOrganizationId1;
+        var groupId = Guid.NewGuid();
+        var inputModel = new Models.ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>(),
+            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
+        };
+        var expectedResponse = new ScimErrorResponseModel
+        {
+            Status = StatusCodes.Status404NotFound,
+            Detail = "Group not found.",
+            Schemas = new List<string> { ScimConstants.Scim2SchemaError }
+        };
+
+        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
+
+        Assert.Equal(StatusCodes.Status404NotFound, context.Response.StatusCode);
+
+        var responseModel = JsonSerializer.Deserialize<ScimErrorResponseModel>(context.Response.Body, new JsonSerializerOptions { PropertyNamingPolicy = JsonNamingPolicy.CamelCase });
+        AssertHelper.AssertPropertyEqual(expectedResponse, responseModel);
+    }
+}
diff --git a/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerPatchTestsvNext.cs b/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerPatchTestsvNext.cs
new file mode 100644
index 0000000000..f66184a8a2
--- /dev/null
+++ b/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerPatchTestsvNext.cs
@@ -0,0 +1,251 @@
+using System.Text.Json;
+using Bit.Core;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Services;
+using Bit.Scim.Groups.Interfaces;
+using Bit.Scim.IntegrationTest.Factories;
+using Bit.Scim.Models;
+using Bit.Scim.Utilities;
+using Bit.Test.Common.Helpers;
+using NSubstitute;
+using NSubstitute.ExceptionExtensions;
+using Xunit;
+
+namespace Bit.Scim.IntegrationTest.Controllers.v2;
+
+public class GroupsControllerPatchTestsvNext : IClassFixture<ScimApplicationFactory>, IAsyncLifetime
+{
+    private readonly ScimApplicationFactory _factory;
+
+    public GroupsControllerPatchTestsvNext(ScimApplicationFactory factory)
+    {
+        _factory = factory;
+
+        // Enable the feature flag for new PatchGroupsCommand and stub out the old command to be safe
+        _factory.SubstituteService((IFeatureService featureService)
+            => featureService.IsEnabled(FeatureFlagKeys.ShortcutDuplicatePatchRequests).Returns(true));
+        _factory.SubstituteService((IPatchGroupCommand patchGroupCommand)
+            => patchGroupCommand.PatchGroupAsync(Arg.Any<Organization>(), Arg.Any<Guid>(), Arg.Any<ScimPatchModel>())
+                .ThrowsAsync(new Exception("This test suite should be testing the vNext command, but the existing command was called.")));
+    }
+
+    public Task InitializeAsync()
+    {
+        var databaseContext = _factory.GetDatabaseContext();
+        _factory.ReinitializeDbForTests(databaseContext);
+
+        return Task.CompletedTask;
+    }
+
+    Task IAsyncLifetime.DisposeAsync() => Task.CompletedTask;
+
+    [Fact]
+    public async Task Patch_ReplaceDisplayName_Success()
+    {
+        var organizationId = ScimApplicationFactory.TestOrganizationId1;
+        var groupId = ScimApplicationFactory.TestGroupId1;
+        var newDisplayName = "Patch Display Name";
+        var inputModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>()
+            {
+                new ScimPatchModel.OperationModel
+                {
+                    Op = "replace",
+                    Value = JsonDocument.Parse($"{{\"displayName\":\"{newDisplayName}\"}}").RootElement
+                }
+            },
+            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
+        };
+
+        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
+
+        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
+
+        var databaseContext = _factory.GetDatabaseContext();
+        var group = databaseContext.Groups.FirstOrDefault(g => g.Id == groupId);
+        Assert.Equal(newDisplayName, group.Name);
+
+        Assert.Equal(ScimApplicationFactory.InitialGroupUsersCount, databaseContext.GroupUsers.Count());
+        Assert.True(databaseContext.GroupUsers.Any(gu => gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId1));
+        Assert.True(databaseContext.GroupUsers.Any(gu => gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId4));
+    }
+
+    [Fact]
+    public async Task Patch_ReplaceMembers_Success()
+    {
+        var organizationId = ScimApplicationFactory.TestOrganizationId1;
+        var groupId = ScimApplicationFactory.TestGroupId1;
+        var inputModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>()
+            {
+                new ScimPatchModel.OperationModel
+                {
+                    Op = "replace",
+                    Path = "members",
+                    Value = JsonDocument.Parse($"[{{\"value\":\"{ScimApplicationFactory.TestOrganizationUserId2}\"}}]").RootElement
+                }
+            },
+            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
+        };
+
+        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
+
+        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
+
+        var databaseContext = _factory.GetDatabaseContext();
+        Assert.Single(databaseContext.GroupUsers);
+
+        Assert.Equal(ScimApplicationFactory.InitialGroupUsersCount - 1, databaseContext.GroupUsers.Count());
+        var groupUser = databaseContext.GroupUsers.FirstOrDefault();
+        Assert.Equal(ScimApplicationFactory.TestOrganizationUserId2, groupUser.OrganizationUserId);
+    }
+
+    [Fact]
+    public async Task Patch_AddSingleMember_Success()
+    {
+        var organizationId = ScimApplicationFactory.TestOrganizationId1;
+        var groupId = ScimApplicationFactory.TestGroupId1;
+        var inputModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>()
+            {
+                new ScimPatchModel.OperationModel
+                {
+                    Op = "add",
+                    Path = $"members[value eq \"{ScimApplicationFactory.TestOrganizationUserId2}\"]",
+                    Value = JsonDocument.Parse("{}").RootElement
+                }
+            },
+            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
+        };
+
+        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
+
+        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
+
+        var databaseContext = _factory.GetDatabaseContext();
+        Assert.Equal(ScimApplicationFactory.InitialGroupUsersCount + 1, databaseContext.GroupUsers.Count());
+        Assert.True(databaseContext.GroupUsers.Any(gu => gu.GroupId == groupId && gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId1));
+        Assert.True(databaseContext.GroupUsers.Any(gu => gu.GroupId == groupId && gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId2));
+        Assert.True(databaseContext.GroupUsers.Any(gu => gu.GroupId == groupId && gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId4));
+    }
+
+    [Fact]
+    public async Task Patch_AddListMembers_Success()
+    {
+        var organizationId = ScimApplicationFactory.TestOrganizationId1;
+        var groupId = ScimApplicationFactory.TestGroupId2;
+        var inputModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>()
+            {
+                new ScimPatchModel.OperationModel
+                {
+                    Op = "add",
+                    Path = "members",
+                    Value = JsonDocument.Parse($"[{{\"value\":\"{ScimApplicationFactory.TestOrganizationUserId2}\"}},{{\"value\":\"{ScimApplicationFactory.TestOrganizationUserId3}\"}}]").RootElement
+                }
+            },
+            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
+        };
+
+        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
+
+        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
+
+        var databaseContext = _factory.GetDatabaseContext();
+        Assert.True(databaseContext.GroupUsers.Any(gu => gu.GroupId == groupId && gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId2));
+        Assert.True(databaseContext.GroupUsers.Any(gu => gu.GroupId == groupId && gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId3));
+    }
+
+    [Fact]
+    public async Task Patch_RemoveSingleMember_ReplaceDisplayName_Success()
+    {
+        var organizationId = ScimApplicationFactory.TestOrganizationId1;
+        var groupId = ScimApplicationFactory.TestGroupId1;
+        var newDisplayName = "Patch Display Name";
+        var inputModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>()
+            {
+                new ScimPatchModel.OperationModel
+                {
+                    Op = "remove",
+                    Path = $"members[value eq \"{ScimApplicationFactory.TestOrganizationUserId1}\"]",
+                    Value = JsonDocument.Parse("{}").RootElement
+                },
+                new ScimPatchModel.OperationModel
+                {
+                    Op = "replace",
+                    Value = JsonDocument.Parse($"{{\"displayName\":\"{newDisplayName}\"}}").RootElement
+                }
+            },
+            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
+        };
+
+        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
+
+        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
+
+        var databaseContext = _factory.GetDatabaseContext();
+        Assert.Equal(ScimApplicationFactory.InitialGroupUsersCount - 1, databaseContext.GroupUsers.Count());
+        Assert.Equal(ScimApplicationFactory.InitialGroupCount, databaseContext.Groups.Count());
+
+        var group = databaseContext.Groups.FirstOrDefault(g => g.Id == groupId);
+        Assert.Equal(newDisplayName, group.Name);
+    }
+
+    [Fact]
+    public async Task Patch_RemoveListMembers_Success()
+    {
+        var organizationId = ScimApplicationFactory.TestOrganizationId1;
+        var groupId = ScimApplicationFactory.TestGroupId1;
+        var inputModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>()
+            {
+                new ScimPatchModel.OperationModel
+                {
+                    Op = "remove",
+                    Path = "members",
+                    Value = JsonDocument.Parse($"[{{\"value\":\"{ScimApplicationFactory.TestOrganizationUserId1}\"}}, {{\"value\":\"{ScimApplicationFactory.TestOrganizationUserId4}\"}}]").RootElement
+                }
+            },
+            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
+        };
+
+        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
+
+        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
+
+        var databaseContext = _factory.GetDatabaseContext();
+        Assert.Empty(databaseContext.GroupUsers);
+    }
+
+    [Fact]
+    public async Task Patch_NotFound()
+    {
+        var organizationId = ScimApplicationFactory.TestOrganizationId1;
+        var groupId = Guid.NewGuid();
+        var inputModel = new Models.ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>(),
+            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
+        };
+        var expectedResponse = new ScimErrorResponseModel
+        {
+            Status = StatusCodes.Status404NotFound,
+            Detail = "Group not found.",
+            Schemas = new List<string> { ScimConstants.Scim2SchemaError }
+        };
+
+        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
+
+        Assert.Equal(StatusCodes.Status404NotFound, context.Response.StatusCode);
+
+        var responseModel = JsonSerializer.Deserialize<ScimErrorResponseModel>(context.Response.Body, new JsonSerializerOptions { PropertyNamingPolicy = JsonNamingPolicy.CamelCase });
+        AssertHelper.AssertPropertyEqual(expectedResponse, responseModel);
+    }
+}
diff --git a/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerTests.cs b/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerTests.cs
index f8150fc1c5..5f562a30c5 100644
--- a/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerTests.cs
+++ b/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerTests.cs
@@ -9,9 +9,6 @@ namespace Bit.Scim.IntegrationTest.Controllers.v2;
 
 public class GroupsControllerTests : IClassFixture<ScimApplicationFactory>, IAsyncLifetime
 {
-    private const int _initialGroupCount = 3;
-    private const int _initialGroupUsersCount = 2;
-
     private readonly ScimApplicationFactory _factory;
 
     public GroupsControllerTests(ScimApplicationFactory factory)
@@ -237,10 +234,10 @@ public class GroupsControllerTests : IClassFixture<ScimApplicationFactory>, IAsy
         AssertHelper.AssertPropertyEqual(expectedResponse, responseModel, "Id");
 
         var databaseContext = _factory.GetDatabaseContext();
-        Assert.Equal(_initialGroupCount + 1, databaseContext.Groups.Count());
+        Assert.Equal(ScimApplicationFactory.InitialGroupCount + 1, databaseContext.Groups.Count());
         Assert.True(databaseContext.Groups.Any(g => g.Name == displayName && g.ExternalId == externalId));
 
-        Assert.Equal(_initialGroupUsersCount + 1, databaseContext.GroupUsers.Count());
+        Assert.Equal(ScimApplicationFactory.InitialGroupUsersCount + 1, databaseContext.GroupUsers.Count());
         Assert.True(databaseContext.GroupUsers.Any(gu => gu.GroupId == responseModel.Id && gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId1));
     }
 
@@ -281,7 +278,7 @@ public class GroupsControllerTests : IClassFixture<ScimApplicationFactory>, IAsy
         Assert.Equal(StatusCodes.Status409Conflict, context.Response.StatusCode);
 
         var databaseContext = _factory.GetDatabaseContext();
-        Assert.Equal(_initialGroupCount, databaseContext.Groups.Count());
+        Assert.Equal(ScimApplicationFactory.InitialGroupCount, databaseContext.Groups.Count());
         Assert.False(databaseContext.Groups.Any(g => g.Name == "New Group"));
     }
 
@@ -354,216 +351,6 @@ public class GroupsControllerTests : IClassFixture<ScimApplicationFactory>, IAsy
         AssertHelper.AssertPropertyEqual(expectedResponse, responseModel);
     }
 
-    [Fact]
-    public async Task Patch_ReplaceDisplayName_Success()
-    {
-        var organizationId = ScimApplicationFactory.TestOrganizationId1;
-        var groupId = ScimApplicationFactory.TestGroupId1;
-        var newDisplayName = "Patch Display Name";
-        var inputModel = new ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>()
-            {
-                new ScimPatchModel.OperationModel
-                {
-                    Op = "replace",
-                    Value = JsonDocument.Parse($"{{\"displayName\":\"{newDisplayName}\"}}").RootElement
-                }
-            },
-            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
-        };
-
-        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
-
-        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
-
-        var databaseContext = _factory.GetDatabaseContext();
-        var group = databaseContext.Groups.FirstOrDefault(g => g.Id == groupId);
-        Assert.Equal(newDisplayName, group.Name);
-
-        Assert.Equal(_initialGroupUsersCount, databaseContext.GroupUsers.Count());
-        Assert.True(databaseContext.GroupUsers.Any(gu => gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId1));
-        Assert.True(databaseContext.GroupUsers.Any(gu => gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId4));
-    }
-
-    [Fact]
-    public async Task Patch_ReplaceMembers_Success()
-    {
-        var organizationId = ScimApplicationFactory.TestOrganizationId1;
-        var groupId = ScimApplicationFactory.TestGroupId1;
-        var inputModel = new ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>()
-            {
-                new ScimPatchModel.OperationModel
-                {
-                    Op = "replace",
-                    Path = "members",
-                    Value = JsonDocument.Parse($"[{{\"value\":\"{ScimApplicationFactory.TestOrganizationUserId2}\"}}]").RootElement
-                }
-            },
-            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
-        };
-
-        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
-
-        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
-
-        var databaseContext = _factory.GetDatabaseContext();
-        Assert.Single(databaseContext.GroupUsers);
-
-        Assert.Equal(_initialGroupUsersCount - 1, databaseContext.GroupUsers.Count());
-        var groupUser = databaseContext.GroupUsers.FirstOrDefault();
-        Assert.Equal(ScimApplicationFactory.TestOrganizationUserId2, groupUser.OrganizationUserId);
-    }
-
-    [Fact]
-    public async Task Patch_AddSingleMember_Success()
-    {
-        var organizationId = ScimApplicationFactory.TestOrganizationId1;
-        var groupId = ScimApplicationFactory.TestGroupId1;
-        var inputModel = new ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>()
-            {
-                new ScimPatchModel.OperationModel
-                {
-                    Op = "add",
-                    Path = $"members[value eq \"{ScimApplicationFactory.TestOrganizationUserId2}\"]",
-                    Value = JsonDocument.Parse("{}").RootElement
-                }
-            },
-            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
-        };
-
-        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
-
-        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
-
-        var databaseContext = _factory.GetDatabaseContext();
-        Assert.Equal(_initialGroupUsersCount + 1, databaseContext.GroupUsers.Count());
-        Assert.True(databaseContext.GroupUsers.Any(gu => gu.GroupId == groupId && gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId1));
-        Assert.True(databaseContext.GroupUsers.Any(gu => gu.GroupId == groupId && gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId2));
-        Assert.True(databaseContext.GroupUsers.Any(gu => gu.GroupId == groupId && gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId4));
-    }
-
-    [Fact]
-    public async Task Patch_AddListMembers_Success()
-    {
-        var organizationId = ScimApplicationFactory.TestOrganizationId1;
-        var groupId = ScimApplicationFactory.TestGroupId2;
-        var inputModel = new ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>()
-            {
-                new ScimPatchModel.OperationModel
-                {
-                    Op = "add",
-                    Path = "members",
-                    Value = JsonDocument.Parse($"[{{\"value\":\"{ScimApplicationFactory.TestOrganizationUserId2}\"}},{{\"value\":\"{ScimApplicationFactory.TestOrganizationUserId3}\"}}]").RootElement
-                }
-            },
-            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
-        };
-
-        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
-
-        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
-
-        var databaseContext = _factory.GetDatabaseContext();
-        Assert.True(databaseContext.GroupUsers.Any(gu => gu.GroupId == groupId && gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId2));
-        Assert.True(databaseContext.GroupUsers.Any(gu => gu.GroupId == groupId && gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId3));
-    }
-
-    [Fact]
-    public async Task Patch_RemoveSingleMember_ReplaceDisplayName_Success()
-    {
-        var organizationId = ScimApplicationFactory.TestOrganizationId1;
-        var groupId = ScimApplicationFactory.TestGroupId1;
-        var newDisplayName = "Patch Display Name";
-        var inputModel = new ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>()
-            {
-                new ScimPatchModel.OperationModel
-                {
-                    Op = "remove",
-                    Path = $"members[value eq \"{ScimApplicationFactory.TestOrganizationUserId1}\"]",
-                    Value = JsonDocument.Parse("{}").RootElement
-                },
-                new ScimPatchModel.OperationModel
-                {
-                    Op = "replace",
-                    Value = JsonDocument.Parse($"{{\"displayName\":\"{newDisplayName}\"}}").RootElement
-                }
-            },
-            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
-        };
-
-        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
-
-        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
-
-        var databaseContext = _factory.GetDatabaseContext();
-        Assert.Equal(_initialGroupUsersCount - 1, databaseContext.GroupUsers.Count());
-        Assert.Equal(_initialGroupCount, databaseContext.Groups.Count());
-
-        var group = databaseContext.Groups.FirstOrDefault(g => g.Id == groupId);
-        Assert.Equal(newDisplayName, group.Name);
-    }
-
-    [Fact]
-    public async Task Patch_RemoveListMembers_Success()
-    {
-        var organizationId = ScimApplicationFactory.TestOrganizationId1;
-        var groupId = ScimApplicationFactory.TestGroupId1;
-        var inputModel = new ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>()
-            {
-                new ScimPatchModel.OperationModel
-                {
-                    Op = "remove",
-                    Path = "members",
-                    Value = JsonDocument.Parse($"[{{\"value\":\"{ScimApplicationFactory.TestOrganizationUserId1}\"}}, {{\"value\":\"{ScimApplicationFactory.TestOrganizationUserId4}\"}}]").RootElement
-                }
-            },
-            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
-        };
-
-        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
-
-        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
-
-        var databaseContext = _factory.GetDatabaseContext();
-        Assert.Empty(databaseContext.GroupUsers);
-    }
-
-    [Fact]
-    public async Task Patch_NotFound()
-    {
-        var organizationId = ScimApplicationFactory.TestOrganizationId1;
-        var groupId = Guid.NewGuid();
-        var inputModel = new Models.ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>(),
-            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
-        };
-        var expectedResponse = new ScimErrorResponseModel
-        {
-            Status = StatusCodes.Status404NotFound,
-            Detail = "Group not found.",
-            Schemas = new List<string> { ScimConstants.Scim2SchemaError }
-        };
-
-        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
-
-        Assert.Equal(StatusCodes.Status404NotFound, context.Response.StatusCode);
-
-        var responseModel = JsonSerializer.Deserialize<ScimErrorResponseModel>(context.Response.Body, new JsonSerializerOptions { PropertyNamingPolicy = JsonNamingPolicy.CamelCase });
-        AssertHelper.AssertPropertyEqual(expectedResponse, responseModel);
-    }
-
     [Fact]
     public async Task Delete_Success()
     {
@@ -575,7 +362,7 @@ public class GroupsControllerTests : IClassFixture<ScimApplicationFactory>, IAsy
         Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
 
         var databaseContext = _factory.GetDatabaseContext();
-        Assert.Equal(_initialGroupCount - 1, databaseContext.Groups.Count());
+        Assert.Equal(ScimApplicationFactory.InitialGroupCount - 1, databaseContext.Groups.Count());
         Assert.True(databaseContext.Groups.FirstOrDefault(g => g.Id == groupId) == null);
     }
 
diff --git a/bitwarden_license/test/Scim.IntegrationTest/Factories/ScimApplicationFactory.cs b/bitwarden_license/test/Scim.IntegrationTest/Factories/ScimApplicationFactory.cs
index b9c6191f75..1a5cdde41c 100644
--- a/bitwarden_license/test/Scim.IntegrationTest/Factories/ScimApplicationFactory.cs
+++ b/bitwarden_license/test/Scim.IntegrationTest/Factories/ScimApplicationFactory.cs
@@ -9,8 +9,6 @@ using Bit.Infrastructure.EntityFramework.Repositories;
 using Bit.IntegrationTestCommon.Factories;
 using Bit.Scim.Models;
 using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Mvc.Testing;
-using Microsoft.AspNetCore.TestHost;
 using Microsoft.Extensions.Options;
 using Microsoft.Net.Http.Headers;
 
@@ -18,7 +16,8 @@ namespace Bit.Scim.IntegrationTest.Factories;
 
 public class ScimApplicationFactory : WebApplicationFactoryBase<Startup>
 {
-    public readonly new TestServer Server;
+    public const int InitialGroupCount = 3;
+    public const int InitialGroupUsersCount = 2;
 
     public static readonly Guid TestUserId1 = Guid.Parse("2e8173db-8e8d-4de1-ac38-91b15c6d8dcb");
     public static readonly Guid TestUserId2 = Guid.Parse("b57846fc-0e94-4c93-9de5-9d0389eeadfb");
@@ -33,32 +32,29 @@ public class ScimApplicationFactory : WebApplicationFactoryBase<Startup>
     public static readonly Guid TestOrganizationUserId3 = Guid.Parse("be2f9045-e2b6-4173-ad44-4c69c3ea8140");
     public static readonly Guid TestOrganizationUserId4 = Guid.Parse("1f5689b7-e96e-4840-b0b1-eb3d5b5fd514");
 
-    public ScimApplicationFactory()
+    protected override void ConfigureWebHost(IWebHostBuilder builder)
     {
-        WebApplicationFactory<Startup> webApplicationFactory = WithWebHostBuilder(builder =>
+        base.ConfigureWebHost(builder);
+
+        builder.ConfigureServices(services =>
         {
-            builder.ConfigureServices(services =>
+            services
+                .AddAuthentication("Test")
+                .AddScheme<AuthenticationSchemeOptions, TestAuthHandler>("Test", options => { });
+
+            // Override to bypass SCIM authorization
+            services.AddAuthorization(config =>
             {
-                services
-                    .AddAuthentication("Test")
-                    .AddScheme<AuthenticationSchemeOptions, TestAuthHandler>("Test", options => { });
-
-                // Override to bypass SCIM authorization
-                services.AddAuthorization(config =>
+                config.AddPolicy("Scim", policy =>
                 {
-                    config.AddPolicy("Scim", policy =>
-                    {
-                        policy.RequireAssertion(a => true);
-                    });
+                    policy.RequireAssertion(a => true);
                 });
-
-                var mailService = services.First(sd => sd.ServiceType == typeof(IMailService));
-                services.Remove(mailService);
-                services.AddSingleton<IMailService, NoopMailService>();
             });
-        });
 
-        Server = webApplicationFactory.Server;
+            var mailService = services.First(sd => sd.ServiceType == typeof(IMailService));
+            services.Remove(mailService);
+            services.AddSingleton<IMailService, NoopMailService>();
+        });
     }
 
     public async Task<HttpContext> GroupsGetAsync(Guid organizationId, Guid id)
diff --git a/bitwarden_license/test/Scim.Test/Groups/PatchGroupCommandvNextTests.cs b/bitwarden_license/test/Scim.Test/Groups/PatchGroupCommandvNextTests.cs
new file mode 100644
index 0000000000..b9877f0b71
--- /dev/null
+++ b/bitwarden_license/test/Scim.Test/Groups/PatchGroupCommandvNextTests.cs
@@ -0,0 +1,381 @@
+using System.Text.Json;
+using AutoFixture;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.AdminConsole.Services;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Bit.Scim.Groups;
+using Bit.Scim.Models;
+using Bit.Scim.Utilities;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Scim.Test.Groups;
+
+[SutProviderCustomize]
+public class PatchGroupCommandvNextTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task PatchGroup_ReplaceListMembers_Success(SutProvider<PatchGroupCommandvNext> sutProvider,
+        Organization organization, Group group, IEnumerable<Guid> userIds)
+    {
+        group.OrganizationId = organization.Id;
+
+        var scimPatchModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>
+            {
+                new()
+                {
+                    Op = "replace",
+                    Path = "members",
+                    Value = JsonDocument.Parse(JsonSerializer.Serialize(userIds.Select(uid => new { value = uid }).ToArray())).RootElement
+                }
+            },
+            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
+        };
+
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
+
+        await sutProvider.GetDependency<IGroupRepository>().Received(1).UpdateUsersAsync(
+            group.Id,
+            Arg.Is<IEnumerable<Guid>>(arg =>
+                arg.Count() == userIds.Count() &&
+                arg.ToHashSet().SetEquals(userIds)));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PatchGroup_ReplaceDisplayNameFromPath_Success(
+        SutProvider<PatchGroupCommandvNext> sutProvider, Organization organization, Group group, string displayName)
+    {
+        group.OrganizationId = organization.Id;
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        var scimPatchModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>
+            {
+                new()
+                {
+                    Op = "replace",
+                    Path = "displayname",
+                    Value = JsonDocument.Parse($"\"{displayName}\"").RootElement
+                }
+            },
+            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
+        };
+
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
+
+        await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(group, organization, EventSystemUser.SCIM);
+        Assert.Equal(displayName, group.Name);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PatchGroup_ReplaceDisplayNameFromValueObject_Success(SutProvider<PatchGroupCommandvNext> sutProvider, Organization organization, Group group, string displayName)
+    {
+        group.OrganizationId = organization.Id;
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        var scimPatchModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>
+            {
+                new()
+                {
+                    Op = "replace",
+                    Value = JsonDocument.Parse($"{{\"displayName\":\"{displayName}\"}}").RootElement
+                }
+            },
+            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
+        };
+
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
+
+        await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(group, organization, EventSystemUser.SCIM);
+        Assert.Equal(displayName, group.Name);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PatchGroup_AddSingleMember_Success(SutProvider<PatchGroupCommandvNext> sutProvider, Organization organization, Group group, ICollection<Guid> existingMembers, Guid userId)
+    {
+        group.OrganizationId = organization.Id;
+
+        sutProvider.GetDependency<IGroupRepository>()
+            .GetManyUserIdsByIdAsync(group.Id, true)
+            .Returns(existingMembers);
+
+        var scimPatchModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>
+            {
+                new()
+                {
+                    Op = "add",
+                    Path = $"members[value eq \"{userId}\"]",
+                }
+            },
+            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
+        };
+
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
+
+        await sutProvider.GetDependency<IGroupRepository>().Received(1).AddGroupUsersByIdAsync(
+            group.Id,
+            Arg.Is<IEnumerable<Guid>>(arg => arg.Single() == userId));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PatchGroup_AddSingleMember_ReturnsEarlyIfAlreadyInGroup(
+        SutProvider<PatchGroupCommandvNext> sutProvider,
+        Organization organization,
+        Group group,
+        ICollection<Guid> existingMembers)
+    {
+        // User being added is already in group
+        var userId = existingMembers.First();
+        group.OrganizationId = organization.Id;
+
+        sutProvider.GetDependency<IGroupRepository>()
+            .GetManyUserIdsByIdAsync(group.Id, true)
+            .Returns(existingMembers);
+
+        var scimPatchModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>
+            {
+                new()
+                {
+                    Op = "add",
+                    Path = $"members[value eq \"{userId}\"]",
+                }
+            },
+            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
+        };
+
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
+
+        await sutProvider.GetDependency<IGroupRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .AddGroupUsersByIdAsync(default, default);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PatchGroup_AddListMembers_Success(SutProvider<PatchGroupCommandvNext> sutProvider, Organization organization, Group group, ICollection<Guid> existingMembers, ICollection<Guid> userIds)
+    {
+        group.OrganizationId = organization.Id;
+
+        sutProvider.GetDependency<IGroupRepository>()
+            .GetManyUserIdsByIdAsync(group.Id, true)
+            .Returns(existingMembers);
+
+        var scimPatchModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>
+            {
+                new()
+                {
+                    Op = "add",
+                    Path = $"members",
+                    Value = JsonDocument.Parse(JsonSerializer.Serialize(userIds.Select(uid => new { value = uid }).ToArray())).RootElement
+                }
+            },
+            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
+        };
+
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
+
+        await sutProvider.GetDependency<IGroupRepository>().Received(1).AddGroupUsersByIdAsync(
+            group.Id,
+            Arg.Is<IEnumerable<Guid>>(arg =>
+                arg.Count() == userIds.Count &&
+                arg.ToHashSet().SetEquals(userIds)));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PatchGroup_AddListMembers_IgnoresDuplicatesInRequest(
+        SutProvider<PatchGroupCommandvNext> sutProvider, Organization organization, Group group,
+        ICollection<Guid> existingMembers)
+    {
+        // Create 3 userIds
+        var fixture = new Fixture { RepeatCount = 3 };
+        var userIds = fixture.CreateMany<Guid>().ToList();
+
+        // Copy the list and add a duplicate
+        var userIdsWithDuplicate = userIds.Append(userIds.First()).ToList();
+        Assert.Equal(4, userIdsWithDuplicate.Count);
+
+        group.OrganizationId = organization.Id;
+
+        sutProvider.GetDependency<IGroupRepository>()
+            .GetManyUserIdsByIdAsync(group.Id, true)
+            .Returns(existingMembers);
+
+        var scimPatchModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>
+            {
+                new()
+                {
+                    Op = "add",
+                    Path = $"members",
+                    Value = JsonDocument.Parse(JsonSerializer
+                        .Serialize(userIdsWithDuplicate
+                            .Select(uid => new { value = uid })
+                            .ToArray())).RootElement
+                }
+            },
+            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
+        };
+
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
+
+        await sutProvider.GetDependency<IGroupRepository>().Received(1).AddGroupUsersByIdAsync(
+            group.Id,
+            Arg.Is<IEnumerable<Guid>>(arg =>
+                arg.Count() == 3 &&
+                arg.ToHashSet().SetEquals(userIds)));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PatchGroup_AddListMembers_SuccessIfOnlySomeUsersAreInGroup(
+        SutProvider<PatchGroupCommandvNext> sutProvider,
+        Organization organization, Group group,
+        ICollection<Guid> existingMembers,
+        ICollection<Guid> userIds)
+    {
+        // A user is already in the group, but some still need to be added
+        userIds.Add(existingMembers.First());
+
+        group.OrganizationId = organization.Id;
+
+        sutProvider.GetDependency<IGroupRepository>()
+            .GetManyUserIdsByIdAsync(group.Id, true)
+            .Returns(existingMembers);
+
+        var scimPatchModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>
+            {
+                new()
+                {
+                    Op = "add",
+                    Path = $"members",
+                    Value = JsonDocument.Parse(JsonSerializer.Serialize(userIds.Select(uid => new { value = uid }).ToArray())).RootElement
+                }
+            },
+            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
+        };
+
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
+
+        await sutProvider.GetDependency<IGroupRepository>()
+            .Received(1)
+            .AddGroupUsersByIdAsync(
+                group.Id,
+                Arg.Is<IEnumerable<Guid>>(arg =>
+                    arg.Count() == userIds.Count &&
+                    arg.ToHashSet().SetEquals(userIds)));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PatchGroup_RemoveSingleMember_Success(SutProvider<PatchGroupCommandvNext> sutProvider, Organization organization, Group group, Guid userId)
+    {
+        group.OrganizationId = organization.Id;
+
+        var scimPatchModel = new Models.ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>
+            {
+                new ScimPatchModel.OperationModel
+                {
+                    Op = "remove",
+                    Path = $"members[value eq \"{userId}\"]",
+                }
+            },
+            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
+        };
+
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
+
+        await sutProvider.GetDependency<IGroupService>().Received(1).DeleteUserAsync(group, userId, EventSystemUser.SCIM);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PatchGroup_RemoveListMembers_Success(SutProvider<PatchGroupCommandvNext> sutProvider,
+        Organization organization, Group group, ICollection<Guid> existingMembers)
+    {
+        List<Guid> usersToRemove = [existingMembers.First(), existingMembers.Skip(1).First()];
+        group.OrganizationId = organization.Id;
+
+        sutProvider.GetDependency<IGroupRepository>()
+            .GetManyUserIdsByIdAsync(group.Id)
+            .Returns(existingMembers);
+
+        var scimPatchModel = new Models.ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>
+            {
+                new()
+                {
+                    Op = "remove",
+                    Path = $"members",
+                    Value = JsonDocument.Parse(JsonSerializer.Serialize(usersToRemove.Select(uid => new { value = uid }).ToArray())).RootElement
+                }
+            },
+            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
+        };
+
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
+
+        var expectedRemainingUsers = existingMembers.Skip(2).ToList();
+        await sutProvider.GetDependency<IGroupRepository>()
+            .Received(1)
+            .UpdateUsersAsync(
+                group.Id,
+                Arg.Is<IEnumerable<Guid>>(arg =>
+                    arg.Count() == expectedRemainingUsers.Count &&
+                    arg.ToHashSet().SetEquals(expectedRemainingUsers)));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PatchGroup_NoAction_Success(
+        SutProvider<PatchGroupCommandvNext> sutProvider, Organization organization, Group group)
+    {
+        group.OrganizationId = organization.Id;
+
+        var scimPatchModel = new Models.ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>(),
+            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
+        };
+
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
+
+        await sutProvider.GetDependency<IGroupRepository>().DidNotReceiveWithAnyArgs().UpdateUsersAsync(default, default);
+        await sutProvider.GetDependency<IGroupRepository>().DidNotReceiveWithAnyArgs().GetManyUserIdsByIdAsync(default);
+        await sutProvider.GetDependency<IUpdateGroupCommand>().DidNotReceiveWithAnyArgs().UpdateGroupAsync(default, default);
+        await sutProvider.GetDependency<IGroupService>().DidNotReceiveWithAnyArgs().DeleteUserAsync(default, default);
+    }
+}
diff --git a/src/Core/AdminConsole/Repositories/IGroupRepository.cs b/src/Core/AdminConsole/Repositories/IGroupRepository.cs
index 6519b19833..b70331a3f5 100644
--- a/src/Core/AdminConsole/Repositories/IGroupRepository.cs
+++ b/src/Core/AdminConsole/Repositories/IGroupRepository.cs
@@ -14,11 +14,29 @@ public interface IGroupRepository : IRepository<Group, Guid>
         Guid organizationId);
     Task<ICollection<Group>> GetManyByManyIds(IEnumerable<Guid> groupIds);
     Task<ICollection<Guid>> GetManyIdsByUserIdAsync(Guid organizationUserId);
-    Task<ICollection<Guid>> GetManyUserIdsByIdAsync(Guid id);
+    /// <summary>
+    /// Query all OrganizationUserIds who are a member of the specified group.
+    /// </summary>
+    /// <param name="id">The group id.</param>
+    /// <param name="useReadOnlyReplica">
+    /// Whether to use the high-availability database replica. This is for paths with high traffic where immediate data
+    /// consistency is not required. You generally do not want this.
+    /// </param>
+    /// <returns></returns>
+    Task<ICollection<Guid>> GetManyUserIdsByIdAsync(Guid id, bool useReadOnlyReplica = false);
     Task<ICollection<GroupUser>> GetManyGroupUsersByOrganizationIdAsync(Guid organizationId);
     Task CreateAsync(Group obj, IEnumerable<CollectionAccessSelection> collections);
     Task ReplaceAsync(Group obj, IEnumerable<CollectionAccessSelection> collections);
     Task DeleteUserAsync(Guid groupId, Guid organizationUserId);
+    /// <summary>
+    /// Update a group's members. Replaces all members currently in the group.
+    /// Ignores members that do not belong to the same organization as the group.
+    /// </summary>
     Task UpdateUsersAsync(Guid groupId, IEnumerable<Guid> organizationUserIds);
+    /// <summary>
+    /// Add members to a group. Gracefully ignores members that are already in the group,
+    /// duplicate organizationUserIds, and organizationUsers who are not part of the organization.
+    /// </summary>
+    Task AddGroupUsersByIdAsync(Guid groupId, IEnumerable<Guid> organizationUserIds);
     Task DeleteManyAsync(IEnumerable<Guid> groupIds);
 }
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 0b0d21f7bb..21360703a2 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -108,6 +108,7 @@ public static class FeatureFlagKeys
     public const string IntegrationPage = "pm-14505-admin-console-integration-page";
     public const string DeviceApprovalRequestAdminNotifications = "pm-15637-device-approval-request-admin-notifications";
     public const string LimitItemDeletion = "pm-15493-restrict-item-deletion-to-can-manage-permission";
+    public const string ShortcutDuplicatePatchRequests = "pm-16812-shortcut-duplicate-patch-requests";
     public const string PushSyncOrgKeysOnRevokeRestore = "pm-17168-push-sync-org-keys-on-revoke-restore";
 
     /* Tools Team */
diff --git a/src/Infrastructure.Dapper/AdminConsole/Repositories/GroupRepository.cs b/src/Infrastructure.Dapper/AdminConsole/Repositories/GroupRepository.cs
index d8245ce719..2b4db3940c 100644
--- a/src/Infrastructure.Dapper/AdminConsole/Repositories/GroupRepository.cs
+++ b/src/Infrastructure.Dapper/AdminConsole/Repositories/GroupRepository.cs
@@ -109,9 +109,13 @@ public class GroupRepository : Repository<Group, Guid>, IGroupRepository
         }
     }
 
-    public async Task<ICollection<Guid>> GetManyUserIdsByIdAsync(Guid id)
+    public async Task<ICollection<Guid>> GetManyUserIdsByIdAsync(Guid id, bool useReadOnlyReplica = false)
     {
-        using (var connection = new SqlConnection(ConnectionString))
+        var connectionString = useReadOnlyReplica
+            ? ReadOnlyConnectionString
+            : ConnectionString;
+
+        using (var connection = new SqlConnection(connectionString))
         {
             var results = await connection.QueryAsync<Guid>(
                 $"[{Schema}].[GroupUser_ReadOrganizationUserIdsByGroupId]",
@@ -186,6 +190,17 @@ public class GroupRepository : Repository<Group, Guid>, IGroupRepository
         }
     }
 
+    public async Task AddGroupUsersByIdAsync(Guid groupId, IEnumerable<Guid> organizationUserIds)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var results = await connection.ExecuteAsync(
+                "[dbo].[GroupUser_AddUsers]",
+                new { GroupId = groupId, OrganizationUserIds = organizationUserIds.ToGuidIdArrayTVP() },
+                commandType: CommandType.StoredProcedure);
+        }
+    }
+
     public async Task DeleteManyAsync(IEnumerable<Guid> groupIds)
     {
         using (var connection = new SqlConnection(ConnectionString))
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/GroupRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/GroupRepository.cs
index 0e91bd42ef..305a715d4c 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/GroupRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/GroupRepository.cs
@@ -163,8 +163,10 @@ public class GroupRepository : Repository<AdminConsoleEntities.Group, Group, Gui
         }
     }
 
-    public async Task<ICollection<Guid>> GetManyUserIdsByIdAsync(Guid id)
+    public async Task<ICollection<Guid>> GetManyUserIdsByIdAsync(Guid id, bool useReadOnlyReplica = false)
     {
+        // EF is only used for self-hosted so read-only replica parameter is ignored
+
         using (var scope = ServiceScopeFactory.CreateScope())
         {
             var dbContext = GetDatabaseContext(scope);
@@ -255,6 +257,29 @@ public class GroupRepository : Repository<AdminConsoleEntities.Group, Group, Gui
         }
     }
 
+    public async Task AddGroupUsersByIdAsync(Guid groupId, IEnumerable<Guid> organizationUserIds)
+    {
+        using (var scope = ServiceScopeFactory.CreateScope())
+        {
+            var dbContext = GetDatabaseContext(scope);
+            var orgId = (await dbContext.Groups.FindAsync(groupId)).OrganizationId;
+            var insert = from ou in dbContext.OrganizationUsers
+                         where organizationUserIds.Contains(ou.Id) &&
+                             ou.OrganizationId == orgId &&
+                             !dbContext.GroupUsers.Any(gu => gu.GroupId == groupId && ou.Id == gu.OrganizationUserId)
+                         select new GroupUser
+                         {
+                             GroupId = groupId,
+                             OrganizationUserId = ou.Id,
+                         };
+            await dbContext.AddRangeAsync(insert);
+
+            await dbContext.SaveChangesAsync();
+            await dbContext.UserBumpAccountRevisionDateByOrganizationIdAsync(orgId);
+            await dbContext.SaveChangesAsync();
+        }
+    }
+
     public async Task DeleteManyAsync(IEnumerable<Guid> groupIds)
     {
         using (var scope = ServiceScopeFactory.CreateScope())
diff --git a/src/Sql/dbo/Stored Procedures/GroupUser_AddUsers.sql b/src/Sql/dbo/Stored Procedures/GroupUser_AddUsers.sql
new file mode 100644
index 0000000000..362cdce785
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/GroupUser_AddUsers.sql	
@@ -0,0 +1,39 @@
+CREATE PROCEDURE [dbo].[GroupUser_AddUsers]
+    @GroupId UNIQUEIDENTIFIER,
+    @OrganizationUserIds AS [dbo].[GuidIdArray] READONLY
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    DECLARE @OrgId UNIQUEIDENTIFIER = (
+        SELECT TOP 1
+            [OrganizationId]
+        FROM
+            [dbo].[Group]
+        WHERE
+            [Id] = @GroupId
+    )
+
+    -- Insert
+    INSERT INTO
+        [dbo].[GroupUser] (GroupId, OrganizationUserId)
+    SELECT DISTINCT
+        @GroupId,
+        [Source].[Id]
+    FROM
+        @OrganizationUserIds AS [Source]
+    INNER JOIN
+        [dbo].[OrganizationUser] OU ON [Source].[Id] = OU.[Id] AND OU.[OrganizationId] = @OrgId
+    WHERE
+        NOT EXISTS (
+            SELECT
+                1
+            FROM
+                [dbo].[GroupUser]
+            WHERE
+                [GroupId] = @GroupId
+                AND [OrganizationUserId] = [Source].[Id]
+        )
+
+    EXEC [dbo].[User_BumpAccountRevisionDateByOrganizationId] @OrgId
+END
diff --git a/test/Infrastructure.IntegrationTest/AdminConsole/OrganizationTestHelpers.cs b/test/Infrastructure.IntegrationTest/AdminConsole/OrganizationTestHelpers.cs
new file mode 100644
index 0000000000..e631280bb3
--- /dev/null
+++ b/test/Infrastructure.IntegrationTest/AdminConsole/OrganizationTestHelpers.cs
@@ -0,0 +1,57 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+
+namespace Bit.Infrastructure.IntegrationTest.AdminConsole;
+
+/// <summary>
+/// A set of extension methods used to arrange simple test data.
+/// This should only be used for basic, repetitive data arrangement, not for anything complex or for
+/// the repository method under test.
+/// </summary>
+public static class OrganizationTestHelpers
+{
+    public static Task<User> CreateTestUserAsync(this IUserRepository userRepository, string identifier = "test")
+    {
+        var id = Guid.NewGuid();
+        return userRepository.CreateAsync(new User
+        {
+            Id = id,
+            Name = $"{identifier}-{id}",
+            Email = $"{id}@example.com",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+        });
+    }
+
+    public static Task<Organization> CreateTestOrganizationAsync(this IOrganizationRepository organizationRepository,
+        string identifier = "test")
+        => organizationRepository.CreateAsync(new Organization
+        {
+            Name = $"{identifier}-{Guid.NewGuid()}",
+            BillingEmail = "billing@example.com", // TODO: EF does not enforce this being NOT NULL
+            Plan = "Test", // TODO: EF does not enforce this being NOT NULl
+        });
+
+    public static Task<OrganizationUser> CreateTestOrganizationUserAsync(
+        this IOrganizationUserRepository organizationUserRepository,
+        Organization organization,
+        User user)
+        => organizationUserRepository.CreateAsync(new OrganizationUser
+        {
+            OrganizationId = organization.Id,
+            UserId = user.Id,
+            Status = OrganizationUserStatusType.Confirmed,
+            Type = OrganizationUserType.Owner
+        });
+
+    public static Task<Group> CreateTestGroupAsync(
+        this IGroupRepository groupRepository,
+        Organization organization,
+        string identifier = "test")
+        => groupRepository.CreateAsync(
+            new Group { OrganizationId = organization.Id, Name = $"{identifier} {Guid.NewGuid()}" }
+        );
+}
diff --git a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/GroupRepositoryTests.cs b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/GroupRepositoryTests.cs
new file mode 100644
index 0000000000..e2c2cbfa02
--- /dev/null
+++ b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/GroupRepositoryTests.cs
@@ -0,0 +1,129 @@
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Repositories;
+using Xunit;
+
+namespace Bit.Infrastructure.IntegrationTest.AdminConsole.Repositories;
+
+public class GroupRepositoryTests
+{
+    [DatabaseTheory, DatabaseData]
+    public async Task AddGroupUsersByIdAsync_CreatesGroupUsers(
+        IGroupRepository groupRepository,
+        IUserRepository userRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IOrganizationRepository organizationRepository)
+    {
+        // Arrange
+        var user1 = await userRepository.CreateTestUserAsync("user1");
+        var user2 = await userRepository.CreateTestUserAsync("user2");
+        var user3 = await userRepository.CreateTestUserAsync("user3");
+
+        var org = await organizationRepository.CreateTestOrganizationAsync();
+        var orgUser1 = await organizationUserRepository.CreateTestOrganizationUserAsync(org, user1);
+        var orgUser2 = await organizationUserRepository.CreateTestOrganizationUserAsync(org, user2);
+        var orgUser3 = await organizationUserRepository.CreateTestOrganizationUserAsync(org, user3);
+        var orgUserIds = new List<Guid>([orgUser1.Id, orgUser2.Id, orgUser3.Id]);
+        var group = await groupRepository.CreateTestGroupAsync(org);
+
+        // Act
+        await groupRepository.AddGroupUsersByIdAsync(group.Id, orgUserIds);
+
+        // Assert
+        var actual = await groupRepository.GetManyUserIdsByIdAsync(group.Id);
+        Assert.Equal(orgUserIds!.Order(), actual.Order());
+    }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task AddGroupUsersByIdAsync_IgnoresExistingGroupUsers(
+        IGroupRepository groupRepository,
+        IUserRepository userRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IOrganizationRepository organizationRepository)
+    {
+        // Arrange
+        var user1 = await userRepository.CreateTestUserAsync("user1");
+        var user2 = await userRepository.CreateTestUserAsync("user2");
+        var user3 = await userRepository.CreateTestUserAsync("user3");
+
+        var org = await organizationRepository.CreateTestOrganizationAsync();
+        var orgUser1 = await organizationUserRepository.CreateTestOrganizationUserAsync(org, user1);
+        var orgUser2 = await organizationUserRepository.CreateTestOrganizationUserAsync(org, user2);
+        var orgUser3 = await organizationUserRepository.CreateTestOrganizationUserAsync(org, user3);
+        var orgUserIds = new List<Guid>([orgUser1.Id, orgUser2.Id, orgUser3.Id]);
+        var group = await groupRepository.CreateTestGroupAsync(org);
+
+        // Add user 2 to the group already, make sure this is executed correctly before proceeding
+        await groupRepository.UpdateUsersAsync(group.Id, [orgUser2.Id]);
+        var existingUsers = await groupRepository.GetManyUserIdsByIdAsync(group.Id);
+        Assert.Equal([orgUser2.Id], existingUsers);
+
+        // Act
+        await groupRepository.AddGroupUsersByIdAsync(group.Id, orgUserIds);
+
+        // Assert - group should contain all users
+        var actual = await groupRepository.GetManyUserIdsByIdAsync(group.Id);
+        Assert.Equal(orgUserIds!.Order(), actual.Order());
+    }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task AddGroupUsersByIdAsync_IgnoresUsersNotInOrganization(
+        IGroupRepository groupRepository,
+        IUserRepository userRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IOrganizationRepository organizationRepository)
+    {
+        // Arrange
+        var user1 = await userRepository.CreateTestUserAsync("user1");
+        var user2 = await userRepository.CreateTestUserAsync("user2");
+        var user3 = await userRepository.CreateTestUserAsync("user3");
+
+        var org = await organizationRepository.CreateTestOrganizationAsync();
+        var orgUser1 = await organizationUserRepository.CreateTestOrganizationUserAsync(org, user1);
+        var orgUser2 = await organizationUserRepository.CreateTestOrganizationUserAsync(org, user2);
+
+        // User3 belongs to a different org
+        var otherOrg = await organizationRepository.CreateTestOrganizationAsync();
+        var orgUser3 = await organizationUserRepository.CreateTestOrganizationUserAsync(otherOrg, user3);
+
+        var orgUserIds = new List<Guid>([orgUser1.Id, orgUser2.Id, orgUser3.Id]);
+        var group = await groupRepository.CreateTestGroupAsync(org);
+
+        // Act
+        await groupRepository.AddGroupUsersByIdAsync(group.Id, orgUserIds);
+
+        // Assert
+        var actual = await groupRepository.GetManyUserIdsByIdAsync(group.Id);
+        Assert.Equal(2, actual.Count);
+        Assert.Contains(orgUser1.Id, actual);
+        Assert.Contains(orgUser2.Id, actual);
+        Assert.DoesNotContain(orgUser3.Id, actual);
+    }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task AddGroupUsersByIdAsync_IgnoresDuplicateUsers(
+        IGroupRepository groupRepository,
+        IUserRepository userRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IOrganizationRepository organizationRepository)
+    {
+        // Arrange
+        var user1 = await userRepository.CreateTestUserAsync("user1");
+        var user2 = await userRepository.CreateTestUserAsync("user2");
+
+        var org = await organizationRepository.CreateTestOrganizationAsync();
+        var orgUser1 = await organizationUserRepository.CreateTestOrganizationUserAsync(org, user1);
+        var orgUser2 = await organizationUserRepository.CreateTestOrganizationUserAsync(org, user2);
+
+        var orgUserIds = new List<Guid>([orgUser1.Id, orgUser2.Id, orgUser2.Id]); // duplicate orgUser2
+        var group = await groupRepository.CreateTestGroupAsync(org);
+
+        // Act
+        await groupRepository.AddGroupUsersByIdAsync(group.Id, orgUserIds);
+
+        // Assert
+        var actual = await groupRepository.GetManyUserIdsByIdAsync(group.Id);
+        Assert.Equal(2, actual.Count);
+        Assert.Contains(orgUser1.Id, actual);
+        Assert.Contains(orgUser2.Id, actual);
+    }
+}
diff --git a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationDomainRepositoryTests.cs b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationDomainRepositoryTests.cs
index 7f0ed582bf..a1c5f9bd07 100644
--- a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationDomainRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationDomainRepositoryTests.cs
@@ -3,7 +3,7 @@ using Bit.Core.Entities;
 using Bit.Core.Repositories;
 using Xunit;
 
-namespace Bit.Infrastructure.IntegrationTest.Repositories;
+namespace Bit.Infrastructure.IntegrationTest.AdminConsole.Repositories;
 
 public class OrganizationDomainRepositoryTests
 {
diff --git a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationRepositoryTests.cs b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationRepositoryTests.cs
index f6dc4a989d..f7c61ad957 100644
--- a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationRepositoryTests.cs
@@ -4,7 +4,7 @@ using Bit.Core.Enums;
 using Bit.Core.Repositories;
 using Xunit;
 
-namespace Bit.Infrastructure.IntegrationTest.Repositories;
+namespace Bit.Infrastructure.IntegrationTest.AdminConsole.Repositories;
 
 public class OrganizationRepositoryTests
 {
diff --git a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs
index aee4beb8ce..e82be49173 100644
--- a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs
@@ -4,7 +4,7 @@ using Bit.Core.Enums;
 using Bit.Core.Repositories;
 using Xunit;
 
-namespace Bit.Infrastructure.IntegrationTest.Repositories;
+namespace Bit.Infrastructure.IntegrationTest.AdminConsole.Repositories;
 
 public class OrganizationUserRepositoryTests
 {
diff --git a/util/Migrator/DbScripts/2025-02-13_00_GroupUser_AddUsers.sql b/util/Migrator/DbScripts/2025-02-13_00_GroupUser_AddUsers.sql
new file mode 100644
index 0000000000..46ea72003e
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-02-13_00_GroupUser_AddUsers.sql
@@ -0,0 +1,39 @@
+CREATE OR ALTER PROCEDURE [dbo].[GroupUser_AddUsers]
+    @GroupId UNIQUEIDENTIFIER,
+    @OrganizationUserIds AS [dbo].[GuidIdArray] READONLY
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    DECLARE @OrgId UNIQUEIDENTIFIER = (
+        SELECT TOP 1
+            [OrganizationId]
+        FROM
+            [dbo].[Group]
+        WHERE
+            [Id] = @GroupId
+    )
+
+    -- Insert
+    INSERT INTO
+        [dbo].[GroupUser] (GroupId, OrganizationUserId)
+    SELECT DISTINCT
+        @GroupId,
+        [Source].[Id]
+    FROM
+        @OrganizationUserIds AS [Source]
+    INNER JOIN
+        [dbo].[OrganizationUser] OU ON [Source].[Id] = OU.[Id] AND OU.[OrganizationId] = @OrgId
+    WHERE
+        NOT EXISTS (
+            SELECT
+                1
+            FROM
+                [dbo].[GroupUser]
+            WHERE
+                [GroupId] = @GroupId
+                AND [OrganizationUserId] = [Source].[Id]
+        )
+
+    EXEC [dbo].[User_BumpAccountRevisionDateByOrganizationId] @OrgId
+END

From f4341b2f3bed714e651439f3191190e1aea07997 Mon Sep 17 00:00:00 2001
From: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
Date: Fri, 14 Feb 2025 21:05:49 +1000
Subject: [PATCH 280/384] [PM-14439] Add PolicyRequirementQuery for enforcement
 logic (#5336)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Add PolicyRequirementQuery, helpers and models in preparation for migrating domain code

Co-authored-by: Rui Tomé <108268980+r-tome@users.noreply.github.com>
---
 .../Organizations/Policies/PolicyDetails.cs   |  39 ++
 .../Policies/IPolicyRequirementQuery.cs       |  18 +
 .../Implementations/PolicyRequirementQuery.cs |  28 ++
 .../PolicyRequirements/IPolicyRequirement.cs  |  24 ++
 .../PolicyRequirementHelpers.cs               |  41 ++
 .../PolicyServiceCollectionExtensions.cs      |  38 ++
 .../Repositories/IPolicyRepository.cs         |  20 +
 src/Core/Constants.cs                         |   1 +
 .../Repositories/PolicyRepository.cs          |  14 +
 .../Repositories/PolicyRepository.cs          |  41 ++
 .../PolicyDetails_ReadByUserId.sql            |  43 ++
 .../Policies/PolicyRequirementQueryTests.cs   |  60 +++
 .../GetPolicyDetailsByUserIdTests.cs          | 385 ++++++++++++++++++
 ...25-02-14_00_PolicyDetails_ReadByUserId.sql |  43 ++
 14 files changed, 795 insertions(+)
 create mode 100644 src/Core/AdminConsole/Models/Data/Organizations/Policies/PolicyDetails.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/Policies/IPolicyRequirementQuery.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/Policies/Implementations/PolicyRequirementQuery.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/IPolicyRequirement.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PolicyRequirementHelpers.cs
 create mode 100644 src/Sql/dbo/Stored Procedures/PolicyDetails_ReadByUserId.sql
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirementQueryTests.cs
 create mode 100644 test/Infrastructure.IntegrationTest/AdminConsole/Repositories/PolicyRepository/GetPolicyDetailsByUserIdTests.cs
 create mode 100644 util/Migrator/DbScripts/2025-02-14_00_PolicyDetails_ReadByUserId.sql

diff --git a/src/Core/AdminConsole/Models/Data/Organizations/Policies/PolicyDetails.cs b/src/Core/AdminConsole/Models/Data/Organizations/Policies/PolicyDetails.cs
new file mode 100644
index 0000000000..5b5db85f65
--- /dev/null
+++ b/src/Core/AdminConsole/Models/Data/Organizations/Policies/PolicyDetails.cs
@@ -0,0 +1,39 @@
+#nullable enable
+
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+
+/// <summary>
+/// Represents an OrganizationUser and a Policy which *may* be enforced against them.
+/// You may assume that the Policy is enabled and that the organization's plan supports policies.
+/// This is consumed by <see cref="IPolicyRequirement"/> to create requirements for specific policy types.
+/// </summary>
+public class PolicyDetails
+{
+    public Guid OrganizationUserId { get; set; }
+    public Guid OrganizationId { get; set; }
+    public PolicyType PolicyType { get; set; }
+    public string? PolicyData { get; set; }
+    public OrganizationUserType OrganizationUserType { get; set; }
+    public OrganizationUserStatusType OrganizationUserStatus { get; set; }
+    /// <summary>
+    /// Custom permissions for the organization user, if any. Use <see cref="GetOrganizationUserCustomPermissions"/>
+    /// to deserialize.
+    /// </summary>
+    public string? OrganizationUserPermissionsData { get; set; }
+    /// <summary>
+    /// True if the user is also a ProviderUser for the organization, false otherwise.
+    /// </summary>
+    public bool IsProvider { get; set; }
+
+    public T GetDataModel<T>() where T : IPolicyDataModel, new()
+        => CoreHelpers.LoadClassFromJsonData<T>(PolicyData);
+
+    public Permissions GetOrganizationUserCustomPermissions()
+        => CoreHelpers.LoadClassFromJsonData<Permissions>(OrganizationUserPermissionsData);
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/IPolicyRequirementQuery.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/IPolicyRequirementQuery.cs
new file mode 100644
index 0000000000..5736078f22
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/IPolicyRequirementQuery.cs
@@ -0,0 +1,18 @@
+#nullable enable
+
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+
+public interface IPolicyRequirementQuery
+{
+    /// <summary>
+    /// Get a policy requirement for a specific user.
+    /// The policy requirement represents how one or more policy types should be enforced against the user.
+    /// It will always return a value even if there are no policies that should be enforced.
+    /// This should be used for all policy checks.
+    /// </summary>
+    /// <param name="userId">The user that you need to enforce the policy against.</param>
+    /// <typeparam name="T">The IPolicyRequirement that corresponds to the policy you want to enforce.</typeparam>
+    Task<T> GetAsync<T>(Guid userId) where T : IPolicyRequirement;
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/Implementations/PolicyRequirementQuery.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/Implementations/PolicyRequirementQuery.cs
new file mode 100644
index 0000000000..585d2348ef
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/Implementations/PolicyRequirementQuery.cs
@@ -0,0 +1,28 @@
+#nullable enable
+
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.AdminConsole.Repositories;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.Implementations;
+
+public class PolicyRequirementQuery(
+    IPolicyRepository policyRepository,
+    IEnumerable<RequirementFactory<IPolicyRequirement>> factories)
+    : IPolicyRequirementQuery
+{
+    public async Task<T> GetAsync<T>(Guid userId) where T : IPolicyRequirement
+    {
+        var factory = factories.OfType<RequirementFactory<T>>().SingleOrDefault();
+        if (factory is null)
+        {
+            throw new NotImplementedException("No Policy Requirement found for " + typeof(T));
+        }
+
+        return factory(await GetPolicyDetails(userId));
+    }
+
+    private Task<IEnumerable<PolicyDetails>> GetPolicyDetails(Guid userId) =>
+        policyRepository.GetPolicyDetailsByUserId(userId);
+}
+
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/IPolicyRequirement.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/IPolicyRequirement.cs
new file mode 100644
index 0000000000..3f331b1130
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/IPolicyRequirement.cs
@@ -0,0 +1,24 @@
+#nullable enable
+
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+/// <summary>
+/// Represents the business requirements of how one or more enterprise policies will be enforced against a user.
+/// The implementation of this interface will depend on how the policies are enforced in the relevant domain.
+/// </summary>
+public interface IPolicyRequirement;
+
+/// <summary>
+/// A factory function that takes a sequence of <see cref="PolicyDetails"/> and transforms them into a single
+/// <see cref="IPolicyRequirement"/> for consumption by the relevant domain. This will receive *all* policy types
+/// that may be enforced against a user; when implementing this delegate, you must filter out irrelevant policy types
+/// as well as policies that should not be enforced against a user (e.g. due to the user's role or status).
+/// </summary>
+/// <remarks>
+/// See <see cref="PolicyRequirementHelpers"/> for extension methods to handle common requirements when implementing
+/// this delegate.
+/// </remarks>
+public delegate T RequirementFactory<out T>(IEnumerable<PolicyDetails> policyDetails)
+    where T : IPolicyRequirement;
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PolicyRequirementHelpers.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PolicyRequirementHelpers.cs
new file mode 100644
index 0000000000..fc4cd91a3d
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PolicyRequirementHelpers.cs
@@ -0,0 +1,41 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.Enums;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+public static class PolicyRequirementHelpers
+{
+    /// <summary>
+    /// Filters the PolicyDetails by PolicyType. This is generally required to only get the PolicyDetails that your
+    /// IPolicyRequirement relates to.
+    /// </summary>
+    public static IEnumerable<PolicyDetails> GetPolicyType(
+        this IEnumerable<PolicyDetails> policyDetails,
+        PolicyType type)
+        => policyDetails.Where(x => x.PolicyType == type);
+
+    /// <summary>
+    /// Filters the PolicyDetails to remove the specified user roles. This can be used to exempt
+    /// owners and admins from policy enforcement.
+    /// </summary>
+    public static IEnumerable<PolicyDetails> ExemptRoles(
+        this IEnumerable<PolicyDetails> policyDetails,
+        IEnumerable<OrganizationUserType> roles)
+        => policyDetails.Where(x => !roles.Contains(x.OrganizationUserType));
+
+    /// <summary>
+    /// Filters the PolicyDetails to remove organization users who are also provider users for the organization.
+    /// This can be used to exempt provider users from policy enforcement.
+    /// </summary>
+    public static IEnumerable<PolicyDetails> ExemptProviders(this IEnumerable<PolicyDetails> policyDetails)
+        => policyDetails.Where(x => !x.IsProvider);
+
+    /// <summary>
+    /// Filters the PolicyDetails to remove the specified organization user statuses. For example, this can be used
+    /// to exempt users in the invited and revoked statuses from policy enforcement.
+    /// </summary>
+    public static IEnumerable<PolicyDetails> ExemptStatus(
+        this IEnumerable<PolicyDetails> policyDetails, IEnumerable<OrganizationUserStatusType> status)
+        => policyDetails.Where(x => !status.Contains(x.OrganizationUserStatus));
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
index 4e88976c10..f7b35f2f06 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
@@ -1,4 +1,5 @@
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Implementations;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyValidators;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.AdminConsole.Services.Implementations;
@@ -12,7 +13,14 @@ public static class PolicyServiceCollectionExtensions
     {
         services.AddScoped<IPolicyService, PolicyService>();
         services.AddScoped<ISavePolicyCommand, SavePolicyCommand>();
+        services.AddScoped<IPolicyRequirementQuery, PolicyRequirementQuery>();
 
+        services.AddPolicyValidators();
+        services.AddPolicyRequirements();
+    }
+
+    private static void AddPolicyValidators(this IServiceCollection services)
+    {
         services.AddScoped<IPolicyValidator, TwoFactorAuthenticationPolicyValidator>();
         services.AddScoped<IPolicyValidator, SingleOrgPolicyValidator>();
         services.AddScoped<IPolicyValidator, RequireSsoPolicyValidator>();
@@ -20,4 +28,34 @@ public static class PolicyServiceCollectionExtensions
         services.AddScoped<IPolicyValidator, MaximumVaultTimeoutPolicyValidator>();
         services.AddScoped<IPolicyValidator, FreeFamiliesForEnterprisePolicyValidator>();
     }
+
+    private static void AddPolicyRequirements(this IServiceCollection services)
+    {
+        // Register policy requirement factories here
+    }
+
+    /// <summary>
+    /// Used to register simple policy requirements where its factory method implements CreateRequirement.
+    /// This MUST be used rather than calling AddScoped directly, because it will ensure the factory method has
+    /// the correct type to be injected and then identified by <see cref="PolicyRequirementQuery"/> at runtime.
+    /// </summary>
+    /// <typeparam name="T">The specific PolicyRequirement being registered.</typeparam>
+    private static void AddPolicyRequirement<T>(this IServiceCollection serviceCollection, RequirementFactory<T> factory)
+        where T : class, IPolicyRequirement
+        => serviceCollection.AddPolicyRequirement(_ => factory);
+
+    /// <summary>
+    /// Used to register policy requirements where you need to access additional dependencies (usually to return a
+    /// curried factory method).
+    /// This MUST be used rather than calling AddScoped directly, because it will ensure the factory method has
+    /// the correct type to be injected and then identified by <see cref="PolicyRequirementQuery"/> at runtime.
+    /// </summary>
+    /// <typeparam name="T">
+    /// A callback that takes IServiceProvider and returns a RequirementFactory for
+    /// your policy requirement.
+    /// </typeparam>
+    private static void AddPolicyRequirement<T>(this IServiceCollection serviceCollection,
+        Func<IServiceProvider, RequirementFactory<T>> factory)
+        where T : class, IPolicyRequirement
+        => serviceCollection.AddScoped<RequirementFactory<IPolicyRequirement>>(factory);
 }
diff --git a/src/Core/AdminConsole/Repositories/IPolicyRepository.cs b/src/Core/AdminConsole/Repositories/IPolicyRepository.cs
index ad0654dd3c..4c0c03536d 100644
--- a/src/Core/AdminConsole/Repositories/IPolicyRepository.cs
+++ b/src/Core/AdminConsole/Repositories/IPolicyRepository.cs
@@ -1,5 +1,7 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.Repositories;
 
 #nullable enable
@@ -8,7 +10,25 @@ namespace Bit.Core.AdminConsole.Repositories;
 
 public interface IPolicyRepository : IRepository<Policy, Guid>
 {
+    /// <summary>
+    /// Gets all policies of a given type for an organization.
+    /// </summary>
+    /// <remarks>
+    /// WARNING: do not use this to enforce policies against a user! It returns raw data and does not take into account
+    /// various business rules. Use <see cref="IPolicyRequirementQuery"/> instead.
+    /// </remarks>
     Task<Policy?> GetByOrganizationIdTypeAsync(Guid organizationId, PolicyType type);
     Task<ICollection<Policy>> GetManyByOrganizationIdAsync(Guid organizationId);
     Task<ICollection<Policy>> GetManyByUserIdAsync(Guid userId);
+    /// <summary>
+    /// Gets all PolicyDetails for a user for all policy types.
+    /// </summary>
+    /// <remarks>
+    /// Each PolicyDetail represents an OrganizationUser and a Policy which *may* be enforced
+    /// against them. It only returns PolicyDetails for policies that are enabled and where the organization's plan
+    /// supports policies. It also excludes "revoked invited" users who are not subject to policy enforcement.
+    /// This is consumed by <see cref="IPolicyRequirementQuery"/> to create requirements for specific policy types.
+    /// You probably do not want to call it directly.
+    /// </remarks>
+    Task<IEnumerable<PolicyDetails>> GetPolicyDetailsByUserId(Guid userId);
 }
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 21360703a2..91637e3893 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -110,6 +110,7 @@ public static class FeatureFlagKeys
     public const string LimitItemDeletion = "pm-15493-restrict-item-deletion-to-can-manage-permission";
     public const string ShortcutDuplicatePatchRequests = "pm-16812-shortcut-duplicate-patch-requests";
     public const string PushSyncOrgKeysOnRevokeRestore = "pm-17168-push-sync-org-keys-on-revoke-restore";
+    public const string PolicyRequirements = "pm-14439-policy-requirements";
 
     /* Tools Team */
     public const string ItemShare = "item-share";
diff --git a/src/Infrastructure.Dapper/AdminConsole/Repositories/PolicyRepository.cs b/src/Infrastructure.Dapper/AdminConsole/Repositories/PolicyRepository.cs
index 196f3e3733..071ff3153a 100644
--- a/src/Infrastructure.Dapper/AdminConsole/Repositories/PolicyRepository.cs
+++ b/src/Infrastructure.Dapper/AdminConsole/Repositories/PolicyRepository.cs
@@ -1,6 +1,7 @@
 using System.Data;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Settings;
 using Bit.Infrastructure.Dapper.Repositories;
@@ -59,4 +60,17 @@ public class PolicyRepository : Repository<Policy, Guid>, IPolicyRepository
             return results.ToList();
         }
     }
+
+    public async Task<IEnumerable<PolicyDetails>> GetPolicyDetailsByUserId(Guid userId)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var results = await connection.QueryAsync<PolicyDetails>(
+                $"[{Schema}].[PolicyDetails_ReadByUserId]",
+                new { UserId = userId },
+                commandType: CommandType.StoredProcedure);
+
+            return results.ToList();
+        }
+    }
 }
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/PolicyRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/PolicyRepository.cs
index 3eb4ac934b..0564681341 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/PolicyRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/PolicyRepository.cs
@@ -1,6 +1,8 @@
 using AutoMapper;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Enums;
 using Bit.Infrastructure.EntityFramework.AdminConsole.Models;
 using Bit.Infrastructure.EntityFramework.AdminConsole.Repositories.Queries;
 using Bit.Infrastructure.EntityFramework.Repositories;
@@ -50,4 +52,43 @@ public class PolicyRepository : Repository<AdminConsoleEntities.Policy, Policy,
             return Mapper.Map<List<AdminConsoleEntities.Policy>>(results);
         }
     }
+
+    public async Task<IEnumerable<PolicyDetails>> GetPolicyDetailsByUserId(Guid userId)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+
+        var providerOrganizations = from pu in dbContext.ProviderUsers
+                                    where pu.UserId == userId
+                                    join po in dbContext.ProviderOrganizations
+                                        on pu.ProviderId equals po.ProviderId
+                                    select po;
+
+        var query = from p in dbContext.Policies
+                    join ou in dbContext.OrganizationUsers
+                        on p.OrganizationId equals ou.OrganizationId
+                    join o in dbContext.Organizations
+                        on p.OrganizationId equals o.Id
+                    where
+                        p.Enabled &&
+                        o.Enabled &&
+                        o.UsePolicies &&
+                        (
+                            (ou.Status != OrganizationUserStatusType.Invited && ou.UserId == userId) ||
+                            // Invited orgUsers do not have a UserId associated with them, so we have to match up their email
+                            (ou.Status == OrganizationUserStatusType.Invited && ou.Email == dbContext.Users.Find(userId).Email)
+                        )
+                    select new PolicyDetails
+                    {
+                        OrganizationUserId = ou.Id,
+                        OrganizationId = p.OrganizationId,
+                        PolicyType = p.Type,
+                        PolicyData = p.Data,
+                        OrganizationUserType = ou.Type,
+                        OrganizationUserStatus = ou.Status,
+                        OrganizationUserPermissionsData = ou.Permissions,
+                        IsProvider = providerOrganizations.Any(po => po.OrganizationId == p.OrganizationId)
+                    };
+        return await query.ToListAsync();
+    }
 }
diff --git a/src/Sql/dbo/Stored Procedures/PolicyDetails_ReadByUserId.sql b/src/Sql/dbo/Stored Procedures/PolicyDetails_ReadByUserId.sql
new file mode 100644
index 0000000000..910ff3c4c6
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/PolicyDetails_ReadByUserId.sql	
@@ -0,0 +1,43 @@
+CREATE PROCEDURE [dbo].[PolicyDetails_ReadByUserId]
+    @UserId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+SELECT
+    OU.[Id] AS OrganizationUserId,
+    P.[OrganizationId],
+    P.[Type] AS PolicyType,
+    P.[Data] AS PolicyData,
+    OU.[Type] AS OrganizationUserType,
+    OU.[Status] AS OrganizationUserStatus,
+    OU.[Permissions] AS OrganizationUserPermissionsData,
+    CASE WHEN EXISTS (
+            SELECT 1
+            FROM [dbo].[ProviderUserView] PU
+            INNER JOIN [dbo].[ProviderOrganizationView] PO ON PO.[ProviderId] = PU.[ProviderId]
+            WHERE PU.[UserId] = OU.[UserId] AND PO.[OrganizationId] = P.[OrganizationId]
+        ) THEN 1 ELSE 0 END AS IsProvider
+FROM [dbo].[PolicyView] P
+INNER JOIN [dbo].[OrganizationUserView] OU
+    ON P.[OrganizationId] = OU.[OrganizationId]
+INNER JOIN [dbo].[OrganizationView] O
+    ON P.[OrganizationId] = O.[Id]
+WHERE
+    P.Enabled = 1
+    AND O.Enabled = 1
+    AND O.UsePolicies = 1
+    AND (
+            -- OrgUsers who have accepted their invite and are linked to a UserId
+            -- (Note: this excludes "invited but revoked" users who don't have an OU.UserId yet,
+            -- but those users will go through policy enforcement later as part of accepting their invite after being restored.
+            -- This is an intentionally unhandled edge case for now.)
+            (OU.[Status] != 0 AND OU.[UserId] = @UserId)
+
+            -- 'Invited' OrgUsers are not linked to a UserId yet, so we have to look up their email
+            OR EXISTS (
+                SELECT 1
+                FROM [dbo].[UserView] U
+                WHERE U.[Id] = @UserId AND OU.[Email] = U.[Email] AND OU.[Status] = 0
+            )
+        )
+END
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirementQueryTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirementQueryTests.cs
new file mode 100644
index 0000000000..4c98353774
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirementQueryTests.cs
@@ -0,0 +1,60 @@
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Implementations;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Policies;
+
+[SutProviderCustomize]
+public class PolicyRequirementQueryTests
+{
+    /// <summary>
+    /// Tests that the query correctly registers, retrieves and instantiates arbitrary IPolicyRequirements
+    /// according to their provided CreateRequirement delegate.
+    /// </summary>
+    [Theory, BitAutoData]
+    public async Task GetAsync_Works(Guid userId, Guid organizationId)
+    {
+        var policyRepository = Substitute.For<IPolicyRepository>();
+        var factories = new List<RequirementFactory<IPolicyRequirement>>
+        {
+            // In prod this cast is handled when the CreateRequirement delegate is registered in DI
+            (RequirementFactory<TestPolicyRequirement>)TestPolicyRequirement.Create
+        };
+
+        var sut = new PolicyRequirementQuery(policyRepository, factories);
+        policyRepository.GetPolicyDetailsByUserId(userId).Returns([
+            new PolicyDetails
+            {
+                OrganizationId = organizationId
+            }
+        ]);
+
+        var requirement = await sut.GetAsync<TestPolicyRequirement>(userId);
+        Assert.Equal(organizationId, requirement.OrganizationId);
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetAsync_ThrowsIfNoRequirementRegistered(Guid userId)
+    {
+        var policyRepository = Substitute.For<IPolicyRepository>();
+        var sut = new PolicyRequirementQuery(policyRepository, []);
+
+        var exception = await Assert.ThrowsAsync<NotImplementedException>(()
+            => sut.GetAsync<TestPolicyRequirement>(userId));
+        Assert.Contains("No Policy Requirement found", exception.Message);
+    }
+
+    /// <summary>
+    /// Intentionally simplified PolicyRequirement that just holds the Policy.OrganizationId for us to assert against.
+    /// </summary>
+    private class TestPolicyRequirement : IPolicyRequirement
+    {
+        public Guid OrganizationId { get; init; }
+        public static TestPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails)
+            => new() { OrganizationId = policyDetails.Single().OrganizationId };
+    }
+}
diff --git a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/PolicyRepository/GetPolicyDetailsByUserIdTests.cs b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/PolicyRepository/GetPolicyDetailsByUserIdTests.cs
new file mode 100644
index 0000000000..07cb82dc02
--- /dev/null
+++ b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/PolicyRepository/GetPolicyDetailsByUserIdTests.cs
@@ -0,0 +1,385 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Entities.Provider;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Enums.Provider;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data;
+using Bit.Core.Repositories;
+using Bit.Core.Utilities;
+using Xunit;
+
+namespace Bit.Infrastructure.IntegrationTest.AdminConsole.Repositories.PolicyRepository;
+
+public class GetPolicyDetailsByUserIdTests
+{
+    [DatabaseTheory, DatabaseData]
+    public async Task GetPolicyDetailsByUserId_NonInvitedUsers_Works(
+        IUserRepository userRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IOrganizationRepository organizationRepository,
+        IPolicyRepository policyRepository)
+    {
+        // Arrange
+        // OrgUser1 - owner of org1 - confirmed
+        var user = await userRepository.CreateTestUserAsync();
+        var org1 = await CreateEnterpriseOrg(organizationRepository);
+        var orgUser1 = new OrganizationUser
+        {
+            OrganizationId = org1.Id,
+            UserId = user.Id,
+            Status = OrganizationUserStatusType.Confirmed,
+            Type = OrganizationUserType.Owner,
+            Email = null    // confirmed OrgUsers use the email on the User table
+        };
+        await organizationUserRepository.CreateAsync(orgUser1);
+        await policyRepository.CreateAsync(new Policy
+        {
+            OrganizationId = org1.Id,
+            Enabled = true,
+            Type = PolicyType.SingleOrg,
+            Data = CoreHelpers.ClassToJsonData(new TestPolicyData { BoolSetting = true, IntSetting = 5 })
+        });
+
+        // OrgUser2 - custom user of org2 - accepted
+        var org2 = await CreateEnterpriseOrg(organizationRepository);
+        var orgUser2 = new OrganizationUser
+        {
+            OrganizationId = org2.Id,
+            UserId = user.Id,
+            Status = OrganizationUserStatusType.Accepted,
+            Type = OrganizationUserType.Custom,
+            Email = null    // accepted OrgUsers use the email on the User table
+        };
+        orgUser2.SetPermissions(new Permissions
+        {
+            ManagePolicies = true
+        });
+        await organizationUserRepository.CreateAsync(orgUser2);
+        await policyRepository.CreateAsync(new Policy
+        {
+            OrganizationId = org2.Id,
+            Enabled = true,
+            Type = PolicyType.SingleOrg,
+            Data = CoreHelpers.ClassToJsonData(new TestPolicyData { BoolSetting = false, IntSetting = 15 })
+        });
+
+        // Act
+        var policyDetails = (await policyRepository.GetPolicyDetailsByUserId(user.Id)).ToList();
+
+        // Assert
+        Assert.Equal(2, policyDetails.Count);
+
+        var actualPolicyDetails1 = policyDetails.Find(p => p.OrganizationUserId == orgUser1.Id);
+        var expectedPolicyDetails1 = new PolicyDetails
+        {
+            OrganizationUserId = orgUser1.Id,
+            OrganizationId = org1.Id,
+            PolicyType = PolicyType.SingleOrg,
+            PolicyData = CoreHelpers.ClassToJsonData(new TestPolicyData { BoolSetting = true, IntSetting = 5 }),
+            OrganizationUserType = OrganizationUserType.Owner,
+            OrganizationUserStatus = OrganizationUserStatusType.Confirmed,
+            OrganizationUserPermissionsData = null,
+            IsProvider = false
+        };
+        Assert.Equivalent(expectedPolicyDetails1, actualPolicyDetails1);
+        Assert.Equivalent(expectedPolicyDetails1.GetDataModel<TestPolicyData>(), new TestPolicyData { BoolSetting = true, IntSetting = 5 });
+
+        var actualPolicyDetails2 = policyDetails.Find(p => p.OrganizationUserId == orgUser2.Id);
+        var expectedPolicyDetails2 = new PolicyDetails
+        {
+            OrganizationUserId = orgUser2.Id,
+            OrganizationId = org2.Id,
+            PolicyType = PolicyType.SingleOrg,
+            PolicyData = CoreHelpers.ClassToJsonData(new TestPolicyData { BoolSetting = false, IntSetting = 15 }),
+            OrganizationUserType = OrganizationUserType.Custom,
+            OrganizationUserStatus = OrganizationUserStatusType.Accepted,
+            OrganizationUserPermissionsData = CoreHelpers.ClassToJsonData(new Permissions { ManagePolicies = true }),
+            IsProvider = false
+        };
+        Assert.Equivalent(expectedPolicyDetails2, actualPolicyDetails2);
+        Assert.Equivalent(expectedPolicyDetails2.GetDataModel<TestPolicyData>(), new TestPolicyData { BoolSetting = false, IntSetting = 15 });
+        Assert.Equivalent(new Permissions { ManagePolicies = true }, actualPolicyDetails2.GetOrganizationUserCustomPermissions(), strict: true);
+    }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetPolicyDetailsByUserId_InvitedUser_Works(
+        IUserRepository userRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IOrganizationRepository organizationRepository,
+        IPolicyRepository policyRepository)
+    {
+        // Arrange
+        var user = await userRepository.CreateTestUserAsync();
+        var org = await CreateEnterpriseOrg(organizationRepository);
+        var orgUser = new OrganizationUser
+        {
+            OrganizationId = org.Id,
+            UserId = null, // invited users have null userId
+            Status = OrganizationUserStatusType.Invited,
+            Type = OrganizationUserType.Custom,
+            Email = user.Email  // invited users have matching Email
+        };
+        await organizationUserRepository.CreateAsync(orgUser);
+        await policyRepository.CreateAsync(new Policy
+        {
+            OrganizationId = org.Id,
+            Enabled = true,
+            Type = PolicyType.SingleOrg,
+        });
+
+        // Act
+        var actualPolicyDetails = await policyRepository.GetPolicyDetailsByUserId(user.Id);
+
+        // Assert
+        var expectedPolicyDetails = new PolicyDetails
+        {
+            OrganizationUserId = orgUser.Id,
+            OrganizationId = org.Id,
+            PolicyType = PolicyType.SingleOrg,
+            OrganizationUserType = OrganizationUserType.Custom,
+            OrganizationUserStatus = OrganizationUserStatusType.Invited,
+            IsProvider = false
+        };
+
+        Assert.Equivalent(expectedPolicyDetails, actualPolicyDetails.Single());
+    }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetPolicyDetailsByUserId_RevokedConfirmedUser_Works(
+        IUserRepository userRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IOrganizationRepository organizationRepository,
+        IPolicyRepository policyRepository)
+    {
+        // Arrange
+        var user = await userRepository.CreateTestUserAsync();
+        var org = await CreateEnterpriseOrg(organizationRepository);
+        // User has been confirmed to the org but then revoked
+        var orgUser = new OrganizationUser
+        {
+            OrganizationId = org.Id,
+            UserId = user.Id,
+            Status = OrganizationUserStatusType.Revoked,
+            Type = OrganizationUserType.Owner,
+            Email = null
+        };
+        await organizationUserRepository.CreateAsync(orgUser);
+        await policyRepository.CreateAsync(new Policy
+        {
+            OrganizationId = org.Id,
+            Enabled = true,
+            Type = PolicyType.SingleOrg,
+        });
+
+        // Act
+        var actualPolicyDetails = await policyRepository.GetPolicyDetailsByUserId(user.Id);
+
+        // Assert
+        var expectedPolicyDetails = new PolicyDetails
+        {
+            OrganizationUserId = orgUser.Id,
+            OrganizationId = org.Id,
+            PolicyType = PolicyType.SingleOrg,
+            OrganizationUserType = OrganizationUserType.Owner,
+            OrganizationUserStatus = OrganizationUserStatusType.Revoked,
+            IsProvider = false
+        };
+
+        Assert.Equivalent(expectedPolicyDetails, actualPolicyDetails.Single());
+    }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetPolicyDetailsByUserId_RevokedInvitedUser_DoesntReturnPolicies(
+        IUserRepository userRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IOrganizationRepository organizationRepository,
+        IPolicyRepository policyRepository)
+    {
+        // Arrange
+        var user = await userRepository.CreateTestUserAsync();
+        var org = await CreateEnterpriseOrg(organizationRepository);
+        // User has been invited to the org but then revoked - without ever being confirmed and linked to a user.
+        // This is an unhandled edge case because those users will go through policy enforcement later,
+        // as part of accepting their invite after being restored. For now this is just documented as expected behavior.
+        var orgUser = new OrganizationUser
+        {
+            OrganizationId = org.Id,
+            UserId = null,
+            Status = OrganizationUserStatusType.Revoked,
+            Type = OrganizationUserType.Owner,
+            Email = user.Email
+        };
+        await organizationUserRepository.CreateAsync(orgUser);
+        await policyRepository.CreateAsync(new Policy
+        {
+            OrganizationId = org.Id,
+            Enabled = true,
+            Type = PolicyType.SingleOrg,
+        });
+
+        // Act
+        var actualPolicyDetails = await policyRepository.GetPolicyDetailsByUserId(user.Id);
+
+        Assert.Empty(actualPolicyDetails);
+    }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetPolicyDetailsByUserId_SetsIsProvider(
+        IUserRepository userRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IOrganizationRepository organizationRepository,
+        IPolicyRepository policyRepository,
+        IProviderRepository providerRepository,
+        IProviderUserRepository providerUserRepository,
+        IProviderOrganizationRepository providerOrganizationRepository)
+    {
+        // Arrange
+        var user = await userRepository.CreateTestUserAsync();
+        var org = await CreateEnterpriseOrg(organizationRepository);
+        var orgUser = await organizationUserRepository.CreateTestOrganizationUserAsync(org, user);
+        await policyRepository.CreateAsync(new Policy
+        {
+            OrganizationId = org.Id,
+            Enabled = true,
+            Type = PolicyType.SingleOrg,
+        });
+
+        // Arrange provider
+        var provider = await providerRepository.CreateAsync(new Provider
+        {
+            Name = Guid.NewGuid().ToString(),
+            Enabled = true
+        });
+        await providerUserRepository.CreateAsync(new ProviderUser
+        {
+            ProviderId = provider.Id,
+            UserId = user.Id,
+            Status = ProviderUserStatusType.Confirmed
+        });
+        await providerOrganizationRepository.CreateAsync(new ProviderOrganization
+        {
+            OrganizationId = org.Id,
+            ProviderId = provider.Id
+        });
+
+        // Act
+        var actualPolicyDetails = await policyRepository.GetPolicyDetailsByUserId(user.Id);
+
+        // Assert
+        var expectedPolicyDetails = new PolicyDetails
+        {
+            OrganizationUserId = orgUser.Id,
+            OrganizationId = org.Id,
+            PolicyType = PolicyType.SingleOrg,
+            OrganizationUserType = OrganizationUserType.Owner,
+            OrganizationUserStatus = OrganizationUserStatusType.Confirmed,
+            IsProvider = true
+        };
+
+        Assert.Equivalent(expectedPolicyDetails, actualPolicyDetails.Single());
+    }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetPolicyDetailsByUserId_IgnoresDisabledOrganizations(
+        IUserRepository userRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IOrganizationRepository organizationRepository,
+        IPolicyRepository policyRepository)
+    {
+        // Arrange
+        var user = await userRepository.CreateTestUserAsync();
+        var org = await CreateEnterpriseOrg(organizationRepository);
+        await organizationUserRepository.CreateTestOrganizationUserAsync(org, user);
+        await policyRepository.CreateAsync(new Policy
+        {
+            OrganizationId = org.Id,
+            Enabled = true,
+            Type = PolicyType.SingleOrg,
+        });
+
+        // Org is disabled; its policies remain, but it is now inactive
+        org.Enabled = false;
+        await organizationRepository.ReplaceAsync(org);
+
+        // Act
+        var actualPolicyDetails = await policyRepository.GetPolicyDetailsByUserId(user.Id);
+
+        // Assert
+        Assert.Empty(actualPolicyDetails);
+    }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetPolicyDetailsByUserId_IgnoresDowngradedOrganizations(
+        IUserRepository userRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IOrganizationRepository organizationRepository,
+        IPolicyRepository policyRepository)
+    {
+        // Arrange
+        var user = await userRepository.CreateTestUserAsync();
+        var org = await CreateEnterpriseOrg(organizationRepository);
+        await organizationUserRepository.CreateTestOrganizationUserAsync(org, user);
+        await policyRepository.CreateAsync(new Policy
+        {
+            OrganizationId = org.Id,
+            Enabled = true,
+            Type = PolicyType.SingleOrg,
+        });
+
+        // Org is downgraded; its policies remain but its plan no longer supports them
+        org.UsePolicies = false;
+        org.PlanType = PlanType.TeamsAnnually;
+        await organizationRepository.ReplaceAsync(org);
+
+        // Act
+        var actualPolicyDetails = await policyRepository.GetPolicyDetailsByUserId(user.Id);
+
+        // Assert
+        Assert.Empty(actualPolicyDetails);
+    }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetPolicyDetailsByUserId_IgnoresDisabledPolicies(
+        IUserRepository userRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IOrganizationRepository organizationRepository,
+        IPolicyRepository policyRepository)
+    {
+        // Arrange
+        var user = await userRepository.CreateTestUserAsync();
+        var org = await CreateEnterpriseOrg(organizationRepository);
+        await organizationUserRepository.CreateTestOrganizationUserAsync(org, user);
+        await policyRepository.CreateAsync(new Policy
+        {
+            OrganizationId = org.Id,
+            Enabled = false,
+            Type = PolicyType.SingleOrg,
+        });
+
+        // Act
+        var actualPolicyDetails = await policyRepository.GetPolicyDetailsByUserId(user.Id);
+
+        // Assert
+        Assert.Empty(actualPolicyDetails);
+    }
+
+    private class TestPolicyData : IPolicyDataModel
+    {
+        public bool BoolSetting { get; set; }
+        public int IntSetting { get; set; }
+    }
+
+    private Task<Organization> CreateEnterpriseOrg(IOrganizationRepository organizationRepository)
+        => organizationRepository.CreateAsync(new Organization
+        {
+            Name = Guid.NewGuid().ToString(),
+            BillingEmail = "billing@example.com", // TODO: EF does not enforce this being NOT NULL
+            Plan = "Test", // TODO: EF does not enforce this being NOT NULl
+            PlanType = PlanType.EnterpriseAnnually,
+            UsePolicies = true
+        });
+}
diff --git a/util/Migrator/DbScripts/2025-02-14_00_PolicyDetails_ReadByUserId.sql b/util/Migrator/DbScripts/2025-02-14_00_PolicyDetails_ReadByUserId.sql
new file mode 100644
index 0000000000..d50a092e18
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-02-14_00_PolicyDetails_ReadByUserId.sql
@@ -0,0 +1,43 @@
+CREATE OR ALTER PROCEDURE [dbo].[PolicyDetails_ReadByUserId]
+    @UserId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+SELECT
+    OU.[Id] AS OrganizationUserId,
+    P.[OrganizationId],
+    P.[Type] AS PolicyType,
+    P.[Data] AS PolicyData,
+    OU.[Type] AS OrganizationUserType,
+    OU.[Status] AS OrganizationUserStatus,
+    OU.[Permissions] AS OrganizationUserPermissionsData,
+    CASE WHEN EXISTS (
+            SELECT 1
+            FROM [dbo].[ProviderUserView] PU
+            INNER JOIN [dbo].[ProviderOrganizationView] PO ON PO.[ProviderId] = PU.[ProviderId]
+            WHERE PU.[UserId] = OU.[UserId] AND PO.[OrganizationId] = P.[OrganizationId]
+        ) THEN 1 ELSE 0 END AS IsProvider
+FROM [dbo].[PolicyView] P
+INNER JOIN [dbo].[OrganizationUserView] OU
+    ON P.[OrganizationId] = OU.[OrganizationId]
+INNER JOIN [dbo].[OrganizationView] O
+    ON P.[OrganizationId] = O.[Id]
+WHERE
+    P.Enabled = 1
+    AND O.Enabled = 1
+    AND O.UsePolicies = 1
+    AND (
+            -- OrgUsers who have accepted their invite and are linked to a UserId
+            -- (Note: this excludes "invited but revoked" users who don't have an OU.UserId yet,
+            -- but those users will go through policy enforcement later as part of accepting their invite after being restored.
+            -- This is an intentionally unhandled edge case for now.)
+            (OU.[Status] != 0 AND OU.[UserId] = @UserId)
+
+            -- 'Invited' OrgUsers are not linked to a UserId yet, so we have to look up their email
+            OR EXISTS (
+                SELECT 1
+                FROM [dbo].[UserView] U
+                WHERE U.[Id] = @UserId AND OU.[Email] = U.[Email] AND OU.[Status] = 0
+            )
+        )
+END

From f4c37df883f2920036359a518028272ba62e442c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Fri, 14 Feb 2025 11:25:29 +0000
Subject: [PATCH 281/384] [PM-12490] Extract OrganizationService.EnableAsync
 into commands (#5321)

* Add organization enable command implementation

* Add unit tests for OrganizationEnableCommand

* Add organization enable command registration for dependency injection

* Refactor payment and subscription handlers to use IOrganizationEnableCommand for organization enabling

* Remove EnableAsync methods from IOrganizationService and OrganizationService

* Add xmldoc to IOrganizationEnableCommand

* Refactor OrganizationEnableCommand to consolidate enable logic and add optional expiration
---
 .../PaymentSucceededHandler.cs                |  11 +-
 .../SubscriptionUpdatedHandler.cs             |   8 +-
 .../Interfaces/IOrganizationEnableCommand.cs  |  11 ++
 .../OrganizationEnableCommand.cs              |  39 +++++
 .../Services/IOrganizationService.cs          |   2 -
 .../Implementations/OrganizationService.cs    |  22 ---
 ...OrganizationServiceCollectionExtensions.cs |   4 +
 .../OrganizationEnableCommandTests.cs         | 147 ++++++++++++++++++
 8 files changed, 213 insertions(+), 31 deletions(-)
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationEnableCommand.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/Organizations/OrganizationEnableCommand.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationEnableCommandTests.cs

diff --git a/src/Billing/Services/Implementations/PaymentSucceededHandler.cs b/src/Billing/Services/Implementations/PaymentSucceededHandler.cs
index b16baea52e..1577e77c9e 100644
--- a/src/Billing/Services/Implementations/PaymentSucceededHandler.cs
+++ b/src/Billing/Services/Implementations/PaymentSucceededHandler.cs
@@ -1,4 +1,5 @@
 using Bit.Billing.Constants;
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Context;
@@ -17,7 +18,6 @@ public class PaymentSucceededHandler : IPaymentSucceededHandler
 {
     private readonly ILogger<PaymentSucceededHandler> _logger;
     private readonly IStripeEventService _stripeEventService;
-    private readonly IOrganizationService _organizationService;
     private readonly IUserService _userService;
     private readonly IStripeFacade _stripeFacade;
     private readonly IProviderRepository _providerRepository;
@@ -27,6 +27,7 @@ public class PaymentSucceededHandler : IPaymentSucceededHandler
     private readonly IUserRepository _userRepository;
     private readonly IStripeEventUtilityService _stripeEventUtilityService;
     private readonly IPushNotificationService _pushNotificationService;
+    private readonly IOrganizationEnableCommand _organizationEnableCommand;
 
     public PaymentSucceededHandler(
         ILogger<PaymentSucceededHandler> logger,
@@ -39,8 +40,8 @@ public class PaymentSucceededHandler : IPaymentSucceededHandler
         IUserRepository userRepository,
         IStripeEventUtilityService stripeEventUtilityService,
         IUserService userService,
-        IOrganizationService organizationService,
-        IPushNotificationService pushNotificationService)
+        IPushNotificationService pushNotificationService,
+        IOrganizationEnableCommand organizationEnableCommand)
     {
         _logger = logger;
         _stripeEventService = stripeEventService;
@@ -52,8 +53,8 @@ public class PaymentSucceededHandler : IPaymentSucceededHandler
         _userRepository = userRepository;
         _stripeEventUtilityService = stripeEventUtilityService;
         _userService = userService;
-        _organizationService = organizationService;
         _pushNotificationService = pushNotificationService;
+        _organizationEnableCommand = organizationEnableCommand;
     }
 
     /// <summary>
@@ -142,7 +143,7 @@ public class PaymentSucceededHandler : IPaymentSucceededHandler
                 return;
             }
 
-            await _organizationService.EnableAsync(organizationId.Value, subscription.CurrentPeriodEnd);
+            await _organizationEnableCommand.EnableAsync(organizationId.Value, subscription.CurrentPeriodEnd);
             var organization = await _organizationRepository.GetByIdAsync(organizationId.Value);
             await _pushNotificationService.PushSyncOrganizationStatusAsync(organization);
 
diff --git a/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs b/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs
index ea277a6307..10a1d1a186 100644
--- a/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs
+++ b/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs
@@ -1,6 +1,7 @@
 using Bit.Billing.Constants;
 using Bit.Billing.Jobs;
 using Bit.Core;
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
@@ -24,6 +25,7 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
     private readonly IOrganizationRepository _organizationRepository;
     private readonly ISchedulerFactory _schedulerFactory;
     private readonly IFeatureService _featureService;
+    private readonly IOrganizationEnableCommand _organizationEnableCommand;
 
     public SubscriptionUpdatedHandler(
         IStripeEventService stripeEventService,
@@ -35,7 +37,8 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
         IPushNotificationService pushNotificationService,
         IOrganizationRepository organizationRepository,
         ISchedulerFactory schedulerFactory,
-        IFeatureService featureService)
+        IFeatureService featureService,
+        IOrganizationEnableCommand organizationEnableCommand)
     {
         _stripeEventService = stripeEventService;
         _stripeEventUtilityService = stripeEventUtilityService;
@@ -47,6 +50,7 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
         _organizationRepository = organizationRepository;
         _schedulerFactory = schedulerFactory;
         _featureService = featureService;
+        _organizationEnableCommand = organizationEnableCommand;
     }
 
     /// <summary>
@@ -90,7 +94,7 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
                 }
             case StripeSubscriptionStatus.Active when organizationId.HasValue:
                 {
-                    await _organizationService.EnableAsync(organizationId.Value);
+                    await _organizationEnableCommand.EnableAsync(organizationId.Value);
                     var organization = await _organizationRepository.GetByIdAsync(organizationId.Value);
                     await _pushNotificationService.PushSyncOrganizationStatusAsync(organization);
                     break;
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationEnableCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationEnableCommand.cs
new file mode 100644
index 0000000000..522aa04a60
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationEnableCommand.cs
@@ -0,0 +1,11 @@
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
+
+public interface IOrganizationEnableCommand
+{
+    /// <summary>
+    /// Enables an organization that is currently disabled and has a gateway configured.
+    /// </summary>
+    /// <param name="organizationId">The unique identifier of the organization to enable.</param>
+    /// <param name="expirationDate">When provided, sets the date the organization's subscription will expire. If not provided, no expiration date will be set.</param>
+    Task EnableAsync(Guid organizationId, DateTime? expirationDate = null);
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Organizations/OrganizationEnableCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/Organizations/OrganizationEnableCommand.cs
new file mode 100644
index 0000000000..660c792563
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/Organizations/OrganizationEnableCommand.cs
@@ -0,0 +1,39 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
+
+public class OrganizationEnableCommand : IOrganizationEnableCommand
+{
+    private readonly IApplicationCacheService _applicationCacheService;
+    private readonly IOrganizationRepository _organizationRepository;
+
+    public OrganizationEnableCommand(
+        IApplicationCacheService applicationCacheService,
+        IOrganizationRepository organizationRepository)
+    {
+        _applicationCacheService = applicationCacheService;
+        _organizationRepository = organizationRepository;
+    }
+
+    public async Task EnableAsync(Guid organizationId, DateTime? expirationDate = null)
+    {
+        var organization = await _organizationRepository.GetByIdAsync(organizationId);
+        if (organization is null || organization.Enabled || expirationDate is not null && organization.Gateway is null)
+        {
+            return;
+        }
+
+        organization.Enabled = true;
+
+        if (expirationDate is not null && organization.Gateway is not null)
+        {
+            organization.ExpirationDate = expirationDate;
+            organization.RevisionDate = DateTime.UtcNow;
+        }
+
+        await _organizationRepository.ReplaceAsync(organization);
+        await _applicationCacheService.UpsertOrganizationAbilityAsync(organization);
+    }
+}
diff --git a/src/Core/AdminConsole/Services/IOrganizationService.cs b/src/Core/AdminConsole/Services/IOrganizationService.cs
index 7d73a3c903..683fbe9902 100644
--- a/src/Core/AdminConsole/Services/IOrganizationService.cs
+++ b/src/Core/AdminConsole/Services/IOrganizationService.cs
@@ -28,10 +28,8 @@ public interface IOrganizationService
     /// </summary>
     Task<(Organization organization, OrganizationUser organizationUser)> SignUpAsync(OrganizationLicense license, User owner,
         string ownerKey, string collectionName, string publicKey, string privateKey);
-    Task EnableAsync(Guid organizationId, DateTime? expirationDate);
     Task DisableAsync(Guid organizationId, DateTime? expirationDate);
     Task UpdateExpirationDateAsync(Guid organizationId, DateTime? expirationDate);
-    Task EnableAsync(Guid organizationId);
     Task UpdateAsync(Organization organization, bool updateBilling = false, EventType eventType = EventType.Organization_Updated);
     Task UpdateTwoFactorProviderAsync(Organization organization, TwoFactorProviderType type);
     Task DisableTwoFactorProviderAsync(Organization organization, TwoFactorProviderType type);
diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index 6f4aba4882..284c11cc78 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -686,18 +686,6 @@ public class OrganizationService : IOrganizationService
         }
     }
 
-    public async Task EnableAsync(Guid organizationId, DateTime? expirationDate)
-    {
-        var org = await GetOrgById(organizationId);
-        if (org != null && !org.Enabled && org.Gateway.HasValue)
-        {
-            org.Enabled = true;
-            org.ExpirationDate = expirationDate;
-            org.RevisionDate = DateTime.UtcNow;
-            await ReplaceAndUpdateCacheAsync(org);
-        }
-    }
-
     public async Task DisableAsync(Guid organizationId, DateTime? expirationDate)
     {
         var org = await GetOrgById(organizationId);
@@ -723,16 +711,6 @@ public class OrganizationService : IOrganizationService
         }
     }
 
-    public async Task EnableAsync(Guid organizationId)
-    {
-        var org = await GetOrgById(organizationId);
-        if (org != null && !org.Enabled)
-        {
-            org.Enabled = true;
-            await ReplaceAndUpdateCacheAsync(org);
-        }
-    }
-
     public async Task UpdateAsync(Organization organization, bool updateBilling = false, EventType eventType = EventType.Organization_Updated)
     {
         if (organization.Id == default(Guid))
diff --git a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
index 9d2e6e51e6..7db514887c 100644
--- a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
+++ b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
@@ -54,6 +54,7 @@ public static class OrganizationServiceCollectionExtensions
         services.AddOrganizationDomainCommandsQueries();
         services.AddOrganizationSignUpCommands();
         services.AddOrganizationDeleteCommands();
+        services.AddOrganizationEnableCommands();
         services.AddOrganizationAuthCommands();
         services.AddOrganizationUserCommands();
         services.AddOrganizationUserCommandsQueries();
@@ -69,6 +70,9 @@ public static class OrganizationServiceCollectionExtensions
         services.AddScoped<IOrganizationInitiateDeleteCommand, OrganizationInitiateDeleteCommand>();
     }
 
+    private static void AddOrganizationEnableCommands(this IServiceCollection services) =>
+        services.AddScoped<IOrganizationEnableCommand, OrganizationEnableCommand>();
+
     private static void AddOrganizationConnectionCommands(this IServiceCollection services)
     {
         services.AddScoped<ICreateOrganizationConnectionCommand, CreateOrganizationConnectionCommand>();
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationEnableCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationEnableCommandTests.cs
new file mode 100644
index 0000000000..6289c3b8e3
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationEnableCommandTests.cs
@@ -0,0 +1,147 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Organizations;
+
+[SutProviderCustomize]
+public class OrganizationEnableCommandTests
+{
+    [Theory, BitAutoData]
+    public async Task EnableAsync_WhenOrganizationDoesNotExist_DoesNothing(
+        Guid organizationId,
+        SutProvider<OrganizationEnableCommand> sutProvider)
+    {
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organizationId)
+            .Returns((Organization)null);
+
+        await sutProvider.Sut.EnableAsync(organizationId);
+
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .DidNotReceive()
+            .ReplaceAsync(Arg.Any<Organization>());
+        await sutProvider.GetDependency<IApplicationCacheService>()
+            .DidNotReceive()
+            .UpsertOrganizationAbilityAsync(Arg.Any<Organization>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task EnableAsync_WhenOrganizationAlreadyEnabled_DoesNothing(
+        Organization organization,
+        SutProvider<OrganizationEnableCommand> sutProvider)
+    {
+        organization.Enabled = true;
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        await sutProvider.Sut.EnableAsync(organization.Id);
+
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .DidNotReceive()
+            .ReplaceAsync(Arg.Any<Organization>());
+        await sutProvider.GetDependency<IApplicationCacheService>()
+            .DidNotReceive()
+            .UpsertOrganizationAbilityAsync(Arg.Any<Organization>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task EnableAsync_WhenOrganizationDisabled_EnablesAndSaves(
+        Organization organization,
+        SutProvider<OrganizationEnableCommand> sutProvider)
+    {
+        organization.Enabled = false;
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        await sutProvider.Sut.EnableAsync(organization.Id);
+
+        Assert.True(organization.Enabled);
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .Received(1)
+            .ReplaceAsync(organization);
+        await sutProvider.GetDependency<IApplicationCacheService>()
+            .Received(1)
+            .UpsertOrganizationAbilityAsync(organization);
+    }
+
+    [Theory, BitAutoData]
+    public async Task EnableAsync_WithExpiration_WhenOrganizationHasNoGateway_DoesNothing(
+        Organization organization,
+        DateTime expirationDate,
+        SutProvider<OrganizationEnableCommand> sutProvider)
+    {
+        organization.Enabled = false;
+        organization.Gateway = null;
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        await sutProvider.Sut.EnableAsync(organization.Id, expirationDate);
+
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .DidNotReceive()
+            .ReplaceAsync(Arg.Any<Organization>());
+        await sutProvider.GetDependency<IApplicationCacheService>()
+            .DidNotReceive()
+            .UpsertOrganizationAbilityAsync(Arg.Any<Organization>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task EnableAsync_WithExpiration_WhenValid_EnablesAndSetsExpiration(
+        Organization organization,
+        DateTime expirationDate,
+        SutProvider<OrganizationEnableCommand> sutProvider)
+    {
+        organization.Enabled = false;
+        organization.Gateway = GatewayType.Stripe;
+        organization.RevisionDate = DateTime.UtcNow.AddDays(-1);
+        var originalRevisionDate = organization.RevisionDate;
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        await sutProvider.Sut.EnableAsync(organization.Id, expirationDate);
+
+        Assert.True(organization.Enabled);
+        Assert.Equal(expirationDate, organization.ExpirationDate);
+        Assert.True(organization.RevisionDate > originalRevisionDate);
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .Received(1)
+            .ReplaceAsync(organization);
+        await sutProvider.GetDependency<IApplicationCacheService>()
+            .Received(1)
+            .UpsertOrganizationAbilityAsync(organization);
+    }
+
+    [Theory, BitAutoData]
+    public async Task EnableAsync_WithoutExpiration_DoesNotUpdateRevisionDate(
+        Organization organization,
+        SutProvider<OrganizationEnableCommand> sutProvider)
+    {
+        organization.Enabled = false;
+        var originalRevisionDate = organization.RevisionDate;
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        await sutProvider.Sut.EnableAsync(organization.Id);
+
+        Assert.True(organization.Enabled);
+        Assert.Equal(originalRevisionDate, organization.RevisionDate);
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .Received(1)
+            .ReplaceAsync(organization);
+        await sutProvider.GetDependency<IApplicationCacheService>()
+            .Received(1)
+            .UpsertOrganizationAbilityAsync(organization);
+    }
+}

From 762acdbd0371b1470d59d44f625fb6bb519560e4 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 14 Feb 2025 17:37:34 +0100
Subject: [PATCH 282/384] [deps] Tools: Update MailKit to 4.10.0 (#5408)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Daniel James Smith <2670567+djsmith85@users.noreply.github.com>
---
 src/Core/Core.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index e2aaa9aa23..860cf33298 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -42,7 +42,7 @@
     <PackageReference Include="DnsClient" Version="1.8.0" />
     <PackageReference Include="Fido2.AspNet" Version="3.0.1" />
     <PackageReference Include="Handlebars.Net" Version="2.1.6" />
-    <PackageReference Include="MailKit" Version="4.9.0" />
+    <PackageReference Include="MailKit" Version="4.10.0" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.10" />
     <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.46.1" />
     <PackageReference Include="Microsoft.Azure.NotificationHubs" Version="4.2.0" />

From 288f08da2ad26086b58e8145129b91ed86cd6ea7 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Fri, 14 Feb 2025 18:01:49 +0100
Subject: [PATCH 283/384] =?UTF-8?q?[PM-18268]=20SM=20Marketing=20Initiated?=
 =?UTF-8?q?=20Trials=20cause=20invoice=20previewing=20to=20=E2=80=A6=20(#5?=
 =?UTF-8?q?404)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../Implementations/StripePaymentService.cs   | 33 +++++++------------
 1 file changed, 11 insertions(+), 22 deletions(-)

diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
index fb5c7364a5..4813608fb5 100644
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -1852,7 +1852,6 @@ public class StripePaymentService : IPaymentService
                 Enabled = true,
             },
             Currency = "usd",
-            Discounts = new List<InvoiceDiscountOptions>(),
             SubscriptionDetails = new InvoiceSubscriptionDetailsOptions
             {
                 Items =
@@ -1903,29 +1902,23 @@ public class StripePaymentService : IPaymentService
             ];
         }
 
-        if (gatewayCustomerId != null)
+        if (!string.IsNullOrWhiteSpace(gatewayCustomerId))
         {
             var gatewayCustomer = await _stripeAdapter.CustomerGetAsync(gatewayCustomerId);
 
             if (gatewayCustomer.Discount != null)
             {
-                options.Discounts.Add(new InvoiceDiscountOptions
-                {
-                    Discount = gatewayCustomer.Discount.Id
-                });
+                options.Coupon = gatewayCustomer.Discount.Coupon.Id;
             }
+        }
 
-            if (gatewaySubscriptionId != null)
+        if (!string.IsNullOrWhiteSpace(gatewaySubscriptionId))
+        {
+            var gatewaySubscription = await _stripeAdapter.SubscriptionGetAsync(gatewaySubscriptionId);
+
+            if (gatewaySubscription?.Discount != null)
             {
-                var gatewaySubscription = await _stripeAdapter.SubscriptionGetAsync(gatewaySubscriptionId);
-
-                if (gatewaySubscription?.Discount != null)
-                {
-                    options.Discounts.Add(new InvoiceDiscountOptions
-                    {
-                        Discount = gatewaySubscription.Discount.Id
-                    });
-                }
+                options.Coupon ??= gatewaySubscription.Discount.Coupon.Id;
             }
         }
 
@@ -1976,7 +1969,6 @@ public class StripePaymentService : IPaymentService
                 Enabled = true,
             },
             Currency = "usd",
-            Discounts = new List<InvoiceDiscountOptions>(),
             SubscriptionDetails = new InvoiceSubscriptionDetailsOptions
             {
                 Items =
@@ -2069,7 +2061,7 @@ public class StripePaymentService : IPaymentService
 
             if (gatewayCustomer.Discount != null)
             {
-                options.Discounts.Add(new InvoiceDiscountOptions { Discount = gatewayCustomer.Discount.Id });
+                options.Coupon = gatewayCustomer.Discount.Coupon.Id;
             }
         }
 
@@ -2079,10 +2071,7 @@ public class StripePaymentService : IPaymentService
 
             if (gatewaySubscription?.Discount != null)
             {
-                options.Discounts.Add(new InvoiceDiscountOptions
-                {
-                    Discount = gatewaySubscription.Discount.Id
-                });
+                options.Coupon ??= gatewaySubscription.Discount.Coupon.Id;
             }
         }
 

From 5709ea36f4d174049704ac83669158fa5a073b68 Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Fri, 14 Feb 2025 12:03:09 -0500
Subject: [PATCH 284/384] [PM-15485] Add provider plan details to provider
 Admin pages (#5326)

* Add Provider Plan details to Provider Admin pages

* Run dotnet format

* Thomas' feedback

* Updated code ownership

* Robert's feedback

* Thomas' feedback
---
 src/Admin/Admin.csproj                        |  1 -
 .../Controllers/ProvidersController.cs        |  3 +-
 .../AdminConsole/Models/ProviderEditModel.cs  |  2 +-
 .../AdminConsole/Models/ProviderViewModel.cs  | 49 +++++++++++++++++--
 .../AdminConsole/Views/Providers/Edit.cshtml  |  4 ++
 .../AdminConsole/Views/Providers/View.cshtml  |  4 ++
 .../Billing/Models/ProviderPlanViewModel.cs   | 26 ++++++++++
 .../Views/Providers/ProviderPlans.cshtml      | 18 +++++++
 ...ProviderOrganizationOrganizationDetails.cs |  2 +
 ...rganizationDetailsReadByProviderIdQuery.cs |  1 +
 ...derOrganizationOrganizationDetailsView.sql |  1 +
 ...derOrganizationOrganizationDetailsView.sql | 23 +++++++++
 12 files changed, 128 insertions(+), 6 deletions(-)
 create mode 100644 src/Admin/Billing/Models/ProviderPlanViewModel.cs
 create mode 100644 src/Admin/Billing/Views/Providers/ProviderPlans.cshtml
 create mode 100644 util/Migrator/DbScripts/2025-01-29_00_AddPlanTypeToProviderOrganizationOrganizationDetailsView.sql

diff --git a/src/Admin/Admin.csproj b/src/Admin/Admin.csproj
index 5493e65afd..4a255eefb2 100644
--- a/src/Admin/Admin.csproj
+++ b/src/Admin/Admin.csproj
@@ -16,7 +16,6 @@
   </ItemGroup>
   <ItemGroup>
     <Folder Include="Billing\Controllers\" />
-    <Folder Include="Billing\Models\" />
   </ItemGroup>
 
   <Choose>
diff --git a/src/Admin/AdminConsole/Controllers/ProvidersController.cs b/src/Admin/AdminConsole/Controllers/ProvidersController.cs
index 8a56483a60..6229a4deab 100644
--- a/src/Admin/AdminConsole/Controllers/ProvidersController.cs
+++ b/src/Admin/AdminConsole/Controllers/ProvidersController.cs
@@ -235,7 +235,8 @@ public class ProvidersController : Controller
 
         var users = await _providerUserRepository.GetManyDetailsByProviderAsync(id);
         var providerOrganizations = await _providerOrganizationRepository.GetManyDetailsByProviderAsync(id);
-        return View(new ProviderViewModel(provider, users, providerOrganizations));
+        var providerPlans = await _providerPlanRepository.GetByProviderId(id);
+        return View(new ProviderViewModel(provider, users, providerOrganizations, providerPlans.ToList()));
     }
 
     [SelfHosted(NotSelfHostedOnly = true)]
diff --git a/src/Admin/AdminConsole/Models/ProviderEditModel.cs b/src/Admin/AdminConsole/Models/ProviderEditModel.cs
index 7fd5c765c8..bcdf602c07 100644
--- a/src/Admin/AdminConsole/Models/ProviderEditModel.cs
+++ b/src/Admin/AdminConsole/Models/ProviderEditModel.cs
@@ -19,7 +19,7 @@ public class ProviderEditModel : ProviderViewModel, IValidatableObject
         IEnumerable<ProviderOrganizationOrganizationDetails> organizations,
         IReadOnlyCollection<ProviderPlan> providerPlans,
         string gatewayCustomerUrl = null,
-        string gatewaySubscriptionUrl = null) : base(provider, providerUsers, organizations)
+        string gatewaySubscriptionUrl = null) : base(provider, providerUsers, organizations, providerPlans)
     {
         Name = provider.DisplayName();
         BusinessName = provider.DisplayBusinessName();
diff --git a/src/Admin/AdminConsole/Models/ProviderViewModel.cs b/src/Admin/AdminConsole/Models/ProviderViewModel.cs
index 9c4d07e8bf..724e6220b3 100644
--- a/src/Admin/AdminConsole/Models/ProviderViewModel.cs
+++ b/src/Admin/AdminConsole/Models/ProviderViewModel.cs
@@ -1,6 +1,9 @@
-using Bit.Core.AdminConsole.Entities.Provider;
+using Bit.Admin.Billing.Models;
+using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Models.Data.Provider;
+using Bit.Core.Billing.Entities;
+using Bit.Core.Billing.Enums;
 
 namespace Bit.Admin.AdminConsole.Models;
 
@@ -8,17 +11,57 @@ public class ProviderViewModel
 {
     public ProviderViewModel() { }
 
-    public ProviderViewModel(Provider provider, IEnumerable<ProviderUserUserDetails> providerUsers, IEnumerable<ProviderOrganizationOrganizationDetails> organizations)
+    public ProviderViewModel(
+        Provider provider,
+        IEnumerable<ProviderUserUserDetails> providerUsers,
+        IEnumerable<ProviderOrganizationOrganizationDetails> organizations,
+        IReadOnlyCollection<ProviderPlan> providerPlans)
     {
         Provider = provider;
         UserCount = providerUsers.Count();
         ProviderAdmins = providerUsers.Where(u => u.Type == ProviderUserType.ProviderAdmin);
-
         ProviderOrganizations = organizations.Where(o => o.ProviderId == provider.Id);
+
+        if (Provider.Type == ProviderType.Msp)
+        {
+            var usedTeamsSeats = ProviderOrganizations.Where(po => po.PlanType == PlanType.TeamsMonthly)
+                .Sum(po => po.OccupiedSeats) ?? 0;
+            var teamsProviderPlan = providerPlans.FirstOrDefault(plan => plan.PlanType == PlanType.TeamsMonthly);
+            if (teamsProviderPlan != null && teamsProviderPlan.IsConfigured())
+            {
+                ProviderPlanViewModels.Add(new ProviderPlanViewModel("Teams (Monthly) Subscription", teamsProviderPlan, usedTeamsSeats));
+            }
+
+            var usedEnterpriseSeats = ProviderOrganizations.Where(po => po.PlanType == PlanType.EnterpriseMonthly)
+                .Sum(po => po.OccupiedSeats) ?? 0;
+            var enterpriseProviderPlan = providerPlans.FirstOrDefault(plan => plan.PlanType == PlanType.EnterpriseMonthly);
+            if (enterpriseProviderPlan != null && enterpriseProviderPlan.IsConfigured())
+            {
+                ProviderPlanViewModels.Add(new ProviderPlanViewModel("Enterprise (Monthly) Subscription", enterpriseProviderPlan, usedEnterpriseSeats));
+            }
+        }
+        else if (Provider.Type == ProviderType.MultiOrganizationEnterprise)
+        {
+            var usedEnterpriseSeats = ProviderOrganizations.Where(po => po.PlanType == PlanType.EnterpriseMonthly)
+                .Sum(po => po.OccupiedSeats).GetValueOrDefault(0);
+            var enterpriseProviderPlan = providerPlans.FirstOrDefault();
+            if (enterpriseProviderPlan != null && enterpriseProviderPlan.IsConfigured())
+            {
+                var planLabel = enterpriseProviderPlan.PlanType switch
+                {
+                    PlanType.EnterpriseMonthly => "Enterprise (Monthly) Subscription",
+                    PlanType.EnterpriseAnnually => "Enterprise (Annually) Subscription",
+                    _ => string.Empty
+                };
+
+                ProviderPlanViewModels.Add(new ProviderPlanViewModel(planLabel, enterpriseProviderPlan, usedEnterpriseSeats));
+            }
+        }
     }
 
     public int UserCount { get; set; }
     public Provider Provider { get; set; }
     public IEnumerable<ProviderUserUserDetails> ProviderAdmins { get; set; }
     public IEnumerable<ProviderOrganizationOrganizationDetails> ProviderOrganizations { get; set; }
+    public List<ProviderPlanViewModel> ProviderPlanViewModels { get; set; } = [];
 }
diff --git a/src/Admin/AdminConsole/Views/Providers/Edit.cshtml b/src/Admin/AdminConsole/Views/Providers/Edit.cshtml
index 43d72338be..be13a7c740 100644
--- a/src/Admin/AdminConsole/Views/Providers/Edit.cshtml
+++ b/src/Admin/AdminConsole/Views/Providers/Edit.cshtml
@@ -17,6 +17,10 @@
 
 <h2>Provider Information</h2>
 @await Html.PartialAsync("_ViewInformation", Model)
+@if (Model.ProviderPlanViewModels.Any())
+{
+    @await Html.PartialAsync("~/Billing/Views/Providers/ProviderPlans.cshtml", Model.ProviderPlanViewModels)
+}
 @await Html.PartialAsync("Admins", Model)
 <form method="post" id="edit-form">
     <div asp-validation-summary="All" class="alert alert-danger"></div>
diff --git a/src/Admin/AdminConsole/Views/Providers/View.cshtml b/src/Admin/AdminConsole/Views/Providers/View.cshtml
index 0ae31627fc..0774ee2f70 100644
--- a/src/Admin/AdminConsole/Views/Providers/View.cshtml
+++ b/src/Admin/AdminConsole/Views/Providers/View.cshtml
@@ -7,5 +7,9 @@
 
 <h2>Information</h2>
 @await Html.PartialAsync("_ViewInformation", Model)
+@if (Model.ProviderPlanViewModels.Any())
+{
+    @await Html.PartialAsync("ProviderPlans", Model.ProviderPlanViewModels)
+}
 @await Html.PartialAsync("Admins", Model)
 @await Html.PartialAsync("Organizations", Model)
diff --git a/src/Admin/Billing/Models/ProviderPlanViewModel.cs b/src/Admin/Billing/Models/ProviderPlanViewModel.cs
new file mode 100644
index 0000000000..7a50aba286
--- /dev/null
+++ b/src/Admin/Billing/Models/ProviderPlanViewModel.cs
@@ -0,0 +1,26 @@
+using Bit.Core.Billing.Entities;
+
+namespace Bit.Admin.Billing.Models;
+
+public class ProviderPlanViewModel
+{
+    public string Name { get; set; }
+    public int PurchasedSeats { get; set; }
+    public int AssignedSeats { get; set; }
+    public int UsedSeats { get; set; }
+    public int RemainingSeats { get; set; }
+
+    public ProviderPlanViewModel(
+        string name,
+        ProviderPlan providerPlan,
+        int usedSeats)
+    {
+        var purchasedSeats = (providerPlan.SeatMinimum ?? 0) + (providerPlan.PurchasedSeats ?? 0);
+
+        Name = name;
+        PurchasedSeats = purchasedSeats;
+        AssignedSeats = providerPlan.AllocatedSeats ?? 0;
+        UsedSeats = usedSeats;
+        RemainingSeats = purchasedSeats - AssignedSeats;
+    }
+}
diff --git a/src/Admin/Billing/Views/Providers/ProviderPlans.cshtml b/src/Admin/Billing/Views/Providers/ProviderPlans.cshtml
new file mode 100644
index 0000000000..e84f5a2779
--- /dev/null
+++ b/src/Admin/Billing/Views/Providers/ProviderPlans.cshtml
@@ -0,0 +1,18 @@
+@model List<Bit.Admin.Billing.Models.ProviderPlanViewModel>
+@foreach (var plan in Model)
+{
+    <h2>@plan.Name</h2>
+    <dl class="row">
+        <dt class="col-sm-4 col-lg-3">Purchased Seats</dt>
+        <dd class="col-sm-8 col-lg-9">@plan.PurchasedSeats</dd>
+
+        <dt class="col-sm-4 col-lg-3">Assigned Seats</dt>
+        <dd class="col-sm-8 col-lg-9">@plan.AssignedSeats</dd>
+
+        <dt class="col-sm-4 col-lg-3">Used Seats</dt>
+        <dd class="col-sm-8 col-lg-9">@plan.UsedSeats</dd>
+
+        <dt class="col-sm-4 col-lg-3">Remaining Seats</dt>
+        <dd class="col-sm-8 col-lg-9">@plan.RemainingSeats</dd>
+    </dl>
+}
diff --git a/src/Core/AdminConsole/Models/Data/Provider/ProviderOrganizationOrganizationDetails.cs b/src/Core/AdminConsole/Models/Data/Provider/ProviderOrganizationOrganizationDetails.cs
index 1b2112707c..9d84f60c4c 100644
--- a/src/Core/AdminConsole/Models/Data/Provider/ProviderOrganizationOrganizationDetails.cs
+++ b/src/Core/AdminConsole/Models/Data/Provider/ProviderOrganizationOrganizationDetails.cs
@@ -1,5 +1,6 @@
 using System.Net;
 using System.Text.Json.Serialization;
+using Bit.Core.Billing.Enums;
 using Bit.Core.Enums;
 using Bit.Core.Utilities;
 
@@ -23,6 +24,7 @@ public class ProviderOrganizationOrganizationDetails
     public int? OccupiedSeats { get; set; }
     public int? Seats { get; set; }
     public string Plan { get; set; }
+    public PlanType PlanType { get; set; }
     public OrganizationStatusType Status { get; set; }
 
     /// <summary>
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/ProviderOrganizationOrganizationDetailsReadByProviderIdQuery.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/ProviderOrganizationOrganizationDetailsReadByProviderIdQuery.cs
index 62e46566d7..4f99391a24 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/ProviderOrganizationOrganizationDetailsReadByProviderIdQuery.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/ProviderOrganizationOrganizationDetailsReadByProviderIdQuery.cs
@@ -35,6 +35,7 @@ public class ProviderOrganizationOrganizationDetailsReadByProviderIdQuery : IQue
             OccupiedSeats = x.o.OrganizationUsers.Count(ou => ou.Status >= 0),
             Seats = x.o.Seats,
             Plan = x.o.Plan,
+            PlanType = x.o.PlanType,
             Status = x.o.Status
         });
     }
diff --git a/src/Sql/dbo/Views/ProviderOrganizationOrganizationDetailsView.sql b/src/Sql/dbo/Views/ProviderOrganizationOrganizationDetailsView.sql
index 0fcff73699..3a08418ed3 100644
--- a/src/Sql/dbo/Views/ProviderOrganizationOrganizationDetailsView.sql
+++ b/src/Sql/dbo/Views/ProviderOrganizationOrganizationDetailsView.sql
@@ -13,6 +13,7 @@ SELECT
     (SELECT COUNT(1) FROM [dbo].[OrganizationUser] OU WHERE OU.OrganizationId = PO.OrganizationId AND OU.Status >= 0) OccupiedSeats,
     O.[Seats],
     O.[Plan],
+    O.[PlanType],
     O.[Status]
 FROM
     [dbo].[ProviderOrganization] PO
diff --git a/util/Migrator/DbScripts/2025-01-29_00_AddPlanTypeToProviderOrganizationOrganizationDetailsView.sql b/util/Migrator/DbScripts/2025-01-29_00_AddPlanTypeToProviderOrganizationOrganizationDetailsView.sql
new file mode 100644
index 0000000000..df4c145b71
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-01-29_00_AddPlanTypeToProviderOrganizationOrganizationDetailsView.sql
@@ -0,0 +1,23 @@
+-- Add column 'PlanType'
+CREATE OR AlTER VIEW [dbo].[ProviderOrganizationOrganizationDetailsView]
+AS
+SELECT
+    PO.[Id],
+    PO.[ProviderId],
+    PO.[OrganizationId],
+    O.[Name] OrganizationName,
+    PO.[Key],
+    PO.[Settings],
+    PO.[CreationDate],
+    PO.[RevisionDate],
+    (SELECT COUNT(1) FROM [dbo].[OrganizationUser] OU WHERE OU.OrganizationId = PO.OrganizationId AND OU.Status = 2) UserCount,
+    (SELECT COUNT(1) FROM [dbo].[OrganizationUser] OU WHERE OU.OrganizationId = PO.OrganizationId AND OU.Status >= 0) OccupiedSeats,
+    O.[Seats],
+    O.[Plan],
+    O.[PlanType],
+    O.[Status]
+FROM
+    [dbo].[ProviderOrganization] PO
+        LEFT JOIN
+    [dbo].[Organization] O ON O.[Id] = PO.[OrganizationId]
+GO

From f80acaec0a9bea60aadf44b18ed77a838ea4be28 Mon Sep 17 00:00:00 2001
From: Brant DeBow <125889545+brant-livefront@users.noreply.github.com>
Date: Fri, 14 Feb 2025 13:38:27 -0500
Subject: [PATCH 285/384] [PM-17562] Refactor to Support Multiple Message
 Payloads (#5400)

* [PM-17562] Refactor to Support Multiple Message Payloads

* Change signature as per PR suggestion
---
 .../Services/IEventMessageHandler.cs          |  2 ++
 .../AzureServiceBusEventListenerService.cs    | 18 +++++++++++---
 .../AzureServiceBusEventWriteService.cs       |  8 ++++---
 .../AzureTableStorageEventHandler.cs          |  5 ++++
 .../Implementations/EventRepositoryHandler.cs |  5 ++++
 .../RabbitMqEventListenerService.cs           | 19 ++++++++++++---
 .../RabbitMqEventWriteService.cs              |  7 ++----
 .../Implementations/WebhookEventHandler.cs    | 24 ++++++++++---------
 src/Events/Startup.cs                         | 23 ++++++++++++++++--
 .../Services/EventRepositoryHandlerTests.cs   | 11 +++++++++
 .../Services/WebhookEventHandlerTests.cs      | 23 ++++++++++++++++--
 11 files changed, 116 insertions(+), 29 deletions(-)

diff --git a/src/Core/AdminConsole/Services/IEventMessageHandler.cs b/src/Core/AdminConsole/Services/IEventMessageHandler.cs
index 5df9544c29..83c5e33ecb 100644
--- a/src/Core/AdminConsole/Services/IEventMessageHandler.cs
+++ b/src/Core/AdminConsole/Services/IEventMessageHandler.cs
@@ -5,4 +5,6 @@ namespace Bit.Core.Services;
 public interface IEventMessageHandler
 {
     Task HandleEventAsync(EventMessage eventMessage);
+
+    Task HandleManyEventsAsync(IEnumerable<EventMessage> eventMessages);
 }
diff --git a/src/Core/AdminConsole/Services/Implementations/AzureServiceBusEventListenerService.cs b/src/Core/AdminConsole/Services/Implementations/AzureServiceBusEventListenerService.cs
index 5c329ce8ad..4cd71ae77e 100644
--- a/src/Core/AdminConsole/Services/Implementations/AzureServiceBusEventListenerService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/AzureServiceBusEventListenerService.cs
@@ -1,4 +1,5 @@
-using System.Text.Json;
+using System.Text;
+using System.Text.Json;
 using Azure.Messaging.ServiceBus;
 using Bit.Core.Models.Data;
 using Bit.Core.Settings;
@@ -29,9 +30,20 @@ public class AzureServiceBusEventListenerService : EventLoggingListenerService
         {
             try
             {
-                var eventMessage = JsonSerializer.Deserialize<EventMessage>(args.Message.Body.ToString());
+                using var jsonDocument = JsonDocument.Parse(Encoding.UTF8.GetString(args.Message.Body));
+                var root = jsonDocument.RootElement;
 
-                await _handler.HandleEventAsync(eventMessage);
+                if (root.ValueKind == JsonValueKind.Array)
+                {
+                    var eventMessages = root.Deserialize<IEnumerable<EventMessage>>();
+                    await _handler.HandleManyEventsAsync(eventMessages);
+                }
+                else if (root.ValueKind == JsonValueKind.Object)
+                {
+                    var eventMessage = root.Deserialize<EventMessage>();
+                    await _handler.HandleEventAsync(eventMessage);
+
+                }
                 await args.CompleteMessageAsync(args.Message);
             }
             catch (Exception exception)
diff --git a/src/Core/AdminConsole/Services/Implementations/AzureServiceBusEventWriteService.cs b/src/Core/AdminConsole/Services/Implementations/AzureServiceBusEventWriteService.cs
index ed8f45ed55..fc865b327c 100644
--- a/src/Core/AdminConsole/Services/Implementations/AzureServiceBusEventWriteService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/AzureServiceBusEventWriteService.cs
@@ -29,10 +29,12 @@ public class AzureServiceBusEventWriteService : IEventWriteService, IAsyncDispos
 
     public async Task CreateManyAsync(IEnumerable<IEvent> events)
     {
-        foreach (var e in events)
+        var message = new ServiceBusMessage(JsonSerializer.SerializeToUtf8Bytes(events))
         {
-            await CreateAsync(e);
-        }
+            ContentType = "application/json"
+        };
+
+        await _sender.SendMessageAsync(message);
     }
 
     public async ValueTask DisposeAsync()
diff --git a/src/Core/AdminConsole/Services/Implementations/AzureTableStorageEventHandler.cs b/src/Core/AdminConsole/Services/Implementations/AzureTableStorageEventHandler.cs
index 2612ba0487..aa545913b1 100644
--- a/src/Core/AdminConsole/Services/Implementations/AzureTableStorageEventHandler.cs
+++ b/src/Core/AdminConsole/Services/Implementations/AzureTableStorageEventHandler.cs
@@ -11,4 +11,9 @@ public class AzureTableStorageEventHandler(
     {
         return eventWriteService.CreateManyAsync(EventTableEntity.IndexEvent(eventMessage));
     }
+
+    public Task HandleManyEventsAsync(IEnumerable<EventMessage> eventMessages)
+    {
+        return eventWriteService.CreateManyAsync(eventMessages.SelectMany(EventTableEntity.IndexEvent));
+    }
 }
diff --git a/src/Core/AdminConsole/Services/Implementations/EventRepositoryHandler.cs b/src/Core/AdminConsole/Services/Implementations/EventRepositoryHandler.cs
index 6e4158122c..ee3a2d5db2 100644
--- a/src/Core/AdminConsole/Services/Implementations/EventRepositoryHandler.cs
+++ b/src/Core/AdminConsole/Services/Implementations/EventRepositoryHandler.cs
@@ -11,4 +11,9 @@ public class EventRepositoryHandler(
     {
         return eventWriteService.CreateAsync(eventMessage);
     }
+
+    public Task HandleManyEventsAsync(IEnumerable<EventMessage> eventMessages)
+    {
+        return eventWriteService.CreateManyAsync(eventMessages);
+    }
 }
diff --git a/src/Core/AdminConsole/Services/Implementations/RabbitMqEventListenerService.cs b/src/Core/AdminConsole/Services/Implementations/RabbitMqEventListenerService.cs
index c302497142..1ee3fa5ea7 100644
--- a/src/Core/AdminConsole/Services/Implementations/RabbitMqEventListenerService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/RabbitMqEventListenerService.cs
@@ -1,4 +1,5 @@
-using System.Text.Json;
+using System.Text;
+using System.Text.Json;
 using Bit.Core.Models.Data;
 using Bit.Core.Settings;
 using Microsoft.Extensions.Logging;
@@ -62,8 +63,20 @@ public class RabbitMqEventListenerService : EventLoggingListenerService
         {
             try
             {
-                var eventMessage = JsonSerializer.Deserialize<EventMessage>(eventArgs.Body.Span);
-                await _handler.HandleEventAsync(eventMessage);
+                using var jsonDocument = JsonDocument.Parse(Encoding.UTF8.GetString(eventArgs.Body.Span));
+                var root = jsonDocument.RootElement;
+
+                if (root.ValueKind == JsonValueKind.Array)
+                {
+                    var eventMessages = root.Deserialize<IEnumerable<EventMessage>>();
+                    await _handler.HandleManyEventsAsync(eventMessages);
+                }
+                else if (root.ValueKind == JsonValueKind.Object)
+                {
+                    var eventMessage = root.Deserialize<EventMessage>();
+                    await _handler.HandleEventAsync(eventMessage);
+
+                }
             }
             catch (Exception ex)
             {
diff --git a/src/Core/AdminConsole/Services/Implementations/RabbitMqEventWriteService.cs b/src/Core/AdminConsole/Services/Implementations/RabbitMqEventWriteService.cs
index d89cf890ac..86abddec58 100644
--- a/src/Core/AdminConsole/Services/Implementations/RabbitMqEventWriteService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/RabbitMqEventWriteService.cs
@@ -41,12 +41,9 @@ public class RabbitMqEventWriteService : IEventWriteService, IAsyncDisposable
         using var channel = await connection.CreateChannelAsync();
         await channel.ExchangeDeclareAsync(exchange: _exchangeName, type: ExchangeType.Fanout, durable: true);
 
-        foreach (var e in events)
-        {
-            var body = JsonSerializer.SerializeToUtf8Bytes(e);
+        var body = JsonSerializer.SerializeToUtf8Bytes(events);
 
-            await channel.BasicPublishAsync(exchange: _exchangeName, routingKey: string.Empty, body: body);
-        }
+        await channel.BasicPublishAsync(exchange: _exchangeName, routingKey: string.Empty, body: body);
     }
 
     public async ValueTask DisposeAsync()
diff --git a/src/Core/AdminConsole/Services/Implementations/WebhookEventHandler.cs b/src/Core/AdminConsole/Services/Implementations/WebhookEventHandler.cs
index 60abc198d8..d152f9011b 100644
--- a/src/Core/AdminConsole/Services/Implementations/WebhookEventHandler.cs
+++ b/src/Core/AdminConsole/Services/Implementations/WebhookEventHandler.cs
@@ -4,25 +4,27 @@ using Bit.Core.Settings;
 
 namespace Bit.Core.Services;
 
-public class WebhookEventHandler : IEventMessageHandler
+public class WebhookEventHandler(
+    IHttpClientFactory httpClientFactory,
+    GlobalSettings globalSettings)
+    : IEventMessageHandler
 {
-    private readonly HttpClient _httpClient;
-    private readonly string _webhookUrl;
+    private readonly HttpClient _httpClient = httpClientFactory.CreateClient(HttpClientName);
+    private readonly string _webhookUrl = globalSettings.EventLogging.WebhookUrl;
 
     public const string HttpClientName = "WebhookEventHandlerHttpClient";
 
-    public WebhookEventHandler(
-        IHttpClientFactory httpClientFactory,
-        GlobalSettings globalSettings)
-    {
-        _httpClient = httpClientFactory.CreateClient(HttpClientName);
-        _webhookUrl = globalSettings.EventLogging.WebhookUrl;
-    }
-
     public async Task HandleEventAsync(EventMessage eventMessage)
     {
         var content = JsonContent.Create(eventMessage);
         var response = await _httpClient.PostAsync(_webhookUrl, content);
         response.EnsureSuccessStatusCode();
     }
+
+    public async Task HandleManyEventsAsync(IEnumerable<EventMessage> eventMessages)
+    {
+        var content = JsonContent.Create(eventMessages);
+        var response = await _httpClient.PostAsync(_webhookUrl, content);
+        response.EnsureSuccessStatusCode();
+    }
 }
diff --git a/src/Events/Startup.cs b/src/Events/Startup.cs
index 431f449708..57af285b03 100644
--- a/src/Events/Startup.cs
+++ b/src/Events/Startup.cs
@@ -1,4 +1,5 @@
 using System.Globalization;
+using Bit.Core.AdminConsole.Services.Implementations;
 using Bit.Core.Context;
 using Bit.Core.IdentityServer;
 using Bit.Core.Services;
@@ -63,11 +64,29 @@ public class Startup
         services.AddScoped<IEventService, EventService>();
         if (!globalSettings.SelfHosted && CoreHelpers.SettingHasValue(globalSettings.Events.ConnectionString))
         {
-            services.AddSingleton<IEventWriteService, AzureQueueEventWriteService>();
+            if (CoreHelpers.SettingHasValue(globalSettings.EventLogging.AzureServiceBus.ConnectionString) &&
+                CoreHelpers.SettingHasValue(globalSettings.EventLogging.AzureServiceBus.TopicName))
+            {
+                services.AddSingleton<IEventWriteService, AzureServiceBusEventWriteService>();
+            }
+            else
+            {
+                services.AddSingleton<IEventWriteService, AzureQueueEventWriteService>();
+            }
         }
         else
         {
-            services.AddSingleton<IEventWriteService, RepositoryEventWriteService>();
+            if (CoreHelpers.SettingHasValue(globalSettings.EventLogging.RabbitMq.HostName) &&
+                CoreHelpers.SettingHasValue(globalSettings.EventLogging.RabbitMq.Username) &&
+                CoreHelpers.SettingHasValue(globalSettings.EventLogging.RabbitMq.Password) &&
+                CoreHelpers.SettingHasValue(globalSettings.EventLogging.RabbitMq.ExchangeName))
+            {
+                services.AddSingleton<IEventWriteService, RabbitMqEventWriteService>();
+            }
+            else
+            {
+                services.AddSingleton<IEventWriteService, RepositoryEventWriteService>();
+            }
         }
 
         services.AddOptionality();
diff --git a/test/Core.Test/AdminConsole/Services/EventRepositoryHandlerTests.cs b/test/Core.Test/AdminConsole/Services/EventRepositoryHandlerTests.cs
index 2b143f5cb8..48c3a143d4 100644
--- a/test/Core.Test/AdminConsole/Services/EventRepositoryHandlerTests.cs
+++ b/test/Core.Test/AdminConsole/Services/EventRepositoryHandlerTests.cs
@@ -21,4 +21,15 @@ public class EventRepositoryHandlerTests
             Arg.Is(AssertHelper.AssertPropertyEqual<IEvent>(eventMessage))
         );
     }
+
+    [Theory, BitAutoData]
+    public async Task HandleManyEventAsync_WritesEventsToIEventWriteService(
+        IEnumerable<EventMessage> eventMessages,
+        SutProvider<EventRepositoryHandler> sutProvider)
+    {
+        await sutProvider.Sut.HandleManyEventsAsync(eventMessages);
+        await sutProvider.GetDependency<IEventWriteService>().Received(1).CreateManyAsync(
+            Arg.Is(AssertHelper.AssertPropertyEqual<IEvent>(eventMessages))
+        );
+    }
 }
diff --git a/test/Core.Test/AdminConsole/Services/WebhookEventHandlerTests.cs b/test/Core.Test/AdminConsole/Services/WebhookEventHandlerTests.cs
index eab0be88a1..6c7d7178c1 100644
--- a/test/Core.Test/AdminConsole/Services/WebhookEventHandlerTests.cs
+++ b/test/Core.Test/AdminConsole/Services/WebhookEventHandlerTests.cs
@@ -44,10 +44,9 @@ public class WebhookEventHandlerTests
     }
 
     [Theory, BitAutoData]
-    public async Task HandleEventAsync_PostsEventsToUrl(EventMessage eventMessage)
+    public async Task HandleEventAsync_PostsEventToUrl(EventMessage eventMessage)
     {
         var sutProvider = GetSutProvider();
-        var content = JsonContent.Create(eventMessage);
 
         await sutProvider.Sut.HandleEventAsync(eventMessage);
         sutProvider.GetDependency<IHttpClientFactory>().Received(1).CreateClient(
@@ -63,4 +62,24 @@ public class WebhookEventHandlerTests
         Assert.Equal(_webhookUrl, request.RequestUri.ToString());
         AssertHelper.AssertPropertyEqual(eventMessage, returned, new[] { "IdempotencyId" });
     }
+
+    [Theory, BitAutoData]
+    public async Task HandleEventManyAsync_PostsEventsToUrl(IEnumerable<EventMessage> eventMessages)
+    {
+        var sutProvider = GetSutProvider();
+
+        await sutProvider.Sut.HandleManyEventsAsync(eventMessages);
+        sutProvider.GetDependency<IHttpClientFactory>().Received(1).CreateClient(
+            Arg.Is(AssertHelper.AssertPropertyEqual<string>(WebhookEventHandler.HttpClientName))
+        );
+
+        Assert.Single(_handler.CapturedRequests);
+        var request = _handler.CapturedRequests[0];
+        Assert.NotNull(request);
+        var returned = request.Content.ReadFromJsonAsAsyncEnumerable<EventMessage>();
+
+        Assert.Equal(HttpMethod.Post, request.Method);
+        Assert.Equal(_webhookUrl, request.RequestUri.ToString());
+        AssertHelper.AssertPropertyEqual(eventMessages, returned, new[] { "IdempotencyId" });
+    }
 }

From ac443ed495ba087e04fc470163b2180f6b28f6f8 Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Tue, 18 Feb 2025 09:53:49 -0500
Subject: [PATCH 286/384] [pm-13985] Add a cancel endpoint to prevent
 authorization errors (#5229)

---
 .../AdminConsole/Controllers/ProvidersController.cs  | 12 ++++++++++++
 .../Views/Providers/CreateOrganization.cshtml        |  4 ++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/Admin/AdminConsole/Controllers/ProvidersController.cs b/src/Admin/AdminConsole/Controllers/ProvidersController.cs
index 6229a4deab..38e25939c4 100644
--- a/src/Admin/AdminConsole/Controllers/ProvidersController.cs
+++ b/src/Admin/AdminConsole/Controllers/ProvidersController.cs
@@ -251,6 +251,18 @@ public class ProvidersController : Controller
         return View(provider);
     }
 
+    [SelfHosted(NotSelfHostedOnly = true)]
+    public async Task<IActionResult> Cancel(Guid id)
+    {
+        var provider = await GetEditModel(id);
+        if (provider == null)
+        {
+            return RedirectToAction("Index");
+        }
+
+        return RedirectToAction("Edit", new { id });
+    }
+
     [HttpPost]
     [ValidateAntiForgeryToken]
     [SelfHosted(NotSelfHostedOnly = true)]
diff --git a/src/Admin/AdminConsole/Views/Providers/CreateOrganization.cshtml b/src/Admin/AdminConsole/Views/Providers/CreateOrganization.cshtml
index 6b7ccbdb12..eb790f20ba 100644
--- a/src/Admin/AdminConsole/Views/Providers/CreateOrganization.cshtml
+++ b/src/Admin/AdminConsole/Views/Providers/CreateOrganization.cshtml
@@ -19,8 +19,8 @@
 <div class="d-flex mt-4">
     <button type="submit" class="btn btn-primary" form="edit-form">Save</button>
     <div class="ms-auto d-flex">
-        <form asp-controller="Providers" asp-action="Edit" asp-route-id="@Model.Provider.Id"
-              onsubmit="return confirm('Are you sure you want to cancel?')">
+        <form asp-controller="Providers" asp-action="Cancel" asp-route-id="@Model.Provider.Id"
+            onsubmit="return confirm('Are you sure you want to cancel?')">
             <button class="btn btn-outline-secondary" type="submit">Cancel</button>
         </form>
     </div>

From 055e4e3066593b386d18b01fca632e3af2ade50c Mon Sep 17 00:00:00 2001
From: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Date: Tue, 18 Feb 2025 10:42:00 -0500
Subject: [PATCH 287/384] Add RequestDeviceIdentifier to response (#5403)

---
 src/Api/Auth/Models/Response/AuthRequestResponseModel.cs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/Api/Auth/Models/Response/AuthRequestResponseModel.cs b/src/Api/Auth/Models/Response/AuthRequestResponseModel.cs
index 3a07873451..50f7f5a3e7 100644
--- a/src/Api/Auth/Models/Response/AuthRequestResponseModel.cs
+++ b/src/Api/Auth/Models/Response/AuthRequestResponseModel.cs
@@ -18,6 +18,7 @@ public class AuthRequestResponseModel : ResponseModel
 
         Id = authRequest.Id;
         PublicKey = authRequest.PublicKey;
+        RequestDeviceIdentifier = authRequest.RequestDeviceIdentifier;
         RequestDeviceTypeValue = authRequest.RequestDeviceType;
         RequestDeviceType = authRequest.RequestDeviceType.GetType().GetMember(authRequest.RequestDeviceType.ToString())
             .FirstOrDefault()?.GetCustomAttribute<DisplayAttribute>()?.GetName();
@@ -32,6 +33,7 @@ public class AuthRequestResponseModel : ResponseModel
 
     public Guid Id { get; set; }
     public string PublicKey { get; set; }
+    public string RequestDeviceIdentifier { get; set; }
     public DeviceType RequestDeviceTypeValue { get; set; }
     public string RequestDeviceType { get; set; }
     public string RequestIpAddress { get; set; }

From f27886e3124976669515e239da9d8d1f9c3baeb8 Mon Sep 17 00:00:00 2001
From: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Date: Tue, 18 Feb 2025 12:54:11 -0500
Subject: [PATCH 288/384] [PM-17932] Convert Renovate config to JSON5 (#5414)

* Migrated Renovate config to JSON5

* Apply Prettier

* Added comment for demonstration

---------

Co-authored-by: Matt Bishop <mbishop@bitwarden.com>
---
 .github/renovate.json  | 199 -----------------------------------------
 .github/renovate.json5 | 199 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 199 insertions(+), 199 deletions(-)
 delete mode 100644 .github/renovate.json
 create mode 100644 .github/renovate.json5

diff --git a/.github/renovate.json b/.github/renovate.json
deleted file mode 100644
index 31d78a4d4e..0000000000
--- a/.github/renovate.json
+++ /dev/null
@@ -1,199 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["github>bitwarden/renovate-config"],
-  "enabledManagers": [
-    "dockerfile",
-    "docker-compose",
-    "github-actions",
-    "npm",
-    "nuget"
-  ],
-  "packageRules": [
-    {
-      "groupName": "dockerfile minor",
-      "matchManagers": ["dockerfile"],
-      "matchUpdateTypes": ["minor"]
-    },
-    {
-      "groupName": "docker-compose minor",
-      "matchManagers": ["docker-compose"],
-      "matchUpdateTypes": ["minor"]
-    },
-    {
-      "groupName": "github-action minor",
-      "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["minor"]
-    },
-    {
-      "matchManagers": ["dockerfile", "docker-compose"],
-      "commitMessagePrefix": "[deps] BRE:"
-    },
-    {
-      "matchPackageNames": ["DnsClient"],
-      "description": "Admin Console owned dependencies",
-      "commitMessagePrefix": "[deps] AC:",
-      "reviewers": ["team:team-admin-console-dev"]
-    },
-    {
-      "matchFileNames": ["src/Admin/package.json", "src/Sso/package.json"],
-      "description": "Admin & SSO npm packages",
-      "commitMessagePrefix": "[deps] Auth:",
-      "reviewers": ["team:team-auth-dev"]
-    },
-    {
-      "matchPackageNames": [
-        "Azure.Extensions.AspNetCore.DataProtection.Blobs",
-        "DuoUniversal",
-        "Fido2.AspNet",
-        "Duende.IdentityServer",
-        "Microsoft.Extensions.Identity.Stores",
-        "Otp.NET",
-        "Sustainsys.Saml2.AspNetCore2",
-        "YubicoDotNetClient"
-      ],
-      "description": "Auth owned dependencies",
-      "commitMessagePrefix": "[deps] Auth:",
-      "reviewers": ["team:team-auth-dev"]
-    },
-    {
-      "matchPackageNames": [
-        "AutoFixture.AutoNSubstitute",
-        "AutoFixture.Xunit2",
-        "BenchmarkDotNet",
-        "BitPay.Light",
-        "Braintree",
-        "coverlet.collector",
-        "CsvHelper",
-        "Kralizek.AutoFixture.Extensions.MockHttp",
-        "Microsoft.AspNetCore.Mvc.Testing",
-        "Microsoft.Extensions.Logging",
-        "Microsoft.Extensions.Logging.Console",
-        "Newtonsoft.Json",
-        "NSubstitute",
-        "Sentry.Serilog",
-        "Serilog.AspNetCore",
-        "Serilog.Extensions.Logging",
-        "Serilog.Extensions.Logging.File",
-        "Serilog.Sinks.AzureCosmosDB",
-        "Serilog.Sinks.SyslogMessages",
-        "Stripe.net",
-        "Swashbuckle.AspNetCore",
-        "Swashbuckle.AspNetCore.SwaggerGen",
-        "xunit",
-        "xunit.runner.visualstudio"
-      ],
-      "description": "Billing owned dependencies",
-      "commitMessagePrefix": "[deps] Billing:",
-      "reviewers": ["team:team-billing-dev"]
-    },
-    {
-      "matchPackagePatterns": ["^Microsoft.Extensions.Logging"],
-      "groupName": "Microsoft.Extensions.Logging",
-      "description": "Group Microsoft.Extensions.Logging to exclude them from the dotnet monorepo preset"
-    },
-    {
-      "matchPackageNames": [
-        "Dapper",
-        "dbup-sqlserver",
-        "dotnet-ef",
-        "linq2db.EntityFrameworkCore",
-        "Microsoft.Azure.Cosmos",
-        "Microsoft.Data.SqlClient",
-        "Microsoft.EntityFrameworkCore.Design",
-        "Microsoft.EntityFrameworkCore.InMemory",
-        "Microsoft.EntityFrameworkCore.Relational",
-        "Microsoft.EntityFrameworkCore.Sqlite",
-        "Microsoft.EntityFrameworkCore.SqlServer",
-        "Microsoft.Extensions.Caching.Cosmos",
-        "Microsoft.Extensions.Caching.SqlServer",
-        "Microsoft.Extensions.Caching.StackExchangeRedis",
-        "Npgsql.EntityFrameworkCore.PostgreSQL",
-        "Pomelo.EntityFrameworkCore.MySql"
-      ],
-      "description": "DbOps owned dependencies",
-      "commitMessagePrefix": "[deps] DbOps:",
-      "reviewers": ["team:dept-dbops"]
-    },
-    {
-      "matchPackageNames": ["CommandDotNet", "YamlDotNet"],
-      "description": "DevOps owned dependencies",
-      "commitMessagePrefix": "[deps] BRE:",
-      "reviewers": ["team:dept-bre"]
-    },
-    {
-      "matchPackageNames": [
-        "AspNetCoreRateLimit",
-        "AspNetCoreRateLimit.Redis",
-        "Azure.Data.Tables",
-        "Azure.Messaging.EventGrid",
-        "Azure.Messaging.ServiceBus",
-        "Azure.Storage.Blobs",
-        "Azure.Storage.Queues",
-        "Microsoft.AspNetCore.Authentication.JwtBearer",
-        "Microsoft.AspNetCore.Http",
-        "Quartz"
-      ],
-      "description": "Platform owned dependencies",
-      "commitMessagePrefix": "[deps] Platform:",
-      "reviewers": ["team:team-platform-dev"]
-    },
-    {
-      "matchPackagePatterns": ["EntityFrameworkCore", "^dotnet-ef"],
-      "groupName": "EntityFrameworkCore",
-      "description": "Group EntityFrameworkCore to exclude them from the dotnet monorepo preset"
-    },
-    {
-      "matchPackageNames": [
-        "AutoMapper.Extensions.Microsoft.DependencyInjection",
-        "AWSSDK.SimpleEmail",
-        "AWSSDK.SQS",
-        "Handlebars.Net",
-        "LaunchDarkly.ServerSdk",
-        "MailKit",
-        "Microsoft.AspNetCore.SignalR.Protocols.MessagePack",
-        "Microsoft.AspNetCore.SignalR.StackExchangeRedis",
-        "Microsoft.Azure.NotificationHubs",
-        "Microsoft.Extensions.Configuration.EnvironmentVariables",
-        "Microsoft.Extensions.Configuration.UserSecrets",
-        "Microsoft.Extensions.Configuration",
-        "Microsoft.Extensions.DependencyInjection.Abstractions",
-        "Microsoft.Extensions.DependencyInjection",
-        "SendGrid"
-      ],
-      "description": "Tools owned dependencies",
-      "commitMessagePrefix": "[deps] Tools:",
-      "reviewers": ["team:team-tools-dev"]
-    },
-    {
-      "matchPackagePatterns": ["^Microsoft.AspNetCore.SignalR"],
-      "groupName": "SignalR",
-      "description": "Group SignalR to exclude them from the dotnet monorepo preset"
-    },
-    {
-      "matchPackagePatterns": ["^Microsoft.Extensions.Configuration"],
-      "groupName": "Microsoft.Extensions.Configuration",
-      "description": "Group Microsoft.Extensions.Configuration to exclude them from the dotnet monorepo preset"
-    },
-    {
-      "matchPackagePatterns": ["^Microsoft.Extensions.DependencyInjection"],
-      "groupName": "Microsoft.Extensions.DependencyInjection",
-      "description": "Group Microsoft.Extensions.DependencyInjection to exclude them from the dotnet monorepo preset"
-    },
-    {
-      "matchPackageNames": [
-        "AngleSharp",
-        "AspNetCore.HealthChecks.AzureServiceBus",
-        "AspNetCore.HealthChecks.AzureStorage",
-        "AspNetCore.HealthChecks.Network",
-        "AspNetCore.HealthChecks.Redis",
-        "AspNetCore.HealthChecks.SendGrid",
-        "AspNetCore.HealthChecks.SqlServer",
-        "AspNetCore.HealthChecks.Uris"
-      ],
-      "description": "Vault owned dependencies",
-      "commitMessagePrefix": "[deps] Vault:",
-      "reviewers": ["team:team-vault-dev"]
-    }
-  ],
-  "ignoreDeps": ["dotnet-sdk"]
-}
diff --git a/.github/renovate.json5 b/.github/renovate.json5
new file mode 100644
index 0000000000..4722307d10
--- /dev/null
+++ b/.github/renovate.json5
@@ -0,0 +1,199 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  extends: ["github>bitwarden/renovate-config"], // Extends our default configuration for pinned dependencies
+  enabledManagers: [
+    "dockerfile",
+    "docker-compose",
+    "github-actions",
+    "npm",
+    "nuget",
+  ],
+  packageRules: [
+    {
+      groupName: "dockerfile minor",
+      matchManagers: ["dockerfile"],
+      matchUpdateTypes: ["minor"],
+    },
+    {
+      groupName: "docker-compose minor",
+      matchManagers: ["docker-compose"],
+      matchUpdateTypes: ["minor"],
+    },
+    {
+      groupName: "github-action minor",
+      matchManagers: ["github-actions"],
+      matchUpdateTypes: ["minor"],
+    },
+    {
+      matchManagers: ["dockerfile", "docker-compose"],
+      commitMessagePrefix: "[deps] BRE:",
+    },
+    {
+      matchPackageNames: ["DnsClient"],
+      description: "Admin Console owned dependencies",
+      commitMessagePrefix: "[deps] AC:",
+      reviewers: ["team:team-admin-console-dev"],
+    },
+    {
+      matchFileNames: ["src/Admin/package.json", "src/Sso/package.json"],
+      description: "Admin & SSO npm packages",
+      commitMessagePrefix: "[deps] Auth:",
+      reviewers: ["team:team-auth-dev"],
+    },
+    {
+      matchPackageNames: [
+        "Azure.Extensions.AspNetCore.DataProtection.Blobs",
+        "DuoUniversal",
+        "Fido2.AspNet",
+        "Duende.IdentityServer",
+        "Microsoft.Extensions.Identity.Stores",
+        "Otp.NET",
+        "Sustainsys.Saml2.AspNetCore2",
+        "YubicoDotNetClient",
+      ],
+      description: "Auth owned dependencies",
+      commitMessagePrefix: "[deps] Auth:",
+      reviewers: ["team:team-auth-dev"],
+    },
+    {
+      matchPackageNames: [
+        "AutoFixture.AutoNSubstitute",
+        "AutoFixture.Xunit2",
+        "BenchmarkDotNet",
+        "BitPay.Light",
+        "Braintree",
+        "coverlet.collector",
+        "CsvHelper",
+        "Kralizek.AutoFixture.Extensions.MockHttp",
+        "Microsoft.AspNetCore.Mvc.Testing",
+        "Microsoft.Extensions.Logging",
+        "Microsoft.Extensions.Logging.Console",
+        "Newtonsoft.Json",
+        "NSubstitute",
+        "Sentry.Serilog",
+        "Serilog.AspNetCore",
+        "Serilog.Extensions.Logging",
+        "Serilog.Extensions.Logging.File",
+        "Serilog.Sinks.AzureCosmosDB",
+        "Serilog.Sinks.SyslogMessages",
+        "Stripe.net",
+        "Swashbuckle.AspNetCore",
+        "Swashbuckle.AspNetCore.SwaggerGen",
+        "xunit",
+        "xunit.runner.visualstudio",
+      ],
+      description: "Billing owned dependencies",
+      commitMessagePrefix: "[deps] Billing:",
+      reviewers: ["team:team-billing-dev"],
+    },
+    {
+      matchPackagePatterns: ["^Microsoft.Extensions.Logging"],
+      groupName: "Microsoft.Extensions.Logging",
+      description: "Group Microsoft.Extensions.Logging to exclude them from the dotnet monorepo preset",
+    },
+    {
+      matchPackageNames: [
+        "Dapper",
+        "dbup-sqlserver",
+        "dotnet-ef",
+        "linq2db.EntityFrameworkCore",
+        "Microsoft.Azure.Cosmos",
+        "Microsoft.Data.SqlClient",
+        "Microsoft.EntityFrameworkCore.Design",
+        "Microsoft.EntityFrameworkCore.InMemory",
+        "Microsoft.EntityFrameworkCore.Relational",
+        "Microsoft.EntityFrameworkCore.Sqlite",
+        "Microsoft.EntityFrameworkCore.SqlServer",
+        "Microsoft.Extensions.Caching.Cosmos",
+        "Microsoft.Extensions.Caching.SqlServer",
+        "Microsoft.Extensions.Caching.StackExchangeRedis",
+        "Npgsql.EntityFrameworkCore.PostgreSQL",
+        "Pomelo.EntityFrameworkCore.MySql",
+      ],
+      description: "DbOps owned dependencies",
+      commitMessagePrefix: "[deps] DbOps:",
+      reviewers: ["team:dept-dbops"],
+    },
+    {
+      matchPackageNames: ["CommandDotNet", "YamlDotNet"],
+      description: "DevOps owned dependencies",
+      commitMessagePrefix: "[deps] BRE:",
+      reviewers: ["team:dept-bre"],
+    },
+    {
+      matchPackageNames: [
+        "AspNetCoreRateLimit",
+        "AspNetCoreRateLimit.Redis",
+        "Azure.Data.Tables",
+        "Azure.Messaging.EventGrid",
+        "Azure.Messaging.ServiceBus",
+        "Azure.Storage.Blobs",
+        "Azure.Storage.Queues",
+        "Microsoft.AspNetCore.Authentication.JwtBearer",
+        "Microsoft.AspNetCore.Http",
+        "Quartz",
+      ],
+      description: "Platform owned dependencies",
+      commitMessagePrefix: "[deps] Platform:",
+      reviewers: ["team:team-platform-dev"],
+    },
+    {
+      matchPackagePatterns: ["EntityFrameworkCore", "^dotnet-ef"],
+      groupName: "EntityFrameworkCore",
+      description: "Group EntityFrameworkCore to exclude them from the dotnet monorepo preset",
+    },
+    {
+      matchPackageNames: [
+        "AutoMapper.Extensions.Microsoft.DependencyInjection",
+        "AWSSDK.SimpleEmail",
+        "AWSSDK.SQS",
+        "Handlebars.Net",
+        "LaunchDarkly.ServerSdk",
+        "MailKit",
+        "Microsoft.AspNetCore.SignalR.Protocols.MessagePack",
+        "Microsoft.AspNetCore.SignalR.StackExchangeRedis",
+        "Microsoft.Azure.NotificationHubs",
+        "Microsoft.Extensions.Configuration.EnvironmentVariables",
+        "Microsoft.Extensions.Configuration.UserSecrets",
+        "Microsoft.Extensions.Configuration",
+        "Microsoft.Extensions.DependencyInjection.Abstractions",
+        "Microsoft.Extensions.DependencyInjection",
+        "SendGrid",
+      ],
+      description: "Tools owned dependencies",
+      commitMessagePrefix: "[deps] Tools:",
+      reviewers: ["team:team-tools-dev"],
+    },
+    {
+      matchPackagePatterns: ["^Microsoft.AspNetCore.SignalR"],
+      groupName: "SignalR",
+      description: "Group SignalR to exclude them from the dotnet monorepo preset",
+    },
+    {
+      matchPackagePatterns: ["^Microsoft.Extensions.Configuration"],
+      groupName: "Microsoft.Extensions.Configuration",
+      description: "Group Microsoft.Extensions.Configuration to exclude them from the dotnet monorepo preset",
+    },
+    {
+      matchPackagePatterns: ["^Microsoft.Extensions.DependencyInjection"],
+      groupName: "Microsoft.Extensions.DependencyInjection",
+      description: "Group Microsoft.Extensions.DependencyInjection to exclude them from the dotnet monorepo preset",
+    },
+    {
+      matchPackageNames: [
+        "AngleSharp",
+        "AspNetCore.HealthChecks.AzureServiceBus",
+        "AspNetCore.HealthChecks.AzureStorage",
+        "AspNetCore.HealthChecks.Network",
+        "AspNetCore.HealthChecks.Redis",
+        "AspNetCore.HealthChecks.SendGrid",
+        "AspNetCore.HealthChecks.SqlServer",
+        "AspNetCore.HealthChecks.Uris",
+      ],
+      description: "Vault owned dependencies",
+      commitMessagePrefix: "[deps] Vault:",
+      reviewers: ["team:team-vault-dev"],
+    },
+  ],
+  ignoreDeps: ["dotnet-sdk"],
+}

From fcb98481800fc410c2d445be04ebee350f9e37a3 Mon Sep 17 00:00:00 2001
From: cyprain-okeke <108260115+cyprain-okeke@users.noreply.github.com>
Date: Wed, 19 Feb 2025 13:13:48 +0100
Subject: [PATCH 289/384] [PM-13620]Existing user email linking to
 create-organization (#5315)

* Changes for the existing customer

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

* removed the added character

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

---------

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>
---
 .../Models/Mail/TrialInititaionVerifyEmail.cs | 19 +++++++++++++++----
 ...alInitiationEmailForRegistrationCommand.cs |  5 +----
 src/Core/Services/IMailService.cs             |  1 +
 .../Implementations/HandlebarsMailService.cs  |  2 ++
 .../NoopImplementations/NoopMailService.cs    |  1 +
 5 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/src/Core/Billing/Models/Mail/TrialInititaionVerifyEmail.cs b/src/Core/Billing/Models/Mail/TrialInititaionVerifyEmail.cs
index df08296083..33b9578d0e 100644
--- a/src/Core/Billing/Models/Mail/TrialInititaionVerifyEmail.cs
+++ b/src/Core/Billing/Models/Mail/TrialInititaionVerifyEmail.cs
@@ -5,6 +5,7 @@ namespace Bit.Core.Billing.Models.Mail;
 
 public class TrialInitiationVerifyEmail : RegisterVerifyEmail
 {
+    public bool IsExistingUser { get; set; }
     /// <summary>
     /// See comment on <see cref="RegisterVerifyEmail"/>.<see cref="RegisterVerifyEmail.Url"/>
     /// </summary>
@@ -26,8 +27,18 @@ public class TrialInitiationVerifyEmail : RegisterVerifyEmail
     /// Currently we only support one product type at a time, despite Product being a collection.
     /// If we receive both PasswordManager and SecretsManager, we'll send the user to the PM trial route
     /// </summary>
-    private string Route =>
-        Product.Any(p => p == ProductType.PasswordManager)
-            ? "trial-initiation"
-            : "secrets-manager-trial-initiation";
+    private string Route
+    {
+        get
+        {
+            if (IsExistingUser)
+            {
+                return "create-organization";
+            }
+
+            return Product.Any(p => p == ProductType.PasswordManager)
+                ? "trial-initiation"
+                : "secrets-manager-trial-initiation";
+        }
+    }
 }
diff --git a/src/Core/Billing/TrialInitiation/Registration/Implementations/SendTrialInitiationEmailForRegistrationCommand.cs b/src/Core/Billing/TrialInitiation/Registration/Implementations/SendTrialInitiationEmailForRegistrationCommand.cs
index 6657be085e..385d7ebbd6 100644
--- a/src/Core/Billing/TrialInitiation/Registration/Implementations/SendTrialInitiationEmailForRegistrationCommand.cs
+++ b/src/Core/Billing/TrialInitiation/Registration/Implementations/SendTrialInitiationEmailForRegistrationCommand.cs
@@ -43,10 +43,7 @@ public class SendTrialInitiationEmailForRegistrationCommand(
 
         await PerformConstantTimeOperationsAsync();
 
-        if (!userExists)
-        {
-            await mailService.SendTrialInitiationSignupEmailAsync(email, token, productTier, products);
-        }
+        await mailService.SendTrialInitiationSignupEmailAsync(userExists, email, token, productTier, products);
 
         return null;
     }
diff --git a/src/Core/Services/IMailService.cs b/src/Core/Services/IMailService.cs
index 77914c0188..92d05ddb7d 100644
--- a/src/Core/Services/IMailService.cs
+++ b/src/Core/Services/IMailService.cs
@@ -14,6 +14,7 @@ public interface IMailService
     Task SendVerifyEmailEmailAsync(string email, Guid userId, string token);
     Task SendRegistrationVerificationEmailAsync(string email, string token);
     Task SendTrialInitiationSignupEmailAsync(
+        bool isExistingUser,
         string email,
         string token,
         ProductTierType productTier,
diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs
index 630c5b0bf0..d18a29b13a 100644
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@@ -74,6 +74,7 @@ public class HandlebarsMailService : IMailService
     }
 
     public async Task SendTrialInitiationSignupEmailAsync(
+        bool isExistingUser,
         string email,
         string token,
         ProductTierType productTier,
@@ -82,6 +83,7 @@ public class HandlebarsMailService : IMailService
         var message = CreateDefaultMessage("Verify your email", email);
         var model = new TrialInitiationVerifyEmail
         {
+            IsExistingUser = isExistingUser,
             Token = WebUtility.UrlEncode(token),
             Email = WebUtility.UrlEncode(email),
             WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
diff --git a/src/Core/Services/NoopImplementations/NoopMailService.cs b/src/Core/Services/NoopImplementations/NoopMailService.cs
index 13914ddd86..d6b330294d 100644
--- a/src/Core/Services/NoopImplementations/NoopMailService.cs
+++ b/src/Core/Services/NoopImplementations/NoopMailService.cs
@@ -26,6 +26,7 @@ public class NoopMailService : IMailService
     }
 
     public Task SendTrialInitiationSignupEmailAsync(
+        bool isExistingUser,
         string email,
         string token,
         ProductTierType productTier,

From 43be2dbc8304e1fdc36aa58f14e63471e9bdada0 Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Wed, 19 Feb 2025 09:52:17 -0500
Subject: [PATCH 290/384] Prevent organization disablement on addition to
 provider (#5419)

---
 .../Services/Implementations/SubscriptionDeletedHandler.cs   | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/Billing/Services/Implementations/SubscriptionDeletedHandler.cs b/src/Billing/Services/Implementations/SubscriptionDeletedHandler.cs
index 06692ab016..26a1c30c14 100644
--- a/src/Billing/Services/Implementations/SubscriptionDeletedHandler.cs
+++ b/src/Billing/Services/Implementations/SubscriptionDeletedHandler.cs
@@ -33,13 +33,16 @@ public class SubscriptionDeletedHandler : ISubscriptionDeletedHandler
         var subCanceled = subscription.Status == StripeSubscriptionStatus.Canceled;
 
         const string providerMigrationCancellationComment = "Cancelled as part of provider migration to Consolidated Billing";
+        const string addedToProviderCancellationComment = "Organization was added to Provider";
 
         if (!subCanceled)
         {
             return;
         }
 
-        if (organizationId.HasValue && subscription is not { CancellationDetails.Comment: providerMigrationCancellationComment })
+        if (organizationId.HasValue &&
+            subscription.CancellationDetails.Comment != providerMigrationCancellationComment &&
+            !subscription.CancellationDetails.Comment.Contains(addedToProviderCancellationComment))
         {
             await _organizationService.DisableAsync(organizationId.Value, subscription.CurrentPeriodEnd);
         }

From 4f73081e4158bafad74dbd9e2142ec423885a9bf Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Wed, 19 Feb 2025 10:13:03 -0500
Subject: [PATCH 291/384] Give provider credit for unused client organization
 time (#5421)

---
 .../Billing/ProviderBillingService.cs               | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
index abba8aff90..da59c3c35c 100644
--- a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
+++ b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
@@ -117,6 +117,19 @@ public class ProviderBillingService(
             ScaleSeats(provider, organization.PlanType, organization.Seats!.Value)
         );
 
+        var clientCustomer = await subscriberService.GetCustomer(organization);
+
+        if (clientCustomer.Balance != 0)
+        {
+            await stripeAdapter.CustomerBalanceTransactionCreate(provider.GatewayCustomerId,
+                new CustomerBalanceTransactionCreateOptions
+                {
+                    Amount = clientCustomer.Balance,
+                    Currency = "USD",
+                    Description = $"Unused, prorated time for client organization with ID {organization.Id}."
+                });
+        }
+
         await eventService.LogProviderOrganizationEventAsync(
             providerOrganization,
             EventType.ProviderOrganization_Added);

From 228ce3b2e9d9b58fae89532d5858c1e0ec1139d2 Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Wed, 19 Feb 2025 12:01:11 -0500
Subject: [PATCH 292/384] Scale seats before inserting ProviderOrganization
 when adding existing organization (#5420)

---
 .../Commercial.Core/Billing/ProviderBillingService.cs    | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
index da59c3c35c..7b10793283 100644
--- a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
+++ b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
@@ -111,10 +111,15 @@ public class ProviderBillingService(
             Key = key
         };
 
+        /*
+         * We have to scale the provider's seats before the ProviderOrganization
+         * row is inserted so the added organization's seats don't get double counted.
+         */
+        await ScaleSeats(provider, organization.PlanType, organization.Seats!.Value);
+
         await Task.WhenAll(
             organizationRepository.ReplaceAsync(organization),
-            providerOrganizationRepository.CreateAsync(providerOrganization),
-            ScaleSeats(provider, organization.PlanType, organization.Seats!.Value)
+            providerOrganizationRepository.CreateAsync(providerOrganization)
         );
 
         var clientCustomer = await subscriberService.GetCustomer(organization);

From 9f4aa1ab2bcda4aaef9dcf25350a1f3f78eb3417 Mon Sep 17 00:00:00 2001
From: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
Date: Thu, 20 Feb 2025 15:35:48 +0100
Subject: [PATCH 293/384] [PM-15084] Push global notification creation to
 affected clients (#5079)

* PM-10600: Notification push notification

* PM-10600: Sending to specific client types for relay push notifications

* PM-10600: Sending to specific client types for other clients

* PM-10600: Send push notification on notification creation

* PM-10600: Explicit group names

* PM-10600: Id typos

* PM-10600: Revert global push notifications

* PM-10600: Added DeviceType claim

* PM-10600: Sent to organization typo

* PM-10600: UT coverage

* PM-10600: Small refactor, UTs coverage

* PM-10600: UTs coverage

* PM-10600: Startup fix

* PM-10600: Test fix

* PM-10600: Required attribute, organization group for push notification fix

* PM-10600: UT coverage

* PM-10600: Fix Mobile devices not registering to organization push notifications

We only register devices for organization push notifications when the organization is being created. This does not work, since we have a use case (Notification Center) of delivering notifications to all users of organization. This fixes it, by adding the organization id tag when device registers for push notifications.

* PM-10600: Unit Test coverage for NotificationHubPushRegistrationService

Fixed IFeatureService substitute mocking for Android tests.
Added user part of organization test with organizationId tags expectation.

* PM-10600: Unit Tests fix to NotificationHubPushRegistrationService after merge conflict

* PM-10600: Organization push notifications not sending to mobile device from self-hosted.

Self-hosted instance uses relay to register the mobile device against Bitwarden Cloud Api. Only the self-hosted server knows client's organization membership, which means it needs to pass in the organization id's information to the relay. Similarly, for Bitwarden Cloud, the organizaton id will come directly from the server.

* PM-10600: Fix self-hosted organization notification not being received by mobile device.

When mobile device registers on self-hosted through the relay, every single id, like user id, device id and now organization id needs to be prefixed with the installation id. This have been missing in the PushController that handles this for organization id.

* PM-10600: Broken NotificationsController integration test

Device type is now part of JWT access token, so the notification center results in the integration test are now scoped to client type web and all.

* PM-10600: Merge conflicts fix

* merge conflict fix

* PM-10600: Push notification with full notification center content.

Notification Center push notification now includes all the fields.

* PM-10564: Push notification updates to other clients

Cherry-picked and squashed commits:
d9711b6031a1bc1d96b920e521e6f37de1b434ec 6e69c8a0ce9a5ee29df9988b20c6e531c0b4e4a3 01c814595e572911574066802b661c83b116a865 3885885d5f4be39fdc2b8d258867c8a7536491cd 1285a7e994921b0e6f9ba78f9b84d8e7a6ceda2f fcf346985f367c462ef7b65ce7d5d2612f7345cc 28ff53c293f4d37de5fa40d2964f924368e13c95 57804ae27cbf25d88d148f399ce81c1c09997e10 1c9339b6869926e59076202e06341e5d4a403cc7

* PM-15084: Push global notification creation to affected clients

Cherry-picked and squashed commits:
ed5051e0ebc578ac6c5fce1f406d66bede3fa2b6 181f3e4ae643072c737ac00bf44a2fbbdd458ee8 49fe7c93fd5eb6fd5df680194403cf4b2beabace a8efb45a63d685cce83a6e5ea28f2320c3e52dae 7b4122c8379df5444e839297b4e7f9163550861a d21d4a67b32af85f5cd4d7dff2491852fd7d2028 186a09bb9206417616d8645cbbd18478f31a305c 1531f564b54ec1a031399fc1e2754e59dbd7e743

* PM-15084: Log warning when invalid notification push notification sent

* explicit Guid default value

* push notification tests in wrong namespace

* Installation push notification not received for on global notification center message

* wrong merge conflict

* wrong merge conflict

* installation id type Guid in push registration request
---
 .../Push/Controllers/PushController.cs        |  32 +-
 src/Core/Enums/PushType.cs                    |   4 +-
 .../Request/PushRegistrationRequestModel.cs   |  16 +-
 .../Api/Request/PushSendRequestModel.cs       |   8 +-
 src/Core/Models/PushNotification.cs           |   1 +
 .../NotificationHubPushNotificationService.cs |  94 +++++-
 .../NotificationHubPushRegistrationService.cs |  20 +-
 .../AzureQueuePushNotificationService.cs      |  24 +-
 .../Push/Services/IPushNotificationService.cs |   3 +
 .../Push/Services/IPushRegistrationService.cs |   2 +-
 .../MultiServicePushNotificationService.cs    |   8 +
 .../Services/NoopPushNotificationService.cs   |  13 +-
 .../Services/NoopPushRegistrationService.cs   |   2 +-
 ...NotificationsApiPushNotificationService.cs |  18 +-
 .../Services/RelayPushNotificationService.cs  |  56 +++-
 .../Services/RelayPushRegistrationService.cs  |   5 +-
 .../Services/Implementations/DeviceService.cs |   9 +-
 src/Notifications/HubHelpers.cs               |  41 +--
 src/Notifications/NotificationsHub.cs         |  28 ++
 .../Utilities/ServiceCollectionExtensions.cs  |  10 +-
 .../Push/Controllers/PushControllerTests.cs   | 288 ++++++++++++++++++
 .../Api/Request/PushSendRequestModelTests.cs  |  72 ++++-
 ...ficationHubPushNotificationServiceTests.cs | 180 +++++++++--
 ...ficationHubPushRegistrationServiceTests.cs |  64 ++--
 .../AzureQueuePushNotificationServiceTests.cs |  74 ++++-
 ...ultiServicePushNotificationServiceTests.cs |  22 +-
 ...icationsApiPushNotificationServiceTests.cs |   5 +-
 .../RelayPushNotificationServiceTests.cs      |   5 +-
 .../RelayPushRegistrationServiceTests.cs      |   5 +-
 test/Core.Test/Services/DeviceServiceTests.cs |  17 +-
 30 files changed, 963 insertions(+), 163 deletions(-)
 create mode 100644 test/Api.Test/Platform/Push/Controllers/PushControllerTests.cs

diff --git a/src/Api/Platform/Push/Controllers/PushController.cs b/src/Api/Platform/Push/Controllers/PushController.cs
index 8b9e8b52a0..f88fa4aa9e 100644
--- a/src/Api/Platform/Push/Controllers/PushController.cs
+++ b/src/Api/Platform/Push/Controllers/PushController.cs
@@ -22,14 +22,14 @@ public class PushController : Controller
     private readonly IPushNotificationService _pushNotificationService;
     private readonly IWebHostEnvironment _environment;
     private readonly ICurrentContext _currentContext;
-    private readonly GlobalSettings _globalSettings;
+    private readonly IGlobalSettings _globalSettings;
 
     public PushController(
         IPushRegistrationService pushRegistrationService,
         IPushNotificationService pushNotificationService,
         IWebHostEnvironment environment,
         ICurrentContext currentContext,
-        GlobalSettings globalSettings)
+        IGlobalSettings globalSettings)
     {
         _currentContext = currentContext;
         _environment = environment;
@@ -39,22 +39,23 @@ public class PushController : Controller
     }
 
     [HttpPost("register")]
-    public async Task PostRegister([FromBody] PushRegistrationRequestModel model)
+    public async Task RegisterAsync([FromBody] PushRegistrationRequestModel model)
     {
         CheckUsage();
         await _pushRegistrationService.CreateOrUpdateRegistrationAsync(model.PushToken, Prefix(model.DeviceId),
-            Prefix(model.UserId), Prefix(model.Identifier), model.Type, model.OrganizationIds.Select(Prefix));
+            Prefix(model.UserId), Prefix(model.Identifier), model.Type, model.OrganizationIds.Select(Prefix),
+            model.InstallationId);
     }
 
     [HttpPost("delete")]
-    public async Task PostDelete([FromBody] PushDeviceRequestModel model)
+    public async Task DeleteAsync([FromBody] PushDeviceRequestModel model)
     {
         CheckUsage();
         await _pushRegistrationService.DeleteRegistrationAsync(Prefix(model.Id));
     }
 
     [HttpPut("add-organization")]
-    public async Task PutAddOrganization([FromBody] PushUpdateRequestModel model)
+    public async Task AddOrganizationAsync([FromBody] PushUpdateRequestModel model)
     {
         CheckUsage();
         await _pushRegistrationService.AddUserRegistrationOrganizationAsync(
@@ -63,7 +64,7 @@ public class PushController : Controller
     }
 
     [HttpPut("delete-organization")]
-    public async Task PutDeleteOrganization([FromBody] PushUpdateRequestModel model)
+    public async Task DeleteOrganizationAsync([FromBody] PushUpdateRequestModel model)
     {
         CheckUsage();
         await _pushRegistrationService.DeleteUserRegistrationOrganizationAsync(
@@ -72,11 +73,22 @@ public class PushController : Controller
     }
 
     [HttpPost("send")]
-    public async Task PostSend([FromBody] PushSendRequestModel model)
+    public async Task SendAsync([FromBody] PushSendRequestModel model)
     {
         CheckUsage();
 
-        if (!string.IsNullOrWhiteSpace(model.UserId))
+        if (!string.IsNullOrWhiteSpace(model.InstallationId))
+        {
+            if (_currentContext.InstallationId!.Value.ToString() != model.InstallationId!)
+            {
+                throw new BadRequestException("InstallationId does not match current context.");
+            }
+
+            await _pushNotificationService.SendPayloadToInstallationAsync(
+                _currentContext.InstallationId.Value.ToString(), model.Type, model.Payload, Prefix(model.Identifier),
+                Prefix(model.DeviceId), model.ClientType);
+        }
+        else if (!string.IsNullOrWhiteSpace(model.UserId))
         {
             await _pushNotificationService.SendPayloadToUserAsync(Prefix(model.UserId),
                 model.Type, model.Payload, Prefix(model.Identifier), Prefix(model.DeviceId), model.ClientType);
@@ -95,7 +107,7 @@ public class PushController : Controller
             return null;
         }
 
-        return $"{_currentContext.InstallationId.Value}_{value}";
+        return $"{_currentContext.InstallationId!.Value}_{value}";
     }
 
     private void CheckUsage()
diff --git a/src/Core/Enums/PushType.cs b/src/Core/Enums/PushType.cs
index d4a4caeb9e..6d0dd9393c 100644
--- a/src/Core/Enums/PushType.cs
+++ b/src/Core/Enums/PushType.cs
@@ -28,6 +28,6 @@ public enum PushType : byte
     SyncOrganizationStatusChanged = 18,
     SyncOrganizationCollectionSettingChanged = 19,
 
-    SyncNotification = 20,
-    SyncNotificationStatus = 21
+    Notification = 20,
+    NotificationStatus = 21
 }
diff --git a/src/Core/Models/Api/Request/PushRegistrationRequestModel.cs b/src/Core/Models/Api/Request/PushRegistrationRequestModel.cs
index ee787dd083..0c87bf98d1 100644
--- a/src/Core/Models/Api/Request/PushRegistrationRequestModel.cs
+++ b/src/Core/Models/Api/Request/PushRegistrationRequestModel.cs
@@ -5,15 +5,11 @@ namespace Bit.Core.Models.Api;
 
 public class PushRegistrationRequestModel
 {
-    [Required]
-    public string DeviceId { get; set; }
-    [Required]
-    public string PushToken { get; set; }
-    [Required]
-    public string UserId { get; set; }
-    [Required]
-    public DeviceType Type { get; set; }
-    [Required]
-    public string Identifier { get; set; }
+    [Required] public string DeviceId { get; set; }
+    [Required] public string PushToken { get; set; }
+    [Required] public string UserId { get; set; }
+    [Required] public DeviceType Type { get; set; }
+    [Required] public string Identifier { get; set; }
     public IEnumerable<string> OrganizationIds { get; set; }
+    public Guid InstallationId { get; set; }
 }
diff --git a/src/Core/Models/Api/Request/PushSendRequestModel.cs b/src/Core/Models/Api/Request/PushSendRequestModel.cs
index 7247e6d25f..0ef7e999e3 100644
--- a/src/Core/Models/Api/Request/PushSendRequestModel.cs
+++ b/src/Core/Models/Api/Request/PushSendRequestModel.cs
@@ -13,12 +13,16 @@ public class PushSendRequestModel : IValidatableObject
     public required PushType Type { get; set; }
     public required object Payload { get; set; }
     public ClientType? ClientType { get; set; }
+    public string? InstallationId { get; set; }
 
     public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
     {
-        if (string.IsNullOrWhiteSpace(UserId) && string.IsNullOrWhiteSpace(OrganizationId))
+        if (string.IsNullOrWhiteSpace(UserId) &&
+            string.IsNullOrWhiteSpace(OrganizationId) &&
+            string.IsNullOrWhiteSpace(InstallationId))
         {
-            yield return new ValidationResult($"{nameof(UserId)} or {nameof(OrganizationId)} is required.");
+            yield return new ValidationResult(
+                $"{nameof(UserId)} or {nameof(OrganizationId)} or {nameof(InstallationId)} is required.");
         }
     }
 }
diff --git a/src/Core/Models/PushNotification.cs b/src/Core/Models/PushNotification.cs
index 775c3443f2..63058be692 100644
--- a/src/Core/Models/PushNotification.cs
+++ b/src/Core/Models/PushNotification.cs
@@ -55,6 +55,7 @@ public class NotificationPushNotification
     public ClientType ClientType { get; set; }
     public Guid? UserId { get; set; }
     public Guid? OrganizationId { get; set; }
+    public Guid? InstallationId { get; set; }
     public string? Title { get; set; }
     public string? Body { get; set; }
     public DateTime CreationDate { get; set; }
diff --git a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
index 7baf0352ee..6bc5b0db6b 100644
--- a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
+++ b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
@@ -10,6 +10,7 @@ using Bit.Core.Models.Data;
 using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
+using Bit.Core.Settings;
 using Bit.Core.Tools.Entities;
 using Bit.Core.Vault.Entities;
 using Microsoft.AspNetCore.Http;
@@ -18,6 +19,11 @@ using Notification = Bit.Core.NotificationCenter.Entities.Notification;
 
 namespace Bit.Core.NotificationHub;
 
+/// <summary>
+/// Sends mobile push notifications to the Azure Notification Hub.
+/// Used by Cloud-Hosted environments.
+/// Received by Firebase for Android or APNS for iOS.
+/// </summary>
 public class NotificationHubPushNotificationService : IPushNotificationService
 {
     private readonly IInstallationDeviceRepository _installationDeviceRepository;
@@ -25,17 +31,25 @@ public class NotificationHubPushNotificationService : IPushNotificationService
     private readonly bool _enableTracing = false;
     private readonly INotificationHubPool _notificationHubPool;
     private readonly ILogger _logger;
+    private readonly IGlobalSettings _globalSettings;
 
     public NotificationHubPushNotificationService(
         IInstallationDeviceRepository installationDeviceRepository,
         INotificationHubPool notificationHubPool,
         IHttpContextAccessor httpContextAccessor,
-        ILogger<NotificationsApiPushNotificationService> logger)
+        ILogger<NotificationHubPushNotificationService> logger,
+        IGlobalSettings globalSettings)
     {
         _installationDeviceRepository = installationDeviceRepository;
         _httpContextAccessor = httpContextAccessor;
         _notificationHubPool = notificationHubPool;
         _logger = logger;
+        _globalSettings = globalSettings;
+
+        if (globalSettings.Installation.Id == Guid.Empty)
+        {
+            logger.LogWarning("Installation ID is not set. Push notifications for installations will not work.");
+        }
     }
 
     public async Task PushSyncCipherCreateAsync(Cipher cipher, IEnumerable<Guid> collectionIds)
@@ -185,6 +199,10 @@ public class NotificationHubPushNotificationService : IPushNotificationService
 
     public async Task PushNotificationAsync(Notification notification)
     {
+        Guid? installationId = notification.Global && _globalSettings.Installation.Id != Guid.Empty
+            ? _globalSettings.Installation.Id
+            : null;
+
         var message = new NotificationPushNotification
         {
             Id = notification.Id,
@@ -193,26 +211,49 @@ public class NotificationHubPushNotificationService : IPushNotificationService
             ClientType = notification.ClientType,
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
+            InstallationId = installationId,
             Title = notification.Title,
             Body = notification.Body,
             CreationDate = notification.CreationDate,
             RevisionDate = notification.RevisionDate
         };
 
-        if (notification.UserId.HasValue)
+        if (notification.Global)
         {
-            await SendPayloadToUserAsync(notification.UserId.Value, PushType.SyncNotification, message, true,
+            if (installationId.HasValue)
+            {
+                await SendPayloadToInstallationAsync(installationId.Value, PushType.Notification, message, true,
+                    notification.ClientType);
+            }
+            else
+            {
+                _logger.LogWarning(
+                    "Invalid global notification id {NotificationId} push notification. No installation id provided.",
+                    notification.Id);
+            }
+        }
+        else if (notification.UserId.HasValue)
+        {
+            await SendPayloadToUserAsync(notification.UserId.Value, PushType.Notification, message, true,
                 notification.ClientType);
         }
         else if (notification.OrganizationId.HasValue)
         {
-            await SendPayloadToOrganizationAsync(notification.OrganizationId.Value, PushType.SyncNotification, message,
+            await SendPayloadToOrganizationAsync(notification.OrganizationId.Value, PushType.Notification, message,
                 true, notification.ClientType);
         }
+        else
+        {
+            _logger.LogWarning("Invalid notification id {NotificationId} push notification", notification.Id);
+        }
     }
 
     public async Task PushNotificationStatusAsync(Notification notification, NotificationStatus notificationStatus)
     {
+        Guid? installationId = notification.Global && _globalSettings.Installation.Id != Guid.Empty
+            ? _globalSettings.Installation.Id
+            : null;
+
         var message = new NotificationPushNotification
         {
             Id = notification.Id,
@@ -221,6 +262,7 @@ public class NotificationHubPushNotificationService : IPushNotificationService
             ClientType = notification.ClientType,
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
+            InstallationId = installationId,
             Title = notification.Title,
             Body = notification.Body,
             CreationDate = notification.CreationDate,
@@ -229,15 +271,33 @@ public class NotificationHubPushNotificationService : IPushNotificationService
             DeletedDate = notificationStatus.DeletedDate
         };
 
-        if (notification.UserId.HasValue)
+        if (notification.Global)
         {
-            await SendPayloadToUserAsync(notification.UserId.Value, PushType.SyncNotificationStatus, message, true,
+            if (installationId.HasValue)
+            {
+                await SendPayloadToInstallationAsync(installationId.Value, PushType.NotificationStatus, message, true,
+                    notification.ClientType);
+            }
+            else
+            {
+                _logger.LogWarning(
+                    "Invalid global notification status id {NotificationId} push notification. No installation id provided.",
+                    notification.Id);
+            }
+        }
+        else if (notification.UserId.HasValue)
+        {
+            await SendPayloadToUserAsync(notification.UserId.Value, PushType.NotificationStatus, message, true,
                 notification.ClientType);
         }
         else if (notification.OrganizationId.HasValue)
         {
-            await SendPayloadToOrganizationAsync(notification.OrganizationId.Value, PushType.SyncNotificationStatus, message,
-                true, notification.ClientType);
+            await SendPayloadToOrganizationAsync(notification.OrganizationId.Value, PushType.NotificationStatus,
+                message, true, notification.ClientType);
+        }
+        else
+        {
+            _logger.LogWarning("Invalid notification status id {NotificationId} push notification", notification.Id);
         }
     }
 
@@ -248,6 +308,13 @@ public class NotificationHubPushNotificationService : IPushNotificationService
         await SendPayloadToUserAsync(authRequest.UserId, type, message, true);
     }
 
+    private async Task SendPayloadToInstallationAsync(Guid installationId, PushType type, object payload,
+        bool excludeCurrentContext, ClientType? clientType = null)
+    {
+        await SendPayloadToInstallationAsync(installationId.ToString(), type, payload,
+            GetContextIdentifier(excludeCurrentContext), clientType: clientType);
+    }
+
     private async Task SendPayloadToUserAsync(Guid userId, PushType type, object payload, bool excludeCurrentContext,
         ClientType? clientType = null)
     {
@@ -262,6 +329,17 @@ public class NotificationHubPushNotificationService : IPushNotificationService
             GetContextIdentifier(excludeCurrentContext), clientType: clientType);
     }
 
+    public async Task SendPayloadToInstallationAsync(string installationId, PushType type, object payload,
+        string? identifier, string? deviceId = null, ClientType? clientType = null)
+    {
+        var tag = BuildTag($"template:payload && installationId:{installationId}", identifier, clientType);
+        await SendPayloadAsync(tag, type, payload);
+        if (InstallationDeviceEntity.IsInstallationDeviceId(deviceId))
+        {
+            await _installationDeviceRepository.UpsertAsync(new InstallationDeviceEntity(deviceId));
+        }
+    }
+
     public async Task SendPayloadToUserAsync(string userId, PushType type, object payload, string? identifier,
         string? deviceId = null, ClientType? clientType = null)
     {
diff --git a/src/Core/NotificationHub/NotificationHubPushRegistrationService.cs b/src/Core/NotificationHub/NotificationHubPushRegistrationService.cs
index 0c9bbea425..9793c8198a 100644
--- a/src/Core/NotificationHub/NotificationHubPushRegistrationService.cs
+++ b/src/Core/NotificationHub/NotificationHubPushRegistrationService.cs
@@ -21,7 +21,7 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
     }
 
     public async Task CreateOrUpdateRegistrationAsync(string pushToken, string deviceId, string userId,
-        string identifier, DeviceType type, IEnumerable<string> organizationIds)
+        string identifier, DeviceType type, IEnumerable<string> organizationIds, Guid installationId)
     {
         if (string.IsNullOrWhiteSpace(pushToken))
         {
@@ -50,6 +50,11 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
             installation.Tags.Add($"organizationId:{organizationId}");
         }
 
+        if (installationId != Guid.Empty)
+        {
+            installation.Tags.Add($"installationId:{installationId}");
+        }
+
         string payloadTemplate = null, messageTemplate = null, badgeMessageTemplate = null;
         switch (type)
         {
@@ -80,11 +85,11 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
         }
 
         BuildInstallationTemplate(installation, "payload", payloadTemplate, userId, identifier, clientType,
-            organizationIdsList);
+            organizationIdsList, installationId);
         BuildInstallationTemplate(installation, "message", messageTemplate, userId, identifier, clientType,
-            organizationIdsList);
+            organizationIdsList, installationId);
         BuildInstallationTemplate(installation, "badgeMessage", badgeMessageTemplate ?? messageTemplate,
-            userId, identifier, clientType, organizationIdsList);
+            userId, identifier, clientType, organizationIdsList, installationId);
 
         await ClientFor(GetComb(deviceId)).CreateOrUpdateInstallationAsync(installation);
         if (InstallationDeviceEntity.IsInstallationDeviceId(deviceId))
@@ -94,7 +99,7 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
     }
 
     private void BuildInstallationTemplate(Installation installation, string templateId, string templateBody,
-        string userId, string identifier, ClientType clientType, List<string> organizationIds)
+        string userId, string identifier, ClientType clientType, List<string> organizationIds, Guid installationId)
     {
         if (templateBody == null)
         {
@@ -122,6 +127,11 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
             template.Tags.Add($"organizationId:{organizationId}");
         }
 
+        if (installationId != Guid.Empty)
+        {
+            template.Tags.Add($"installationId:{installationId}");
+        }
+
         installation.Templates.Add(fullTemplateId, template);
     }
 
diff --git a/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs b/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
index c32212c6b2..f88c0641c5 100644
--- a/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
@@ -7,11 +7,13 @@ using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Models;
 using Bit.Core.NotificationCenter.Entities;
+using Bit.Core.Settings;
 using Bit.Core.Tools.Entities;
 using Bit.Core.Utilities;
 using Bit.Core.Vault.Entities;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
 
 namespace Bit.Core.Platform.Push.Internal;
 
@@ -19,13 +21,22 @@ public class AzureQueuePushNotificationService : IPushNotificationService
 {
     private readonly QueueClient _queueClient;
     private readonly IHttpContextAccessor _httpContextAccessor;
+    private readonly IGlobalSettings _globalSettings;
 
     public AzureQueuePushNotificationService(
         [FromKeyedServices("notifications")] QueueClient queueClient,
-        IHttpContextAccessor httpContextAccessor)
+        IHttpContextAccessor httpContextAccessor,
+        IGlobalSettings globalSettings,
+        ILogger<AzureQueuePushNotificationService> logger)
     {
         _queueClient = queueClient;
         _httpContextAccessor = httpContextAccessor;
+        _globalSettings = globalSettings;
+
+        if (globalSettings.Installation.Id == Guid.Empty)
+        {
+            logger.LogWarning("Installation ID is not set. Push notifications for installations will not work.");
+        }
     }
 
     public async Task PushSyncCipherCreateAsync(Cipher cipher, IEnumerable<Guid> collectionIds)
@@ -176,13 +187,14 @@ public class AzureQueuePushNotificationService : IPushNotificationService
             ClientType = notification.ClientType,
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
+            InstallationId = notification.Global ? _globalSettings.Installation.Id : null,
             Title = notification.Title,
             Body = notification.Body,
             CreationDate = notification.CreationDate,
             RevisionDate = notification.RevisionDate
         };
 
-        await SendMessageAsync(PushType.SyncNotification, message, true);
+        await SendMessageAsync(PushType.Notification, message, true);
     }
 
     public async Task PushNotificationStatusAsync(Notification notification, NotificationStatus notificationStatus)
@@ -195,6 +207,7 @@ public class AzureQueuePushNotificationService : IPushNotificationService
             ClientType = notification.ClientType,
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
+            InstallationId = notification.Global ? _globalSettings.Installation.Id : null,
             Title = notification.Title,
             Body = notification.Body,
             CreationDate = notification.CreationDate,
@@ -203,7 +216,7 @@ public class AzureQueuePushNotificationService : IPushNotificationService
             DeletedDate = notificationStatus.DeletedDate
         };
 
-        await SendMessageAsync(PushType.SyncNotificationStatus, message, true);
+        await SendMessageAsync(PushType.NotificationStatus, message, true);
     }
 
     private async Task PushSendAsync(Send send, PushType type)
@@ -241,6 +254,11 @@ public class AzureQueuePushNotificationService : IPushNotificationService
         return currentContext?.DeviceIdentifier;
     }
 
+    public Task SendPayloadToInstallationAsync(string installationId, PushType type, object payload, string? identifier,
+        string? deviceId = null, ClientType? clientType = null) =>
+        // Noop
+        Task.CompletedTask;
+
     public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string? identifier,
         string? deviceId = null, ClientType? clientType = null)
     {
diff --git a/src/Core/Platform/Push/Services/IPushNotificationService.cs b/src/Core/Platform/Push/Services/IPushNotificationService.cs
index 1c7fdc659b..d0f18cd8ac 100644
--- a/src/Core/Platform/Push/Services/IPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/IPushNotificationService.cs
@@ -31,6 +31,9 @@ public interface IPushNotificationService
     Task PushAuthRequestResponseAsync(AuthRequest authRequest);
     Task PushSyncOrganizationStatusAsync(Organization organization);
     Task PushSyncOrganizationCollectionManagementSettingsAsync(Organization organization);
+
+    Task SendPayloadToInstallationAsync(string installationId, PushType type, object payload, string? identifier,
+        string? deviceId = null, ClientType? clientType = null);
     Task SendPayloadToUserAsync(string userId, PushType type, object payload, string? identifier,
         string? deviceId = null, ClientType? clientType = null);
     Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string? identifier,
diff --git a/src/Core/Platform/Push/Services/IPushRegistrationService.cs b/src/Core/Platform/Push/Services/IPushRegistrationService.cs
index 0c4271f061..0f2a28700b 100644
--- a/src/Core/Platform/Push/Services/IPushRegistrationService.cs
+++ b/src/Core/Platform/Push/Services/IPushRegistrationService.cs
@@ -5,7 +5,7 @@ namespace Bit.Core.Platform.Push;
 public interface IPushRegistrationService
 {
     Task CreateOrUpdateRegistrationAsync(string pushToken, string deviceId, string userId,
-        string identifier, DeviceType type, IEnumerable<string> organizationIds);
+        string identifier, DeviceType type, IEnumerable<string> organizationIds, Guid installationId);
     Task DeleteRegistrationAsync(string deviceId);
     Task AddUserRegistrationOrganizationAsync(IEnumerable<string> deviceIds, string organizationId);
     Task DeleteUserRegistrationOrganizationAsync(IEnumerable<string> deviceIds, string organizationId);
diff --git a/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs b/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
index 9b4e66ae1a..1f88f5dcc6 100644
--- a/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
@@ -157,6 +157,14 @@ public class MultiServicePushNotificationService : IPushNotificationService
         return Task.CompletedTask;
     }
 
+    public Task SendPayloadToInstallationAsync(string installationId, PushType type, object payload, string? identifier,
+        string? deviceId = null, ClientType? clientType = null)
+    {
+        PushToServices((s) =>
+            s.SendPayloadToInstallationAsync(installationId, type, payload, identifier, deviceId, clientType));
+        return Task.CompletedTask;
+    }
+
     public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string? identifier,
         string? deviceId = null, ClientType? clientType = null)
     {
diff --git a/src/Core/Platform/Push/Services/NoopPushNotificationService.cs b/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
index 57c446c5e5..e005f9d7af 100644
--- a/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
@@ -108,14 +108,17 @@ public class NoopPushNotificationService : IPushNotificationService
         return Task.FromResult(0);
     }
 
+    public Task PushNotificationAsync(Notification notification) => Task.CompletedTask;
+
+    public Task PushNotificationStatusAsync(Notification notification, NotificationStatus notificationStatus) =>
+        Task.CompletedTask;
+
+    public Task SendPayloadToInstallationAsync(string installationId, PushType type, object payload, string? identifier,
+        string? deviceId = null, ClientType? clientType = null) => Task.CompletedTask;
+
     public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string? identifier,
         string? deviceId = null, ClientType? clientType = null)
     {
         return Task.FromResult(0);
     }
-
-    public Task PushNotificationAsync(Notification notification) => Task.CompletedTask;
-
-    public Task PushNotificationStatusAsync(Notification notification, NotificationStatus notificationStatus) =>
-        Task.CompletedTask;
 }
diff --git a/src/Core/Platform/Push/Services/NoopPushRegistrationService.cs b/src/Core/Platform/Push/Services/NoopPushRegistrationService.cs
index 6bcf9e893a..ac6f8a814b 100644
--- a/src/Core/Platform/Push/Services/NoopPushRegistrationService.cs
+++ b/src/Core/Platform/Push/Services/NoopPushRegistrationService.cs
@@ -10,7 +10,7 @@ public class NoopPushRegistrationService : IPushRegistrationService
     }
 
     public Task CreateOrUpdateRegistrationAsync(string pushToken, string deviceId, string userId,
-        string identifier, DeviceType type, IEnumerable<string> organizationIds)
+        string identifier, DeviceType type, IEnumerable<string> organizationIds, Guid installationId)
     {
         return Task.FromResult(0);
     }
diff --git a/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs b/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
index 7a557e8978..2833c43985 100644
--- a/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
@@ -15,8 +15,14 @@ using Microsoft.Extensions.Logging;
 // This service is not in the `Internal` namespace because it has direct external references.
 namespace Bit.Core.Platform.Push;
 
+/// <summary>
+/// Sends non-mobile push notifications to the Azure Queue Api, later received by Notifications Api.
+/// Used by Cloud-Hosted environments.
+/// Received by AzureQueueHostedService message receiver in Notifications project.
+/// </summary>
 public class NotificationsApiPushNotificationService : BaseIdentityClientService, IPushNotificationService
 {
+    private readonly IGlobalSettings _globalSettings;
     private readonly IHttpContextAccessor _httpContextAccessor;
 
     public NotificationsApiPushNotificationService(
@@ -33,6 +39,7 @@ public class NotificationsApiPushNotificationService : BaseIdentityClientService
             globalSettings.InternalIdentityKey,
             logger)
     {
+        _globalSettings = globalSettings;
         _httpContextAccessor = httpContextAccessor;
     }
 
@@ -193,13 +200,14 @@ public class NotificationsApiPushNotificationService : BaseIdentityClientService
             ClientType = notification.ClientType,
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
+            InstallationId = notification.Global ? _globalSettings.Installation.Id : null,
             Title = notification.Title,
             Body = notification.Body,
             CreationDate = notification.CreationDate,
             RevisionDate = notification.RevisionDate
         };
 
-        await SendMessageAsync(PushType.SyncNotification, message, true);
+        await SendMessageAsync(PushType.Notification, message, true);
     }
 
     public async Task PushNotificationStatusAsync(Notification notification, NotificationStatus notificationStatus)
@@ -212,6 +220,7 @@ public class NotificationsApiPushNotificationService : BaseIdentityClientService
             ClientType = notification.ClientType,
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
+            InstallationId = notification.Global ? _globalSettings.Installation.Id : null,
             Title = notification.Title,
             Body = notification.Body,
             CreationDate = notification.CreationDate,
@@ -220,7 +229,7 @@ public class NotificationsApiPushNotificationService : BaseIdentityClientService
             DeletedDate = notificationStatus.DeletedDate
         };
 
-        await SendMessageAsync(PushType.SyncNotificationStatus, message, true);
+        await SendMessageAsync(PushType.NotificationStatus, message, true);
     }
 
     private async Task PushSendAsync(Send send, PushType type)
@@ -257,6 +266,11 @@ public class NotificationsApiPushNotificationService : BaseIdentityClientService
         return currentContext?.DeviceIdentifier;
     }
 
+    public Task SendPayloadToInstallationAsync(string installationId, PushType type, object payload, string? identifier,
+        string? deviceId = null, ClientType? clientType = null) =>
+        // Noop
+        Task.CompletedTask;
+
     public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string? identifier,
         string? deviceId = null, ClientType? clientType = null)
     {
diff --git a/src/Core/Platform/Push/Services/RelayPushNotificationService.cs b/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
index 09f42fd0d1..d111efa2a8 100644
--- a/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
@@ -17,9 +17,15 @@ using Microsoft.Extensions.Logging;
 
 namespace Bit.Core.Platform.Push.Internal;
 
+/// <summary>
+/// Sends mobile push notifications to the Bitwarden Cloud API, then relayed to Azure Notification Hub.
+/// Used by Self-Hosted environments.
+/// Received by PushController endpoint in Api project.
+/// </summary>
 public class RelayPushNotificationService : BaseIdentityClientService, IPushNotificationService
 {
     private readonly IDeviceRepository _deviceRepository;
+    private readonly IGlobalSettings _globalSettings;
     private readonly IHttpContextAccessor _httpContextAccessor;
 
     public RelayPushNotificationService(
@@ -38,6 +44,7 @@ public class RelayPushNotificationService : BaseIdentityClientService, IPushNoti
             logger)
     {
         _deviceRepository = deviceRepository;
+        _globalSettings = globalSettings;
         _httpContextAccessor = httpContextAccessor;
     }
 
@@ -202,22 +209,31 @@ public class RelayPushNotificationService : BaseIdentityClientService, IPushNoti
             ClientType = notification.ClientType,
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
+            InstallationId = notification.Global ? _globalSettings.Installation.Id : null,
             Title = notification.Title,
             Body = notification.Body,
             CreationDate = notification.CreationDate,
             RevisionDate = notification.RevisionDate
         };
 
-        if (notification.UserId.HasValue)
+        if (notification.Global)
         {
-            await SendPayloadToUserAsync(notification.UserId.Value, PushType.SyncNotification, message, true,
+            await SendPayloadToInstallationAsync(PushType.Notification, message, true, notification.ClientType);
+        }
+        else if (notification.UserId.HasValue)
+        {
+            await SendPayloadToUserAsync(notification.UserId.Value, PushType.Notification, message, true,
                 notification.ClientType);
         }
         else if (notification.OrganizationId.HasValue)
         {
-            await SendPayloadToOrganizationAsync(notification.OrganizationId.Value, PushType.SyncNotification, message,
+            await SendPayloadToOrganizationAsync(notification.OrganizationId.Value, PushType.Notification, message,
                 true, notification.ClientType);
         }
+        else
+        {
+            _logger.LogWarning("Invalid notification id {NotificationId} push notification", notification.Id);
+        }
     }
 
     public async Task PushNotificationStatusAsync(Notification notification, NotificationStatus notificationStatus)
@@ -230,6 +246,7 @@ public class RelayPushNotificationService : BaseIdentityClientService, IPushNoti
             ClientType = notification.ClientType,
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
+            InstallationId = notification.Global ? _globalSettings.Installation.Id : null,
             Title = notification.Title,
             Body = notification.Body,
             CreationDate = notification.CreationDate,
@@ -238,16 +255,24 @@ public class RelayPushNotificationService : BaseIdentityClientService, IPushNoti
             DeletedDate = notificationStatus.DeletedDate
         };
 
-        if (notification.UserId.HasValue)
+        if (notification.Global)
         {
-            await SendPayloadToUserAsync(notification.UserId.Value, PushType.SyncNotificationStatus, message, true,
+            await SendPayloadToInstallationAsync(PushType.NotificationStatus, message, true, notification.ClientType);
+        }
+        else if (notification.UserId.HasValue)
+        {
+            await SendPayloadToUserAsync(notification.UserId.Value, PushType.NotificationStatus, message, true,
                 notification.ClientType);
         }
         else if (notification.OrganizationId.HasValue)
         {
-            await SendPayloadToOrganizationAsync(notification.OrganizationId.Value, PushType.SyncNotificationStatus, message,
+            await SendPayloadToOrganizationAsync(notification.OrganizationId.Value, PushType.NotificationStatus, message,
                 true, notification.ClientType);
         }
+        else
+        {
+            _logger.LogWarning("Invalid notification status id {NotificationId} push notification", notification.Id);
+        }
     }
 
     public async Task PushSyncOrganizationStatusAsync(Organization organization)
@@ -275,6 +300,21 @@ public class RelayPushNotificationService : BaseIdentityClientService, IPushNoti
             false
         );
 
+    private async Task SendPayloadToInstallationAsync(PushType type, object payload, bool excludeCurrentContext,
+        ClientType? clientType = null)
+    {
+        var request = new PushSendRequestModel
+        {
+            InstallationId = _globalSettings.Installation.Id.ToString(),
+            Type = type,
+            Payload = payload,
+            ClientType = clientType
+        };
+
+        await AddCurrentContextAsync(request, excludeCurrentContext);
+        await SendAsync(HttpMethod.Post, "push/send", request);
+    }
+
     private async Task SendPayloadToUserAsync(Guid userId, PushType type, object payload, bool excludeCurrentContext,
         ClientType? clientType = null)
     {
@@ -324,6 +364,10 @@ public class RelayPushNotificationService : BaseIdentityClientService, IPushNoti
         }
     }
 
+    public Task SendPayloadToInstallationAsync(string installationId, PushType type, object payload, string? identifier,
+        string? deviceId = null, ClientType? clientType = null) =>
+        throw new NotImplementedException();
+
     public Task SendPayloadToUserAsync(string userId, PushType type, object payload, string? identifier,
         string? deviceId = null, ClientType? clientType = null)
     {
diff --git a/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs b/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs
index b838fbde59..58a34c15c5 100644
--- a/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs
+++ b/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs
@@ -25,7 +25,7 @@ public class RelayPushRegistrationService : BaseIdentityClientService, IPushRegi
     }
 
     public async Task CreateOrUpdateRegistrationAsync(string pushToken, string deviceId, string userId,
-        string identifier, DeviceType type, IEnumerable<string> organizationIds)
+        string identifier, DeviceType type, IEnumerable<string> organizationIds, Guid installationId)
     {
         var requestModel = new PushRegistrationRequestModel
         {
@@ -34,7 +34,8 @@ public class RelayPushRegistrationService : BaseIdentityClientService, IPushRegi
             PushToken = pushToken,
             Type = type,
             UserId = userId,
-            OrganizationIds = organizationIds
+            OrganizationIds = organizationIds,
+            InstallationId = installationId
         };
         await SendAsync(HttpMethod.Post, "push/register", requestModel);
     }
diff --git a/src/Core/Services/Implementations/DeviceService.cs b/src/Core/Services/Implementations/DeviceService.cs
index 28823eeda7..c8b0134932 100644
--- a/src/Core/Services/Implementations/DeviceService.cs
+++ b/src/Core/Services/Implementations/DeviceService.cs
@@ -5,6 +5,7 @@ using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
+using Bit.Core.Settings;
 
 namespace Bit.Core.Services;
 
@@ -13,15 +14,18 @@ public class DeviceService : IDeviceService
     private readonly IDeviceRepository _deviceRepository;
     private readonly IPushRegistrationService _pushRegistrationService;
     private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IGlobalSettings _globalSettings;
 
     public DeviceService(
         IDeviceRepository deviceRepository,
         IPushRegistrationService pushRegistrationService,
-        IOrganizationUserRepository organizationUserRepository)
+        IOrganizationUserRepository organizationUserRepository,
+        IGlobalSettings globalSettings)
     {
         _deviceRepository = deviceRepository;
         _pushRegistrationService = pushRegistrationService;
         _organizationUserRepository = organizationUserRepository;
+        _globalSettings = globalSettings;
     }
 
     public async Task SaveAsync(Device device)
@@ -42,7 +46,8 @@ public class DeviceService : IDeviceService
             .Select(ou => ou.OrganizationId.ToString());
 
         await _pushRegistrationService.CreateOrUpdateRegistrationAsync(device.PushToken, device.Id.ToString(),
-            device.UserId.ToString(), device.Identifier, device.Type, organizationIdsString);
+            device.UserId.ToString(), device.Identifier, device.Type, organizationIdsString,
+            _globalSettings.Installation.Id);
     }
 
     public async Task ClearTokenAsync(Device device)
diff --git a/src/Notifications/HubHelpers.cs b/src/Notifications/HubHelpers.cs
index af571e48c4..8fa74f7b84 100644
--- a/src/Notifications/HubHelpers.cs
+++ b/src/Notifications/HubHelpers.cs
@@ -93,40 +93,45 @@ public static class HubHelpers
                 var orgStatusNotification =
                     JsonSerializer.Deserialize<PushNotificationData<OrganizationStatusPushNotification>>(
                         notificationJson, _deserializerOptions);
-                await hubContext.Clients.Group($"Organization_{orgStatusNotification.Payload.OrganizationId}")
-                    .SendAsync("ReceiveMessage", orgStatusNotification, cancellationToken);
+                await hubContext.Clients.Group(NotificationsHub.GetOrganizationGroup(orgStatusNotification.Payload.OrganizationId))
+                    .SendAsync(_receiveMessageMethod, orgStatusNotification, cancellationToken);
                 break;
             case PushType.SyncOrganizationCollectionSettingChanged:
                 var organizationCollectionSettingsChangedNotification =
                     JsonSerializer.Deserialize<PushNotificationData<OrganizationStatusPushNotification>>(
                         notificationJson, _deserializerOptions);
-                await hubContext.Clients.Group($"Organization_{organizationCollectionSettingsChangedNotification.Payload.OrganizationId}")
-                    .SendAsync("ReceiveMessage", organizationCollectionSettingsChangedNotification, cancellationToken);
+                await hubContext.Clients.Group(NotificationsHub.GetOrganizationGroup(organizationCollectionSettingsChangedNotification.Payload.OrganizationId))
+                    .SendAsync(_receiveMessageMethod, organizationCollectionSettingsChangedNotification, cancellationToken);
                 break;
-            case PushType.SyncNotification:
-            case PushType.SyncNotificationStatus:
-                var syncNotification =
-                    JsonSerializer.Deserialize<PushNotificationData<NotificationPushNotification>>(
-                        notificationJson, _deserializerOptions);
-                if (syncNotification.Payload.UserId.HasValue)
+            case PushType.Notification:
+            case PushType.NotificationStatus:
+                var notificationData = JsonSerializer.Deserialize<PushNotificationData<NotificationPushNotification>>(
+                    notificationJson, _deserializerOptions);
+                if (notificationData.Payload.InstallationId.HasValue)
                 {
-                    if (syncNotification.Payload.ClientType == ClientType.All)
+                    await hubContext.Clients.Group(NotificationsHub.GetInstallationGroup(
+                            notificationData.Payload.InstallationId.Value, notificationData.Payload.ClientType))
+                        .SendAsync(_receiveMessageMethod, notificationData, cancellationToken);
+                }
+                else if (notificationData.Payload.UserId.HasValue)
+                {
+                    if (notificationData.Payload.ClientType == ClientType.All)
                     {
-                        await hubContext.Clients.User(syncNotification.Payload.UserId.ToString())
-                            .SendAsync(_receiveMessageMethod, syncNotification, cancellationToken);
+                        await hubContext.Clients.User(notificationData.Payload.UserId.ToString())
+                            .SendAsync(_receiveMessageMethod, notificationData, cancellationToken);
                     }
                     else
                     {
                         await hubContext.Clients.Group(NotificationsHub.GetUserGroup(
-                                syncNotification.Payload.UserId.Value, syncNotification.Payload.ClientType))
-                            .SendAsync(_receiveMessageMethod, syncNotification, cancellationToken);
+                                notificationData.Payload.UserId.Value, notificationData.Payload.ClientType))
+                            .SendAsync(_receiveMessageMethod, notificationData, cancellationToken);
                     }
                 }
-                else if (syncNotification.Payload.OrganizationId.HasValue)
+                else if (notificationData.Payload.OrganizationId.HasValue)
                 {
                     await hubContext.Clients.Group(NotificationsHub.GetOrganizationGroup(
-                            syncNotification.Payload.OrganizationId.Value, syncNotification.Payload.ClientType))
-                        .SendAsync(_receiveMessageMethod, syncNotification, cancellationToken);
+                            notificationData.Payload.OrganizationId.Value, notificationData.Payload.ClientType))
+                        .SendAsync(_receiveMessageMethod, notificationData, cancellationToken);
                 }
 
                 break;
diff --git a/src/Notifications/NotificationsHub.cs b/src/Notifications/NotificationsHub.cs
index 27cd19c0a0..ed62dbbd66 100644
--- a/src/Notifications/NotificationsHub.cs
+++ b/src/Notifications/NotificationsHub.cs
@@ -29,6 +29,16 @@ public class NotificationsHub : Microsoft.AspNetCore.SignalR.Hub
             await Groups.AddToGroupAsync(Context.ConnectionId, GetUserGroup(currentContext.UserId.Value, clientType));
         }
 
+        if (_globalSettings.Installation.Id != Guid.Empty)
+        {
+            await Groups.AddToGroupAsync(Context.ConnectionId, GetInstallationGroup(_globalSettings.Installation.Id));
+            if (clientType != ClientType.All)
+            {
+                await Groups.AddToGroupAsync(Context.ConnectionId,
+                    GetInstallationGroup(_globalSettings.Installation.Id, clientType));
+            }
+        }
+
         if (currentContext.Organizations != null)
         {
             foreach (var org in currentContext.Organizations)
@@ -57,6 +67,17 @@ public class NotificationsHub : Microsoft.AspNetCore.SignalR.Hub
                 GetUserGroup(currentContext.UserId.Value, clientType));
         }
 
+        if (_globalSettings.Installation.Id != Guid.Empty)
+        {
+            await Groups.RemoveFromGroupAsync(Context.ConnectionId,
+                GetInstallationGroup(_globalSettings.Installation.Id));
+            if (clientType != ClientType.All)
+            {
+                await Groups.RemoveFromGroupAsync(Context.ConnectionId,
+                    GetInstallationGroup(_globalSettings.Installation.Id, clientType));
+            }
+        }
+
         if (currentContext.Organizations != null)
         {
             foreach (var org in currentContext.Organizations)
@@ -73,6 +94,13 @@ public class NotificationsHub : Microsoft.AspNetCore.SignalR.Hub
         await base.OnDisconnectedAsync(exception);
     }
 
+    public static string GetInstallationGroup(Guid installationId, ClientType? clientType = null)
+    {
+        return clientType is null or ClientType.All
+            ? $"Installation_{installationId}"
+            : $"Installation_ClientType_{installationId}_{clientType}";
+    }
+
     public static string GetUserGroup(Guid userId, ClientType clientType)
     {
         return $"UserClientType_{userId}_{clientType}";
diff --git a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
index 5a1205c961..85bd014c91 100644
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@@ -282,9 +282,13 @@ public static class ServiceCollectionExtensions
         services.AddSingleton<IPushNotificationService, MultiServicePushNotificationService>();
         if (globalSettings.SelfHosted)
         {
+            if (globalSettings.Installation.Id == Guid.Empty)
+            {
+                throw new InvalidOperationException("Installation Id must be set for self-hosted installations.");
+            }
+
             if (CoreHelpers.SettingHasValue(globalSettings.PushRelayBaseUri) &&
-                globalSettings.Installation?.Id != null &&
-                CoreHelpers.SettingHasValue(globalSettings.Installation?.Key))
+                CoreHelpers.SettingHasValue(globalSettings.Installation.Key))
             {
                 services.AddKeyedSingleton<IPushNotificationService, RelayPushNotificationService>("implementation");
                 services.AddSingleton<IPushRegistrationService, RelayPushRegistrationService>();
@@ -300,7 +304,7 @@ public static class ServiceCollectionExtensions
                 services.AddKeyedSingleton<IPushNotificationService, NotificationsApiPushNotificationService>("implementation");
             }
         }
-        else if (!globalSettings.SelfHosted)
+        else
         {
             services.AddSingleton<INotificationHubPool, NotificationHubPool>();
             services.AddSingleton<IPushRegistrationService, NotificationHubPushRegistrationService>();
diff --git a/test/Api.Test/Platform/Push/Controllers/PushControllerTests.cs b/test/Api.Test/Platform/Push/Controllers/PushControllerTests.cs
new file mode 100644
index 0000000000..70e1e83edb
--- /dev/null
+++ b/test/Api.Test/Platform/Push/Controllers/PushControllerTests.cs
@@ -0,0 +1,288 @@
+#nullable enable
+using Bit.Api.Platform.Push;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Api;
+using Bit.Core.Platform.Push;
+using Bit.Core.Settings;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Api.Test.Platform.Push.Controllers;
+
+[ControllerCustomize(typeof(PushController))]
+[SutProviderCustomize]
+public class PushControllerTests
+{
+    [Theory]
+    [BitAutoData(false, true)]
+    [BitAutoData(false, false)]
+    [BitAutoData(true, true)]
+    public async Task SendAsync_InstallationIdNotSetOrSelfHosted_BadRequest(bool haveInstallationId, bool selfHosted,
+        SutProvider<PushController> sutProvider, Guid installationId, Guid userId, Guid organizationId)
+    {
+        sutProvider.GetDependency<IGlobalSettings>().SelfHosted = selfHosted;
+        if (haveInstallationId)
+        {
+            sutProvider.GetDependency<ICurrentContext>().InstallationId.Returns(installationId);
+        }
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.SendAsync(new PushSendRequestModel
+            {
+                Type = PushType.Notification,
+                UserId = userId.ToString(),
+                OrganizationId = organizationId.ToString(),
+                InstallationId = installationId.ToString(),
+                Payload = "test-payload"
+            }));
+
+        Assert.Equal("Not correctly configured for push relays.", exception.Message);
+
+        await sutProvider.GetDependency<IPushNotificationService>().Received(0)
+            .SendPayloadToUserAsync(Arg.Any<string>(), Arg.Any<PushType>(), Arg.Any<object>(), Arg.Any<string>(),
+                Arg.Any<string?>(), Arg.Any<ClientType?>());
+        await sutProvider.GetDependency<IPushNotificationService>().Received(0)
+            .SendPayloadToOrganizationAsync(Arg.Any<string>(), Arg.Any<PushType>(), Arg.Any<object>(),
+                Arg.Any<string>(), Arg.Any<string?>(), Arg.Any<ClientType?>());
+        await sutProvider.GetDependency<IPushNotificationService>().Received(0)
+            .SendPayloadToInstallationAsync(Arg.Any<string>(), Arg.Any<PushType>(), Arg.Any<object>(),
+                Arg.Any<string>(), Arg.Any<string?>(), Arg.Any<ClientType?>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task SendAsync_UserIdAndOrganizationIdAndInstallationIdEmpty_NoPushNotificationSent(
+        SutProvider<PushController> sutProvider, Guid installationId)
+    {
+        sutProvider.GetDependency<IGlobalSettings>().SelfHosted = false;
+        sutProvider.GetDependency<ICurrentContext>().InstallationId.Returns(installationId);
+
+        await sutProvider.Sut.SendAsync(new PushSendRequestModel
+        {
+            Type = PushType.Notification,
+            UserId = null,
+            OrganizationId = null,
+            InstallationId = null,
+            Payload = "test-payload"
+        });
+
+        await sutProvider.GetDependency<IPushNotificationService>().Received(0)
+            .SendPayloadToUserAsync(Arg.Any<string>(), Arg.Any<PushType>(), Arg.Any<object>(), Arg.Any<string>(),
+                Arg.Any<string?>(), Arg.Any<ClientType?>());
+        await sutProvider.GetDependency<IPushNotificationService>().Received(0)
+            .SendPayloadToOrganizationAsync(Arg.Any<string>(), Arg.Any<PushType>(), Arg.Any<object>(),
+                Arg.Any<string>(), Arg.Any<string?>(), Arg.Any<ClientType?>());
+        await sutProvider.GetDependency<IPushNotificationService>().Received(0)
+            .SendPayloadToInstallationAsync(Arg.Any<string>(), Arg.Any<PushType>(), Arg.Any<object>(),
+                Arg.Any<string>(), Arg.Any<string?>(), Arg.Any<ClientType?>());
+    }
+
+    [Theory]
+    [RepeatingPatternBitAutoData([false, true], [false, true], [false, true])]
+    public async Task SendAsync_UserIdSet_SendPayloadToUserAsync(bool haveIdentifier, bool haveDeviceId,
+        bool haveOrganizationId, SutProvider<PushController> sutProvider, Guid installationId, Guid userId,
+        Guid identifier, Guid deviceId)
+    {
+        sutProvider.GetDependency<IGlobalSettings>().SelfHosted = false;
+        sutProvider.GetDependency<ICurrentContext>().InstallationId.Returns(installationId);
+
+        var expectedUserId = $"{installationId}_{userId}";
+        var expectedIdentifier = haveIdentifier ? $"{installationId}_{identifier}" : null;
+        var expectedDeviceId = haveDeviceId ? $"{installationId}_{deviceId}" : null;
+
+        await sutProvider.Sut.SendAsync(new PushSendRequestModel
+        {
+            Type = PushType.Notification,
+            UserId = userId.ToString(),
+            OrganizationId = haveOrganizationId ? Guid.NewGuid().ToString() : null,
+            InstallationId = null,
+            Payload = "test-payload",
+            DeviceId = haveDeviceId ? deviceId.ToString() : null,
+            Identifier = haveIdentifier ? identifier.ToString() : null,
+            ClientType = ClientType.All,
+        });
+
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1)
+            .SendPayloadToUserAsync(expectedUserId, PushType.Notification, "test-payload", expectedIdentifier,
+                expectedDeviceId, ClientType.All);
+        await sutProvider.GetDependency<IPushNotificationService>().Received(0)
+            .SendPayloadToOrganizationAsync(Arg.Any<string>(), Arg.Any<PushType>(), Arg.Any<object>(),
+                Arg.Any<string>(), Arg.Any<string?>(), Arg.Any<ClientType?>());
+        await sutProvider.GetDependency<IPushNotificationService>().Received(0)
+            .SendPayloadToInstallationAsync(Arg.Any<string>(), Arg.Any<PushType>(), Arg.Any<object>(),
+                Arg.Any<string>(), Arg.Any<string?>(), Arg.Any<ClientType?>());
+    }
+
+    [Theory]
+    [RepeatingPatternBitAutoData([false, true], [false, true])]
+    public async Task SendAsync_OrganizationIdSet_SendPayloadToOrganizationAsync(bool haveIdentifier, bool haveDeviceId,
+        SutProvider<PushController> sutProvider, Guid installationId, Guid organizationId, Guid identifier,
+        Guid deviceId)
+    {
+        sutProvider.GetDependency<IGlobalSettings>().SelfHosted = false;
+        sutProvider.GetDependency<ICurrentContext>().InstallationId.Returns(installationId);
+
+        var expectedOrganizationId = $"{installationId}_{organizationId}";
+        var expectedIdentifier = haveIdentifier ? $"{installationId}_{identifier}" : null;
+        var expectedDeviceId = haveDeviceId ? $"{installationId}_{deviceId}" : null;
+
+        await sutProvider.Sut.SendAsync(new PushSendRequestModel
+        {
+            Type = PushType.Notification,
+            UserId = null,
+            OrganizationId = organizationId.ToString(),
+            InstallationId = null,
+            Payload = "test-payload",
+            DeviceId = haveDeviceId ? deviceId.ToString() : null,
+            Identifier = haveIdentifier ? identifier.ToString() : null,
+            ClientType = ClientType.All,
+        });
+
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1)
+            .SendPayloadToOrganizationAsync(expectedOrganizationId, PushType.Notification, "test-payload",
+                expectedIdentifier, expectedDeviceId, ClientType.All);
+        await sutProvider.GetDependency<IPushNotificationService>().Received(0)
+            .SendPayloadToUserAsync(Arg.Any<string>(), Arg.Any<PushType>(), Arg.Any<object>(), Arg.Any<string>(),
+                Arg.Any<string?>(), Arg.Any<ClientType?>());
+        await sutProvider.GetDependency<IPushNotificationService>().Received(0)
+            .SendPayloadToInstallationAsync(Arg.Any<string>(), Arg.Any<PushType>(), Arg.Any<object>(),
+                Arg.Any<string>(), Arg.Any<string?>(), Arg.Any<ClientType?>());
+    }
+
+    [Theory]
+    [RepeatingPatternBitAutoData([false, true], [false, true])]
+    public async Task SendAsync_InstallationIdSet_SendPayloadToInstallationAsync(bool haveIdentifier, bool haveDeviceId,
+        SutProvider<PushController> sutProvider, Guid installationId, Guid identifier, Guid deviceId)
+    {
+        sutProvider.GetDependency<IGlobalSettings>().SelfHosted = false;
+        sutProvider.GetDependency<ICurrentContext>().InstallationId.Returns(installationId);
+
+        var expectedIdentifier = haveIdentifier ? $"{installationId}_{identifier}" : null;
+        var expectedDeviceId = haveDeviceId ? $"{installationId}_{deviceId}" : null;
+
+        await sutProvider.Sut.SendAsync(new PushSendRequestModel
+        {
+            Type = PushType.Notification,
+            UserId = null,
+            OrganizationId = null,
+            InstallationId = installationId.ToString(),
+            Payload = "test-payload",
+            DeviceId = haveDeviceId ? deviceId.ToString() : null,
+            Identifier = haveIdentifier ? identifier.ToString() : null,
+            ClientType = ClientType.All,
+        });
+
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1)
+            .SendPayloadToInstallationAsync(installationId.ToString(), PushType.Notification, "test-payload",
+                expectedIdentifier, expectedDeviceId, ClientType.All);
+        await sutProvider.GetDependency<IPushNotificationService>().Received(0)
+            .SendPayloadToOrganizationAsync(Arg.Any<string>(), Arg.Any<PushType>(), Arg.Any<object>(),
+                Arg.Any<string>(), Arg.Any<string?>(), Arg.Any<ClientType?>());
+        await sutProvider.GetDependency<IPushNotificationService>().Received(0)
+            .SendPayloadToUserAsync(Arg.Any<string>(), Arg.Any<PushType>(), Arg.Any<object>(), Arg.Any<string>(),
+                Arg.Any<string?>(), Arg.Any<ClientType?>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task SendAsync_InstallationIdNotMatching_BadRequest(SutProvider<PushController> sutProvider,
+        Guid installationId)
+    {
+        sutProvider.GetDependency<IGlobalSettings>().SelfHosted = false;
+        sutProvider.GetDependency<ICurrentContext>().InstallationId.Returns(installationId);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.SendAsync(new PushSendRequestModel
+            {
+                Type = PushType.Notification,
+                UserId = null,
+                OrganizationId = null,
+                InstallationId = Guid.NewGuid().ToString(),
+                Payload = "test-payload",
+                DeviceId = null,
+                Identifier = null,
+                ClientType = ClientType.All,
+            }));
+
+        Assert.Equal("InstallationId does not match current context.", exception.Message);
+
+        await sutProvider.GetDependency<IPushNotificationService>().Received(0)
+            .SendPayloadToInstallationAsync(Arg.Any<string>(), Arg.Any<PushType>(), Arg.Any<object>(),
+                Arg.Any<string>(), Arg.Any<string?>(), Arg.Any<ClientType?>());
+        await sutProvider.GetDependency<IPushNotificationService>().Received(0)
+            .SendPayloadToOrganizationAsync(Arg.Any<string>(), Arg.Any<PushType>(), Arg.Any<object>(),
+                Arg.Any<string>(), Arg.Any<string?>(), Arg.Any<ClientType?>());
+        await sutProvider.GetDependency<IPushNotificationService>().Received(0)
+            .SendPayloadToUserAsync(Arg.Any<string>(), Arg.Any<PushType>(), Arg.Any<object>(), Arg.Any<string>(),
+                Arg.Any<string?>(), Arg.Any<ClientType?>());
+    }
+
+    [Theory]
+    [BitAutoData(false, true)]
+    [BitAutoData(false, false)]
+    [BitAutoData(true, true)]
+    public async Task RegisterAsync_InstallationIdNotSetOrSelfHosted_BadRequest(bool haveInstallationId,
+        bool selfHosted,
+        SutProvider<PushController> sutProvider, Guid installationId, Guid userId, Guid identifier, Guid deviceId)
+    {
+        sutProvider.GetDependency<IGlobalSettings>().SelfHosted = selfHosted;
+        if (haveInstallationId)
+        {
+            sutProvider.GetDependency<ICurrentContext>().InstallationId.Returns(installationId);
+        }
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.RegisterAsync(new PushRegistrationRequestModel
+            {
+                DeviceId = deviceId.ToString(),
+                PushToken = "test-push-token",
+                UserId = userId.ToString(),
+                Type = DeviceType.Android,
+                Identifier = identifier.ToString()
+            }));
+
+        Assert.Equal("Not correctly configured for push relays.", exception.Message);
+
+        await sutProvider.GetDependency<IPushRegistrationService>().Received(0)
+            .CreateOrUpdateRegistrationAsync(Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(),
+                Arg.Any<DeviceType>(), Arg.Any<IEnumerable<string>>(), Arg.Any<Guid>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task? RegisterAsync_ValidModel_CreatedOrUpdatedRegistration(SutProvider<PushController> sutProvider,
+        Guid installationId, Guid userId, Guid identifier, Guid deviceId, Guid organizationId)
+    {
+        sutProvider.GetDependency<IGlobalSettings>().SelfHosted = false;
+        sutProvider.GetDependency<ICurrentContext>().InstallationId.Returns(installationId);
+
+        var expectedUserId = $"{installationId}_{userId}";
+        var expectedIdentifier = $"{installationId}_{identifier}";
+        var expectedDeviceId = $"{installationId}_{deviceId}";
+        var expectedOrganizationId = $"{installationId}_{organizationId}";
+
+        await sutProvider.Sut.RegisterAsync(new PushRegistrationRequestModel
+        {
+            DeviceId = deviceId.ToString(),
+            PushToken = "test-push-token",
+            UserId = userId.ToString(),
+            Type = DeviceType.Android,
+            Identifier = identifier.ToString(),
+            OrganizationIds = [organizationId.ToString()],
+            InstallationId = installationId
+        });
+
+        await sutProvider.GetDependency<IPushRegistrationService>().Received(1)
+            .CreateOrUpdateRegistrationAsync("test-push-token", expectedDeviceId, expectedUserId,
+                expectedIdentifier, DeviceType.Android, Arg.Do<IEnumerable<string>>(organizationIds =>
+                {
+                    var organizationIdsList = organizationIds.ToList();
+                    Assert.Contains(expectedOrganizationId, organizationIdsList);
+                    Assert.Single(organizationIdsList);
+                }), installationId);
+    }
+}
diff --git a/test/Core.Test/Models/Api/Request/PushSendRequestModelTests.cs b/test/Core.Test/Models/Api/Request/PushSendRequestModelTests.cs
index 41a6c25bf2..2d3dbffcf6 100644
--- a/test/Core.Test/Models/Api/Request/PushSendRequestModelTests.cs
+++ b/test/Core.Test/Models/Api/Request/PushSendRequestModelTests.cs
@@ -12,19 +12,15 @@ namespace Bit.Core.Test.Models.Api.Request;
 public class PushSendRequestModelTests
 {
     [Theory]
-    [InlineData(null, null)]
-    [InlineData(null, "")]
-    [InlineData(null, " ")]
-    [InlineData("", null)]
-    [InlineData(" ", null)]
-    [InlineData("", "")]
-    [InlineData(" ", " ")]
-    public void Validate_UserIdOrganizationIdNullOrEmpty_Invalid(string? userId, string? organizationId)
+    [RepeatingPatternBitAutoData([null, "", " "], [null, "", " "], [null, "", " "])]
+    public void Validate_UserIdOrganizationIdInstallationIdNullOrEmpty_Invalid(string? userId, string? organizationId,
+        string? installationId)
     {
         var model = new PushSendRequestModel
         {
             UserId = userId,
             OrganizationId = organizationId,
+            InstallationId = installationId,
             Type = PushType.SyncCiphers,
             Payload = "test"
         };
@@ -32,7 +28,65 @@ public class PushSendRequestModelTests
         var results = Validate(model);
 
         Assert.Single(results);
-        Assert.Contains(results, result => result.ErrorMessage == "UserId or OrganizationId is required.");
+        Assert.Contains(results,
+            result => result.ErrorMessage == "UserId or OrganizationId or InstallationId is required.");
+    }
+
+    [Theory]
+    [RepeatingPatternBitAutoData([null, "", " "], [null, "", " "])]
+    public void Validate_UserIdProvidedOrganizationIdInstallationIdNullOrEmpty_Valid(string? organizationId,
+        string? installationId)
+    {
+        var model = new PushSendRequestModel
+        {
+            UserId = Guid.NewGuid().ToString(),
+            OrganizationId = organizationId,
+            InstallationId = installationId,
+            Type = PushType.SyncCiphers,
+            Payload = "test"
+        };
+
+        var results = Validate(model);
+
+        Assert.Empty(results);
+    }
+
+    [Theory]
+    [RepeatingPatternBitAutoData([null, "", " "], [null, "", " "])]
+    public void Validate_OrganizationIdProvidedUserIdInstallationIdNullOrEmpty_Valid(string? userId,
+        string? installationId)
+    {
+        var model = new PushSendRequestModel
+        {
+            UserId = userId,
+            OrganizationId = Guid.NewGuid().ToString(),
+            InstallationId = installationId,
+            Type = PushType.SyncCiphers,
+            Payload = "test"
+        };
+
+        var results = Validate(model);
+
+        Assert.Empty(results);
+    }
+
+    [Theory]
+    [RepeatingPatternBitAutoData([null, "", " "], [null, "", " "])]
+    public void Validate_InstallationIdProvidedUserIdOrganizationIdNullOrEmpty_Valid(string? userId,
+        string? organizationId)
+    {
+        var model = new PushSendRequestModel
+        {
+            UserId = userId,
+            OrganizationId = organizationId,
+            InstallationId = Guid.NewGuid().ToString(),
+            Type = PushType.SyncCiphers,
+            Payload = "test"
+        };
+
+        var results = Validate(model);
+
+        Assert.Empty(results);
     }
 
     [Theory]
diff --git a/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs b/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs
index 2b8ff88dc1..831d048224 100644
--- a/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs
+++ b/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs
@@ -6,6 +6,7 @@ using Bit.Core.Models.Data;
 using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.NotificationHub;
 using Bit.Core.Repositories;
+using Bit.Core.Settings;
 using Bit.Core.Test.NotificationCenter.AutoFixture;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -21,9 +22,11 @@ public class NotificationHubPushNotificationServiceTests
     [Theory]
     [BitAutoData]
     [NotificationCustomize]
-    public async Task PushNotificationAsync_Global_NotSent(
+    public async Task PushNotificationAsync_GlobalInstallationIdDefault_NotSent(
         SutProvider<NotificationHubPushNotificationService> sutProvider, Notification notification)
     {
+        sutProvider.GetDependency<IGlobalSettings>().Installation.Id = default;
+
         await sutProvider.Sut.PushNotificationAsync(notification);
 
         await sutProvider.GetDependency<INotificationHubPool>()
@@ -36,6 +39,50 @@ public class NotificationHubPushNotificationServiceTests
             .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
     }
 
+    [Theory]
+    [BitAutoData]
+    [NotificationCustomize]
+    public async Task PushNotificationAsync_GlobalInstallationIdSetClientTypeAll_SentToInstallationId(
+        SutProvider<NotificationHubPushNotificationService> sutProvider, Notification notification, Guid installationId)
+    {
+        sutProvider.GetDependency<IGlobalSettings>().Installation.Id = installationId;
+        notification.ClientType = ClientType.All;
+        var expectedNotification = ToNotificationPushNotification(notification, null, installationId);
+
+        await sutProvider.Sut.PushNotificationAsync(notification);
+
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.Notification,
+            expectedNotification,
+            $"(template:payload && installationId:{installationId})");
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
+    }
+
+    [Theory]
+    [BitAutoData(ClientType.Browser)]
+    [BitAutoData(ClientType.Desktop)]
+    [BitAutoData(ClientType.Web)]
+    [BitAutoData(ClientType.Mobile)]
+    [NotificationCustomize]
+    public async Task PushNotificationAsync_GlobalInstallationIdSetClientTypeNotAll_SentToInstallationIdAndClientType(
+        ClientType clientType, SutProvider<NotificationHubPushNotificationService> sutProvider,
+        Notification notification, Guid installationId)
+    {
+        sutProvider.GetDependency<IGlobalSettings>().Installation.Id = installationId;
+        notification.ClientType = clientType;
+        var expectedNotification = ToNotificationPushNotification(notification, null, installationId);
+
+        await sutProvider.Sut.PushNotificationAsync(notification);
+
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.Notification,
+            expectedNotification,
+            $"(template:payload && installationId:{installationId} && clientType:{clientType})");
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
+    }
+
     [Theory]
     [BitAutoData(false)]
     [BitAutoData(true)]
@@ -50,11 +97,11 @@ public class NotificationHubPushNotificationServiceTests
         }
 
         notification.ClientType = ClientType.All;
-        var expectedNotification = ToNotificationPushNotification(notification, null);
+        var expectedNotification = ToNotificationPushNotification(notification, null, null);
 
         await sutProvider.Sut.PushNotificationAsync(notification);
 
-        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification,
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.Notification,
             expectedNotification,
             $"(template:payload_userId:{notification.UserId})");
         await sutProvider.GetDependency<IInstallationDeviceRepository>()
@@ -74,11 +121,11 @@ public class NotificationHubPushNotificationServiceTests
     {
         notification.OrganizationId = null;
         notification.ClientType = clientType;
-        var expectedNotification = ToNotificationPushNotification(notification, null);
+        var expectedNotification = ToNotificationPushNotification(notification, null, null);
 
         await sutProvider.Sut.PushNotificationAsync(notification);
 
-        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification,
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.Notification,
             expectedNotification,
             $"(template:payload_userId:{notification.UserId} && clientType:{clientType})");
         await sutProvider.GetDependency<IInstallationDeviceRepository>()
@@ -97,11 +144,11 @@ public class NotificationHubPushNotificationServiceTests
         Notification notification)
     {
         notification.ClientType = clientType;
-        var expectedNotification = ToNotificationPushNotification(notification, null);
+        var expectedNotification = ToNotificationPushNotification(notification, null, null);
 
         await sutProvider.Sut.PushNotificationAsync(notification);
 
-        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification,
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.Notification,
             expectedNotification,
             $"(template:payload_userId:{notification.UserId} && clientType:{clientType})");
         await sutProvider.GetDependency<IInstallationDeviceRepository>()
@@ -117,11 +164,11 @@ public class NotificationHubPushNotificationServiceTests
     {
         notification.UserId = null;
         notification.ClientType = ClientType.All;
-        var expectedNotification = ToNotificationPushNotification(notification, null);
+        var expectedNotification = ToNotificationPushNotification(notification, null, null);
 
         await sutProvider.Sut.PushNotificationAsync(notification);
 
-        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification,
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.Notification,
             expectedNotification,
             $"(template:payload && organizationId:{notification.OrganizationId})");
         await sutProvider.GetDependency<IInstallationDeviceRepository>()
@@ -141,11 +188,11 @@ public class NotificationHubPushNotificationServiceTests
     {
         notification.UserId = null;
         notification.ClientType = clientType;
-        var expectedNotification = ToNotificationPushNotification(notification, null);
+        var expectedNotification = ToNotificationPushNotification(notification, null, null);
 
         await sutProvider.Sut.PushNotificationAsync(notification);
 
-        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotification,
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.Notification,
             expectedNotification,
             $"(template:payload && organizationId:{notification.OrganizationId} && clientType:{clientType})");
         await sutProvider.GetDependency<IInstallationDeviceRepository>()
@@ -156,10 +203,12 @@ public class NotificationHubPushNotificationServiceTests
     [Theory]
     [BitAutoData]
     [NotificationCustomize]
-    public async Task PushNotificationStatusAsync_Global_NotSent(
+    public async Task PushNotificationStatusAsync_GlobalInstallationIdDefault_NotSent(
         SutProvider<NotificationHubPushNotificationService> sutProvider, Notification notification,
         NotificationStatus notificationStatus)
     {
+        sutProvider.GetDependency<IGlobalSettings>().Installation.Id = default;
+
         await sutProvider.Sut.PushNotificationStatusAsync(notification, notificationStatus);
 
         await sutProvider.GetDependency<INotificationHubPool>()
@@ -172,6 +221,54 @@ public class NotificationHubPushNotificationServiceTests
             .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
     }
 
+    [Theory]
+    [BitAutoData]
+    [NotificationCustomize]
+    public async Task PushNotificationStatusAsync_GlobalInstallationIdSetClientTypeAll_SentToInstallationId(
+        SutProvider<NotificationHubPushNotificationService> sutProvider,
+        Notification notification, NotificationStatus notificationStatus, Guid installationId)
+    {
+        sutProvider.GetDependency<IGlobalSettings>().Installation.Id = installationId;
+        notification.ClientType = ClientType.All;
+
+        var expectedNotification = ToNotificationPushNotification(notification, notificationStatus, installationId);
+
+        await sutProvider.Sut.PushNotificationStatusAsync(notification, notificationStatus);
+
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.NotificationStatus,
+            expectedNotification,
+            $"(template:payload && installationId:{installationId})");
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
+    }
+
+    [Theory]
+    [BitAutoData(ClientType.Browser)]
+    [BitAutoData(ClientType.Desktop)]
+    [BitAutoData(ClientType.Web)]
+    [BitAutoData(ClientType.Mobile)]
+    [NotificationCustomize]
+    public async Task
+        PushNotificationStatusAsync_GlobalInstallationIdSetClientTypeNotAll_SentToInstallationIdAndClientType(
+            ClientType clientType, SutProvider<NotificationHubPushNotificationService> sutProvider,
+            Notification notification, NotificationStatus notificationStatus, Guid installationId)
+    {
+        sutProvider.GetDependency<IGlobalSettings>().Installation.Id = installationId;
+        notification.ClientType = clientType;
+
+        var expectedNotification = ToNotificationPushNotification(notification, notificationStatus, installationId);
+
+        await sutProvider.Sut.PushNotificationStatusAsync(notification, notificationStatus);
+
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.NotificationStatus,
+            expectedNotification,
+            $"(template:payload && installationId:{installationId} && clientType:{clientType})");
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
+    }
+
     [Theory]
     [BitAutoData(false)]
     [BitAutoData(true)]
@@ -186,11 +283,11 @@ public class NotificationHubPushNotificationServiceTests
         }
 
         notification.ClientType = ClientType.All;
-        var expectedNotification = ToNotificationPushNotification(notification, notificationStatus);
+        var expectedNotification = ToNotificationPushNotification(notification, notificationStatus, null);
 
         await sutProvider.Sut.PushNotificationStatusAsync(notification, notificationStatus);
 
-        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotificationStatus,
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.NotificationStatus,
             expectedNotification,
             $"(template:payload_userId:{notification.UserId})");
         await sutProvider.GetDependency<IInstallationDeviceRepository>()
@@ -210,11 +307,11 @@ public class NotificationHubPushNotificationServiceTests
     {
         notification.OrganizationId = null;
         notification.ClientType = clientType;
-        var expectedNotification = ToNotificationPushNotification(notification, notificationStatus);
+        var expectedNotification = ToNotificationPushNotification(notification, notificationStatus, null);
 
         await sutProvider.Sut.PushNotificationStatusAsync(notification, notificationStatus);
 
-        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotificationStatus,
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.NotificationStatus,
             expectedNotification,
             $"(template:payload_userId:{notification.UserId} && clientType:{clientType})");
         await sutProvider.GetDependency<IInstallationDeviceRepository>()
@@ -233,11 +330,11 @@ public class NotificationHubPushNotificationServiceTests
         Notification notification, NotificationStatus notificationStatus)
     {
         notification.ClientType = clientType;
-        var expectedNotification = ToNotificationPushNotification(notification, notificationStatus);
+        var expectedNotification = ToNotificationPushNotification(notification, notificationStatus, null);
 
         await sutProvider.Sut.PushNotificationStatusAsync(notification, notificationStatus);
 
-        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotificationStatus,
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.NotificationStatus,
             expectedNotification,
             $"(template:payload_userId:{notification.UserId} && clientType:{clientType})");
         await sutProvider.GetDependency<IInstallationDeviceRepository>()
@@ -254,11 +351,11 @@ public class NotificationHubPushNotificationServiceTests
     {
         notification.UserId = null;
         notification.ClientType = ClientType.All;
-        var expectedNotification = ToNotificationPushNotification(notification, notificationStatus);
+        var expectedNotification = ToNotificationPushNotification(notification, notificationStatus, null);
 
         await sutProvider.Sut.PushNotificationStatusAsync(notification, notificationStatus);
 
-        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotificationStatus,
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.NotificationStatus,
             expectedNotification,
             $"(template:payload && organizationId:{notification.OrganizationId})");
         await sutProvider.GetDependency<IInstallationDeviceRepository>()
@@ -279,11 +376,11 @@ public class NotificationHubPushNotificationServiceTests
     {
         notification.UserId = null;
         notification.ClientType = clientType;
-        var expectedNotification = ToNotificationPushNotification(notification, notificationStatus);
+        var expectedNotification = ToNotificationPushNotification(notification, notificationStatus, null);
 
         await sutProvider.Sut.PushNotificationStatusAsync(notification, notificationStatus);
 
-        await AssertSendTemplateNotificationAsync(sutProvider, PushType.SyncNotificationStatus,
+        await AssertSendTemplateNotificationAsync(sutProvider, PushType.NotificationStatus,
             expectedNotification,
             $"(template:payload && organizationId:{notification.OrganizationId} && clientType:{clientType})");
         await sutProvider.GetDependency<IInstallationDeviceRepository>()
@@ -363,8 +460,44 @@ public class NotificationHubPushNotificationServiceTests
             .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
     }
 
+    [Theory]
+    [BitAutoData([null])]
+    [BitAutoData(ClientType.All)]
+    public async Task SendPayloadToInstallationAsync_ClientTypeNullOrAll_SentToInstallation(ClientType? clientType,
+        SutProvider<NotificationHubPushNotificationService> sutProvider, Guid installationId, PushType pushType,
+        string payload, string identifier)
+    {
+        await sutProvider.Sut.SendPayloadToInstallationAsync(installationId.ToString(), pushType, payload, identifier,
+            null, clientType);
+
+        await AssertSendTemplateNotificationAsync(sutProvider, pushType, payload,
+            $"(template:payload && installationId:{installationId} && !deviceIdentifier:{identifier})");
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
+    }
+
+    [Theory]
+    [BitAutoData(ClientType.Browser)]
+    [BitAutoData(ClientType.Desktop)]
+    [BitAutoData(ClientType.Mobile)]
+    [BitAutoData(ClientType.Web)]
+    public async Task SendPayloadToInstallationAsync_ClientTypeExplicit_SentToInstallationAndClientType(
+        ClientType clientType, SutProvider<NotificationHubPushNotificationService> sutProvider, Guid installationId,
+        PushType pushType, string payload, string identifier)
+    {
+        await sutProvider.Sut.SendPayloadToInstallationAsync(installationId.ToString(), pushType, payload, identifier,
+            null, clientType);
+
+        await AssertSendTemplateNotificationAsync(sutProvider, pushType, payload,
+            $"(template:payload && installationId:{installationId} && !deviceIdentifier:{identifier} && clientType:{clientType})");
+        await sutProvider.GetDependency<IInstallationDeviceRepository>()
+            .Received(0)
+            .UpsertAsync(Arg.Any<InstallationDeviceEntity>());
+    }
+
     private static NotificationPushNotification ToNotificationPushNotification(Notification notification,
-        NotificationStatus? notificationStatus) =>
+        NotificationStatus? notificationStatus, Guid? installationId) =>
         new()
         {
             Id = notification.Id,
@@ -373,6 +506,7 @@ public class NotificationHubPushNotificationServiceTests
             ClientType = notification.ClientType,
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
+            InstallationId = installationId,
             Title = notification.Title,
             Body = notification.Body,
             CreationDate = notification.CreationDate,
diff --git a/test/Core.Test/NotificationHub/NotificationHubPushRegistrationServiceTests.cs b/test/Core.Test/NotificationHub/NotificationHubPushRegistrationServiceTests.cs
index d51df9c882..77551f53e7 100644
--- a/test/Core.Test/NotificationHub/NotificationHubPushRegistrationServiceTests.cs
+++ b/test/Core.Test/NotificationHub/NotificationHubPushRegistrationServiceTests.cs
@@ -14,15 +14,13 @@ namespace Bit.Core.Test.NotificationHub;
 public class NotificationHubPushRegistrationServiceTests
 {
     [Theory]
-    [BitAutoData([null])]
-    [BitAutoData("")]
-    [BitAutoData(" ")]
+    [RepeatingPatternBitAutoData([null, "", " "])]
     public async Task CreateOrUpdateRegistrationAsync_PushTokenNullOrEmpty_InstallationNotCreated(string? pushToken,
         SutProvider<NotificationHubPushRegistrationService> sutProvider, Guid deviceId, Guid userId, Guid identifier,
-        Guid organizationId)
+        Guid organizationId, Guid installationId)
     {
         await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
-            identifier.ToString(), DeviceType.Android, [organizationId.ToString()]);
+            identifier.ToString(), DeviceType.Android, [organizationId.ToString()], installationId);
 
         sutProvider.GetDependency<INotificationHubPool>()
             .Received(0)
@@ -30,13 +28,11 @@ public class NotificationHubPushRegistrationServiceTests
     }
 
     [Theory]
-    [BitAutoData(false, false)]
-    [BitAutoData(false, true)]
-    [BitAutoData(true, false)]
-    [BitAutoData(true, true)]
+    [RepeatingPatternBitAutoData([false, true], [false, true], [false, true])]
     public async Task CreateOrUpdateRegistrationAsync_DeviceTypeAndroid_InstallationCreated(bool identifierNull,
-        bool partOfOrganizationId, SutProvider<NotificationHubPushRegistrationService> sutProvider, Guid deviceId,
-        Guid userId, Guid? identifier, Guid organizationId)
+        bool partOfOrganizationId, bool installationIdNull,
+        SutProvider<NotificationHubPushRegistrationService> sutProvider, Guid deviceId, Guid userId, Guid? identifier,
+        Guid organizationId, Guid installationId)
     {
         var notificationHubClient = Substitute.For<INotificationHubClient>();
         sutProvider.GetDependency<INotificationHubPool>().ClientFor(Arg.Any<Guid>()).Returns(notificationHubClient);
@@ -45,7 +41,8 @@ public class NotificationHubPushRegistrationServiceTests
 
         await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
             identifierNull ? null : identifier.ToString(), DeviceType.Android,
-            partOfOrganizationId ? [organizationId.ToString()] : []);
+            partOfOrganizationId ? [organizationId.ToString()] : [],
+            installationIdNull ? Guid.Empty : installationId);
 
         sutProvider.GetDependency<INotificationHubPool>()
             .Received(1)
@@ -60,6 +57,7 @@ public class NotificationHubPushRegistrationServiceTests
                 installation.Tags.Contains("clientType:Mobile") &&
                 (identifierNull || installation.Tags.Contains($"deviceIdentifier:{identifier}")) &&
                 (!partOfOrganizationId || installation.Tags.Contains($"organizationId:{organizationId}")) &&
+                (installationIdNull || installation.Tags.Contains($"installationId:{installationId}")) &&
                 installation.Templates.Count == 3));
         await notificationHubClient
             .Received(1)
@@ -73,6 +71,7 @@ public class NotificationHubPushRegistrationServiceTests
                     "clientType:Mobile",
                     identifierNull ? null : $"template:payload_deviceIdentifier:{identifier}",
                     partOfOrganizationId ? $"organizationId:{organizationId}" : null,
+                    installationIdNull ? null : $"installationId:{installationId}",
                 })));
         await notificationHubClient
             .Received(1)
@@ -86,6 +85,7 @@ public class NotificationHubPushRegistrationServiceTests
                     "clientType:Mobile",
                     identifierNull ? null : $"template:message_deviceIdentifier:{identifier}",
                     partOfOrganizationId ? $"organizationId:{organizationId}" : null,
+                    installationIdNull ? null : $"installationId:{installationId}",
                 })));
         await notificationHubClient
             .Received(1)
@@ -99,17 +99,16 @@ public class NotificationHubPushRegistrationServiceTests
                     "clientType:Mobile",
                     identifierNull ? null : $"template:badgeMessage_deviceIdentifier:{identifier}",
                     partOfOrganizationId ? $"organizationId:{organizationId}" : null,
+                    installationIdNull ? null : $"installationId:{installationId}",
                 })));
     }
 
     [Theory]
-    [BitAutoData(false, false)]
-    [BitAutoData(false, true)]
-    [BitAutoData(true, false)]
-    [BitAutoData(true, true)]
+    [RepeatingPatternBitAutoData([false, true], [false, true], [false, true])]
     public async Task CreateOrUpdateRegistrationAsync_DeviceTypeIOS_InstallationCreated(bool identifierNull,
-        bool partOfOrganizationId, SutProvider<NotificationHubPushRegistrationService> sutProvider, Guid deviceId,
-        Guid userId, Guid identifier, Guid organizationId)
+        bool partOfOrganizationId, bool installationIdNull,
+        SutProvider<NotificationHubPushRegistrationService> sutProvider, Guid deviceId, Guid userId, Guid identifier,
+        Guid organizationId, Guid installationId)
     {
         var notificationHubClient = Substitute.For<INotificationHubClient>();
         sutProvider.GetDependency<INotificationHubPool>().ClientFor(Arg.Any<Guid>()).Returns(notificationHubClient);
@@ -118,7 +117,8 @@ public class NotificationHubPushRegistrationServiceTests
 
         await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
             identifierNull ? null : identifier.ToString(), DeviceType.iOS,
-            partOfOrganizationId ? [organizationId.ToString()] : []);
+            partOfOrganizationId ? [organizationId.ToString()] : [],
+            installationIdNull ? Guid.Empty : installationId);
 
         sutProvider.GetDependency<INotificationHubPool>()
             .Received(1)
@@ -133,6 +133,7 @@ public class NotificationHubPushRegistrationServiceTests
                 installation.Tags.Contains("clientType:Mobile") &&
                 (identifierNull || installation.Tags.Contains($"deviceIdentifier:{identifier}")) &&
                 (!partOfOrganizationId || installation.Tags.Contains($"organizationId:{organizationId}")) &&
+                (installationIdNull || installation.Tags.Contains($"installationId:{installationId}")) &&
                 installation.Templates.Count == 3));
         await notificationHubClient
             .Received(1)
@@ -146,6 +147,7 @@ public class NotificationHubPushRegistrationServiceTests
                     "clientType:Mobile",
                     identifierNull ? null : $"template:payload_deviceIdentifier:{identifier}",
                     partOfOrganizationId ? $"organizationId:{organizationId}" : null,
+                    installationIdNull ? null : $"installationId:{installationId}",
                 })));
         await notificationHubClient
             .Received(1)
@@ -159,6 +161,7 @@ public class NotificationHubPushRegistrationServiceTests
                     "clientType:Mobile",
                     identifierNull ? null : $"template:message_deviceIdentifier:{identifier}",
                     partOfOrganizationId ? $"organizationId:{organizationId}" : null,
+                    installationIdNull ? null : $"installationId:{installationId}",
                 })));
         await notificationHubClient
             .Received(1)
@@ -172,17 +175,16 @@ public class NotificationHubPushRegistrationServiceTests
                     "clientType:Mobile",
                     identifierNull ? null : $"template:badgeMessage_deviceIdentifier:{identifier}",
                     partOfOrganizationId ? $"organizationId:{organizationId}" : null,
+                    installationIdNull ? null : $"installationId:{installationId}",
                 })));
     }
 
     [Theory]
-    [BitAutoData(false, false)]
-    [BitAutoData(false, true)]
-    [BitAutoData(true, false)]
-    [BitAutoData(true, true)]
+    [RepeatingPatternBitAutoData([false, true], [false, true], [false, true])]
     public async Task CreateOrUpdateRegistrationAsync_DeviceTypeAndroidAmazon_InstallationCreated(bool identifierNull,
-        bool partOfOrganizationId, SutProvider<NotificationHubPushRegistrationService> sutProvider, Guid deviceId,
-        Guid userId, Guid identifier, Guid organizationId)
+        bool partOfOrganizationId, bool installationIdNull,
+        SutProvider<NotificationHubPushRegistrationService> sutProvider, Guid deviceId,
+        Guid userId, Guid identifier, Guid organizationId, Guid installationId)
     {
         var notificationHubClient = Substitute.For<INotificationHubClient>();
         sutProvider.GetDependency<INotificationHubPool>().ClientFor(Arg.Any<Guid>()).Returns(notificationHubClient);
@@ -191,7 +193,8 @@ public class NotificationHubPushRegistrationServiceTests
 
         await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
             identifierNull ? null : identifier.ToString(), DeviceType.AndroidAmazon,
-            partOfOrganizationId ? [organizationId.ToString()] : []);
+            partOfOrganizationId ? [organizationId.ToString()] : [],
+            installationIdNull ? Guid.Empty : installationId);
 
         sutProvider.GetDependency<INotificationHubPool>()
             .Received(1)
@@ -206,6 +209,7 @@ public class NotificationHubPushRegistrationServiceTests
                 installation.Tags.Contains("clientType:Mobile") &&
                 (identifierNull || installation.Tags.Contains($"deviceIdentifier:{identifier}")) &&
                 (!partOfOrganizationId || installation.Tags.Contains($"organizationId:{organizationId}")) &&
+                (installationIdNull || installation.Tags.Contains($"installationId:{installationId}")) &&
                 installation.Templates.Count == 3));
         await notificationHubClient
             .Received(1)
@@ -219,6 +223,7 @@ public class NotificationHubPushRegistrationServiceTests
                     "clientType:Mobile",
                     identifierNull ? null : $"template:payload_deviceIdentifier:{identifier}",
                     partOfOrganizationId ? $"organizationId:{organizationId}" : null,
+                    installationIdNull ? null : $"installationId:{installationId}",
                 })));
         await notificationHubClient
             .Received(1)
@@ -232,6 +237,7 @@ public class NotificationHubPushRegistrationServiceTests
                     "clientType:Mobile",
                     identifierNull ? null : $"template:message_deviceIdentifier:{identifier}",
                     partOfOrganizationId ? $"organizationId:{organizationId}" : null,
+                    installationIdNull ? null : $"installationId:{installationId}",
                 })));
         await notificationHubClient
             .Received(1)
@@ -245,6 +251,7 @@ public class NotificationHubPushRegistrationServiceTests
                     "clientType:Mobile",
                     identifierNull ? null : $"template:badgeMessage_deviceIdentifier:{identifier}",
                     partOfOrganizationId ? $"organizationId:{organizationId}" : null,
+                    installationIdNull ? null : $"installationId:{installationId}",
                 })));
     }
 
@@ -254,7 +261,7 @@ public class NotificationHubPushRegistrationServiceTests
     [BitAutoData(DeviceType.MacOsDesktop)]
     public async Task CreateOrUpdateRegistrationAsync_DeviceTypeNotMobile_InstallationCreated(DeviceType deviceType,
         SutProvider<NotificationHubPushRegistrationService> sutProvider, Guid deviceId, Guid userId, Guid identifier,
-        Guid organizationId)
+        Guid organizationId, Guid installationId)
     {
         var notificationHubClient = Substitute.For<INotificationHubClient>();
         sutProvider.GetDependency<INotificationHubPool>().ClientFor(Arg.Any<Guid>()).Returns(notificationHubClient);
@@ -262,7 +269,7 @@ public class NotificationHubPushRegistrationServiceTests
         var pushToken = "test push token";
 
         await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
-            identifier.ToString(), deviceType, [organizationId.ToString()]);
+            identifier.ToString(), deviceType, [organizationId.ToString()], installationId);
 
         sutProvider.GetDependency<INotificationHubPool>()
             .Received(1)
@@ -276,6 +283,7 @@ public class NotificationHubPushRegistrationServiceTests
                 installation.Tags.Contains($"clientType:{DeviceTypes.ToClientType(deviceType)}") &&
                 installation.Tags.Contains($"deviceIdentifier:{identifier}") &&
                 installation.Tags.Contains($"organizationId:{organizationId}") &&
+                installation.Tags.Contains($"installationId:{installationId}") &&
                 installation.Templates.Count == 0));
     }
 
diff --git a/test/Core.Test/Platform/Push/Services/AzureQueuePushNotificationServiceTests.cs b/test/Core.Test/Platform/Push/Services/AzureQueuePushNotificationServiceTests.cs
index 22161924ea..3025197c66 100644
--- a/test/Core.Test/Platform/Push/Services/AzureQueuePushNotificationServiceTests.cs
+++ b/test/Core.Test/Platform/Push/Services/AzureQueuePushNotificationServiceTests.cs
@@ -5,6 +5,8 @@ using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Models;
 using Bit.Core.NotificationCenter.Entities;
+using Bit.Core.Platform.Push.Internal;
+using Bit.Core.Settings;
 using Bit.Core.Test.AutoFixture;
 using Bit.Core.Test.AutoFixture.CurrentContextFixtures;
 using Bit.Core.Test.NotificationCenter.AutoFixture;
@@ -14,7 +16,7 @@ using Microsoft.AspNetCore.Http;
 using NSubstitute;
 using Xunit;
 
-namespace Bit.Core.Platform.Push.Internal.Test;
+namespace Bit.Core.Test.Platform.Push.Services;
 
 [QueueClientCustomize]
 [SutProviderCustomize]
@@ -24,20 +26,43 @@ public class AzureQueuePushNotificationServiceTests
     [BitAutoData]
     [NotificationCustomize]
     [CurrentContextCustomize]
-    public async Task PushNotificationAsync_Notification_Sent(
+    public async Task PushNotificationAsync_NotificationGlobal_Sent(
         SutProvider<AzureQueuePushNotificationService> sutProvider, Notification notification, Guid deviceIdentifier,
-        ICurrentContext currentContext)
+        ICurrentContext currentContext, Guid installationId)
     {
         currentContext.DeviceIdentifier.Returns(deviceIdentifier.ToString());
         sutProvider.GetDependency<IHttpContextAccessor>().HttpContext!.RequestServices
             .GetService(Arg.Any<Type>()).Returns(currentContext);
+        sutProvider.GetDependency<IGlobalSettings>().Installation.Id = installationId;
 
         await sutProvider.Sut.PushNotificationAsync(notification);
 
         await sutProvider.GetDependency<QueueClient>().Received(1)
             .SendMessageAsync(Arg.Is<string>(message =>
-                MatchMessage(PushType.SyncNotification, message,
-                    new NotificationPushNotificationEquals(notification, null),
+                MatchMessage(PushType.Notification, message,
+                    new NotificationPushNotificationEquals(notification, null, installationId),
+                    deviceIdentifier.ToString())));
+    }
+
+    [Theory]
+    [BitAutoData]
+    [NotificationCustomize(false)]
+    [CurrentContextCustomize]
+    public async Task PushNotificationAsync_NotificationNotGlobal_Sent(
+        SutProvider<AzureQueuePushNotificationService> sutProvider, Notification notification, Guid deviceIdentifier,
+        ICurrentContext currentContext, Guid installationId)
+    {
+        currentContext.DeviceIdentifier.Returns(deviceIdentifier.ToString());
+        sutProvider.GetDependency<IHttpContextAccessor>().HttpContext!.RequestServices
+            .GetService(Arg.Any<Type>()).Returns(currentContext);
+        sutProvider.GetDependency<IGlobalSettings>().Installation.Id = installationId;
+
+        await sutProvider.Sut.PushNotificationAsync(notification);
+
+        await sutProvider.GetDependency<QueueClient>().Received(1)
+            .SendMessageAsync(Arg.Is<string>(message =>
+                MatchMessage(PushType.Notification, message,
+                    new NotificationPushNotificationEquals(notification, null, null),
                     deviceIdentifier.ToString())));
     }
 
@@ -46,20 +71,44 @@ public class AzureQueuePushNotificationServiceTests
     [NotificationCustomize]
     [NotificationStatusCustomize]
     [CurrentContextCustomize]
-    public async Task PushNotificationStatusAsync_Notification_Sent(
+    public async Task PushNotificationStatusAsync_NotificationGlobal_Sent(
         SutProvider<AzureQueuePushNotificationService> sutProvider, Notification notification, Guid deviceIdentifier,
-        ICurrentContext currentContext, NotificationStatus notificationStatus)
+        ICurrentContext currentContext, NotificationStatus notificationStatus, Guid installationId)
     {
         currentContext.DeviceIdentifier.Returns(deviceIdentifier.ToString());
         sutProvider.GetDependency<IHttpContextAccessor>().HttpContext!.RequestServices
             .GetService(Arg.Any<Type>()).Returns(currentContext);
+        sutProvider.GetDependency<IGlobalSettings>().Installation.Id = installationId;
 
         await sutProvider.Sut.PushNotificationStatusAsync(notification, notificationStatus);
 
         await sutProvider.GetDependency<QueueClient>().Received(1)
             .SendMessageAsync(Arg.Is<string>(message =>
-                MatchMessage(PushType.SyncNotificationStatus, message,
-                    new NotificationPushNotificationEquals(notification, notificationStatus),
+                MatchMessage(PushType.NotificationStatus, message,
+                    new NotificationPushNotificationEquals(notification, notificationStatus, installationId),
+                    deviceIdentifier.ToString())));
+    }
+
+    [Theory]
+    [BitAutoData]
+    [NotificationCustomize(false)]
+    [NotificationStatusCustomize]
+    [CurrentContextCustomize]
+    public async Task PushNotificationStatusAsync_NotificationNotGlobal_Sent(
+        SutProvider<AzureQueuePushNotificationService> sutProvider, Notification notification, Guid deviceIdentifier,
+        ICurrentContext currentContext, NotificationStatus notificationStatus, Guid installationId)
+    {
+        currentContext.DeviceIdentifier.Returns(deviceIdentifier.ToString());
+        sutProvider.GetDependency<IHttpContextAccessor>().HttpContext!.RequestServices
+            .GetService(Arg.Any<Type>()).Returns(currentContext);
+        sutProvider.GetDependency<IGlobalSettings>().Installation.Id = installationId;
+
+        await sutProvider.Sut.PushNotificationStatusAsync(notification, notificationStatus);
+
+        await sutProvider.GetDependency<QueueClient>().Received(1)
+            .SendMessageAsync(Arg.Is<string>(message =>
+                MatchMessage(PushType.NotificationStatus, message,
+                    new NotificationPushNotificationEquals(notification, notificationStatus, null),
                     deviceIdentifier.ToString())));
     }
 
@@ -73,7 +122,10 @@ public class AzureQueuePushNotificationServiceTests
                pushNotificationData.ContextId == contextId;
     }
 
-    private class NotificationPushNotificationEquals(Notification notification, NotificationStatus? notificationStatus)
+    private class NotificationPushNotificationEquals(
+        Notification notification,
+        NotificationStatus? notificationStatus,
+        Guid? installationId)
         : IEquatable<NotificationPushNotification>
     {
         public bool Equals(NotificationPushNotification? other)
@@ -87,6 +139,8 @@ public class AzureQueuePushNotificationServiceTests
                    other.UserId == notification.UserId &&
                    other.OrganizationId.HasValue == notification.OrganizationId.HasValue &&
                    other.OrganizationId == notification.OrganizationId &&
+                   other.ClientType == notification.ClientType &&
+                   other.InstallationId == installationId &&
                    other.Title == notification.Title &&
                    other.Body == notification.Body &&
                    other.CreationDate == notification.CreationDate &&
diff --git a/test/Core.Test/Platform/Push/Services/MultiServicePushNotificationServiceTests.cs b/test/Core.Test/Platform/Push/Services/MultiServicePushNotificationServiceTests.cs
index 08dfd0a5c0..68acf7ec72 100644
--- a/test/Core.Test/Platform/Push/Services/MultiServicePushNotificationServiceTests.cs
+++ b/test/Core.Test/Platform/Push/Services/MultiServicePushNotificationServiceTests.cs
@@ -1,13 +1,15 @@
 #nullable enable
 using Bit.Core.Enums;
 using Bit.Core.NotificationCenter.Entities;
+using Bit.Core.Platform.Push;
+using Bit.Core.Platform.Push.Internal;
 using Bit.Core.Test.NotificationCenter.AutoFixture;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
 using Xunit;
 
-namespace Bit.Core.Platform.Push.Internal.Test;
+namespace Bit.Core.Test.Platform.Push.Services;
 
 [SutProviderCustomize]
 public class MultiServicePushNotificationServiceTests
@@ -75,4 +77,22 @@ public class MultiServicePushNotificationServiceTests
             .Received(1)
             .SendPayloadToOrganizationAsync(organizationId, type, payload, identifier, deviceId, clientType);
     }
+
+    [Theory]
+    [BitAutoData([null, null])]
+    [BitAutoData(ClientType.All, null)]
+    [BitAutoData([null, "test device id"])]
+    [BitAutoData(ClientType.All, "test device id")]
+    public async Task SendPayloadToInstallationAsync_Message_Sent(ClientType? clientType, string? deviceId,
+        string installationId, PushType type, object payload, string identifier,
+        SutProvider<MultiServicePushNotificationService> sutProvider)
+    {
+        await sutProvider.Sut.SendPayloadToInstallationAsync(installationId, type, payload, identifier, deviceId,
+            clientType);
+
+        await sutProvider.GetDependency<IEnumerable<IPushNotificationService>>()
+            .First()
+            .Received(1)
+            .SendPayloadToInstallationAsync(installationId, type, payload, identifier, deviceId, clientType);
+    }
 }
diff --git a/test/Core.Test/Platform/Push/Services/NotificationsApiPushNotificationServiceTests.cs b/test/Core.Test/Platform/Push/Services/NotificationsApiPushNotificationServiceTests.cs
index 78f60da359..07f348a5ba 100644
--- a/test/Core.Test/Platform/Push/Services/NotificationsApiPushNotificationServiceTests.cs
+++ b/test/Core.Test/Platform/Push/Services/NotificationsApiPushNotificationServiceTests.cs
@@ -1,10 +1,11 @@
-using Bit.Core.Settings;
+using Bit.Core.Platform.Push;
+using Bit.Core.Settings;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Logging;
 using NSubstitute;
 using Xunit;
 
-namespace Bit.Core.Platform.Push.Internal.Test;
+namespace Bit.Core.Test.Platform.Push.Services;
 
 public class NotificationsApiPushNotificationServiceTests
 {
diff --git a/test/Core.Test/Platform/Push/Services/RelayPushNotificationServiceTests.cs b/test/Core.Test/Platform/Push/Services/RelayPushNotificationServiceTests.cs
index 61d7f0a788..9ae79f7142 100644
--- a/test/Core.Test/Platform/Push/Services/RelayPushNotificationServiceTests.cs
+++ b/test/Core.Test/Platform/Push/Services/RelayPushNotificationServiceTests.cs
@@ -1,11 +1,12 @@
-using Bit.Core.Repositories;
+using Bit.Core.Platform.Push.Internal;
+using Bit.Core.Repositories;
 using Bit.Core.Settings;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Logging;
 using NSubstitute;
 using Xunit;
 
-namespace Bit.Core.Platform.Push.Internal.Test;
+namespace Bit.Core.Test.Platform.Push.Services;
 
 public class RelayPushNotificationServiceTests
 {
diff --git a/test/Core.Test/Platform/Push/Services/RelayPushRegistrationServiceTests.cs b/test/Core.Test/Platform/Push/Services/RelayPushRegistrationServiceTests.cs
index cfd843d2eb..062b4a96a8 100644
--- a/test/Core.Test/Platform/Push/Services/RelayPushRegistrationServiceTests.cs
+++ b/test/Core.Test/Platform/Push/Services/RelayPushRegistrationServiceTests.cs
@@ -1,9 +1,10 @@
-using Bit.Core.Settings;
+using Bit.Core.Platform.Push.Internal;
+using Bit.Core.Settings;
 using Microsoft.Extensions.Logging;
 using NSubstitute;
 using Xunit;
 
-namespace Bit.Core.Platform.Push.Internal.Test;
+namespace Bit.Core.Test.Platform.Push.Services;
 
 public class RelayPushRegistrationServiceTests
 {
diff --git a/test/Core.Test/Services/DeviceServiceTests.cs b/test/Core.Test/Services/DeviceServiceTests.cs
index 98b04eb7d3..95a93cf4e8 100644
--- a/test/Core.Test/Services/DeviceServiceTests.cs
+++ b/test/Core.Test/Services/DeviceServiceTests.cs
@@ -7,6 +7,7 @@ using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
+using Bit.Core.Settings;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
@@ -20,7 +21,7 @@ public class DeviceServiceTests
     [Theory]
     [BitAutoData]
     public async Task SaveAsync_IdProvided_UpdatedRevisionDateAndPushRegistration(Guid id, Guid userId,
-        Guid organizationId1, Guid organizationId2,
+        Guid organizationId1, Guid organizationId2, Guid installationId,
         OrganizationUserOrganizationDetails organizationUserOrganizationDetails1,
         OrganizationUserOrganizationDetails organizationUserOrganizationDetails2)
     {
@@ -32,7 +33,9 @@ public class DeviceServiceTests
         var organizationUserRepository = Substitute.For<IOrganizationUserRepository>();
         organizationUserRepository.GetManyDetailsByUserAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType?>())
             .Returns([organizationUserOrganizationDetails1, organizationUserOrganizationDetails2]);
-        var deviceService = new DeviceService(deviceRepo, pushRepo, organizationUserRepository);
+        var globalSettings = Substitute.For<IGlobalSettings>();
+        globalSettings.Installation.Id.Returns(installationId);
+        var deviceService = new DeviceService(deviceRepo, pushRepo, organizationUserRepository, globalSettings);
 
         var device = new Device
         {
@@ -54,13 +57,13 @@ public class DeviceServiceTests
                 Assert.Equal(2, organizationIdsList.Count);
                 Assert.Contains(organizationId1.ToString(), organizationIdsList);
                 Assert.Contains(organizationId2.ToString(), organizationIdsList);
-            }));
+            }), installationId);
     }
 
     [Theory]
     [BitAutoData]
     public async Task SaveAsync_IdNotProvided_CreatedAndPushRegistration(Guid userId, Guid organizationId1,
-        Guid organizationId2,
+        Guid organizationId2, Guid installationId,
         OrganizationUserOrganizationDetails organizationUserOrganizationDetails1,
         OrganizationUserOrganizationDetails organizationUserOrganizationDetails2)
     {
@@ -72,7 +75,9 @@ public class DeviceServiceTests
         var organizationUserRepository = Substitute.For<IOrganizationUserRepository>();
         organizationUserRepository.GetManyDetailsByUserAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType?>())
             .Returns([organizationUserOrganizationDetails1, organizationUserOrganizationDetails2]);
-        var deviceService = new DeviceService(deviceRepo, pushRepo, organizationUserRepository);
+        var globalSettings = Substitute.For<IGlobalSettings>();
+        globalSettings.Installation.Id.Returns(installationId);
+        var deviceService = new DeviceService(deviceRepo, pushRepo, organizationUserRepository, globalSettings);
 
         var device = new Device
         {
@@ -92,7 +97,7 @@ public class DeviceServiceTests
                 Assert.Equal(2, organizationIdsList.Count);
                 Assert.Contains(organizationId1.ToString(), organizationIdsList);
                 Assert.Contains(organizationId2.ToString(), organizationIdsList);
-            }));
+            }), installationId);
     }
 
     /// <summary>

From 4bef2357d59c69eb366229f5d0e60ab7a2af1fa4 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Thu, 20 Feb 2025 16:01:48 +0100
Subject: [PATCH 294/384] [PM-18028] Enabling automatic tax for customers
 without country or with manual tax rates set (#5376)

---
 .../Implementations/UpcomingInvoiceHandler.cs | 13 +++---
 .../Billing/Extensions/CustomerExtensions.cs  | 16 +++++++
 .../SubscriptionCreateOptionsExtensions.cs    | 26 +++++++++++
 .../SubscriptionUpdateOptionsExtensions.cs    | 35 +++++++++++++++
 .../UpcomingInvoiceOptionsExtensions.cs       | 35 +++++++++++++++
 .../PremiumUserBillingService.cs              |  2 +-
 .../Implementations/SubscriberService.cs      | 20 ++++++---
 .../Implementations/StripePaymentService.cs   | 43 +++++++++----------
 8 files changed, 155 insertions(+), 35 deletions(-)
 create mode 100644 src/Core/Billing/Extensions/CustomerExtensions.cs
 create mode 100644 src/Core/Billing/Extensions/SubscriptionCreateOptionsExtensions.cs
 create mode 100644 src/Core/Billing/Extensions/SubscriptionUpdateOptionsExtensions.cs
 create mode 100644 src/Core/Billing/Extensions/UpcomingInvoiceOptionsExtensions.cs

diff --git a/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs b/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs
index c52c03b6aa..409bd0d18b 100644
--- a/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs
+++ b/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs
@@ -1,6 +1,7 @@
 using Bit.Billing.Constants;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Billing.Extensions;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -160,16 +161,16 @@ public class UpcomingInvoiceHandler : IUpcomingInvoiceHandler
 
     private async Task<Subscription> TryEnableAutomaticTaxAsync(Subscription subscription)
     {
-        if (subscription.AutomaticTax.Enabled)
+        var customerGetOptions = new CustomerGetOptions { Expand = ["tax"] };
+        var customer = await _stripeFacade.GetCustomer(subscription.CustomerId, customerGetOptions);
+
+        var subscriptionUpdateOptions = new SubscriptionUpdateOptions();
+
+        if (!subscriptionUpdateOptions.EnableAutomaticTax(customer, subscription))
         {
             return subscription;
         }
 
-        var subscriptionUpdateOptions = new SubscriptionUpdateOptions
-        {
-            AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
-        };
-
         return await _stripeFacade.UpdateSubscription(subscription.Id, subscriptionUpdateOptions);
     }
 
diff --git a/src/Core/Billing/Extensions/CustomerExtensions.cs b/src/Core/Billing/Extensions/CustomerExtensions.cs
new file mode 100644
index 0000000000..62f1a5055c
--- /dev/null
+++ b/src/Core/Billing/Extensions/CustomerExtensions.cs
@@ -0,0 +1,16 @@
+using Bit.Core.Billing.Constants;
+using Stripe;
+
+namespace Bit.Core.Billing.Extensions;
+
+public static class CustomerExtensions
+{
+
+    /// <summary>
+    /// Determines if a Stripe customer supports automatic tax
+    /// </summary>
+    /// <param name="customer"></param>
+    /// <returns></returns>
+    public static bool HasTaxLocationVerified(this Customer customer) =>
+        customer?.Tax?.AutomaticTax == StripeConstants.AutomaticTaxStatus.Supported;
+}
diff --git a/src/Core/Billing/Extensions/SubscriptionCreateOptionsExtensions.cs b/src/Core/Billing/Extensions/SubscriptionCreateOptionsExtensions.cs
new file mode 100644
index 0000000000..d76a0553a3
--- /dev/null
+++ b/src/Core/Billing/Extensions/SubscriptionCreateOptionsExtensions.cs
@@ -0,0 +1,26 @@
+using Stripe;
+
+namespace Bit.Core.Billing.Extensions;
+
+public static class SubscriptionCreateOptionsExtensions
+{
+    /// <summary>
+    /// Attempts to enable automatic tax for given new subscription options.
+    /// </summary>
+    /// <param name="options"></param>
+    /// <param name="customer">The existing customer.</param>
+    /// <returns>Returns true when successful, false when conditions are not met.</returns>
+    public static bool EnableAutomaticTax(this SubscriptionCreateOptions options, Customer customer)
+    {
+        // We might only need to check the automatic tax status.
+        if (!customer.HasTaxLocationVerified() && string.IsNullOrWhiteSpace(customer.Address?.Country))
+        {
+            return false;
+        }
+
+        options.DefaultTaxRates = [];
+        options.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true };
+
+        return true;
+    }
+}
diff --git a/src/Core/Billing/Extensions/SubscriptionUpdateOptionsExtensions.cs b/src/Core/Billing/Extensions/SubscriptionUpdateOptionsExtensions.cs
new file mode 100644
index 0000000000..d70af78fa8
--- /dev/null
+++ b/src/Core/Billing/Extensions/SubscriptionUpdateOptionsExtensions.cs
@@ -0,0 +1,35 @@
+using Stripe;
+
+namespace Bit.Core.Billing.Extensions;
+
+public static class SubscriptionUpdateOptionsExtensions
+{
+    /// <summary>
+    /// Attempts to enable automatic tax for given subscription options.
+    /// </summary>
+    /// <param name="options"></param>
+    /// <param name="customer">The existing customer to which the subscription belongs.</param>
+    /// <param name="subscription">The existing subscription.</param>
+    /// <returns>Returns true when successful, false when conditions are not met.</returns>
+    public static bool EnableAutomaticTax(
+        this SubscriptionUpdateOptions options,
+        Customer customer,
+        Subscription subscription)
+    {
+        if (subscription.AutomaticTax.Enabled)
+        {
+            return false;
+        }
+
+        // We might only need to check the automatic tax status.
+        if (!customer.HasTaxLocationVerified() && string.IsNullOrWhiteSpace(customer.Address?.Country))
+        {
+            return false;
+        }
+
+        options.DefaultTaxRates = [];
+        options.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true };
+
+        return true;
+    }
+}
diff --git a/src/Core/Billing/Extensions/UpcomingInvoiceOptionsExtensions.cs b/src/Core/Billing/Extensions/UpcomingInvoiceOptionsExtensions.cs
new file mode 100644
index 0000000000..88df5638c9
--- /dev/null
+++ b/src/Core/Billing/Extensions/UpcomingInvoiceOptionsExtensions.cs
@@ -0,0 +1,35 @@
+using Stripe;
+
+namespace Bit.Core.Billing.Extensions;
+
+public static class UpcomingInvoiceOptionsExtensions
+{
+    /// <summary>
+    /// Attempts to enable automatic tax for given upcoming invoice options.
+    /// </summary>
+    /// <param name="options"></param>
+    /// <param name="customer">The existing customer to which the upcoming invoice belongs.</param>
+    /// <param name="subscription">The existing subscription to which the upcoming invoice belongs.</param>
+    /// <returns>Returns true when successful, false when conditions are not met.</returns>
+    public static bool EnableAutomaticTax(
+        this UpcomingInvoiceOptions options,
+        Customer customer,
+        Subscription subscription)
+    {
+        if (subscription != null && subscription.AutomaticTax.Enabled)
+        {
+            return false;
+        }
+
+        // We might only need to check the automatic tax status.
+        if (!customer.HasTaxLocationVerified() && string.IsNullOrWhiteSpace(customer.Address?.Country))
+        {
+            return false;
+        }
+
+        options.AutomaticTax = new InvoiceAutomaticTaxOptions { Enabled = true };
+        options.SubscriptionDefaultTaxRates = [];
+
+        return true;
+    }
+}
diff --git a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
index 6b9f32e8f9..57be92ba94 100644
--- a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
@@ -320,7 +320,7 @@ public class PremiumUserBillingService(
         {
             AutomaticTax = new SubscriptionAutomaticTaxOptions
             {
-                Enabled = true
+                Enabled = customer.Tax?.AutomaticTax == StripeConstants.AutomaticTaxStatus.Supported,
             },
             CollectionMethod = StripeConstants.CollectionMethod.ChargeAutomatically,
             Customer = customer.Id,
diff --git a/src/Core/Billing/Services/Implementations/SubscriberService.cs b/src/Core/Billing/Services/Implementations/SubscriberService.cs
index f4cf22ac19..b2dca19e80 100644
--- a/src/Core/Billing/Services/Implementations/SubscriberService.cs
+++ b/src/Core/Billing/Services/Implementations/SubscriberService.cs
@@ -661,11 +661,21 @@ public class SubscriberService(
             }
         }
 
-        await stripeAdapter.SubscriptionUpdateAsync(subscriber.GatewaySubscriptionId,
-            new SubscriptionUpdateOptions
-            {
-                AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true },
-            });
+        if (SubscriberIsEligibleForAutomaticTax(subscriber, customer))
+        {
+            await stripeAdapter.SubscriptionUpdateAsync(subscriber.GatewaySubscriptionId,
+                new SubscriptionUpdateOptions
+                {
+                    AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
+                });
+        }
+
+        return;
+
+        bool SubscriberIsEligibleForAutomaticTax(ISubscriber localSubscriber, Customer localCustomer)
+            => !string.IsNullOrEmpty(localSubscriber.GatewaySubscriptionId) &&
+               (localCustomer.Subscriptions?.Any(sub => sub.Id == localSubscriber.GatewaySubscriptionId && !sub.AutomaticTax.Enabled) ?? false) &&
+               localCustomer.Tax?.AutomaticTax == StripeConstants.AutomaticTaxStatus.Supported;
     }
 
     public async Task VerifyBankAccount(
diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
index 4813608fb5..7f2ac36216 100644
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -177,7 +177,7 @@ public class StripePaymentService : IPaymentService
             customer = await _stripeAdapter.CustomerCreateAsync(customerCreateOptions);
             subCreateOptions.AddExpand("latest_invoice.payment_intent");
             subCreateOptions.Customer = customer.Id;
-            subCreateOptions.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true };
+            subCreateOptions.EnableAutomaticTax(customer);
 
             subscription = await _stripeAdapter.SubscriptionCreateAsync(subCreateOptions);
             if (subscription.Status == "incomplete" && subscription.LatestInvoice?.PaymentIntent != null)
@@ -358,10 +358,9 @@ public class StripePaymentService : IPaymentService
             customer = await _stripeAdapter.CustomerUpdateAsync(org.GatewayCustomerId, customerUpdateOptions);
         }
 
-        var subCreateOptions = new OrganizationUpgradeSubscriptionOptions(customer.Id, org, plan, upgrade)
-        {
-            AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
-        };
+        var subCreateOptions = new OrganizationUpgradeSubscriptionOptions(customer.Id, org, plan, upgrade);
+
+        subCreateOptions.EnableAutomaticTax(customer);
 
         var (stripePaymentMethod, paymentMethodType) = IdentifyPaymentMethod(customer, subCreateOptions);
 
@@ -520,10 +519,6 @@ public class StripePaymentService : IPaymentService
 
             var customerCreateOptions = new CustomerCreateOptions
             {
-                Tax = new CustomerTaxOptions
-                {
-                    ValidateLocation = StripeConstants.ValidateTaxLocationTiming.Immediately
-                },
                 Description = user.Name,
                 Email = user.Email,
                 Metadata = stripeCustomerMetadata,
@@ -561,7 +556,6 @@ public class StripePaymentService : IPaymentService
 
         var subCreateOptions = new SubscriptionCreateOptions
         {
-            AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true },
             Customer = customer.Id,
             Items = [],
             Metadata = new Dictionary<string, string>
@@ -581,10 +575,12 @@ public class StripePaymentService : IPaymentService
             subCreateOptions.Items.Add(new SubscriptionItemOptions
             {
                 Plan = StoragePlanId,
-                Quantity = additionalStorageGb,
+                Quantity = additionalStorageGb
             });
         }
 
+        subCreateOptions.EnableAutomaticTax(customer);
+
         var subscription = await ChargeForNewSubscriptionAsync(user, customer, createdStripeCustomer,
             stripePaymentMethod, paymentMethodType, subCreateOptions, braintreeCustomer);
 
@@ -622,7 +618,10 @@ public class StripePaymentService : IPaymentService
                     SubscriptionItems = ToInvoiceSubscriptionItemOptions(subCreateOptions.Items)
                 });
 
-                previewInvoice.AutomaticTax = new InvoiceAutomaticTax { Enabled = true };
+                if (customer.HasTaxLocationVerified())
+                {
+                    previewInvoice.AutomaticTax = new InvoiceAutomaticTax { Enabled = true };
+                }
 
                 if (previewInvoice.AmountDue > 0)
                 {
@@ -680,12 +679,10 @@ public class StripePaymentService : IPaymentService
                     Customer = customer.Id,
                     SubscriptionItems = ToInvoiceSubscriptionItemOptions(subCreateOptions.Items),
                     SubscriptionDefaultTaxRates = subCreateOptions.DefaultTaxRates,
-                    AutomaticTax = new InvoiceAutomaticTaxOptions
-                    {
-                        Enabled = true
-                    }
                 };
 
+                upcomingInvoiceOptions.EnableAutomaticTax(customer, null);
+
                 var previewInvoice = await _stripeAdapter.InvoiceUpcomingAsync(upcomingInvoiceOptions);
 
                 if (previewInvoice.AmountDue > 0)
@@ -804,11 +801,7 @@ public class StripePaymentService : IPaymentService
             Items = updatedItemOptions,
             ProrationBehavior = invoiceNow ? Constants.AlwaysInvoice : Constants.CreateProrations,
             DaysUntilDue = daysUntilDue ?? 1,
-            CollectionMethod = "send_invoice",
-            AutomaticTax = new SubscriptionAutomaticTaxOptions
-            {
-                Enabled = true
-            }
+            CollectionMethod = "send_invoice"
         };
         if (!invoiceNow && isAnnualPlan && sub.Status.Trim() != "trialing")
         {
@@ -816,6 +809,8 @@ public class StripePaymentService : IPaymentService
                 new SubscriptionPendingInvoiceItemIntervalOptions { Interval = "month" };
         }
 
+        subUpdateOptions.EnableAutomaticTax(sub.Customer, sub);
+
         if (!subscriptionUpdate.UpdateNeeded(sub))
         {
             // No need to update subscription, quantity matches
@@ -1500,11 +1495,13 @@ public class StripePaymentService : IPaymentService
             if (!string.IsNullOrEmpty(subscriber.GatewaySubscriptionId) &&
                 customer.Subscriptions.Any(sub =>
                     sub.Id == subscriber.GatewaySubscriptionId &&
-                    !sub.AutomaticTax.Enabled))
+                    !sub.AutomaticTax.Enabled) &&
+                customer.HasTaxLocationVerified())
             {
                 var subscriptionUpdateOptions = new SubscriptionUpdateOptions
                 {
-                    AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
+                    AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true },
+                    DefaultTaxRates = []
                 };
 
                 _ = await _stripeAdapter.SubscriptionUpdateAsync(

From fb74512d27e21a72c20ccf8e7a70cdad2d3db04f Mon Sep 17 00:00:00 2001
From: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
Date: Thu, 20 Feb 2025 10:10:10 -0500
Subject: [PATCH 295/384] refactor(TwoFactorComponentRefactor Feature Flag):
 [PM-8113] - Deprecate TwoFactorComponentRefactor feature flag in favor of
 UnauthenticatedExtensionUIRefresh feature flag. (#5120)

---
 src/Core/Constants.cs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 91637e3893..5023c4b3fc 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -129,7 +129,6 @@ public static class FeatureFlagKeys
     public const string PM4154BulkEncryptionService = "PM-4154-bulk-encryption-service";
     public const string VaultBulkManagementAction = "vault-bulk-management-action";
     public const string InlineMenuFieldQualification = "inline-menu-field-qualification";
-    public const string TwoFactorComponentRefactor = "two-factor-component-refactor";
     public const string InlineMenuPositioningImprovements = "inline-menu-positioning-improvements";
     public const string DeviceTrustLogging = "pm-8285-device-trust-logging";
     public const string SSHKeyItemVaultItem = "ssh-key-vault-item";

From 0b6f0d9fe8968798cb847f5dfeb461def862d06d Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Thu, 20 Feb 2025 11:19:48 -0500
Subject: [PATCH 296/384] Collect Code Coverage In DB Tests (#5431)

---
 .github/workflows/test-database.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/test-database.yml b/.github/workflows/test-database.yml
index a668ddb37d..81119414ff 100644
--- a/.github/workflows/test-database.yml
+++ b/.github/workflows/test-database.yml
@@ -146,7 +146,7 @@ jobs:
           # Unified MariaDB
           BW_TEST_DATABASES__4__TYPE: "MySql"
           BW_TEST_DATABASES__4__CONNECTIONSTRING: "server=localhost;port=4306;uid=root;pwd=mariadb-password;database=vault_dev;Allow User Variables=true"
-        run: dotnet test --logger "trx;LogFileName=infrastructure-test-results.trx"
+        run: dotnet test --logger "trx;LogFileName=infrastructure-test-results.trx" /p:CoverletOutputFormatter="cobertura" --collect:"XPlat Code Coverage"
         shell: pwsh
 
       - name: Print MySQL Logs
@@ -174,6 +174,9 @@ jobs:
           reporter: dotnet-trx
           fail-on-error: true
 
+      - name: Upload to codecov.io
+        uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
+
       - name: Docker Compose down
         if: always()
         working-directory: "dev"

From 5bbd9054017850b86c1620e29a0e53e331b00aed Mon Sep 17 00:00:00 2001
From: Conner Turnbull <133619638+cturnbull-bitwarden@users.noreply.github.com>
Date: Thu, 20 Feb 2025 13:03:29 -0500
Subject: [PATCH 297/384] [PM-18436] Only cancel subscriptions when creating or
 renewing (#5423)

* Only cancel subscriptions during creation or cycle renewal

* Resolved possible null reference warning

* Inverted conitional to reduce nesting
---
 .../Jobs/SubscriptionCancellationJob.cs       |  4 +-
 .../SubscriptionUpdatedHandler.cs             | 43 +++++++++++--------
 2 files changed, 26 insertions(+), 21 deletions(-)

diff --git a/src/Billing/Jobs/SubscriptionCancellationJob.cs b/src/Billing/Jobs/SubscriptionCancellationJob.cs
index c46581272e..b59bb10eaf 100644
--- a/src/Billing/Jobs/SubscriptionCancellationJob.cs
+++ b/src/Billing/Jobs/SubscriptionCancellationJob.cs
@@ -23,9 +23,9 @@ public class SubscriptionCancellationJob(
         }
 
         var subscription = await stripeFacade.GetSubscription(subscriptionId);
-        if (subscription?.Status != "unpaid")
+        if (subscription?.Status != "unpaid" ||
+            subscription.LatestInvoice?.BillingReason is not ("subscription_cycle" or "subscription_create"))
         {
-            // Subscription is no longer unpaid, skip cancellation
             return;
         }
 
diff --git a/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs b/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs
index 10a1d1a186..4e142f8cae 100644
--- a/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs
+++ b/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs
@@ -59,7 +59,7 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
     /// <param name="parsedEvent"></param>
     public async Task HandleAsync(Event parsedEvent)
     {
-        var subscription = await _stripeEventService.GetSubscription(parsedEvent, true, ["customer", "discounts"]);
+        var subscription = await _stripeEventService.GetSubscription(parsedEvent, true, ["customer", "discounts", "latest_invoice"]);
         var (organizationId, userId, providerId) = _stripeEventUtilityService.GetIdsFromMetadata(subscription.Metadata);
 
         switch (subscription.Status)
@@ -68,7 +68,8 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
                 when organizationId.HasValue:
                 {
                     await _organizationService.DisableAsync(organizationId.Value, subscription.CurrentPeriodEnd);
-                    if (subscription.Status == StripeSubscriptionStatus.Unpaid)
+                    if (subscription.Status == StripeSubscriptionStatus.Unpaid &&
+                        subscription.LatestInvoice is { BillingReason: "subscription_cycle" or "subscription_create" })
                     {
                         await ScheduleCancellationJobAsync(subscription.Id, organizationId.Value);
                     }
@@ -96,7 +97,10 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
                 {
                     await _organizationEnableCommand.EnableAsync(organizationId.Value);
                     var organization = await _organizationRepository.GetByIdAsync(organizationId.Value);
-                    await _pushNotificationService.PushSyncOrganizationStatusAsync(organization);
+                    if (organization != null)
+                    {
+                        await _pushNotificationService.PushSyncOrganizationStatusAsync(organization);
+                    }
                     break;
                 }
             case StripeSubscriptionStatus.Active:
@@ -204,23 +208,24 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
     private async Task ScheduleCancellationJobAsync(string subscriptionId, Guid organizationId)
     {
         var isResellerManagedOrgAlertEnabled = _featureService.IsEnabled(FeatureFlagKeys.ResellerManagedOrgAlert);
-
-        if (isResellerManagedOrgAlertEnabled)
+        if (!isResellerManagedOrgAlertEnabled)
         {
-            var scheduler = await _schedulerFactory.GetScheduler();
-
-            var job = JobBuilder.Create<SubscriptionCancellationJob>()
-                .WithIdentity($"cancel-sub-{subscriptionId}", "subscription-cancellations")
-                .UsingJobData("subscriptionId", subscriptionId)
-                .UsingJobData("organizationId", organizationId.ToString())
-                .Build();
-
-            var trigger = TriggerBuilder.Create()
-                .WithIdentity($"cancel-trigger-{subscriptionId}", "subscription-cancellations")
-                .StartAt(DateTimeOffset.UtcNow.AddDays(7))
-                .Build();
-
-            await scheduler.ScheduleJob(job, trigger);
+            return;
         }
+
+        var scheduler = await _schedulerFactory.GetScheduler();
+
+        var job = JobBuilder.Create<SubscriptionCancellationJob>()
+            .WithIdentity($"cancel-sub-{subscriptionId}", "subscription-cancellations")
+            .UsingJobData("subscriptionId", subscriptionId)
+            .UsingJobData("organizationId", organizationId.ToString())
+            .Build();
+
+        var trigger = TriggerBuilder.Create()
+            .WithIdentity($"cancel-trigger-{subscriptionId}", "subscription-cancellations")
+            .StartAt(DateTimeOffset.UtcNow.AddDays(7))
+            .Build();
+
+        await scheduler.ScheduleJob(job, trigger);
     }
 }

From 93e5f7d0fe569fdde1c3732cea851193a68f10ac Mon Sep 17 00:00:00 2001
From: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
Date: Thu, 20 Feb 2025 20:21:50 +0100
Subject: [PATCH 298/384] Incorrect Read only connection string on development
 self-hosted environment (#5426)

---
 src/Core/Settings/GlobalSettings.cs           |  13 +-
 .../Auth/Services/AuthRequestServiceTests.cs  |  11 +-
 .../Services/SubscriberServiceTests.cs        |   5 +-
 .../LaunchDarklyFeatureServiceTests.cs        |  13 +-
 test/Core.Test/Services/UserServiceTests.cs   |   4 +-
 .../Core.Test/Settings/GlobalSettingsTests.cs | 134 ++++++++++++++++++
 .../Tools/Services/SendServiceTests.cs        |   6 +-
 7 files changed, 168 insertions(+), 18 deletions(-)
 create mode 100644 test/Core.Test/Settings/GlobalSettingsTests.cs

diff --git a/src/Core/Settings/GlobalSettings.cs b/src/Core/Settings/GlobalSettings.cs
index a1c7a4fac6..dbfc8543a3 100644
--- a/src/Core/Settings/GlobalSettings.cs
+++ b/src/Core/Settings/GlobalSettings.cs
@@ -241,7 +241,18 @@ public class GlobalSettings : IGlobalSettings
         public string ConnectionString
         {
             get => _connectionString;
-            set => _connectionString = value.Trim('"');
+            set
+            {
+                // On development environment, the self-hosted overrides would not override the read-only connection string, since it is already set from the non-self-hosted connection string.
+                // This causes a bug, where the read-only connection string is pointing to self-hosted database.
+                if (!string.IsNullOrWhiteSpace(_readOnlyConnectionString) &&
+                    _readOnlyConnectionString == _connectionString)
+                {
+                    _readOnlyConnectionString = null;
+                }
+
+                _connectionString = value.Trim('"');
+            }
         }
 
         public string ReadOnlyConnectionString
diff --git a/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs b/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
index 8feef2facc..5e99ecf171 100644
--- a/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
+++ b/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
@@ -19,6 +19,7 @@ using Bit.Test.Common.AutoFixture.Attributes;
 using Bit.Test.Common.Helpers;
 using NSubstitute;
 using Xunit;
+using GlobalSettings = Bit.Core.Settings.GlobalSettings;
 
 #nullable enable
 
@@ -138,7 +139,7 @@ public class AuthRequestServiceTests
 
         sutProvider.GetDependency<IGlobalSettings>()
             .PasswordlessAuth
-            .Returns(new Settings.GlobalSettings.PasswordlessAuthSettings());
+            .Returns(new GlobalSettings.PasswordlessAuthSettings());
 
         var foundAuthRequest = await sutProvider.Sut.GetValidatedAuthRequestAsync(authRequest.Id, authRequest.AccessCode);
 
@@ -513,7 +514,7 @@ public class AuthRequestServiceTests
 
         sutProvider.GetDependency<IGlobalSettings>()
             .PasswordlessAuth
-            .Returns(new Settings.GlobalSettings.PasswordlessAuthSettings());
+            .Returns(new GlobalSettings.PasswordlessAuthSettings());
 
         var updateModel = new AuthRequestUpdateRequestModel
         {
@@ -582,7 +583,7 @@ public class AuthRequestServiceTests
 
         sutProvider.GetDependency<IGlobalSettings>()
             .PasswordlessAuth
-            .Returns(new Settings.GlobalSettings.PasswordlessAuthSettings());
+            .Returns(new GlobalSettings.PasswordlessAuthSettings());
 
         sutProvider.GetDependency<IDeviceRepository>()
             .GetByIdentifierAsync(device.Identifier, authRequest.UserId)
@@ -736,7 +737,7 @@ public class AuthRequestServiceTests
 
         sutProvider.GetDependency<IGlobalSettings>()
             .PasswordlessAuth
-            .Returns(new Settings.GlobalSettings.PasswordlessAuthSettings());
+            .Returns(new GlobalSettings.PasswordlessAuthSettings());
 
         var updateModel = new AuthRequestUpdateRequestModel
         {
@@ -803,7 +804,7 @@ public class AuthRequestServiceTests
 
         sutProvider.GetDependency<IGlobalSettings>()
             .PasswordlessAuth
-            .Returns(new Settings.GlobalSettings.PasswordlessAuthSettings());
+            .Returns(new GlobalSettings.PasswordlessAuthSettings());
 
         var updateModel = new AuthRequestUpdateRequestModel
         {
diff --git a/test/Core.Test/Billing/Services/SubscriberServiceTests.cs b/test/Core.Test/Billing/Services/SubscriberServiceTests.cs
index 9c25ffdc55..5b7a2cc8bd 100644
--- a/test/Core.Test/Billing/Services/SubscriberServiceTests.cs
+++ b/test/Core.Test/Billing/Services/SubscriberServiceTests.cs
@@ -19,6 +19,7 @@ using Xunit;
 using static Bit.Core.Test.Billing.Utilities;
 using Address = Stripe.Address;
 using Customer = Stripe.Customer;
+using GlobalSettings = Bit.Core.Settings.GlobalSettings;
 using PaymentMethod = Stripe.PaymentMethod;
 using Subscription = Stripe.Subscription;
 
@@ -1446,7 +1447,7 @@ public class SubscriberServiceTests
             });
 
         sutProvider.GetDependency<IGlobalSettings>().BaseServiceUri
-            .Returns(new Settings.GlobalSettings.BaseServiceUriSettings(new Settings.GlobalSettings())
+            .Returns(new GlobalSettings.BaseServiceUriSettings(new GlobalSettings())
             {
                 CloudRegion = "US"
             });
@@ -1488,7 +1489,7 @@ public class SubscriberServiceTests
             });
 
         sutProvider.GetDependency<IGlobalSettings>().BaseServiceUri
-            .Returns(new Settings.GlobalSettings.BaseServiceUriSettings(new Settings.GlobalSettings())
+            .Returns(new GlobalSettings.BaseServiceUriSettings(new GlobalSettings())
             {
                 CloudRegion = "US"
             });
diff --git a/test/Core.Test/Services/LaunchDarklyFeatureServiceTests.cs b/test/Core.Test/Services/LaunchDarklyFeatureServiceTests.cs
index a2c86b5a76..a173566b88 100644
--- a/test/Core.Test/Services/LaunchDarklyFeatureServiceTests.cs
+++ b/test/Core.Test/Services/LaunchDarklyFeatureServiceTests.cs
@@ -8,6 +8,7 @@ using Bit.Test.Common.AutoFixture.Attributes;
 using LaunchDarkly.Sdk.Server.Interfaces;
 using NSubstitute;
 using Xunit;
+using GlobalSettings = Bit.Core.Settings.GlobalSettings;
 
 namespace Bit.Core.Test.Services;
 
@@ -41,7 +42,7 @@ public class LaunchDarklyFeatureServiceTests
     [Theory, BitAutoData]
     public void DefaultFeatureValue_WhenSelfHost(string key)
     {
-        var sutProvider = GetSutProvider(new Settings.GlobalSettings { SelfHosted = true });
+        var sutProvider = GetSutProvider(new GlobalSettings { SelfHosted = true });
 
         Assert.False(sutProvider.Sut.IsEnabled(key));
     }
@@ -49,7 +50,7 @@ public class LaunchDarklyFeatureServiceTests
     [Fact]
     public void DefaultFeatureValue_NoSdkKey()
     {
-        var sutProvider = GetSutProvider(new Settings.GlobalSettings());
+        var sutProvider = GetSutProvider(new GlobalSettings());
 
         Assert.False(sutProvider.Sut.IsEnabled(_fakeFeatureKey));
     }
@@ -57,7 +58,7 @@ public class LaunchDarklyFeatureServiceTests
     [Fact(Skip = "For local development")]
     public void FeatureValue_Boolean()
     {
-        var settings = new Settings.GlobalSettings { LaunchDarkly = { SdkKey = _fakeSdkKey } };
+        var settings = new GlobalSettings { LaunchDarkly = { SdkKey = _fakeSdkKey } };
 
         var sutProvider = GetSutProvider(settings);
 
@@ -67,7 +68,7 @@ public class LaunchDarklyFeatureServiceTests
     [Fact(Skip = "For local development")]
     public void FeatureValue_Int()
     {
-        var settings = new Settings.GlobalSettings { LaunchDarkly = { SdkKey = _fakeSdkKey } };
+        var settings = new GlobalSettings { LaunchDarkly = { SdkKey = _fakeSdkKey } };
 
         var sutProvider = GetSutProvider(settings);
 
@@ -77,7 +78,7 @@ public class LaunchDarklyFeatureServiceTests
     [Fact(Skip = "For local development")]
     public void FeatureValue_String()
     {
-        var settings = new Settings.GlobalSettings { LaunchDarkly = { SdkKey = _fakeSdkKey } };
+        var settings = new GlobalSettings { LaunchDarkly = { SdkKey = _fakeSdkKey } };
 
         var sutProvider = GetSutProvider(settings);
 
@@ -87,7 +88,7 @@ public class LaunchDarklyFeatureServiceTests
     [Fact(Skip = "For local development")]
     public void GetAll()
     {
-        var sutProvider = GetSutProvider(new Settings.GlobalSettings());
+        var sutProvider = GetSutProvider(new GlobalSettings());
 
         var results = sutProvider.Sut.GetAll();
 
diff --git a/test/Core.Test/Services/UserServiceTests.cs b/test/Core.Test/Services/UserServiceTests.cs
index 88c214f471..880e79500d 100644
--- a/test/Core.Test/Services/UserServiceTests.cs
+++ b/test/Core.Test/Services/UserServiceTests.cs
@@ -66,8 +66,8 @@ public class UserServiceTests
         user.EmailVerified = true;
         user.Email = userLicense.Email;
 
-        sutProvider.GetDependency<Settings.IGlobalSettings>().SelfHosted = true;
-        sutProvider.GetDependency<Settings.IGlobalSettings>().LicenseDirectory = tempDir.Directory;
+        sutProvider.GetDependency<IGlobalSettings>().SelfHosted = true;
+        sutProvider.GetDependency<IGlobalSettings>().LicenseDirectory = tempDir.Directory;
         sutProvider.GetDependency<ILicensingService>()
             .VerifyLicense(userLicense)
             .Returns(true);
diff --git a/test/Core.Test/Settings/GlobalSettingsTests.cs b/test/Core.Test/Settings/GlobalSettingsTests.cs
new file mode 100644
index 0000000000..1f5aa494bb
--- /dev/null
+++ b/test/Core.Test/Settings/GlobalSettingsTests.cs
@@ -0,0 +1,134 @@
+using Bit.Core.Settings;
+using Xunit;
+
+namespace Bit.Core.Test.Settings;
+
+public class GlobalSettingsTests
+{
+    public class SqlSettingsTests
+    {
+        private const string _testingConnectionString =
+            "Server=server;Database=database;User Id=user;Password=password;";
+
+        private const string _testingReadOnlyConnectionString =
+            "Server=server_read;Database=database_read;User Id=user_read;Password=password_read;";
+
+        [Fact]
+        public void ConnectionString_ValueInDoubleQuotes_Stripped()
+        {
+            var settings = new GlobalSettings.SqlSettings { ConnectionString = $"\"{_testingConnectionString}\"", };
+
+            Assert.Equal(_testingConnectionString, settings.ConnectionString);
+        }
+
+        [Fact]
+        public void ConnectionString_ValueWithoutDoubleQuotes_TheSameValue()
+        {
+            var settings = new GlobalSettings.SqlSettings { ConnectionString = _testingConnectionString };
+
+            Assert.Equal(_testingConnectionString, settings.ConnectionString);
+        }
+
+        [Fact]
+        public void ConnectionString_SetTwice_ReturnsSecondConnectionString()
+        {
+            var settings = new GlobalSettings.SqlSettings { ConnectionString = _testingConnectionString };
+
+            Assert.Equal(_testingConnectionString, settings.ConnectionString);
+
+            var newConnectionString = $"{_testingConnectionString}_new";
+            settings.ConnectionString = newConnectionString;
+
+            Assert.Equal(newConnectionString, settings.ConnectionString);
+        }
+
+        [Fact]
+        public void ReadOnlyConnectionString_ValueInDoubleQuotes_Stripped()
+        {
+            var settings = new GlobalSettings.SqlSettings
+            {
+                ReadOnlyConnectionString = $"\"{_testingReadOnlyConnectionString}\"",
+            };
+
+            Assert.Equal(_testingReadOnlyConnectionString, settings.ReadOnlyConnectionString);
+        }
+
+        [Fact]
+        public void ReadOnlyConnectionString_ValueWithoutDoubleQuotes_TheSameValue()
+        {
+            var settings = new GlobalSettings.SqlSettings
+            {
+                ReadOnlyConnectionString = _testingReadOnlyConnectionString
+            };
+
+            Assert.Equal(_testingReadOnlyConnectionString, settings.ReadOnlyConnectionString);
+        }
+
+        [Fact]
+        public void ReadOnlyConnectionString_NotSet_DefaultsToConnectionString()
+        {
+            var settings = new GlobalSettings.SqlSettings { ConnectionString = _testingConnectionString };
+
+            Assert.Equal(_testingConnectionString, settings.ReadOnlyConnectionString);
+        }
+
+        [Fact]
+        public void ReadOnlyConnectionString_Set_ReturnsReadOnlyConnectionString()
+        {
+            var settings = new GlobalSettings.SqlSettings
+            {
+                ConnectionString = _testingConnectionString,
+                ReadOnlyConnectionString = _testingReadOnlyConnectionString
+            };
+
+            Assert.Equal(_testingReadOnlyConnectionString, settings.ReadOnlyConnectionString);
+        }
+
+        [Fact]
+        public void ReadOnlyConnectionString_SetTwice_ReturnsSecondReadOnlyConnectionString()
+        {
+            var settings = new GlobalSettings.SqlSettings
+            {
+                ConnectionString = _testingConnectionString,
+                ReadOnlyConnectionString = _testingReadOnlyConnectionString
+            };
+
+            Assert.Equal(_testingReadOnlyConnectionString, settings.ReadOnlyConnectionString);
+
+            var newReadOnlyConnectionString = $"{_testingReadOnlyConnectionString}_new";
+            settings.ReadOnlyConnectionString = newReadOnlyConnectionString;
+
+            Assert.Equal(newReadOnlyConnectionString, settings.ReadOnlyConnectionString);
+        }
+
+        [Fact]
+        public void ReadOnlyConnectionString_NotSetAndConnectionStringSetTwice_ReturnsSecondConnectionString()
+        {
+            var settings = new GlobalSettings.SqlSettings { ConnectionString = _testingConnectionString };
+
+            Assert.Equal(_testingConnectionString, settings.ReadOnlyConnectionString);
+
+            var newConnectionString = $"{_testingConnectionString}_new";
+            settings.ConnectionString = newConnectionString;
+
+            Assert.Equal(newConnectionString, settings.ReadOnlyConnectionString);
+        }
+
+        [Fact]
+        public void ReadOnlyConnectionString_SetAndConnectionStringSetTwice_ReturnsReadOnlyConnectionString()
+        {
+            var settings = new GlobalSettings.SqlSettings
+            {
+                ConnectionString = _testingConnectionString,
+                ReadOnlyConnectionString = _testingReadOnlyConnectionString
+            };
+
+            Assert.Equal(_testingReadOnlyConnectionString, settings.ReadOnlyConnectionString);
+
+            var newConnectionString = $"{_testingConnectionString}_new";
+            settings.ConnectionString = newConnectionString;
+
+            Assert.Equal(_testingReadOnlyConnectionString, settings.ReadOnlyConnectionString);
+        }
+    }
+}
diff --git a/test/Core.Test/Tools/Services/SendServiceTests.cs b/test/Core.Test/Tools/Services/SendServiceTests.cs
index 7ef6f915dd..cabb438b61 100644
--- a/test/Core.Test/Tools/Services/SendServiceTests.cs
+++ b/test/Core.Test/Tools/Services/SendServiceTests.cs
@@ -24,6 +24,8 @@ using Microsoft.AspNetCore.Identity;
 using NSubstitute;
 using Xunit;
 
+using GlobalSettings = Bit.Core.Settings.GlobalSettings;
+
 namespace Bit.Core.Test.Tools.Services;
 
 [SutProviderCustomize]
@@ -309,7 +311,7 @@ public class SendServiceTests
             .CanAccessPremium(user)
             .Returns(true);
 
-        sutProvider.GetDependency<Settings.GlobalSettings>()
+        sutProvider.GetDependency<GlobalSettings>()
             .SelfHosted = true;
 
         var badRequest = await Assert.ThrowsAsync<BadRequestException>(() =>
@@ -342,7 +344,7 @@ public class SendServiceTests
             .CanAccessPremium(user)
             .Returns(true);
 
-        sutProvider.GetDependency<Settings.GlobalSettings>()
+        sutProvider.GetDependency<GlobalSettings>()
             .SelfHosted = false;
 
         var badRequest = await Assert.ThrowsAsync<BadRequestException>(() =>

From 2f4d5283d34ada143efde0463f996bd6c7f3224a Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Thu, 20 Feb 2025 15:08:06 -0500
Subject: [PATCH 299/384] [PM-17449] Add stored proc, EF query, and an
 integration test for them (#5413)

---
 .../IOrganizationDomainRepository.cs          |  1 +
 .../OrganizationDomainRepository.cs           | 14 ++++
 .../OrganizationDomainRepository.cs           | 21 +++++
 ...ganizationDomain_ReadByOrganizationIds.sql | 14 ++++
 .../OrganizationDomainRepositoryTests.cs      | 77 +++++++++++++++++++
 ...ganizationDomain_ReadByOrganizationIds.sql | 15 ++++
 6 files changed, 142 insertions(+)
 create mode 100644 src/Sql/dbo/Stored Procedures/OrganizationDomain_ReadByOrganizationIds.sql
 create mode 100644 util/Migrator/DbScripts/2025-02-17_00_OrganizationDomain_ReadByOrganizationIds.sql

diff --git a/src/Core/Repositories/IOrganizationDomainRepository.cs b/src/Core/Repositories/IOrganizationDomainRepository.cs
index f8b45574a2..d802fe65df 100644
--- a/src/Core/Repositories/IOrganizationDomainRepository.cs
+++ b/src/Core/Repositories/IOrganizationDomainRepository.cs
@@ -12,6 +12,7 @@ public interface IOrganizationDomainRepository : IRepository<OrganizationDomain,
     Task<ICollection<OrganizationDomain>> GetManyByNextRunDateAsync(DateTime date);
     Task<OrganizationDomainSsoDetailsData?> GetOrganizationDomainSsoDetailsAsync(string email);
     Task<IEnumerable<VerifiedOrganizationDomainSsoDetail>> GetVerifiedOrganizationDomainSsoDetailsAsync(string email);
+    Task<IEnumerable<OrganizationDomain>> GetVerifiedDomainsByOrganizationIdsAsync(IEnumerable<Guid> organizationIds);
     Task<OrganizationDomain?> GetDomainByIdOrganizationIdAsync(Guid id, Guid organizationId);
     Task<OrganizationDomain?> GetDomainByOrgIdAndDomainNameAsync(Guid orgId, string domainName);
     Task<ICollection<OrganizationDomain>> GetExpiredOrganizationDomainsAsync();
diff --git a/src/Infrastructure.Dapper/Repositories/OrganizationDomainRepository.cs b/src/Infrastructure.Dapper/Repositories/OrganizationDomainRepository.cs
index 1a7085eb18..91cbc40ff6 100644
--- a/src/Infrastructure.Dapper/Repositories/OrganizationDomainRepository.cs
+++ b/src/Infrastructure.Dapper/Repositories/OrganizationDomainRepository.cs
@@ -46,6 +46,20 @@ public class OrganizationDomainRepository : Repository<OrganizationDomain, Guid>
         }
     }
 
+    public async Task<IEnumerable<OrganizationDomain>> GetVerifiedDomainsByOrganizationIdsAsync(IEnumerable<Guid> organizationIds)
+    {
+
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var results = await connection.QueryAsync<OrganizationDomain>(
+                $"[{Schema}].[OrganizationDomain_ReadByOrganizationIds]",
+                new { OrganizationIds = organizationIds.ToGuidIdArrayTVP() },
+                commandType: CommandType.StoredProcedure);
+
+            return results.ToList();
+        }
+    }
+
     public async Task<ICollection<OrganizationDomain>> GetManyByNextRunDateAsync(DateTime date)
     {
         using var connection = new SqlConnection(ConnectionString);
diff --git a/src/Infrastructure.EntityFramework/Repositories/OrganizationDomainRepository.cs b/src/Infrastructure.EntityFramework/Repositories/OrganizationDomainRepository.cs
index 50d791b81b..e7bee0cdfd 100644
--- a/src/Infrastructure.EntityFramework/Repositories/OrganizationDomainRepository.cs
+++ b/src/Infrastructure.EntityFramework/Repositories/OrganizationDomainRepository.cs
@@ -157,4 +157,25 @@ public class OrganizationDomainRepository : Repository<Core.Entities.Organizatio
         dbContext.OrganizationDomains.RemoveRange(expiredDomains);
         return await dbContext.SaveChangesAsync() > 0;
     }
+
+    public async Task<IEnumerable<Core.Entities.OrganizationDomain>> GetVerifiedDomainsByOrganizationIdsAsync(
+        IEnumerable<Guid> organizationIds)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+
+        var verifiedDomains = await (from d in dbContext.OrganizationDomains
+                                     where organizationIds.Contains(d.OrganizationId) && d.VerifiedDate != null
+                                     select new OrganizationDomain
+                                     {
+                                         OrganizationId = d.OrganizationId,
+                                         DomainName = d.DomainName
+                                     })
+            .AsNoTracking()
+            .ToListAsync();
+
+        return Mapper.Map<List<OrganizationDomain>>(verifiedDomains);
+    }
+
 }
+
diff --git a/src/Sql/dbo/Stored Procedures/OrganizationDomain_ReadByOrganizationIds.sql b/src/Sql/dbo/Stored Procedures/OrganizationDomain_ReadByOrganizationIds.sql
new file mode 100644
index 0000000000..f62544e486
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/OrganizationDomain_ReadByOrganizationIds.sql	
@@ -0,0 +1,14 @@
+CREATE PROCEDURE [dbo].[OrganizationDomain_ReadByOrganizationIds]
+    @OrganizationIds AS [dbo].[GuidIdArray] READONLY
+AS
+BEGIN
+
+    SET NOCOUNT ON
+        
+    SELECT
+        d.OrganizationId,
+        d.DomainName
+    FROM dbo.OrganizationDomainView AS d
+    WHERE d.OrganizationId IN (SELECT [Id] FROM @OrganizationIds)
+        AND d.VerifiedDate IS NOT NULL;
+END
\ No newline at end of file
diff --git a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationDomainRepositoryTests.cs b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationDomainRepositoryTests.cs
index a1c5f9bd07..6c1ac00073 100644
--- a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationDomainRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationDomainRepositoryTests.cs
@@ -306,4 +306,81 @@ public class OrganizationDomainRepositoryTests
         var expectedDomain = domains.FirstOrDefault(domain => domain.DomainName == organizationDomain.DomainName);
         Assert.Null(expectedDomain);
     }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetVerifiedDomainsByOrganizationIdsAsync_ShouldVerifiedDomainsMatchesOrganizationIds(
+        IOrganizationRepository organizationRepository,
+        IOrganizationDomainRepository organizationDomainRepository)
+    {
+        // Arrange
+        var guid1 = Guid.NewGuid();
+        var guid2 = Guid.NewGuid();
+
+        var organization1 = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = $"Test Org {guid1}",
+            BillingEmail = $"test+{guid1}@example.com",
+            Plan = "Test",
+            PrivateKey = "privatekey",
+
+        });
+
+        var organization1Domain1 = new OrganizationDomain
+        {
+            OrganizationId = organization1.Id,
+            DomainName = $"domain1+{guid1}@example.com",
+            Txt = "btw+12345"
+        };
+
+        const int arbitraryNextIteration = 1;
+        organization1Domain1.SetNextRunDate(arbitraryNextIteration);
+        organization1Domain1.SetVerifiedDate();
+
+        await organizationDomainRepository.CreateAsync(organization1Domain1);
+
+        var organization1Domain2 = new OrganizationDomain
+        {
+            OrganizationId = organization1.Id,
+            DomainName = $"domain2+{guid1}@example.com",
+            Txt = "btw+12345"
+        };
+
+        organization1Domain2.SetNextRunDate(arbitraryNextIteration);
+
+        await organizationDomainRepository.CreateAsync(organization1Domain2);
+
+        var organization2 = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = $"Test Org {guid2}",
+            BillingEmail = $"test+{guid2}@example.com",
+            Plan = "Test",
+            PrivateKey = "privatekey",
+
+        });
+
+        var organization2Domain1 = new OrganizationDomain
+        {
+            OrganizationId = organization2.Id,
+            DomainName = $"domain+{guid2}@example.com",
+            Txt = "btw+12345"
+        };
+        organization2Domain1.SetVerifiedDate();
+        organization2Domain1.SetNextRunDate(arbitraryNextIteration);
+
+        await organizationDomainRepository.CreateAsync(organization2Domain1);
+
+
+        // Act
+        var domains = await organizationDomainRepository.GetVerifiedDomainsByOrganizationIdsAsync(new[] { organization1.Id });
+
+        // Assert
+        var expectedDomain = domains.FirstOrDefault(domain => domain.DomainName == organization1Domain1.DomainName);
+        Assert.NotNull(expectedDomain);
+
+        var unverifiedDomain = domains.FirstOrDefault(domain => domain.DomainName == organization1Domain2.DomainName);
+        var otherOrganizationDomain = domains.FirstOrDefault(domain => domain.DomainName == organization2Domain1.DomainName);
+
+        Assert.Null(otherOrganizationDomain);
+        Assert.Null(unverifiedDomain);
+    }
 }
diff --git a/util/Migrator/DbScripts/2025-02-17_00_OrganizationDomain_ReadByOrganizationIds.sql b/util/Migrator/DbScripts/2025-02-17_00_OrganizationDomain_ReadByOrganizationIds.sql
new file mode 100644
index 0000000000..5616aa0ac7
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-02-17_00_OrganizationDomain_ReadByOrganizationIds.sql
@@ -0,0 +1,15 @@
+
+CREATE OR ALTER PROCEDURE [dbo].[OrganizationDomain_ReadByOrganizationIds]
+    @OrganizationIds AS [dbo].[GuidIdArray] READONLY
+AS
+BEGIN
+
+    SET NOCOUNT ON
+        
+    SELECT
+        d.OrganizationId,
+        d.DomainName
+    FROM dbo.OrganizationDomainView AS d
+    WHERE d.OrganizationId IN (SELECT [Id] FROM @OrganizationIds)
+        AND d.VerifiedDate IS NOT NULL;
+END
\ No newline at end of file

From 06c96a96c543b70045c2e96423859588c1db37ce Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Thu, 20 Feb 2025 15:38:59 -0500
Subject: [PATCH 300/384] [PM-17449] Add logic to handle email updates for
 managed users. (#5422)

---
 .../Auth/Controllers/AccountsController.cs    | 12 ----
 .../Services/Implementations/UserService.cs   | 35 +++++++++++
 .../Controllers/AccountsControllerTest.cs     | 59 +------------------
 .../Controllers/AccountsControllerTests.cs    | 30 ----------
 test/Core.Test/Services/UserServiceTests.cs   |  2 +
 5 files changed, 38 insertions(+), 100 deletions(-)

diff --git a/src/Api/Auth/Controllers/AccountsController.cs b/src/Api/Auth/Controllers/AccountsController.cs
index 1cd9292386..f3af49e6c3 100644
--- a/src/Api/Auth/Controllers/AccountsController.cs
+++ b/src/Api/Auth/Controllers/AccountsController.cs
@@ -149,12 +149,6 @@ public class AccountsController : Controller
             throw new BadRequestException("MasterPasswordHash", "Invalid password.");
         }
 
-        // If Account Deprovisioning is enabled, we need to check if the user is managed by any organization.
-        if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
-            && await _userService.IsManagedByAnyOrganizationAsync(user.Id))
-        {
-            throw new BadRequestException("Cannot change emails for accounts owned by an organization. Contact your organization administrator for additional details.");
-        }
 
         await _userService.InitiateEmailChangeAsync(user, model.NewEmail);
     }
@@ -173,12 +167,6 @@ public class AccountsController : Controller
             throw new BadRequestException("You cannot change your email when using Key Connector.");
         }
 
-        // If Account Deprovisioning is enabled, we need to check if the user is managed by any organization.
-        if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
-            && await _userService.IsManagedByAnyOrganizationAsync(user.Id))
-        {
-            throw new BadRequestException("Cannot change emails for accounts owned by an organization. Contact your organization administrator for additional details.");
-        }
 
         var result = await _userService.ChangeEmailAsync(user, model.MasterPasswordHash, model.NewEmail,
             model.NewMasterPasswordHash, model.Token, model.Key);
diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index e04290a686..47637d0f75 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -49,6 +49,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
     private readonly ICipherRepository _cipherRepository;
     private readonly IOrganizationUserRepository _organizationUserRepository;
     private readonly IOrganizationRepository _organizationRepository;
+    private readonly IOrganizationDomainRepository _organizationDomainRepository;
     private readonly IMailService _mailService;
     private readonly IPushNotificationService _pushService;
     private readonly IdentityErrorDescriber _identityErrorDescriber;
@@ -81,6 +82,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         ICipherRepository cipherRepository,
         IOrganizationUserRepository organizationUserRepository,
         IOrganizationRepository organizationRepository,
+        IOrganizationDomainRepository organizationDomainRepository,
         IMailService mailService,
         IPushNotificationService pushService,
         IUserStore<User> store,
@@ -127,6 +129,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         _cipherRepository = cipherRepository;
         _organizationUserRepository = organizationUserRepository;
         _organizationRepository = organizationRepository;
+        _organizationDomainRepository = organizationDomainRepository;
         _mailService = mailService;
         _pushService = pushService;
         _identityOptions = optionsAccessor?.Value ?? new IdentityOptions();
@@ -521,6 +524,13 @@ public class UserService : UserManager<User>, IUserService, IDisposable
             return IdentityResult.Failed(_identityErrorDescriber.PasswordMismatch());
         }
 
+        var managedUserValidationResult = await ValidateManagedUserAsync(user, newEmail);
+
+        if (!managedUserValidationResult.Succeeded)
+        {
+            return managedUserValidationResult;
+        }
+
         if (!await base.VerifyUserTokenAsync(user, _identityOptions.Tokens.ChangeEmailTokenProvider,
             GetChangeEmailTokenPurpose(newEmail), token))
         {
@@ -586,6 +596,31 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         return IdentityResult.Success;
     }
 
+    private async Task<IdentityResult> ValidateManagedUserAsync(User user, string newEmail)
+    {
+        var managingOrganizations = await GetOrganizationsManagingUserAsync(user.Id);
+
+        if (!managingOrganizations.Any())
+        {
+            return IdentityResult.Success;
+        }
+
+        var newDomain = CoreHelpers.GetEmailDomain(newEmail);
+
+        var verifiedDomains = await _organizationDomainRepository.GetVerifiedDomainsByOrganizationIdsAsync(managingOrganizations.Select(org => org.Id));
+
+        if (verifiedDomains.Any(verifiedDomain => verifiedDomain.DomainName == newDomain))
+        {
+            return IdentityResult.Success;
+        }
+
+        return IdentityResult.Failed(new IdentityError
+        {
+            Code = "EmailDomainMismatch",
+            Description = "Your new email must match your organization domain."
+        });
+    }
+
     public async Task<IdentityResult> ChangePasswordAsync(User user, string masterPassword, string newMasterPassword, string passwordHint,
         string key)
     {
diff --git a/test/Api.IntegrationTest/Controllers/AccountsControllerTest.cs b/test/Api.IntegrationTest/Controllers/AccountsControllerTest.cs
index 6dd7f42c63..277f558566 100644
--- a/test/Api.IntegrationTest/Controllers/AccountsControllerTest.cs
+++ b/test/Api.IntegrationTest/Controllers/AccountsControllerTest.cs
@@ -1,6 +1,4 @@
-using System.Net;
-using System.Net.Http.Headers;
-using Bit.Api.Auth.Models.Request.Accounts;
+using System.Net.Http.Headers;
 using Bit.Api.IntegrationTest.Factories;
 using Bit.Api.IntegrationTest.Helpers;
 using Bit.Api.Models.Response;
@@ -45,61 +43,6 @@ public class AccountsControllerTest : IClassFixture<ApiApplicationFactory>
         Assert.NotNull(content.SecurityStamp);
     }
 
-    [Fact]
-    public async Task PostEmailToken_WhenAccountDeprovisioningEnabled_WithManagedAccount_ThrowsBadRequest()
-    {
-        var email = await SetupOrganizationManagedAccount();
-
-        var tokens = await _factory.LoginAsync(email);
-        var client = _factory.CreateClient();
-
-        var model = new EmailTokenRequestModel
-        {
-            NewEmail = $"{Guid.NewGuid()}@example.com",
-            MasterPasswordHash = "master_password_hash"
-        };
-
-        using var message = new HttpRequestMessage(HttpMethod.Post, "/accounts/email-token")
-        {
-            Content = JsonContent.Create(model)
-        };
-        message.Headers.Authorization = new AuthenticationHeaderValue("Bearer", tokens.Token);
-        var response = await client.SendAsync(message);
-
-        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
-        var content = await response.Content.ReadAsStringAsync();
-        Assert.Contains("Cannot change emails for accounts owned by an organization", content);
-    }
-
-    [Fact]
-    public async Task PostEmail_WhenAccountDeprovisioningEnabled_WithManagedAccount_ThrowsBadRequest()
-    {
-        var email = await SetupOrganizationManagedAccount();
-
-        var tokens = await _factory.LoginAsync(email);
-        var client = _factory.CreateClient();
-
-        var model = new EmailRequestModel
-        {
-            NewEmail = $"{Guid.NewGuid()}@example.com",
-            MasterPasswordHash = "master_password_hash",
-            NewMasterPasswordHash = "master_password_hash",
-            Token = "validtoken",
-            Key = "key"
-        };
-
-        using var message = new HttpRequestMessage(HttpMethod.Post, "/accounts/email")
-        {
-            Content = JsonContent.Create(model)
-        };
-        message.Headers.Authorization = new AuthenticationHeaderValue("Bearer", tokens.Token);
-        var response = await client.SendAsync(message);
-
-        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
-        var content = await response.Content.ReadAsStringAsync();
-        Assert.Contains("Cannot change emails for accounts owned by an organization", content);
-    }
-
     private async Task<string> SetupOrganizationManagedAccount()
     {
         _factory.SubstituteService<IFeatureService>(featureService =>
diff --git a/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs b/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
index 33b7e764d4..8bdb14bf78 100644
--- a/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
+++ b/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
@@ -181,22 +181,6 @@ public class AccountsControllerTests : IDisposable
         );
     }
 
-    [Fact]
-    public async Task PostEmailToken_WithAccountDeprovisioningEnabled_WhenUserIsManagedByAnOrganization_ShouldThrowBadRequestException()
-    {
-        var user = GenerateExampleUser();
-        ConfigureUserServiceToReturnValidPrincipalFor(user);
-        ConfigureUserServiceToAcceptPasswordFor(user);
-        _featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning).Returns(true);
-        _userService.IsManagedByAnyOrganizationAsync(user.Id).Returns(true);
-
-        var result = await Assert.ThrowsAsync<BadRequestException>(
-            () => _sut.PostEmailToken(new EmailTokenRequestModel())
-        );
-
-        Assert.Equal("Cannot change emails for accounts owned by an organization. Contact your organization administrator for additional details.", result.Message);
-    }
-
     [Fact]
     public async Task PostEmail_ShouldChangeUserEmail()
     {
@@ -248,20 +232,6 @@ public class AccountsControllerTests : IDisposable
         );
     }
 
-    [Fact]
-    public async Task PostEmail_WithAccountDeprovisioningEnabled_WhenUserIsManagedByAnOrganization_ShouldThrowBadRequestException()
-    {
-        var user = GenerateExampleUser();
-        ConfigureUserServiceToReturnValidPrincipalFor(user);
-        _featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning).Returns(true);
-        _userService.IsManagedByAnyOrganizationAsync(user.Id).Returns(true);
-
-        var result = await Assert.ThrowsAsync<BadRequestException>(
-            () => _sut.PostEmail(new EmailRequestModel())
-        );
-
-        Assert.Equal("Cannot change emails for accounts owned by an organization. Contact your organization administrator for additional details.", result.Message);
-    }
 
     [Fact]
     public async Task PostVerifyEmail_ShouldSendEmailVerification()
diff --git a/test/Core.Test/Services/UserServiceTests.cs b/test/Core.Test/Services/UserServiceTests.cs
index 880e79500d..7f1dd37b6b 100644
--- a/test/Core.Test/Services/UserServiceTests.cs
+++ b/test/Core.Test/Services/UserServiceTests.cs
@@ -248,6 +248,7 @@ public class UserServiceTests
             sutProvider.GetDependency<ICipherRepository>(),
             sutProvider.GetDependency<IOrganizationUserRepository>(),
             sutProvider.GetDependency<IOrganizationRepository>(),
+            sutProvider.GetDependency<IOrganizationDomainRepository>(),
             sutProvider.GetDependency<IMailService>(),
             sutProvider.GetDependency<IPushNotificationService>(),
             sutProvider.GetDependency<IUserStore<User>>(),
@@ -829,6 +830,7 @@ public class UserServiceTests
             sutProvider.GetDependency<ICipherRepository>(),
             sutProvider.GetDependency<IOrganizationUserRepository>(),
             sutProvider.GetDependency<IOrganizationRepository>(),
+            sutProvider.GetDependency<IOrganizationDomainRepository>(),
             sutProvider.GetDependency<IMailService>(),
             sutProvider.GetDependency<IPushNotificationService>(),
             sutProvider.GetDependency<IUserStore<User>>(),

From f6365fa3859c0bca72ef778bf03d988bca1c5d92 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Fri, 21 Feb 2025 15:35:36 +0100
Subject: [PATCH 301/384] [PM-17593] Remove Multi-Org Enterprise feature flag
 (#5351)

---
 .../Controllers/ProvidersController.cs        | 10 ---
 .../Views/Providers/Create.cshtml             |  5 --
 .../AdminConsole/Views/Providers/Edit.cshtml  | 45 +++++++-------
 src/Core/Constants.cs                         |  2 +-
 .../Controllers/ProvidersControllerTests.cs   | 62 -------------------
 5 files changed, 22 insertions(+), 102 deletions(-)

diff --git a/src/Admin/AdminConsole/Controllers/ProvidersController.cs b/src/Admin/AdminConsole/Controllers/ProvidersController.cs
index 38e25939c4..9e3dc00cd6 100644
--- a/src/Admin/AdminConsole/Controllers/ProvidersController.cs
+++ b/src/Admin/AdminConsole/Controllers/ProvidersController.cs
@@ -3,7 +3,6 @@ using System.Net;
 using Bit.Admin.AdminConsole.Models;
 using Bit.Admin.Enums;
 using Bit.Admin.Utilities;
-using Bit.Core;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Providers.Interfaces;
@@ -133,11 +132,6 @@ public class ProvidersController : Controller
     [HttpGet("providers/create/multi-organization-enterprise")]
     public IActionResult CreateMultiOrganizationEnterprise(int enterpriseMinimumSeats, string ownerEmail = null)
     {
-        if (!_featureService.IsEnabled(FeatureFlagKeys.PM12275_MultiOrganizationEnterprises))
-        {
-            return RedirectToAction("Create");
-        }
-
         return View(new CreateMultiOrganizationEnterpriseProviderModel
         {
             OwnerEmail = ownerEmail,
@@ -211,10 +205,6 @@ public class ProvidersController : Controller
         }
         var provider = model.ToProvider();
 
-        if (!_featureService.IsEnabled(FeatureFlagKeys.PM12275_MultiOrganizationEnterprises))
-        {
-            return RedirectToAction("Create");
-        }
         await _createProviderCommand.CreateMultiOrganizationEnterpriseAsync(
             provider,
             model.OwnerEmail,
diff --git a/src/Admin/AdminConsole/Views/Providers/Create.cshtml b/src/Admin/AdminConsole/Views/Providers/Create.cshtml
index 3c92075991..25574bf6b9 100644
--- a/src/Admin/AdminConsole/Views/Providers/Create.cshtml
+++ b/src/Admin/AdminConsole/Views/Providers/Create.cshtml
@@ -12,11 +12,6 @@
     var providerTypes = Enum.GetValues<ProviderType>()
         .OrderBy(x => x.GetDisplayAttribute().Order)
         .ToList();
-
-    if (!FeatureService.IsEnabled(FeatureFlagKeys.PM12275_MultiOrganizationEnterprises))
-    {
-        providerTypes.Remove(ProviderType.MultiOrganizationEnterprise);
-    }
 }
 
 <h1>Create Provider</h1>
diff --git a/src/Admin/AdminConsole/Views/Providers/Edit.cshtml b/src/Admin/AdminConsole/Views/Providers/Edit.cshtml
index be13a7c740..045109fb36 100644
--- a/src/Admin/AdminConsole/Views/Providers/Edit.cshtml
+++ b/src/Admin/AdminConsole/Views/Providers/Edit.cshtml
@@ -76,32 +76,29 @@
             }
             case ProviderType.MultiOrganizationEnterprise:
             {
-                @if (FeatureService.IsEnabled(FeatureFlagKeys.PM12275_MultiOrganizationEnterprises) && Model.Provider.Type == ProviderType.MultiOrganizationEnterprise)
-                {
-                    <div class="row">
-                        <div class="col-sm">
-                            <div class="mb-3">
-                                @{
-                                    var multiOrgPlans = new List<PlanType>
-                                    {
-                                        PlanType.EnterpriseAnnually,
-                                        PlanType.EnterpriseMonthly
-                                    };
-                                }
-                                <label asp-for="Plan" class="form-label"></label>
-                                <select class="form-control" asp-for="Plan" asp-items="Html.GetEnumSelectList(multiOrgPlans)">
-                                    <option value="">--</option>
-                                </select>
-                            </div>
-                        </div>
-                        <div class="col-sm">
-                            <div class="mb-3">
-                                <label asp-for="EnterpriseMinimumSeats" class="form-label"></label>
-                                <input type="number" class="form-control" asp-for="EnterpriseMinimumSeats">
-                            </div>
+                <div class="row">
+                    <div class="col-sm">
+                        <div class="mb-3">
+                            @{
+                                var multiOrgPlans = new List<PlanType>
+                                {
+                                    PlanType.EnterpriseAnnually,
+                                    PlanType.EnterpriseMonthly
+                                };
+                            }
+                            <label asp-for="Plan" class="form-label"></label>
+                            <select class="form-control" asp-for="Plan" asp-items="Html.GetEnumSelectList(multiOrgPlans)">
+                                <option value="">--</option>
+                            </select>
                         </div>
                     </div>
-                }
+                    <div class="col-sm">
+                        <div class="mb-3">
+                            <label asp-for="EnterpriseMinimumSeats" class="form-label"></label>
+                            <input type="number" class="form-control" asp-for="EnterpriseMinimumSeats">
+                        </div>
+                    </div>
+                </div>
                 break;
             }
         }
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 5023c4b3fc..ee48479d5f 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -150,7 +150,7 @@ public static class FeatureFlagKeys
     public const string StorageReseedRefactor = "storage-reseed-refactor";
     public const string TrialPayment = "PM-8163-trial-payment";
     public const string RemoveServerVersionHeader = "remove-server-version-header";
-    public const string PM12275_MultiOrganizationEnterprises = "pm-12275-multi-organization-enterprises";
+    public const string GeneratorToolsModernization = "generator-tools-modernization";
     public const string NewDeviceVerification = "new-device-verification";
     public const string NewDeviceVerificationTemporaryDismiss = "new-device-temporary-dismiss";
     public const string NewDeviceVerificationPermanentDismiss = "new-device-permanent-dismiss";
diff --git a/test/Admin.Test/AdminConsole/Controllers/ProvidersControllerTests.cs b/test/Admin.Test/AdminConsole/Controllers/ProvidersControllerTests.cs
index be9883ba07..e84d4c0ef8 100644
--- a/test/Admin.Test/AdminConsole/Controllers/ProvidersControllerTests.cs
+++ b/test/Admin.Test/AdminConsole/Controllers/ProvidersControllerTests.cs
@@ -1,11 +1,9 @@
 using Bit.Admin.AdminConsole.Controllers;
 using Bit.Admin.AdminConsole.Models;
-using Bit.Core;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Providers.Interfaces;
 using Bit.Core.Billing.Enums;
-using Bit.Core.Services;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Microsoft.AspNetCore.Mvc;
@@ -86,9 +84,6 @@ public class ProvidersControllerTests
         SutProvider<ProvidersController> sutProvider)
     {
         // Arrange
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.PM12275_MultiOrganizationEnterprises)
-            .Returns(true);
 
         // Act
         var actual = await sutProvider.Sut.CreateMultiOrganizationEnterprise(model);
@@ -102,9 +97,6 @@ public class ProvidersControllerTests
                 model.OwnerEmail,
                 Arg.Is<PlanType>(y => y == model.Plan),
                 model.EnterpriseSeatMinimum);
-        sutProvider.GetDependency<IFeatureService>()
-            .Received(Quantity.Exactly(1))
-            .IsEnabled(FeatureFlagKeys.PM12275_MultiOrganizationEnterprises);
     }
 
     [BitAutoData]
@@ -129,10 +121,6 @@ public class ProvidersControllerTests
                 providerArgument.Id = expectedProviderId;
             });
 
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.PM12275_MultiOrganizationEnterprises)
-            .Returns(true);
-
         // Act
         var actual = await sutProvider.Sut.CreateMultiOrganizationEnterprise(model);
 
@@ -144,53 +132,6 @@ public class ProvidersControllerTests
         Assert.Null(actualResult.ControllerName);
         Assert.Equal(expectedProviderId, actualResult.RouteValues["Id"]);
     }
-
-    [BitAutoData]
-    [SutProviderCustomize]
-    [Theory]
-    public async Task CreateMultiOrganizationEnterpriseAsync_ChecksFeatureFlag(
-        CreateMultiOrganizationEnterpriseProviderModel model,
-        SutProvider<ProvidersController> sutProvider)
-    {
-        // Arrange
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.PM12275_MultiOrganizationEnterprises)
-            .Returns(true);
-
-        // Act
-        await sutProvider.Sut.CreateMultiOrganizationEnterprise(model);
-
-        // Assert
-        sutProvider.GetDependency<IFeatureService>()
-            .Received(Quantity.Exactly(1))
-            .IsEnabled(FeatureFlagKeys.PM12275_MultiOrganizationEnterprises);
-    }
-
-    [BitAutoData]
-    [SutProviderCustomize]
-    [Theory]
-    public async Task CreateMultiOrganizationEnterpriseAsync_RedirectsToProviderTypeSelectionPage_WhenFeatureFlagIsDisabled(
-        CreateMultiOrganizationEnterpriseProviderModel model,
-        SutProvider<ProvidersController> sutProvider)
-    {
-        // Arrange
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.PM12275_MultiOrganizationEnterprises)
-            .Returns(false);
-
-        // Act
-        var actual = await sutProvider.Sut.CreateMultiOrganizationEnterprise(model);
-
-        // Assert
-        sutProvider.GetDependency<IFeatureService>()
-            .Received(Quantity.Exactly(1))
-            .IsEnabled(FeatureFlagKeys.PM12275_MultiOrganizationEnterprises);
-
-        Assert.IsType<RedirectToActionResult>(actual);
-        var actualResult = (RedirectToActionResult)actual;
-        Assert.Equal("Create", actualResult.ActionName);
-        Assert.Null(actualResult.ControllerName);
-    }
     #endregion
 
     #region CreateResellerAsync
@@ -202,9 +143,6 @@ public class ProvidersControllerTests
         SutProvider<ProvidersController> sutProvider)
     {
         // Arrange
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.PM12275_MultiOrganizationEnterprises)
-            .Returns(true);
 
         // Act
         var actual = await sutProvider.Sut.CreateReseller(model);

From b66f255c5c6d6e5145fd4feeff7bad199571f115 Mon Sep 17 00:00:00 2001
From: Robyn MacCallum <robyntmaccallum@gmail.com>
Date: Fri, 21 Feb 2025 10:21:31 -0500
Subject: [PATCH 302/384] Add import-logins-flow flag (#5397)

---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index ee48479d5f..c310674bcc 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -173,6 +173,7 @@ public static class FeatureFlagKeys
     public const string AndroidMutualTls = "mutual-tls";
     public const string RecoveryCodeLogin = "pm-17128-recovery-code-login";
     public const string PM3503_MobileAnonAddySelfHostAlias = "anon-addy-self-host-alias";
+    public const string AndroidImportLoginsFlow = "import-logins-flow";
 
     public static List<string> GetAllKeys()
     {

From b00f11fc43c0d5f20a8e224a8f9e3fc4dc23e60e Mon Sep 17 00:00:00 2001
From: Ike <137194738+ike-kottlowski@users.noreply.github.com>
Date: Fri, 21 Feb 2025 11:12:31 -0500
Subject: [PATCH 303/384] [PM-17645] : update email for new email multi factor
 tokens (#5428)

* feat(newDeviceVerification) : Initial update to email

* fix : email copying over extra whitespace when using keyboard short cuts

* test : Fixing tests for new device verificaiton email format
---
 .../Auth/Controllers/TwoFactorController.cs   |  7 ++-
 .../Handlebars/Auth/TwoFactorEmail.html.hbs   | 46 ++++++++++----
 .../Handlebars/Auth/TwoFactorEmail.text.hbs   | 15 ++++-
 .../Mail/TwoFactorEmailTokenViewModel.cs      | 25 ++++++++
 ...=> UserVerificationEmailTokenViewModel.cs} |  2 +-
 src/Core/Services/IMailService.cs             |  2 +-
 src/Core/Services/IUserService.cs             | 16 ++++-
 .../Implementations/HandlebarsMailService.cs  | 20 ++++--
 .../Services/Implementations/UserService.cs   | 29 +++++++--
 .../NoopImplementations/NoopMailService.cs    |  2 +-
 .../RequestValidators/DeviceValidator.cs      | 10 ++-
 test/Core.Test/Services/UserServiceTests.cs   | 62 +++++++++++++++++--
 .../Endpoints/IdentityServerTwoFactorTests.cs | 14 ++++-
 .../IdentityServer/DeviceValidatorTests.cs    |  2 +-
 14 files changed, 214 insertions(+), 38 deletions(-)
 create mode 100644 src/Core/Models/Mail/TwoFactorEmailTokenViewModel.cs
 rename src/Core/Models/Mail/{EmailTokenViewModel.cs => UserVerificationEmailTokenViewModel.cs} (54%)

diff --git a/src/Api/Auth/Controllers/TwoFactorController.cs b/src/Api/Auth/Controllers/TwoFactorController.cs
index c7d39f64b0..83490f1c2f 100644
--- a/src/Api/Auth/Controllers/TwoFactorController.cs
+++ b/src/Api/Auth/Controllers/TwoFactorController.cs
@@ -288,12 +288,17 @@ public class TwoFactorController : Controller
         return response;
     }
 
+    /// <summary>
+    /// This endpoint is only used to set-up email two factor authentication.
+    /// </summary>
+    /// <param name="model">secret verification model</param>
+    /// <returns>void</returns>
     [HttpPost("send-email")]
     public async Task SendEmail([FromBody] TwoFactorEmailRequestModel model)
     {
         var user = await CheckAsync(model, false, true);
         model.ToUser(user);
-        await _userService.SendTwoFactorEmailAsync(user);
+        await _userService.SendTwoFactorEmailAsync(user, false);
     }
 
     [AllowAnonymous]
diff --git a/src/Core/MailTemplates/Handlebars/Auth/TwoFactorEmail.html.hbs b/src/Core/MailTemplates/Handlebars/Auth/TwoFactorEmail.html.hbs
index be51c4e9f3..27a222f1de 100644
--- a/src/Core/MailTemplates/Handlebars/Auth/TwoFactorEmail.html.hbs
+++ b/src/Core/MailTemplates/Handlebars/Auth/TwoFactorEmail.html.hbs
@@ -1,14 +1,38 @@
 {{#>FullHtmlLayout}}
 <table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
-    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
-        <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;" valign="top">
-            Your two-step verification code is: <b style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">{{Token}}</b>
-        </td>
-    </tr>
-    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
-        <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none;" valign="top">
-            Use this code to complete logging in with Bitwarden.
-        </td>
-    </tr>
+  <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+    <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none;" valign="top">
+      To finish {{EmailTotpAction}}, enter this verification code: <b style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">{{Token}}</b>
+    </td>
+  </tr>
+  <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+    <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none;" valign="top">
+      <br style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;" />
+      If this was not you, take these immediate steps to secure your account in the <a target="_blank" clicktracking="off" href="{{{WebVaultUrl}}}" style="-webkit-font-smoothing: antialiased;-webkit-text-size-adjust: none;box-sizing: border-box;color: #175ddc;font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif;font-size: 16px;line-height: 25px;margin: 0;text-decoration: none;">web app</a>:
+      <ul>
+        <li>Deauthorize unrecognized devices</li>
+        <li>Change your master password</li>
+        <li>Turn on two-step login</li>
+      </ul>
+    </td>
+  </tr>
+  <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+    <td class="content-block last"  style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none;" valign="top">
+      <br style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;" />
+      <hr />
+      <br style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;" />
+      <b style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">Account:</b>
+      {{AccountEmail}}
+      <br style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;" />
+      <b style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">Date:</b>
+      {{TheDate}} at {{TheTime}} {{TimeZone}}
+      <br style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;" />
+      <b style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">IP:</b>
+      {{DeviceIp}}
+      <br style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;" />
+      <b style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">DeviceType:</b>
+      {{DeviceType}}
+    </td>
+  </tr>
 </table>
-{{/FullHtmlLayout}}
+{{/FullHtmlLayout}}
\ No newline at end of file
diff --git a/src/Core/MailTemplates/Handlebars/Auth/TwoFactorEmail.text.hbs b/src/Core/MailTemplates/Handlebars/Auth/TwoFactorEmail.text.hbs
index c7e64e5da2..211a870d6a 100644
--- a/src/Core/MailTemplates/Handlebars/Auth/TwoFactorEmail.text.hbs
+++ b/src/Core/MailTemplates/Handlebars/Auth/TwoFactorEmail.text.hbs
@@ -1,5 +1,16 @@
 {{#>BasicTextLayout}}
-Your two-step verification code is: {{Token}}
+To finish {{EmailTotpAction}}, enter this verification code: {{Token}}
 
-Use this code to complete logging in with Bitwarden.
+If this was not you, take these immediate steps to secure your account in the web app:
+
+Deauthorize unrecognized devices
+
+Change your master password
+
+Turn on two-step login
+
+Account : {{AccountEmail}}
+Date : {{TheDate}} at {{TheTime}} {{TimeZone}}
+IP : {{DeviceIp}}
+Device Type : {{DeviceType}}
 {{/BasicTextLayout}}
\ No newline at end of file
diff --git a/src/Core/Models/Mail/TwoFactorEmailTokenViewModel.cs b/src/Core/Models/Mail/TwoFactorEmailTokenViewModel.cs
new file mode 100644
index 0000000000..dbd47af35a
--- /dev/null
+++ b/src/Core/Models/Mail/TwoFactorEmailTokenViewModel.cs
@@ -0,0 +1,25 @@
+namespace Bit.Core.Models.Mail;
+
+/// <summary>
+/// This view model is used to set-up email two factor authentication, to log in with email two factor authentication,
+/// and for new device verification.
+/// </summary>
+public class TwoFactorEmailTokenViewModel : BaseMailModel
+{
+    public string Token { get; set; }
+    /// <summary>
+    /// This view model is used to also set-up email two factor authentication. We use this property to communicate
+    /// the purpose of the email, since it can be used for logging in and for setting up.
+    /// </summary>
+    public string EmailTotpAction { get; set; }
+    /// <summary>
+    /// When logging in with email two factor the account email may not be the same as the email used for two factor.
+    /// we want to show the account email in the email, so the user knows which account they are logging into.
+    /// </summary>
+    public string AccountEmail { get; set; }
+    public string TheDate { get; set; }
+    public string TheTime { get; set; }
+    public string TimeZone { get; set; }
+    public string DeviceIp { get; set; }
+    public string DeviceType { get; set; }
+}
diff --git a/src/Core/Models/Mail/EmailTokenViewModel.cs b/src/Core/Models/Mail/UserVerificationEmailTokenViewModel.cs
similarity index 54%
rename from src/Core/Models/Mail/EmailTokenViewModel.cs
rename to src/Core/Models/Mail/UserVerificationEmailTokenViewModel.cs
index 561df580e8..b8850b5f00 100644
--- a/src/Core/Models/Mail/EmailTokenViewModel.cs
+++ b/src/Core/Models/Mail/UserVerificationEmailTokenViewModel.cs
@@ -1,6 +1,6 @@
 namespace Bit.Core.Models.Mail;
 
-public class EmailTokenViewModel : BaseMailModel
+public class UserVerificationEmailTokenViewModel : BaseMailModel
 {
     public string Token { get; set; }
 }
diff --git a/src/Core/Services/IMailService.cs b/src/Core/Services/IMailService.cs
index 92d05ddb7d..3492ada838 100644
--- a/src/Core/Services/IMailService.cs
+++ b/src/Core/Services/IMailService.cs
@@ -23,7 +23,7 @@ public interface IMailService
     Task SendCannotDeleteManagedAccountEmailAsync(string email);
     Task SendChangeEmailAlreadyExistsEmailAsync(string fromEmail, string toEmail);
     Task SendChangeEmailEmailAsync(string newEmailAddress, string token);
-    Task SendTwoFactorEmailAsync(string email, string token);
+    Task SendTwoFactorEmailAsync(string email, string accountEmail, string token, string deviceIp, string deviceType, bool authentication = true);
     Task SendNoMasterPasswordHintEmailAsync(string email);
     Task SendMasterPasswordHintEmailAsync(string email, string hint);
 
diff --git a/src/Core/Services/IUserService.cs b/src/Core/Services/IUserService.cs
index d1c61e4418..2ac7796547 100644
--- a/src/Core/Services/IUserService.cs
+++ b/src/Core/Services/IUserService.cs
@@ -21,7 +21,21 @@ public interface IUserService
     Task<IdentityResult> CreateUserAsync(User user);
     Task<IdentityResult> CreateUserAsync(User user, string masterPasswordHash);
     Task SendMasterPasswordHintAsync(string email);
-    Task SendTwoFactorEmailAsync(User user);
+    /// <summary>
+    /// Used for both email two factor and email two factor setup.
+    /// </summary>
+    /// <param name="user">user requesting the action</param>
+    /// <param name="authentication">this controls if what verbiage is shown in the email</param>
+    /// <returns>void</returns>
+    Task SendTwoFactorEmailAsync(User user, bool authentication = true);
+    /// <summary>
+    /// Calls the same email implementation but instead it sends the token to the account email not the
+    /// email set up for two-factor, since in practice they can be different.
+    /// </summary>
+    /// <param name="user">user attepting to login with a new device</param>
+    /// <returns>void</returns>
+    Task SendNewDeviceVerificationEmailAsync(User user);
+    Task<bool> VerifyTwoFactorEmailAsync(User user, string token);
     Task<CredentialCreateOptions> StartWebAuthnRegistrationAsync(User user);
     Task<bool> DeleteWebAuthnKeyAsync(User user, int id);
     Task<bool> CompleteWebAuthRegistrationAsync(User user, int value, string name, AuthenticatorAttestationRawResponse attestationResponse);
diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs
index d18a29b13a..44be3bfdf4 100644
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@@ -146,7 +146,7 @@ public class HandlebarsMailService : IMailService
     public async Task SendChangeEmailEmailAsync(string newEmailAddress, string token)
     {
         var message = CreateDefaultMessage("Your Email Change", newEmailAddress);
-        var model = new EmailTokenViewModel
+        var model = new UserVerificationEmailTokenViewModel
         {
             Token = token,
             WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
@@ -158,14 +158,22 @@ public class HandlebarsMailService : IMailService
         await _mailDeliveryService.SendEmailAsync(message);
     }
 
-    public async Task SendTwoFactorEmailAsync(string email, string token)
+    public async Task SendTwoFactorEmailAsync(string email, string accountEmail, string token, string deviceIp, string deviceType, bool authentication = true)
     {
-        var message = CreateDefaultMessage("Your Two-step Login Verification Code", email);
-        var model = new EmailTokenViewModel
+        var message = CreateDefaultMessage("Your Bitwarden Verification Code", email);
+        var requestDateTime = DateTime.UtcNow;
+        var model = new TwoFactorEmailTokenViewModel
         {
             Token = token,
+            EmailTotpAction = authentication ? "logging in" : "setting up two-step login",
+            AccountEmail = accountEmail,
+            TheDate = requestDateTime.ToLongDateString(),
+            TheTime = requestDateTime.ToShortTimeString(),
+            TimeZone = _utcTimeZoneDisplay,
+            DeviceIp = deviceIp,
+            DeviceType = deviceType,
             WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
-            SiteName = _globalSettings.SiteName
+            SiteName = _globalSettings.SiteName,
         };
         await AddMessageContentAsync(message, "Auth.TwoFactorEmail", model);
         message.MetaData.Add("SendGridBypassListManagement", true);
@@ -1012,7 +1020,7 @@ public class HandlebarsMailService : IMailService
     public async Task SendOTPEmailAsync(string email, string token)
     {
         var message = CreateDefaultMessage("Your Bitwarden Verification Code", email);
-        var model = new EmailTokenViewModel
+        var model = new UserVerificationEmailTokenViewModel
         {
             Token = token,
             WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index 47637d0f75..2374d8f4e1 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -1,4 +1,6 @@
-using System.Security.Claims;
+using System.ComponentModel.DataAnnotations;
+using System.Reflection;
+using System.Security.Claims;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data;
@@ -350,7 +352,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         await _mailService.SendMasterPasswordHintEmailAsync(email, user.MasterPasswordHint);
     }
 
-    public async Task SendTwoFactorEmailAsync(User user)
+    public async Task SendTwoFactorEmailAsync(User user, bool authentication = true)
     {
         var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Email);
         if (provider == null || provider.MetaData == null || !provider.MetaData.ContainsKey("Email"))
@@ -361,7 +363,26 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         var email = ((string)provider.MetaData["Email"]).ToLowerInvariant();
         var token = await base.GenerateTwoFactorTokenAsync(user,
             CoreHelpers.CustomProviderName(TwoFactorProviderType.Email));
-        await _mailService.SendTwoFactorEmailAsync(email, token);
+
+        var deviceType = _currentContext.DeviceType?.GetType().GetMember(_currentContext.DeviceType?.ToString())
+            .FirstOrDefault()?.GetCustomAttribute<DisplayAttribute>()?.GetName() ?? "Unknown Browser";
+
+        await _mailService.SendTwoFactorEmailAsync(
+            email, user.Email, token, _currentContext.IpAddress, deviceType, authentication);
+    }
+
+    public async Task SendNewDeviceVerificationEmailAsync(User user)
+    {
+        ArgumentNullException.ThrowIfNull(user);
+
+        var token = await base.GenerateUserTokenAsync(user, TokenOptions.DefaultEmailProvider,
+            "otp:" + user.Email);
+
+        var deviceType = _currentContext.DeviceType?.GetType().GetMember(_currentContext.DeviceType?.ToString())
+            .FirstOrDefault()?.GetCustomAttribute<DisplayAttribute>()?.GetName() ?? "Unknown Browser";
+
+        await _mailService.SendTwoFactorEmailAsync(
+            user.Email, user.Email, token, _currentContext.IpAddress, deviceType);
     }
 
     public async Task<bool> VerifyTwoFactorEmailAsync(User user, string token)
@@ -1519,7 +1540,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
 
         if (await VerifySecretAsync(user, secret))
         {
-            await SendOTPAsync(user);
+            await SendNewDeviceVerificationEmailAsync(user);
         }
     }
 
diff --git a/src/Core/Services/NoopImplementations/NoopMailService.cs b/src/Core/Services/NoopImplementations/NoopMailService.cs
index d6b330294d..9984f8ee90 100644
--- a/src/Core/Services/NoopImplementations/NoopMailService.cs
+++ b/src/Core/Services/NoopImplementations/NoopMailService.cs
@@ -87,7 +87,7 @@ public class NoopMailService : IMailService
     public Task SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(string organizationName, string email) =>
         Task.CompletedTask;
 
-    public Task SendTwoFactorEmailAsync(string email, string token)
+    public Task SendTwoFactorEmailAsync(string email, string accountEmail, string token, string deviceIp, string deviceType, bool authentication = true)
     {
         return Task.FromResult(0);
     }
diff --git a/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs b/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
index fee10e10ff..17d16f5949 100644
--- a/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
@@ -79,7 +79,7 @@ public class DeviceValidator(
                     BuildDeviceErrorResult(validationResult);
                 if (validationResult == DeviceValidationResultType.NewDeviceVerificationRequired)
                 {
-                    await _userService.SendOTPAsync(context.User);
+                    await _userService.SendNewDeviceVerificationEmailAsync(context.User);
                 }
                 return false;
             }
@@ -163,6 +163,14 @@ public class DeviceValidator(
         return DeviceValidationResultType.NewDeviceVerificationRequired;
     }
 
+    /// <summary>
+    /// Sends an email whenever the user logs in from a new device. Will not send to a user who's account
+    /// is less than 10 minutes old. We assume an account that is less than 10 minutes old is new and does
+    /// not need an email stating they just logged in.
+    /// </summary>
+    /// <param name="user">user logging in</param>
+    /// <param name="requestDevice">current device being approved to login</param>
+    /// <returns>void</returns>
     private async Task SendNewDeviceLoginEmail(User user, Device requestDevice)
     {
         // Ensure that the user doesn't receive a "new device" email on the first login
diff --git a/test/Core.Test/Services/UserServiceTests.cs b/test/Core.Test/Services/UserServiceTests.cs
index 7f1dd37b6b..3158c1595c 100644
--- a/test/Core.Test/Services/UserServiceTests.cs
+++ b/test/Core.Test/Services/UserServiceTests.cs
@@ -96,6 +96,9 @@ public class UserServiceTests
     {
         var email = user.Email.ToLowerInvariant();
         var token = "thisisatokentocompare";
+        var authentication = true;
+        var IpAddress = "1.1.1.1";
+        var deviceType = "Android";
 
         var userTwoFactorTokenProvider = Substitute.For<IUserTwoFactorTokenProvider<User>>();
         userTwoFactorTokenProvider
@@ -105,6 +108,10 @@ public class UserServiceTests
             .GenerateAsync("TwoFactor", Arg.Any<UserManager<User>>(), user)
             .Returns(Task.FromResult(token));
 
+        var context = sutProvider.GetDependency<ICurrentContext>();
+        context.DeviceType = DeviceType.Android;
+        context.IpAddress = IpAddress;
+
         sutProvider.Sut.RegisterTokenProvider("Custom_Email", userTwoFactorTokenProvider);
 
         user.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
@@ -119,7 +126,7 @@ public class UserServiceTests
 
         await sutProvider.GetDependency<IMailService>()
             .Received(1)
-            .SendTwoFactorEmailAsync(email, token);
+            .SendTwoFactorEmailAsync(email, user.Email, token, IpAddress, deviceType, authentication);
     }
 
     [Theory, BitAutoData]
@@ -160,6 +167,44 @@ public class UserServiceTests
         await Assert.ThrowsAsync<ArgumentNullException>("No email.", () => sutProvider.Sut.SendTwoFactorEmailAsync(user));
     }
 
+    [Theory, BitAutoData]
+    public async Task SendNewDeviceVerificationEmailAsync_ExceptionBecauseUserNull(SutProvider<UserService> sutProvider)
+    {
+        await Assert.ThrowsAsync<ArgumentNullException>(() => sutProvider.Sut.SendNewDeviceVerificationEmailAsync(null));
+    }
+
+    [Theory]
+    [BitAutoData(DeviceType.UnknownBrowser, "Unknown Browser")]
+    [BitAutoData(DeviceType.Android, "Android")]
+    public async Task SendNewDeviceVerificationEmailAsync_DeviceMatches(DeviceType deviceType, string deviceTypeName, SutProvider<UserService> sutProvider, User user)
+    {
+        SetupFakeTokenProvider(sutProvider, user);
+        var context = sutProvider.GetDependency<ICurrentContext>();
+        context.DeviceType = deviceType;
+        context.IpAddress = "1.1.1.1";
+
+        await sutProvider.Sut.SendNewDeviceVerificationEmailAsync(user);
+
+        await sutProvider.GetDependency<IMailService>()
+            .Received(1)
+            .SendTwoFactorEmailAsync(Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), deviceTypeName, Arg.Any<bool>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task SendNewDeviceVerificationEmailAsync_NullDeviceTypeShouldSendUnkownBrowserType(SutProvider<UserService> sutProvider, User user)
+    {
+        SetupFakeTokenProvider(sutProvider, user);
+        var context = sutProvider.GetDependency<ICurrentContext>();
+        context.DeviceType = null;
+        context.IpAddress = "1.1.1.1";
+
+        await sutProvider.Sut.SendNewDeviceVerificationEmailAsync(user);
+
+        await sutProvider.GetDependency<IMailService>()
+            .Received(1)
+            .SendTwoFactorEmailAsync(Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), "Unknown Browser", Arg.Any<bool>());
+    }
+
     [Theory, BitAutoData]
     public async Task HasPremiumFromOrganization_Returns_False_If_No_Orgs(SutProvider<UserService> sutProvider, User user)
     {
@@ -577,7 +622,7 @@ public class UserServiceTests
     }
 
     [Theory, BitAutoData]
-    public async Task ResendNewDeviceVerificationEmail_UserNull_SendOTPAsyncNotCalled(
+    public async Task ResendNewDeviceVerificationEmail_UserNull_SendTwoFactorEmailAsyncNotCalled(
         SutProvider<UserService> sutProvider, string email, string secret)
     {
         sutProvider.GetDependency<IUserRepository>()
@@ -588,11 +633,11 @@ public class UserServiceTests
 
         await sutProvider.GetDependency<IMailService>()
             .DidNotReceive()
-            .SendOTPEmailAsync(Arg.Any<string>(), Arg.Any<string>());
+            .SendTwoFactorEmailAsync(Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<bool>());
     }
 
     [Theory, BitAutoData]
-    public async Task ResendNewDeviceVerificationEmail_SecretNotValid_SendOTPAsyncNotCalled(
+    public async Task ResendNewDeviceVerificationEmail_SecretNotValid_SendTwoFactorEmailAsyncNotCalled(
     SutProvider<UserService> sutProvider, string email, string secret)
     {
         sutProvider.GetDependency<IUserRepository>()
@@ -603,7 +648,7 @@ public class UserServiceTests
 
         await sutProvider.GetDependency<IMailService>()
             .DidNotReceive()
-            .SendOTPEmailAsync(Arg.Any<string>(), Arg.Any<string>());
+            .SendTwoFactorEmailAsync(Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<bool>());
     }
 
     [Theory, BitAutoData]
@@ -637,6 +682,10 @@ public class UserServiceTests
             .GetByEmailAsync(user.Email)
             .Returns(user);
 
+        var context = sutProvider.GetDependency<ICurrentContext>();
+        context.DeviceType = DeviceType.Android;
+        context.IpAddress = "1.1.1.1";
+
         // HACK: SutProvider is being weird about not injecting the IPasswordHasher that I configured
         var sut = RebuildSut(sutProvider);
 
@@ -644,7 +693,8 @@ public class UserServiceTests
 
         await sutProvider.GetDependency<IMailService>()
             .Received(1)
-            .SendOTPEmailAsync(user.Email, Arg.Any<string>());
+            .SendTwoFactorEmailAsync(Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<bool>());
+
     }
 
     [Theory]
diff --git a/test/Identity.IntegrationTest/Endpoints/IdentityServerTwoFactorTests.cs b/test/Identity.IntegrationTest/Endpoints/IdentityServerTwoFactorTests.cs
index 4e598c436d..289f321512 100644
--- a/test/Identity.IntegrationTest/Endpoints/IdentityServerTwoFactorTests.cs
+++ b/test/Identity.IntegrationTest/Endpoints/IdentityServerTwoFactorTests.cs
@@ -67,7 +67,12 @@ public class IdentityServerTwoFactorTests : IClassFixture<IdentityApplicationFac
         string emailToken = null;
         factory.SubstituteService<IMailService>(mailService =>
         {
-            mailService.SendTwoFactorEmailAsync(Arg.Any<string>(), Arg.Do<string>(t => emailToken = t))
+            mailService.SendTwoFactorEmailAsync(
+                    Arg.Any<string>(),
+                    Arg.Any<string>(),
+                    Arg.Do<string>(t => emailToken = t),
+                    Arg.Any<string>(),
+                    Arg.Any<string>())
                 .Returns(Task.CompletedTask);
         });
 
@@ -273,7 +278,12 @@ public class IdentityServerTwoFactorTests : IClassFixture<IdentityApplicationFac
         string emailToken = null;
         localFactory.SubstituteService<IMailService>(mailService =>
         {
-            mailService.SendTwoFactorEmailAsync(Arg.Any<string>(), Arg.Do<string>(t => emailToken = t))
+            mailService.SendTwoFactorEmailAsync(
+                    Arg.Any<string>(),
+                    Arg.Any<string>(),
+                    Arg.Do<string>(t => emailToken = t),
+                    Arg.Any<string>(),
+                    Arg.Any<string>())
                 .Returns(Task.CompletedTask);
         });
 
diff --git a/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs b/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
index 6e6406f16b..fddcf2005d 100644
--- a/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
+++ b/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
@@ -574,7 +574,7 @@ public class DeviceValidatorTests
         var result = await _sut.ValidateRequestDeviceAsync(request, context);
 
         // Assert
-        await _userService.Received(1).SendOTPAsync(context.User);
+        await _userService.Received(1).SendNewDeviceVerificationEmailAsync(context.User);
         await _deviceService.Received(0).SaveAsync(Arg.Any<Device>());
 
         Assert.False(result);

From c1ac96814e3a6b689abd3fe5fc60f6fdd2a26330 Mon Sep 17 00:00:00 2001
From: Brandon Treston <btreston@bitwarden.com>
Date: Fri, 21 Feb 2025 13:23:06 -0500
Subject: [PATCH 304/384] remove feature flag (#5432)

---
 src/Core/Constants.cs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index c310674bcc..879e8365fc 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -105,7 +105,6 @@ public static class FeatureFlagKeys
     public const string ProviderClientVaultPrivacyBanner = "ac-2833-provider-client-vault-privacy-banner";
     public const string AccountDeprovisioning = "pm-10308-account-deprovisioning";
     public const string VerifiedSsoDomainEndpoint = "pm-12337-refactor-sso-details-endpoint";
-    public const string IntegrationPage = "pm-14505-admin-console-integration-page";
     public const string DeviceApprovalRequestAdminNotifications = "pm-15637-device-approval-request-admin-notifications";
     public const string LimitItemDeletion = "pm-15493-restrict-item-deletion-to-can-manage-permission";
     public const string ShortcutDuplicatePatchRequests = "pm-16812-shortcut-duplicate-patch-requests";

From d8cf658207ba3984e2c27f26ec6e43ee5d1ed3b4 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 21 Feb 2025 19:35:39 +0000
Subject: [PATCH 305/384] [deps] Auth: Update sass to v1.85.0 (#4947)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 bitwarden_license/src/Sso/package-lock.json | 33 ++++++++++++++-------
 bitwarden_license/src/Sso/package.json      |  2 +-
 src/Admin/package-lock.json                 | 33 ++++++++++++++-------
 src/Admin/package.json                      |  2 +-
 4 files changed, 48 insertions(+), 22 deletions(-)

diff --git a/bitwarden_license/src/Sso/package-lock.json b/bitwarden_license/src/Sso/package-lock.json
index f1e23abd60..a0e7b767cc 100644
--- a/bitwarden_license/src/Sso/package-lock.json
+++ b/bitwarden_license/src/Sso/package-lock.json
@@ -17,7 +17,7 @@
         "css-loader": "7.1.2",
         "expose-loader": "5.0.0",
         "mini-css-extract-plugin": "2.9.2",
-        "sass": "1.79.5",
+        "sass": "1.85.0",
         "sass-loader": "16.0.4",
         "webpack": "5.97.1",
         "webpack-cli": "5.1.4"
@@ -104,6 +104,7 @@
       "dev": true,
       "hasInstallScript": true,
       "license": "MIT",
+      "optional": true,
       "dependencies": {
         "detect-libc": "^1.0.3",
         "is-glob": "^4.0.3",
@@ -771,6 +772,7 @@
       "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
       "dev": true,
       "license": "MIT",
+      "optional": true,
       "dependencies": {
         "fill-range": "^7.1.1"
       },
@@ -964,6 +966,7 @@
       "integrity": "sha512-pGjwhsmsp4kL2RTz08wcOlGN83otlqHeD/Z5T8GXZB+/YcpQ/dgo+lbU8ZsGxV0HIvqqxo9l7mqYwyYMD9bKDg==",
       "dev": true,
       "license": "Apache-2.0",
+      "optional": true,
       "bin": {
         "detect-libc": "bin/detect-libc.js"
       },
@@ -1133,6 +1136,7 @@
       "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
       "dev": true,
       "license": "MIT",
+      "optional": true,
       "dependencies": {
         "to-regex-range": "^5.0.1"
       },
@@ -1234,9 +1238,9 @@
       }
     },
     "node_modules/immutable": {
-      "version": "4.3.7",
-      "resolved": "https://registry.npmjs.org/immutable/-/immutable-4.3.7.tgz",
-      "integrity": "sha512-1hqclzwYwjRDFLjcFxOM5AYkkG0rpFPpr1RLPMEuGczoS7YA8gLhy8SWXYRAA/XwfEHpfo3cw5JGioS32fnMRw==",
+      "version": "5.0.3",
+      "resolved": "https://registry.npmjs.org/immutable/-/immutable-5.0.3.tgz",
+      "integrity": "sha512-P8IdPQHq3lA1xVeBRi5VPqUm5HDgKnx0Ru51wZz5mjxHr5n3RWhjIpOFU7ybkUxfB+5IToy+OLaHYDBIWsv+uw==",
       "dev": true,
       "license": "MIT"
     },
@@ -1292,6 +1296,7 @@
       "integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==",
       "dev": true,
       "license": "MIT",
+      "optional": true,
       "engines": {
         "node": ">=0.10.0"
       }
@@ -1302,6 +1307,7 @@
       "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==",
       "dev": true,
       "license": "MIT",
+      "optional": true,
       "dependencies": {
         "is-extglob": "^2.1.1"
       },
@@ -1315,6 +1321,7 @@
       "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==",
       "dev": true,
       "license": "MIT",
+      "optional": true,
       "engines": {
         "node": ">=0.12.0"
       }
@@ -1430,6 +1437,7 @@
       "integrity": "sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA==",
       "dev": true,
       "license": "MIT",
+      "optional": true,
       "dependencies": {
         "braces": "^3.0.3",
         "picomatch": "^2.3.1"
@@ -1513,7 +1521,8 @@
       "resolved": "https://registry.npmjs.org/node-addon-api/-/node-addon-api-7.1.1.tgz",
       "integrity": "sha512-5m3bsyrjFWE1xf7nz7YXdN4udnVtXK6/Yfgn5qnahL6bCkf2yKt4k3nuTKAtT4r3IG8JNR2ncsIMdZuAzJjHQQ==",
       "dev": true,
-      "license": "MIT"
+      "license": "MIT",
+      "optional": true
     },
     "node_modules/node-releases": {
       "version": "2.0.19",
@@ -1601,6 +1610,7 @@
       "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
       "dev": true,
       "license": "MIT",
+      "optional": true,
       "engines": {
         "node": ">=8.6"
       },
@@ -1857,15 +1867,14 @@
       "license": "MIT"
     },
     "node_modules/sass": {
-      "version": "1.79.5",
-      "resolved": "https://registry.npmjs.org/sass/-/sass-1.79.5.tgz",
-      "integrity": "sha512-W1h5kp6bdhqFh2tk3DsI771MoEJjvrSY/2ihJRJS4pjIyfJCw0nTsxqhnrUzaLMOJjFchj8rOvraI/YUVjtx5g==",
+      "version": "1.85.0",
+      "resolved": "https://registry.npmjs.org/sass/-/sass-1.85.0.tgz",
+      "integrity": "sha512-3ToiC1xZ1Y8aU7+CkgCI/tqyuPXEmYGJXO7H4uqp0xkLXUqp88rQQ4j1HmP37xSJLbCJPaIiv+cT1y+grssrww==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@parcel/watcher": "^2.4.1",
         "chokidar": "^4.0.0",
-        "immutable": "^4.0.0",
+        "immutable": "^5.0.2",
         "source-map-js": ">=0.6.2 <2.0.0"
       },
       "bin": {
@@ -1873,6 +1882,9 @@
       },
       "engines": {
         "node": ">=14.0.0"
+      },
+      "optionalDependencies": {
+        "@parcel/watcher": "^2.4.1"
       }
     },
     "node_modules/sass-loader": {
@@ -2125,6 +2137,7 @@
       "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
       "dev": true,
       "license": "MIT",
+      "optional": true,
       "dependencies": {
         "is-number": "^7.0.0"
       },
diff --git a/bitwarden_license/src/Sso/package.json b/bitwarden_license/src/Sso/package.json
index fa1fac3907..d9aefafef3 100644
--- a/bitwarden_license/src/Sso/package.json
+++ b/bitwarden_license/src/Sso/package.json
@@ -16,7 +16,7 @@
     "css-loader": "7.1.2",
     "expose-loader": "5.0.0",
     "mini-css-extract-plugin": "2.9.2",
-    "sass": "1.79.5",
+    "sass": "1.85.0",
     "sass-loader": "16.0.4",
     "webpack": "5.97.1",
     "webpack-cli": "5.1.4"
diff --git a/src/Admin/package-lock.json b/src/Admin/package-lock.json
index cc2693eae6..152edd6fc9 100644
--- a/src/Admin/package-lock.json
+++ b/src/Admin/package-lock.json
@@ -18,7 +18,7 @@
         "css-loader": "7.1.2",
         "expose-loader": "5.0.0",
         "mini-css-extract-plugin": "2.9.2",
-        "sass": "1.79.5",
+        "sass": "1.85.0",
         "sass-loader": "16.0.4",
         "webpack": "5.97.1",
         "webpack-cli": "5.1.4"
@@ -105,6 +105,7 @@
       "dev": true,
       "hasInstallScript": true,
       "license": "MIT",
+      "optional": true,
       "dependencies": {
         "detect-libc": "^1.0.3",
         "is-glob": "^4.0.3",
@@ -772,6 +773,7 @@
       "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
       "dev": true,
       "license": "MIT",
+      "optional": true,
       "dependencies": {
         "fill-range": "^7.1.1"
       },
@@ -965,6 +967,7 @@
       "integrity": "sha512-pGjwhsmsp4kL2RTz08wcOlGN83otlqHeD/Z5T8GXZB+/YcpQ/dgo+lbU8ZsGxV0HIvqqxo9l7mqYwyYMD9bKDg==",
       "dev": true,
       "license": "Apache-2.0",
+      "optional": true,
       "bin": {
         "detect-libc": "bin/detect-libc.js"
       },
@@ -1134,6 +1137,7 @@
       "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
       "dev": true,
       "license": "MIT",
+      "optional": true,
       "dependencies": {
         "to-regex-range": "^5.0.1"
       },
@@ -1235,9 +1239,9 @@
       }
     },
     "node_modules/immutable": {
-      "version": "4.3.7",
-      "resolved": "https://registry.npmjs.org/immutable/-/immutable-4.3.7.tgz",
-      "integrity": "sha512-1hqclzwYwjRDFLjcFxOM5AYkkG0rpFPpr1RLPMEuGczoS7YA8gLhy8SWXYRAA/XwfEHpfo3cw5JGioS32fnMRw==",
+      "version": "5.0.3",
+      "resolved": "https://registry.npmjs.org/immutable/-/immutable-5.0.3.tgz",
+      "integrity": "sha512-P8IdPQHq3lA1xVeBRi5VPqUm5HDgKnx0Ru51wZz5mjxHr5n3RWhjIpOFU7ybkUxfB+5IToy+OLaHYDBIWsv+uw==",
       "dev": true,
       "license": "MIT"
     },
@@ -1293,6 +1297,7 @@
       "integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==",
       "dev": true,
       "license": "MIT",
+      "optional": true,
       "engines": {
         "node": ">=0.10.0"
       }
@@ -1303,6 +1308,7 @@
       "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==",
       "dev": true,
       "license": "MIT",
+      "optional": true,
       "dependencies": {
         "is-extglob": "^2.1.1"
       },
@@ -1316,6 +1322,7 @@
       "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==",
       "dev": true,
       "license": "MIT",
+      "optional": true,
       "engines": {
         "node": ">=0.12.0"
       }
@@ -1431,6 +1438,7 @@
       "integrity": "sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA==",
       "dev": true,
       "license": "MIT",
+      "optional": true,
       "dependencies": {
         "braces": "^3.0.3",
         "picomatch": "^2.3.1"
@@ -1514,7 +1522,8 @@
       "resolved": "https://registry.npmjs.org/node-addon-api/-/node-addon-api-7.1.1.tgz",
       "integrity": "sha512-5m3bsyrjFWE1xf7nz7YXdN4udnVtXK6/Yfgn5qnahL6bCkf2yKt4k3nuTKAtT4r3IG8JNR2ncsIMdZuAzJjHQQ==",
       "dev": true,
-      "license": "MIT"
+      "license": "MIT",
+      "optional": true
     },
     "node_modules/node-releases": {
       "version": "2.0.19",
@@ -1602,6 +1611,7 @@
       "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
       "dev": true,
       "license": "MIT",
+      "optional": true,
       "engines": {
         "node": ">=8.6"
       },
@@ -1858,15 +1868,14 @@
       "license": "MIT"
     },
     "node_modules/sass": {
-      "version": "1.79.5",
-      "resolved": "https://registry.npmjs.org/sass/-/sass-1.79.5.tgz",
-      "integrity": "sha512-W1h5kp6bdhqFh2tk3DsI771MoEJjvrSY/2ihJRJS4pjIyfJCw0nTsxqhnrUzaLMOJjFchj8rOvraI/YUVjtx5g==",
+      "version": "1.85.0",
+      "resolved": "https://registry.npmjs.org/sass/-/sass-1.85.0.tgz",
+      "integrity": "sha512-3ToiC1xZ1Y8aU7+CkgCI/tqyuPXEmYGJXO7H4uqp0xkLXUqp88rQQ4j1HmP37xSJLbCJPaIiv+cT1y+grssrww==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@parcel/watcher": "^2.4.1",
         "chokidar": "^4.0.0",
-        "immutable": "^4.0.0",
+        "immutable": "^5.0.2",
         "source-map-js": ">=0.6.2 <2.0.0"
       },
       "bin": {
@@ -1874,6 +1883,9 @@
       },
       "engines": {
         "node": ">=14.0.0"
+      },
+      "optionalDependencies": {
+        "@parcel/watcher": "^2.4.1"
       }
     },
     "node_modules/sass-loader": {
@@ -2126,6 +2138,7 @@
       "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
       "dev": true,
       "license": "MIT",
+      "optional": true,
       "dependencies": {
         "is-number": "^7.0.0"
       },
diff --git a/src/Admin/package.json b/src/Admin/package.json
index 2a8e91f43e..7f3c8046a2 100644
--- a/src/Admin/package.json
+++ b/src/Admin/package.json
@@ -17,7 +17,7 @@
     "css-loader": "7.1.2",
     "expose-loader": "5.0.0",
     "mini-css-extract-plugin": "2.9.2",
-    "sass": "1.79.5",
+    "sass": "1.85.0",
     "sass-loader": "16.0.4",
     "webpack": "5.97.1",
     "webpack-cli": "5.1.4"

From 5241e09c1a29e65c17308d2cdc77f788ccd8da37 Mon Sep 17 00:00:00 2001
From: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
Date: Fri, 21 Feb 2025 20:59:37 +0100
Subject: [PATCH 306/384] PM-15882: Added RemoveUnlockWithPin policy (#5388)

---
 src/Core/AdminConsole/Enums/PolicyType.cs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/Core/AdminConsole/Enums/PolicyType.cs b/src/Core/AdminConsole/Enums/PolicyType.cs
index 80ab18e174..6f3bcd0102 100644
--- a/src/Core/AdminConsole/Enums/PolicyType.cs
+++ b/src/Core/AdminConsole/Enums/PolicyType.cs
@@ -15,7 +15,8 @@ public enum PolicyType : byte
     DisablePersonalVaultExport = 10,
     ActivateAutofill = 11,
     AutomaticAppLogIn = 12,
-    FreeFamiliesSponsorshipPolicy = 13
+    FreeFamiliesSponsorshipPolicy = 13,
+    RemoveUnlockWithPin = 14,
 }
 
 public static class PolicyTypeExtensions
@@ -41,7 +42,8 @@ public static class PolicyTypeExtensions
             PolicyType.DisablePersonalVaultExport => "Remove individual vault export",
             PolicyType.ActivateAutofill => "Active auto-fill",
             PolicyType.AutomaticAppLogIn => "Automatically log in users for allowed applications",
-            PolicyType.FreeFamiliesSponsorshipPolicy => "Remove Free Bitwarden Families sponsorship"
+            PolicyType.FreeFamiliesSponsorshipPolicy => "Remove Free Bitwarden Families sponsorship",
+            PolicyType.RemoveUnlockWithPin => "Remove unlock with PIN"
         };
     }
 }

From b0c6fc9146433c95019e51f64cc38ed1f658293d Mon Sep 17 00:00:00 2001
From: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
Date: Mon, 24 Feb 2025 09:19:52 +1000
Subject: [PATCH 307/384] [PM-18234] Add SendPolicyRequirement (#5409)

---
 .../SendPolicyRequirement.cs                  |  54 +++++++
 .../PolicyServiceCollectionExtensions.cs      |   1 +
 .../Services/Implementations/SendService.cs   |  41 +++++-
 .../AutoFixture/PolicyDetailsFixtures.cs      |  35 +++++
 .../PolicyDetailsTestExtensions.cs            |  10 ++
 .../SendPolicyRequirementTests.cs             | 138 ++++++++++++++++++
 .../Tools/AutoFixture/SendFixtures.cs         |  21 ++-
 .../Tools/Services/SendServiceTests.cs        |  90 ++++++++++++
 8 files changed, 384 insertions(+), 6 deletions(-)
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendPolicyRequirement.cs
 create mode 100644 test/Core.Test/AdminConsole/AutoFixture/PolicyDetailsFixtures.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PolicyDetailsTestExtensions.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendPolicyRequirementTests.cs

diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendPolicyRequirement.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendPolicyRequirement.cs
new file mode 100644
index 0000000000..c54cc98373
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendPolicyRequirement.cs
@@ -0,0 +1,54 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.Enums;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+/// <summary>
+/// Policy requirements for the Disable Send and Send Options policies.
+/// </summary>
+public class SendPolicyRequirement : IPolicyRequirement
+{
+    /// <summary>
+    /// Indicates whether Send is disabled for the user. If true, the user should not be able to create or edit Sends.
+    /// They may still delete existing Sends.
+    /// </summary>
+    public bool DisableSend { get; init; }
+    /// <summary>
+    /// Indicates whether the user is prohibited from hiding their email from the recipient of a Send.
+    /// </summary>
+    public bool DisableHideEmail { get; init; }
+
+    /// <summary>
+    /// Create a new SendPolicyRequirement.
+    /// </summary>
+    /// <param name="policyDetails">All PolicyDetails relating to the user.</param>
+    /// <remarks>
+    /// This is a <see cref="RequirementFactory{T}"/> for the SendPolicyRequirement.
+    /// </remarks>
+    public static SendPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails)
+    {
+        var filteredPolicies = policyDetails
+            .ExemptRoles([OrganizationUserType.Owner, OrganizationUserType.Admin])
+            .ExemptStatus([OrganizationUserStatusType.Invited, OrganizationUserStatusType.Revoked])
+            .ExemptProviders()
+            .ToList();
+
+        var result = filteredPolicies
+            .GetPolicyType(PolicyType.SendOptions)
+            .Select(p => p.GetDataModel<SendOptionsPolicyData>())
+            .Aggregate(
+                new SendPolicyRequirement
+                {
+                    // Set Disable Send requirement in the initial seed
+                    DisableSend = filteredPolicies.GetPolicyType(PolicyType.DisableSend).Any()
+                },
+                (result, data) => new SendPolicyRequirement
+                {
+                    DisableSend = result.DisableSend,
+                    DisableHideEmail = result.DisableHideEmail || data.DisableHideEmail
+                });
+
+        return result;
+    }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
index f7b35f2f06..7bc8a7b5a3 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
@@ -32,6 +32,7 @@ public static class PolicyServiceCollectionExtensions
     private static void AddPolicyRequirements(this IServiceCollection services)
     {
         // Register policy requirement factories here
+        services.AddPolicyRequirement(SendPolicyRequirement.Create);
     }
 
     /// <summary>
diff --git a/src/Core/Tools/Services/Implementations/SendService.cs b/src/Core/Tools/Services/Implementations/SendService.cs
index 918379d7a5..bddaa93bfc 100644
--- a/src/Core/Tools/Services/Implementations/SendService.cs
+++ b/src/Core/Tools/Services/Implementations/SendService.cs
@@ -1,7 +1,8 @@
 using System.Text.Json;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
-using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Context;
 using Bit.Core.Entities;
@@ -26,7 +27,6 @@ public class SendService : ISendService
     public const string MAX_FILE_SIZE_READABLE = "500 MB";
     private readonly ISendRepository _sendRepository;
     private readonly IUserRepository _userRepository;
-    private readonly IPolicyRepository _policyRepository;
     private readonly IPolicyService _policyService;
     private readonly IUserService _userService;
     private readonly IOrganizationRepository _organizationRepository;
@@ -36,6 +36,9 @@ public class SendService : ISendService
     private readonly IReferenceEventService _referenceEventService;
     private readonly GlobalSettings _globalSettings;
     private readonly ICurrentContext _currentContext;
+    private readonly IPolicyRequirementQuery _policyRequirementQuery;
+    private readonly IFeatureService _featureService;
+
     private const long _fileSizeLeeway = 1024L * 1024L; // 1MB
 
     public SendService(
@@ -48,14 +51,14 @@ public class SendService : ISendService
         IPushNotificationService pushService,
         IReferenceEventService referenceEventService,
         GlobalSettings globalSettings,
-        IPolicyRepository policyRepository,
         IPolicyService policyService,
-        ICurrentContext currentContext)
+        ICurrentContext currentContext,
+        IPolicyRequirementQuery policyRequirementQuery,
+        IFeatureService featureService)
     {
         _sendRepository = sendRepository;
         _userRepository = userRepository;
         _userService = userService;
-        _policyRepository = policyRepository;
         _policyService = policyService;
         _organizationRepository = organizationRepository;
         _sendFileStorageService = sendFileStorageService;
@@ -64,6 +67,8 @@ public class SendService : ISendService
         _referenceEventService = referenceEventService;
         _globalSettings = globalSettings;
         _currentContext = currentContext;
+        _policyRequirementQuery = policyRequirementQuery;
+        _featureService = featureService;
     }
 
     public async Task SaveSendAsync(Send send)
@@ -286,6 +291,12 @@ public class SendService : ISendService
 
     private async Task ValidateUserCanSaveAsync(Guid? userId, Send send)
     {
+        if (_featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements))
+        {
+            await ValidateUserCanSaveAsync_vNext(userId, send);
+            return;
+        }
+
         if (!userId.HasValue || (!_currentContext.Organizations?.Any() ?? true))
         {
             return;
@@ -308,6 +319,26 @@ public class SendService : ISendService
         }
     }
 
+    private async Task ValidateUserCanSaveAsync_vNext(Guid? userId, Send send)
+    {
+        if (!userId.HasValue)
+        {
+            return;
+        }
+
+        var sendPolicyRequirement = await _policyRequirementQuery.GetAsync<SendPolicyRequirement>(userId.Value);
+
+        if (sendPolicyRequirement.DisableSend)
+        {
+            throw new BadRequestException("Due to an Enterprise Policy, you are only able to delete an existing Send.");
+        }
+
+        if (sendPolicyRequirement.DisableHideEmail && send.HideEmail.GetValueOrDefault())
+        {
+            throw new BadRequestException("Due to an Enterprise Policy, you are not allowed to hide your email address from recipients when creating or editing a Send.");
+        }
+    }
+
     private async Task<long> StorageRemainingForSendAsync(Send send)
     {
         var storageBytesRemaining = 0L;
diff --git a/test/Core.Test/AdminConsole/AutoFixture/PolicyDetailsFixtures.cs b/test/Core.Test/AdminConsole/AutoFixture/PolicyDetailsFixtures.cs
new file mode 100644
index 0000000000..87ea390cb6
--- /dev/null
+++ b/test/Core.Test/AdminConsole/AutoFixture/PolicyDetailsFixtures.cs
@@ -0,0 +1,35 @@
+using System.Reflection;
+using AutoFixture;
+using AutoFixture.Xunit2;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.Enums;
+
+namespace Bit.Core.Test.AdminConsole.AutoFixture;
+
+internal class PolicyDetailsCustomization(
+    PolicyType policyType,
+    OrganizationUserType userType,
+    bool isProvider,
+    OrganizationUserStatusType userStatus) : ICustomization
+{
+    public void Customize(IFixture fixture)
+    {
+        fixture.Customize<PolicyDetails>(composer => composer
+            .With(o => o.PolicyType, policyType)
+            .With(o => o.OrganizationUserType, userType)
+            .With(o => o.IsProvider, isProvider)
+            .With(o => o.OrganizationUserStatus, userStatus)
+            .Without(o => o.PolicyData)); // avoid autogenerating invalid json data
+    }
+}
+
+public class PolicyDetailsAttribute(
+    PolicyType policyType,
+    OrganizationUserType userType = OrganizationUserType.User,
+    bool isProvider = false,
+    OrganizationUserStatusType userStatus = OrganizationUserStatusType.Confirmed) : CustomizeAttribute
+{
+    public override ICustomization GetCustomization(ParameterInfo parameter)
+        => new PolicyDetailsCustomization(policyType, userType, isProvider, userStatus);
+}
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PolicyDetailsTestExtensions.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PolicyDetailsTestExtensions.cs
new file mode 100644
index 0000000000..3323c9c754
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PolicyDetailsTestExtensions.cs
@@ -0,0 +1,10 @@
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+public static class PolicyDetailsTestExtensions
+{
+    public static void SetDataModel<T>(this PolicyDetails policyDetails, T data) where T : IPolicyDataModel
+        => policyDetails.PolicyData = CoreHelpers.ClassToJsonData(data);
+}
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendPolicyRequirementTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendPolicyRequirementTests.cs
new file mode 100644
index 0000000000..4d7bf5db4e
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendPolicyRequirementTests.cs
@@ -0,0 +1,138 @@
+using AutoFixture.Xunit2;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.Enums;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+public class SendPolicyRequirementTests
+{
+    [Theory, AutoData]
+    public void DisableSend_IsFalse_IfNoDisableSendPolicies(
+        [PolicyDetails(PolicyType.RequireSso)] PolicyDetails otherPolicy1,
+        [PolicyDetails(PolicyType.SendOptions)] PolicyDetails otherPolicy2)
+    {
+        EnableDisableHideEmail(otherPolicy2);
+
+        var actual = SendPolicyRequirement.Create([otherPolicy1, otherPolicy2]);
+
+        Assert.False(actual.DisableSend);
+    }
+
+    [Theory]
+    [InlineAutoData(OrganizationUserType.Owner, false)]
+    [InlineAutoData(OrganizationUserType.Admin, false)]
+    [InlineAutoData(OrganizationUserType.User, true)]
+    [InlineAutoData(OrganizationUserType.Custom, true)]
+    public void DisableSend_TestRoles(
+        OrganizationUserType userType,
+        bool shouldBeEnforced,
+        [PolicyDetails(PolicyType.DisableSend)] PolicyDetails policyDetails)
+    {
+        policyDetails.OrganizationUserType = userType;
+
+        var actual = SendPolicyRequirement.Create([policyDetails]);
+
+        Assert.Equal(shouldBeEnforced, actual.DisableSend);
+    }
+
+    [Theory, AutoData]
+    public void DisableSend_Not_EnforcedAgainstProviders(
+        [PolicyDetails(PolicyType.DisableSend, isProvider: true)] PolicyDetails policyDetails)
+    {
+        var actual = SendPolicyRequirement.Create([policyDetails]);
+
+        Assert.False(actual.DisableSend);
+    }
+
+    [Theory]
+    [InlineAutoData(OrganizationUserStatusType.Confirmed, true)]
+    [InlineAutoData(OrganizationUserStatusType.Accepted, true)]
+    [InlineAutoData(OrganizationUserStatusType.Invited, false)]
+    [InlineAutoData(OrganizationUserStatusType.Revoked, false)]
+    public void DisableSend_TestStatuses(
+        OrganizationUserStatusType userStatus,
+        bool shouldBeEnforced,
+        [PolicyDetails(PolicyType.DisableSend)] PolicyDetails policyDetails)
+    {
+        policyDetails.OrganizationUserStatus = userStatus;
+
+        var actual = SendPolicyRequirement.Create([policyDetails]);
+
+        Assert.Equal(shouldBeEnforced, actual.DisableSend);
+    }
+
+    [Theory, AutoData]
+    public void DisableHideEmail_IsFalse_IfNoSendOptionsPolicies(
+        [PolicyDetails(PolicyType.RequireSso)] PolicyDetails otherPolicy1,
+        [PolicyDetails(PolicyType.DisableSend)] PolicyDetails otherPolicy2)
+    {
+        var actual = SendPolicyRequirement.Create([otherPolicy1, otherPolicy2]);
+
+        Assert.False(actual.DisableHideEmail);
+    }
+
+    [Theory]
+    [InlineAutoData(OrganizationUserType.Owner, false)]
+    [InlineAutoData(OrganizationUserType.Admin, false)]
+    [InlineAutoData(OrganizationUserType.User, true)]
+    [InlineAutoData(OrganizationUserType.Custom, true)]
+    public void DisableHideEmail_TestRoles(
+        OrganizationUserType userType,
+        bool shouldBeEnforced,
+        [PolicyDetails(PolicyType.SendOptions)] PolicyDetails policyDetails)
+    {
+        EnableDisableHideEmail(policyDetails);
+        policyDetails.OrganizationUserType = userType;
+
+        var actual = SendPolicyRequirement.Create([policyDetails]);
+
+        Assert.Equal(shouldBeEnforced, actual.DisableHideEmail);
+    }
+
+    [Theory, AutoData]
+    public void DisableHideEmail_Not_EnforcedAgainstProviders(
+        [PolicyDetails(PolicyType.SendOptions, isProvider: true)] PolicyDetails policyDetails)
+    {
+        EnableDisableHideEmail(policyDetails);
+
+        var actual = SendPolicyRequirement.Create([policyDetails]);
+
+        Assert.False(actual.DisableHideEmail);
+    }
+
+    [Theory]
+    [InlineAutoData(OrganizationUserStatusType.Confirmed, true)]
+    [InlineAutoData(OrganizationUserStatusType.Accepted, true)]
+    [InlineAutoData(OrganizationUserStatusType.Invited, false)]
+    [InlineAutoData(OrganizationUserStatusType.Revoked, false)]
+    public void DisableHideEmail_TestStatuses(
+        OrganizationUserStatusType userStatus,
+        bool shouldBeEnforced,
+        [PolicyDetails(PolicyType.SendOptions)] PolicyDetails policyDetails)
+    {
+        EnableDisableHideEmail(policyDetails);
+        policyDetails.OrganizationUserStatus = userStatus;
+
+        var actual = SendPolicyRequirement.Create([policyDetails]);
+
+        Assert.Equal(shouldBeEnforced, actual.DisableHideEmail);
+    }
+
+    [Theory, AutoData]
+    public void DisableHideEmail_HandlesNullData(
+        [PolicyDetails(PolicyType.SendOptions)] PolicyDetails policyDetails)
+    {
+        policyDetails.PolicyData = null;
+
+        var actual = SendPolicyRequirement.Create([policyDetails]);
+
+        Assert.False(actual.DisableHideEmail);
+    }
+
+    private static void EnableDisableHideEmail(PolicyDetails policyDetails)
+        => policyDetails.SetDataModel(new SendOptionsPolicyData { DisableHideEmail = true });
+}
diff --git a/test/Core.Test/Tools/AutoFixture/SendFixtures.cs b/test/Core.Test/Tools/AutoFixture/SendFixtures.cs
index c8005f4faf..0d58ca1671 100644
--- a/test/Core.Test/Tools/AutoFixture/SendFixtures.cs
+++ b/test/Core.Test/Tools/AutoFixture/SendFixtures.cs
@@ -1,4 +1,6 @@
-using AutoFixture;
+using System.Reflection;
+using AutoFixture;
+using AutoFixture.Xunit2;
 using Bit.Core.Tools.Entities;
 using Bit.Test.Common.AutoFixture.Attributes;
 
@@ -19,3 +21,20 @@ internal class UserSendCustomizeAttribute : BitCustomizeAttribute
 {
     public override ICustomization GetCustomization() => new UserSend();
 }
+
+internal class NewUserSend : ICustomization
+{
+    public void Customize(IFixture fixture)
+    {
+        fixture.Customize<Send>(composer => composer
+            .With(s => s.Id, Guid.Empty)
+            .Without(s => s.OrganizationId));
+    }
+}
+
+internal class NewUserSendCustomizeAttribute : CustomizeAttribute
+{
+    public override ICustomization GetCustomization(ParameterInfo parameterInfo)
+        => new NewUserSend();
+}
+
diff --git a/test/Core.Test/Tools/Services/SendServiceTests.cs b/test/Core.Test/Tools/Services/SendServiceTests.cs
index cabb438b61..ae65ee1388 100644
--- a/test/Core.Test/Tools/Services/SendServiceTests.cs
+++ b/test/Core.Test/Tools/Services/SendServiceTests.cs
@@ -3,6 +3,8 @@ using System.Text.Json;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
@@ -22,6 +24,7 @@ using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Microsoft.AspNetCore.Identity;
 using NSubstitute;
+using NSubstitute.ExceptionExtensions;
 using Xunit;
 
 using GlobalSettings = Bit.Core.Settings.GlobalSettings;
@@ -118,6 +121,93 @@ public class SendServiceTests
         await sutProvider.GetDependency<ISendRepository>().Received(1).CreateAsync(send);
     }
 
+    // Disable Send policy check - vNext
+    private void SaveSendAsync_Setup_vNext(SutProvider<SendService> sutProvider, Send send,
+        SendPolicyRequirement sendPolicyRequirement)
+    {
+        sutProvider.GetDependency<IPolicyRequirementQuery>().GetAsync<SendPolicyRequirement>(send.UserId!.Value)
+            .Returns(sendPolicyRequirement);
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.PolicyRequirements).Returns(true);
+
+        // Should not be called in these tests
+        sutProvider.GetDependency<IPolicyService>().AnyPoliciesApplicableToUserAsync(
+            Arg.Any<Guid>(), Arg.Any<PolicyType>()).ThrowsAsync<Exception>();
+    }
+
+    [Theory]
+    [BitAutoData(SendType.File)]
+    [BitAutoData(SendType.Text)]
+    public async Task SaveSendAsync_DisableSend_Applies_Throws_vNext(SendType sendType,
+        SutProvider<SendService> sutProvider, [NewUserSendCustomize] Send send)
+    {
+        send.Type = sendType;
+        SaveSendAsync_Setup_vNext(sutProvider, send, new SendPolicyRequirement { DisableSend = true });
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.SaveSendAsync(send));
+        Assert.Contains("Due to an Enterprise Policy, you are only able to delete an existing Send.",
+            exception.Message);
+    }
+
+    [Theory]
+    [BitAutoData(SendType.File)]
+    [BitAutoData(SendType.Text)]
+    public async Task SaveSendAsync_DisableSend_DoesntApply_Success_vNext(SendType sendType,
+        SutProvider<SendService> sutProvider, [NewUserSendCustomize] Send send)
+    {
+        send.Type = sendType;
+        SaveSendAsync_Setup_vNext(sutProvider, send, new SendPolicyRequirement());
+
+        await sutProvider.Sut.SaveSendAsync(send);
+
+        await sutProvider.GetDependency<ISendRepository>().Received(1).CreateAsync(send);
+    }
+
+    // Send Options Policy - Disable Hide Email check
+
+    [Theory]
+    [BitAutoData(SendType.File)]
+    [BitAutoData(SendType.Text)]
+    public async Task SaveSendAsync_DisableHideEmail_Applies_Throws_vNext(SendType sendType,
+        SutProvider<SendService> sutProvider, [NewUserSendCustomize] Send send)
+    {
+        send.Type = sendType;
+        SaveSendAsync_Setup_vNext(sutProvider, send, new SendPolicyRequirement { DisableHideEmail = true });
+        send.HideEmail = true;
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.SaveSendAsync(send));
+        Assert.Contains("Due to an Enterprise Policy, you are not allowed to hide your email address from recipients when creating or editing a Send.", exception.Message);
+    }
+
+    [Theory]
+    [BitAutoData(SendType.File)]
+    [BitAutoData(SendType.Text)]
+    public async Task SaveSendAsync_DisableHideEmail_Applies_ButEmailNotHidden_Success_vNext(SendType sendType,
+        SutProvider<SendService> sutProvider, [NewUserSendCustomize] Send send)
+    {
+        send.Type = sendType;
+        SaveSendAsync_Setup_vNext(sutProvider, send, new SendPolicyRequirement { DisableHideEmail = true });
+        send.HideEmail = false;
+
+        await sutProvider.Sut.SaveSendAsync(send);
+
+        await sutProvider.GetDependency<ISendRepository>().Received(1).CreateAsync(send);
+    }
+
+    [Theory]
+    [BitAutoData(SendType.File)]
+    [BitAutoData(SendType.Text)]
+    public async Task SaveSendAsync_DisableHideEmail_DoesntApply_Success_vNext(SendType sendType,
+        SutProvider<SendService> sutProvider, [NewUserSendCustomize] Send send)
+    {
+        send.Type = sendType;
+        SaveSendAsync_Setup_vNext(sutProvider, send, new SendPolicyRequirement());
+        send.HideEmail = true;
+
+        await sutProvider.Sut.SaveSendAsync(send);
+
+        await sutProvider.GetDependency<ISendRepository>().Received(1).CreateAsync(send);
+    }
+
     [Theory]
     [BitAutoData]
     public async Task SaveSendAsync_ExistingSend_Updates(SutProvider<SendService> sutProvider,

From 2b1db97d5c3438b9dd909fa06892248653437295 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Mon, 24 Feb 2025 11:40:53 +0000
Subject: [PATCH 308/384] [PM-18085] Add Manage property to UserCipherDetails
 (#5390)

* Add Manage permission to UserCipherDetails and CipherDetails_ReadByIdUserId

* Add Manage property to CipherDetails and UserCipherDetailsQuery

* Add integration test for CipherRepository Manage permission rules

* Update CipherDetails_ReadWithoutOrganizationsByUserId to include Manage permission

* Refactor UserCipherDetailsQuery to include detailed permission and organization properties

* Refactor CipherRepositoryTests to improve test organization and readability

- Split large test method into smaller, focused methods
- Added helper methods for creating test data and performing assertions
- Improved test coverage for cipher permissions in different scenarios
- Maintained existing test logic while enhancing code structure

* Refactor CipherRepositoryTests to consolidate cipher permission tests

- Removed redundant helper methods for permission assertions
- Simplified test methods for GetCipherPermissionsForOrganizationAsync, GetManyByUserIdAsync, and GetByIdAsync
- Maintained existing test coverage for cipher manage permissions
- Improved code readability and reduced code duplication

* Add integration test for CipherRepository group collection manage permissions

- Added new test method GetCipherPermissionsForOrganizationAsync_ManageProperty_RespectsCollectionGroupRules
- Implemented helper method CreateCipherInOrganizationCollectionWithGroup to support group-based collection permission testing
- Verified manage permissions are correctly applied based on group collection access settings

* Add @Manage parameter to Cipher stored procedures

- Updated CipherDetails_Create, CipherDetails_CreateWithCollections, and CipherDetails_Update stored procedures
- Added @Manage parameter with comment "-- not used"
- Included new stored procedure implementations in migration script
- Consistent with previous work on adding Manage property to cipher details

* Update UserCipherDetails functions to reorder Manage and ViewPassword columns

* Reorder Manage and ViewPassword properties in cipher details queries

* Bump date in migration script
---
 src/Core/Vault/Models/Data/CipherDetails.cs   |   2 +
 .../Queries/UserCipherDetailsQuery.cs         |  51 ++-
 .../Vault/Repositories/CipherRepository.cs    |   1 +
 .../Vault/dbo/Functions/UserCipherDetails.sql |   6 +
 .../Cipher/CipherDetails_Create.sql           |   3 +-
 .../CipherDetails_CreateWithCollections.sql   |   5 +-
 .../Cipher/CipherDetails_ReadByIdUserId.sql   |   3 +-
 ...tails_ReadWithoutOrganizationsByUserId.sql |   1 +
 .../Cipher/CipherDetails_Update.sql           |   5 +-
 .../Repositories/CipherRepositoryTests.cs     | 271 +++++++++++++++
 .../2025-02-19_00_UserCipherDetailsManage.sql | 309 ++++++++++++++++++
 11 files changed, 645 insertions(+), 12 deletions(-)
 create mode 100644 util/Migrator/DbScripts/2025-02-19_00_UserCipherDetailsManage.sql

diff --git a/src/Core/Vault/Models/Data/CipherDetails.cs b/src/Core/Vault/Models/Data/CipherDetails.cs
index 716b49ca4f..e0ece1efec 100644
--- a/src/Core/Vault/Models/Data/CipherDetails.cs
+++ b/src/Core/Vault/Models/Data/CipherDetails.cs
@@ -8,6 +8,7 @@ public class CipherDetails : CipherOrganizationDetails
     public bool Favorite { get; set; }
     public bool Edit { get; set; }
     public bool ViewPassword { get; set; }
+    public bool Manage { get; set; }
 
     public CipherDetails() { }
 
@@ -53,6 +54,7 @@ public class CipherDetailsWithCollections : CipherDetails
         Favorite = cipher.Favorite;
         Edit = cipher.Edit;
         ViewPassword = cipher.ViewPassword;
+        Manage = cipher.Manage;
 
         CollectionIds = collectionCiphersGroupDict.TryGetValue(Id, out var value)
             ? value.Select(cc => cc.CollectionId)
diff --git a/src/Infrastructure.EntityFramework/Repositories/Queries/UserCipherDetailsQuery.cs b/src/Infrastructure.EntityFramework/Repositories/Queries/UserCipherDetailsQuery.cs
index fdfb9a1bc9..507849f51b 100644
--- a/src/Infrastructure.EntityFramework/Repositories/Queries/UserCipherDetailsQuery.cs
+++ b/src/Infrastructure.EntityFramework/Repositories/Queries/UserCipherDetailsQuery.cs
@@ -50,11 +50,49 @@ public class UserCipherDetailsQuery : IQuery<CipherDetails>
 
                     where (cu == null ? (Guid?)null : cu.CollectionId) != null || (cg == null ? (Guid?)null : cg.CollectionId) != null
 
-                    select c;
+                    select new
+                    {
+                        c.Id,
+                        c.UserId,
+                        c.OrganizationId,
+                        c.Type,
+                        c.Data,
+                        c.Attachments,
+                        c.CreationDate,
+                        c.RevisionDate,
+                        c.DeletedDate,
+                        c.Favorites,
+                        c.Folders,
+                        Edit = cu == null ? (cg != null && cg.ReadOnly == false) : cu.ReadOnly == false,
+                        ViewPassword = cu == null ? (cg != null && cg.HidePasswords == false) : cu.HidePasswords == false,
+                        Manage = cu == null ? (cg != null && cg.Manage == true) : cu.Manage == true,
+                        OrganizationUseTotp = o.UseTotp,
+                        c.Reprompt,
+                        c.Key
+                    };
 
         var query2 = from c in dbContext.Ciphers
                      where c.UserId == _userId
-                     select c;
+                     select new
+                     {
+                         c.Id,
+                         c.UserId,
+                         c.OrganizationId,
+                         c.Type,
+                         c.Data,
+                         c.Attachments,
+                         c.CreationDate,
+                         c.RevisionDate,
+                         c.DeletedDate,
+                         c.Favorites,
+                         c.Folders,
+                         Edit = true,
+                         ViewPassword = true,
+                         Manage = true,
+                         OrganizationUseTotp = false,
+                         c.Reprompt,
+                         c.Key
+                     };
 
         var union = query.Union(query2).Select(c => new CipherDetails
         {
@@ -68,11 +106,12 @@ public class UserCipherDetailsQuery : IQuery<CipherDetails>
             RevisionDate = c.RevisionDate,
             DeletedDate = c.DeletedDate,
             Favorite = _userId.HasValue && c.Favorites != null && c.Favorites.ToLowerInvariant().Contains($"\"{_userId}\":true"),
-            FolderId = GetFolderId(_userId, c),
-            Edit = true,
+            FolderId = GetFolderId(_userId, new Cipher { Id = c.Id, Folders = c.Folders }),
+            Edit = c.Edit,
             Reprompt = c.Reprompt,
-            ViewPassword = true,
-            OrganizationUseTotp = false,
+            ViewPassword = c.ViewPassword,
+            Manage = c.Manage,
+            OrganizationUseTotp = c.OrganizationUseTotp,
             Key = c.Key
         });
         return union;
diff --git a/src/Infrastructure.EntityFramework/Vault/Repositories/CipherRepository.cs b/src/Infrastructure.EntityFramework/Vault/Repositories/CipherRepository.cs
index 6a4ffb4b35..9c91609b1b 100644
--- a/src/Infrastructure.EntityFramework/Vault/Repositories/CipherRepository.cs
+++ b/src/Infrastructure.EntityFramework/Vault/Repositories/CipherRepository.cs
@@ -432,6 +432,7 @@ public class CipherRepository : Repository<Core.Vault.Entities.Cipher, Cipher, G
                                         Edit = true,
                                         Reprompt = c.Reprompt,
                                         ViewPassword = true,
+                                        Manage = true,
                                         OrganizationUseTotp = false,
                                         Key = c.Key
                                     };
diff --git a/src/Sql/Vault/dbo/Functions/UserCipherDetails.sql b/src/Sql/Vault/dbo/Functions/UserCipherDetails.sql
index 6c8c5f8a32..e7933572cd 100644
--- a/src/Sql/Vault/dbo/Functions/UserCipherDetails.sql
+++ b/src/Sql/Vault/dbo/Functions/UserCipherDetails.sql
@@ -23,6 +23,11 @@ SELECT
     	THEN 1
     	ELSE 0
     END [ViewPassword],
+    CASE
+        WHEN COALESCE(CU.[Manage], CG.[Manage], 0) = 1
+        THEN 1
+        ELSE 0
+    END [Manage],
     CASE
         WHEN O.[UseTotp] = 1
         THEN 1
@@ -54,6 +59,7 @@ SELECT
     *,
     1 [Edit],
     1 [ViewPassword],
+    1 [Manage],
     0 [OrganizationUseTotp]
 FROM
     [dbo].[CipherDetails](@UserId)
diff --git a/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_Create.sql b/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_Create.sql
index a4450036fd..d0e08fcd08 100644
--- a/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_Create.sql	
+++ b/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_Create.sql	
@@ -13,6 +13,7 @@
     @Favorite BIT,
     @Edit BIT, -- not used
     @ViewPassword BIT, -- not used
+    @Manage BIT, -- not used
     @OrganizationUseTotp BIT, -- not used
     @DeletedDate DATETIME2(7),
     @Reprompt TINYINT,
@@ -63,4 +64,4 @@ BEGIN
     BEGIN
         EXEC [dbo].[User_BumpAccountRevisionDate] @UserId
     END
-END
\ No newline at end of file
+END
diff --git a/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_CreateWithCollections.sql b/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_CreateWithCollections.sql
index a88153a71f..6e61d3d385 100644
--- a/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_CreateWithCollections.sql	
+++ b/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_CreateWithCollections.sql	
@@ -13,6 +13,7 @@
     @Favorite BIT,
     @Edit BIT, -- not used
     @ViewPassword BIT, -- not used
+    @Manage BIT, -- not used
     @OrganizationUseTotp BIT, -- not used
     @DeletedDate DATETIME2(7),
     @Reprompt TINYINT,
@@ -23,9 +24,9 @@ BEGIN
     SET NOCOUNT ON
 
     EXEC [dbo].[CipherDetails_Create] @Id, @UserId, @OrganizationId, @Type, @Data, @Favorites, @Folders,
-        @Attachments, @CreationDate, @RevisionDate, @FolderId, @Favorite, @Edit, @ViewPassword,
+        @Attachments, @CreationDate, @RevisionDate, @FolderId, @Favorite, @Edit, @ViewPassword, @Manage,
         @OrganizationUseTotp, @DeletedDate, @Reprompt, @Key
 
     DECLARE @UpdateCollectionsSuccess INT
     EXEC @UpdateCollectionsSuccess = [dbo].[Cipher_UpdateCollections] @Id, @UserId, @OrganizationId, @CollectionIds
-END
\ No newline at end of file
+END
diff --git a/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_ReadByIdUserId.sql b/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_ReadByIdUserId.sql
index 189ad0a4a5..7e2c893a41 100644
--- a/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_ReadByIdUserId.sql	
+++ b/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_ReadByIdUserId.sql	
@@ -21,7 +21,8 @@ SELECT
         [Key],
         [OrganizationUseTotp],
         MAX ([Edit]) AS [Edit],
-        MAX ([ViewPassword]) AS [ViewPassword]
+        MAX ([ViewPassword]) AS [ViewPassword],
+        MAX ([Manage]) AS [Manage]
     FROM
         [dbo].[UserCipherDetails](@UserId)
     WHERE
diff --git a/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_ReadWithoutOrganizationsByUserId.sql b/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_ReadWithoutOrganizationsByUserId.sql
index ca19c0441e..170fdc895d 100644
--- a/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_ReadWithoutOrganizationsByUserId.sql	
+++ b/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_ReadWithoutOrganizationsByUserId.sql	
@@ -8,6 +8,7 @@ BEGIN
         *,
         1 [Edit],
         1 [ViewPassword],
+        1 [Manage],
         0 [OrganizationUseTotp]
     FROM
         [dbo].[CipherDetails](@UserId)
diff --git a/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_Update.sql b/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_Update.sql
index 11113b2a46..8fc95eb302 100644
--- a/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_Update.sql	
+++ b/src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherDetails_Update.sql	
@@ -13,6 +13,7 @@
     @Favorite BIT,
     @Edit BIT, -- not used
     @ViewPassword BIT, -- not used
+    @Manage BIT, -- not used
     @OrganizationUseTotp BIT, -- not used
     @DeletedDate DATETIME2(2),
     @Reprompt TINYINT,
@@ -31,7 +32,7 @@ BEGIN
         [OrganizationId] = @OrganizationId,
         [Type] = @Type,
         [Data] = @Data,
-        [Folders] = 
+        [Folders] =
             CASE
             WHEN @FolderId IS NOT NULL AND [Folders] IS NULL THEN
                 CONCAT('{', @UserIdKey, ':"', @FolderId, '"', '}')
@@ -66,4 +67,4 @@ BEGIN
     BEGIN
         EXEC [dbo].[User_BumpAccountRevisionDate] @UserId
     END
-END
\ No newline at end of file
+END
diff --git a/test/Infrastructure.IntegrationTest/Vault/Repositories/CipherRepositoryTests.cs b/test/Infrastructure.IntegrationTest/Vault/Repositories/CipherRepositoryTests.cs
index 97f370bbcd..b64a1ded76 100644
--- a/test/Infrastructure.IntegrationTest/Vault/Repositories/CipherRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/Vault/Repositories/CipherRepositoryTests.cs
@@ -433,4 +433,275 @@ public class CipherRepositoryTests
         Assert.False(unassignedCipherPermission.Read);
         Assert.False(unassignedCipherPermission.ViewPassword);
     }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetCipherPermissionsForOrganizationAsync_ManageProperty_RespectsCollectionUserRules(
+        ICipherRepository cipherRepository,
+        IUserRepository userRepository,
+        ICollectionCipherRepository collectionCipherRepository,
+        ICollectionRepository collectionRepository,
+        IOrganizationRepository organizationRepository,
+        IOrganizationUserRepository organizationUserRepository)
+    {
+        var (user, organization, orgUser) = await CreateTestUserAndOrganization(userRepository, organizationRepository, organizationUserRepository);
+
+        var manageCipher = await CreateCipherInOrganizationCollection(
+            organization, orgUser, cipherRepository, collectionRepository, collectionCipherRepository,
+            hasManagePermission: true, "Manage Collection");
+
+        var nonManageCipher = await CreateCipherInOrganizationCollection(
+            organization, orgUser, cipherRepository, collectionRepository, collectionCipherRepository,
+            hasManagePermission: false, "Non-Manage Collection");
+
+        var permissions = await cipherRepository.GetCipherPermissionsForOrganizationAsync(organization.Id, user.Id);
+        Assert.Equal(2, permissions.Count);
+
+        var managePermission = permissions.FirstOrDefault(c => c.Id == manageCipher.Id);
+        Assert.NotNull(managePermission);
+        Assert.True(managePermission.Manage, "Collection with Manage=true should grant Manage permission");
+
+        var nonManagePermission = permissions.FirstOrDefault(c => c.Id == nonManageCipher.Id);
+        Assert.NotNull(nonManagePermission);
+        Assert.False(nonManagePermission.Manage, "Collection with Manage=false should not grant Manage permission");
+    }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetCipherPermissionsForOrganizationAsync_ManageProperty_RespectsCollectionGroupRules(
+        ICipherRepository cipherRepository,
+        IUserRepository userRepository,
+        ICollectionCipherRepository collectionCipherRepository,
+        ICollectionRepository collectionRepository,
+        IOrganizationRepository organizationRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IGroupRepository groupRepository)
+    {
+        var (user, organization, orgUser) = await CreateTestUserAndOrganization(userRepository, organizationRepository, organizationUserRepository);
+
+        var group = await groupRepository.CreateAsync(new Group
+        {
+            OrganizationId = organization.Id,
+            Name = "Test Group",
+        });
+        await groupRepository.UpdateUsersAsync(group.Id, new[] { orgUser.Id });
+
+        var (manageCipher, nonManageCipher) = await CreateCipherInOrganizationCollectionWithGroup(
+            organization, group, cipherRepository, collectionRepository, collectionCipherRepository, groupRepository);
+
+        var permissions = await cipherRepository.GetCipherPermissionsForOrganizationAsync(organization.Id, user.Id);
+        Assert.Equal(2, permissions.Count);
+
+        var managePermission = permissions.FirstOrDefault(c => c.Id == manageCipher.Id);
+        Assert.NotNull(managePermission);
+        Assert.True(managePermission.Manage, "Collection with Group Manage=true should grant Manage permission");
+
+        var nonManagePermission = permissions.FirstOrDefault(c => c.Id == nonManageCipher.Id);
+        Assert.NotNull(nonManagePermission);
+        Assert.False(nonManagePermission.Manage, "Collection with Group Manage=false should not grant Manage permission");
+    }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetManyByUserIdAsync_ManageProperty_RespectsCollectionAndOwnershipRules(
+        ICipherRepository cipherRepository,
+        IUserRepository userRepository,
+        ICollectionCipherRepository collectionCipherRepository,
+        ICollectionRepository collectionRepository,
+        IOrganizationRepository organizationRepository,
+        IOrganizationUserRepository organizationUserRepository)
+    {
+        var (user, organization, orgUser) = await CreateTestUserAndOrganization(userRepository, organizationRepository, organizationUserRepository);
+
+        var manageCipher = await CreateCipherInOrganizationCollection(
+            organization, orgUser, cipherRepository, collectionRepository, collectionCipherRepository,
+            hasManagePermission: true, "Manage Collection");
+
+        var nonManageCipher = await CreateCipherInOrganizationCollection(
+            organization, orgUser, cipherRepository, collectionRepository, collectionCipherRepository,
+            hasManagePermission: false, "Non-Manage Collection");
+
+        var personalCipher = await CreatePersonalCipher(user, cipherRepository);
+
+        var userCiphers = await cipherRepository.GetManyByUserIdAsync(user.Id);
+        Assert.Equal(3, userCiphers.Count);
+
+        var managePermission = userCiphers.FirstOrDefault(c => c.Id == manageCipher.Id);
+        Assert.NotNull(managePermission);
+        Assert.True(managePermission.Manage, "Collection with Manage=true should grant Manage permission");
+
+        var nonManagePermission = userCiphers.FirstOrDefault(c => c.Id == nonManageCipher.Id);
+        Assert.NotNull(nonManagePermission);
+        Assert.False(nonManagePermission.Manage, "Collection with Manage=false should not grant Manage permission");
+
+        var personalPermission = userCiphers.FirstOrDefault(c => c.Id == personalCipher.Id);
+        Assert.NotNull(personalPermission);
+        Assert.True(personalPermission.Manage, "Personal ciphers should always have Manage permission");
+    }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetByIdAsync_ManageProperty_RespectsCollectionAndOwnershipRules(
+        ICipherRepository cipherRepository,
+        IUserRepository userRepository,
+        ICollectionCipherRepository collectionCipherRepository,
+        ICollectionRepository collectionRepository,
+        IOrganizationRepository organizationRepository,
+        IOrganizationUserRepository organizationUserRepository)
+    {
+        var (user, organization, orgUser) = await CreateTestUserAndOrganization(userRepository, organizationRepository, organizationUserRepository);
+
+        var manageCipher = await CreateCipherInOrganizationCollection(
+            organization, orgUser, cipherRepository, collectionRepository, collectionCipherRepository,
+            hasManagePermission: true, "Manage Collection");
+
+        var nonManageCipher = await CreateCipherInOrganizationCollection(
+            organization, orgUser, cipherRepository, collectionRepository, collectionCipherRepository,
+            hasManagePermission: false, "Non-Manage Collection");
+
+        var personalCipher = await CreatePersonalCipher(user, cipherRepository);
+
+        var manageDetails = await cipherRepository.GetByIdAsync(manageCipher.Id, user.Id);
+        Assert.NotNull(manageDetails);
+        Assert.True(manageDetails.Manage, "Collection with Manage=true should grant Manage permission");
+
+        var nonManageDetails = await cipherRepository.GetByIdAsync(nonManageCipher.Id, user.Id);
+        Assert.NotNull(nonManageDetails);
+        Assert.False(nonManageDetails.Manage, "Collection with Manage=false should not grant Manage permission");
+
+        var personalDetails = await cipherRepository.GetByIdAsync(personalCipher.Id, user.Id);
+        Assert.NotNull(personalDetails);
+        Assert.True(personalDetails.Manage, "Personal ciphers should always have Manage permission");
+    }
+
+    private async Task<(User user, Organization org, OrganizationUser orgUser)> CreateTestUserAndOrganization(
+        IUserRepository userRepository,
+        IOrganizationRepository organizationRepository,
+        IOrganizationUserRepository organizationUserRepository)
+    {
+        var user = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User",
+            Email = $"test+{Guid.NewGuid()}@email.com",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+        });
+
+        var organization = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = "Test Organization",
+            BillingEmail = user.Email,
+            Plan = "Test"
+        });
+
+        var orgUser = await organizationUserRepository.CreateAsync(new OrganizationUser
+        {
+            UserId = user.Id,
+            OrganizationId = organization.Id,
+            Status = OrganizationUserStatusType.Confirmed,
+            Type = OrganizationUserType.Owner,
+        });
+
+        return (user, organization, orgUser);
+    }
+
+    private async Task<Cipher> CreateCipherInOrganizationCollection(
+        Organization organization,
+        OrganizationUser orgUser,
+        ICipherRepository cipherRepository,
+        ICollectionRepository collectionRepository,
+        ICollectionCipherRepository collectionCipherRepository,
+        bool hasManagePermission,
+        string collectionName)
+    {
+        var collection = await collectionRepository.CreateAsync(new Collection
+        {
+            Name = collectionName,
+            OrganizationId = organization.Id,
+        });
+
+        var cipher = await cipherRepository.CreateAsync(new Cipher
+        {
+            Type = CipherType.Login,
+            OrganizationId = organization.Id,
+            Data = ""
+        });
+
+        await collectionCipherRepository.UpdateCollectionsForAdminAsync(cipher.Id, organization.Id,
+            new List<Guid> { collection.Id });
+
+        await collectionRepository.UpdateUsersAsync(collection.Id, new List<CollectionAccessSelection>
+        {
+            new() { Id = orgUser.Id, HidePasswords = false, ReadOnly = false, Manage = hasManagePermission }
+        });
+
+        return cipher;
+    }
+
+    private async Task<(Cipher manageCipher, Cipher nonManageCipher)> CreateCipherInOrganizationCollectionWithGroup(
+        Organization organization,
+        Group group,
+        ICipherRepository cipherRepository,
+        ICollectionRepository collectionRepository,
+        ICollectionCipherRepository collectionCipherRepository,
+        IGroupRepository groupRepository)
+    {
+        var manageCollection = await collectionRepository.CreateAsync(new Collection
+        {
+            Name = "Group Manage Collection",
+            OrganizationId = organization.Id,
+        });
+
+        var nonManageCollection = await collectionRepository.CreateAsync(new Collection
+        {
+            Name = "Group Non-Manage Collection",
+            OrganizationId = organization.Id,
+        });
+
+        var manageCipher = await cipherRepository.CreateAsync(new Cipher
+        {
+            Type = CipherType.Login,
+            OrganizationId = organization.Id,
+            Data = ""
+        });
+
+        var nonManageCipher = await cipherRepository.CreateAsync(new Cipher
+        {
+            Type = CipherType.Login,
+            OrganizationId = organization.Id,
+            Data = ""
+        });
+
+        await collectionCipherRepository.UpdateCollectionsForAdminAsync(manageCipher.Id, organization.Id,
+            new List<Guid> { manageCollection.Id });
+        await collectionCipherRepository.UpdateCollectionsForAdminAsync(nonManageCipher.Id, organization.Id,
+            new List<Guid> { nonManageCollection.Id });
+
+        await groupRepository.ReplaceAsync(group,
+            new[]
+            {
+                new CollectionAccessSelection
+                {
+                    Id = manageCollection.Id,
+                    HidePasswords = false,
+                    ReadOnly = false,
+                    Manage = true
+                },
+                new CollectionAccessSelection
+                {
+                    Id = nonManageCollection.Id,
+                    HidePasswords = false,
+                    ReadOnly = false,
+                    Manage = false
+                }
+            });
+
+        return (manageCipher, nonManageCipher);
+    }
+
+    private async Task<Cipher> CreatePersonalCipher(User user, ICipherRepository cipherRepository)
+    {
+        return await cipherRepository.CreateAsync(new Cipher
+        {
+            Type = CipherType.Login,
+            UserId = user.Id,
+            Data = ""
+        });
+    }
 }
diff --git a/util/Migrator/DbScripts/2025-02-19_00_UserCipherDetailsManage.sql b/util/Migrator/DbScripts/2025-02-19_00_UserCipherDetailsManage.sql
new file mode 100644
index 0000000000..c6420ff13f
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-02-19_00_UserCipherDetailsManage.sql
@@ -0,0 +1,309 @@
+CREATE OR ALTER FUNCTION [dbo].[UserCipherDetails](@UserId UNIQUEIDENTIFIER)
+RETURNS TABLE
+AS RETURN
+WITH [CTE] AS (
+    SELECT
+        [Id],
+        [OrganizationId]
+    FROM
+        [OrganizationUser]
+    WHERE
+        [UserId] = @UserId
+        AND [Status] = 2 -- Confirmed
+)
+SELECT
+    C.*,
+    CASE
+        WHEN COALESCE(CU.[ReadOnly], CG.[ReadOnly], 0) = 0
+        THEN 1
+        ELSE 0
+    END [Edit],
+    CASE
+    	WHEN COALESCE(CU.[HidePasswords], CG.[HidePasswords], 0) = 0
+    	THEN 1
+    	ELSE 0
+    END [ViewPassword],
+    CASE
+        WHEN COALESCE(CU.[Manage], CG.[Manage], 0) = 1
+        THEN 1
+        ELSE 0
+    END [Manage],
+    CASE
+        WHEN O.[UseTotp] = 1
+        THEN 1
+        ELSE 0
+    END [OrganizationUseTotp]
+FROM
+    [dbo].[CipherDetails](@UserId) C
+INNER JOIN
+    [CTE] OU ON C.[UserId] IS NULL AND C.[OrganizationId] IN (SELECT [OrganizationId] FROM [CTE])
+INNER JOIN
+    [dbo].[Organization] O ON O.[Id] = OU.[OrganizationId] AND O.[Id] = C.[OrganizationId] AND O.[Enabled] = 1
+LEFT JOIN
+    [dbo].[CollectionCipher] CC ON CC.[CipherId] = C.[Id]
+LEFT JOIN
+    [dbo].[CollectionUser] CU ON CU.[CollectionId] = CC.[CollectionId] AND CU.[OrganizationUserId] = OU.[Id]
+LEFT JOIN
+    [dbo].[GroupUser] GU ON CU.[CollectionId] IS NULL AND GU.[OrganizationUserId] = OU.[Id]
+LEFT JOIN
+    [dbo].[Group] G ON G.[Id] = GU.[GroupId]
+LEFT JOIN
+    [dbo].[CollectionGroup] CG ON CG.[CollectionId] = CC.[CollectionId] AND CG.[GroupId] = GU.[GroupId]
+WHERE
+    CU.[CollectionId] IS NOT NULL
+    OR CG.[CollectionId] IS NOT NULL
+
+UNION ALL
+
+SELECT
+    *,
+    1 [Edit],
+    1 [ViewPassword],
+    1 [Manage],
+    0 [OrganizationUseTotp]
+FROM
+    [dbo].[CipherDetails](@UserId)
+WHERE
+    [UserId] = @UserId
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[CipherDetails_ReadByIdUserId]
+    @Id UNIQUEIDENTIFIER,
+    @UserId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+SELECT
+        [Id],
+        [UserId],
+        [OrganizationId],
+        [Type],
+        [Data],
+        [Attachments],
+        [CreationDate],
+        [RevisionDate],
+        [Favorite],
+        [FolderId],
+        [DeletedDate],
+        [Reprompt],
+        [Key],
+        [OrganizationUseTotp],
+        MAX ([Edit]) AS [Edit],
+        MAX ([ViewPassword]) AS [ViewPassword],
+        MAX ([Manage]) AS [Manage]
+    FROM
+        [dbo].[UserCipherDetails](@UserId)
+    WHERE
+        [Id] = @Id
+    GROUP BY
+        [Id],
+        [UserId],
+        [OrganizationId],
+        [Type],
+        [Data],
+        [Attachments],
+        [CreationDate],
+        [RevisionDate],
+        [Favorite],
+        [FolderId],
+        [DeletedDate],
+        [Reprompt],
+        [Key],
+        [OrganizationUseTotp]
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[CipherDetails_ReadWithoutOrganizationsByUserId]
+    @UserId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        *,
+        1 [Edit],
+        1 [ViewPassword],
+        1 [Manage],
+        0 [OrganizationUseTotp]
+    FROM
+        [dbo].[CipherDetails](@UserId)
+    WHERE
+        [UserId] = @UserId
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[CipherDetails_Create]
+    @Id UNIQUEIDENTIFIER,
+    @UserId UNIQUEIDENTIFIER,
+    @OrganizationId UNIQUEIDENTIFIER,
+    @Type TINYINT,
+    @Data NVARCHAR(MAX),
+    @Favorites NVARCHAR(MAX), -- not used
+    @Folders NVARCHAR(MAX), -- not used
+    @Attachments NVARCHAR(MAX), -- not used
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7),
+    @FolderId UNIQUEIDENTIFIER,
+    @Favorite BIT,
+    @Edit BIT, -- not used
+    @ViewPassword BIT, -- not used
+    @Manage BIT, -- not used
+    @OrganizationUseTotp BIT, -- not used
+    @DeletedDate DATETIME2(7),
+    @Reprompt TINYINT,
+    @Key VARCHAR(MAX) = NULL
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    DECLARE @UserIdKey VARCHAR(50) = CONCAT('"', @UserId, '"')
+    DECLARE @UserIdPath VARCHAR(50) = CONCAT('$.', @UserIdKey)
+
+    INSERT INTO [dbo].[Cipher]
+    (
+        [Id],
+        [UserId],
+        [OrganizationId],
+        [Type],
+        [Data],
+        [Favorites],
+        [Folders],
+        [CreationDate],
+        [RevisionDate],
+        [DeletedDate],
+        [Reprompt],
+        [Key]
+    )
+    VALUES
+    (
+        @Id,
+        CASE WHEN @OrganizationId IS NULL THEN @UserId ELSE NULL END,
+        @OrganizationId,
+        @Type,
+        @Data,
+        CASE WHEN @Favorite = 1 THEN CONCAT('{', @UserIdKey, ':true}') ELSE NULL END,
+        CASE WHEN @FolderId IS NOT NULL THEN CONCAT('{', @UserIdKey, ':"', @FolderId, '"', '}') ELSE NULL END,
+        @CreationDate,
+        @RevisionDate,
+        @DeletedDate,
+        @Reprompt,
+        @Key
+    )
+
+    IF @OrganizationId IS NOT NULL
+    BEGIN
+        EXEC [dbo].[User_BumpAccountRevisionDateByCipherId] @Id, @OrganizationId
+    END
+    ELSE IF @UserId IS NOT NULL
+    BEGIN
+        EXEC [dbo].[User_BumpAccountRevisionDate] @UserId
+    END
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[CipherDetails_CreateWithCollections]
+    @Id UNIQUEIDENTIFIER,
+    @UserId UNIQUEIDENTIFIER,
+    @OrganizationId UNIQUEIDENTIFIER,
+    @Type TINYINT,
+    @Data NVARCHAR(MAX),
+    @Favorites NVARCHAR(MAX), -- not used
+    @Folders NVARCHAR(MAX), -- not used
+    @Attachments NVARCHAR(MAX), -- not used
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7),
+    @FolderId UNIQUEIDENTIFIER,
+    @Favorite BIT,
+    @Edit BIT, -- not used
+    @ViewPassword BIT, -- not used
+    @Manage BIT, -- not used
+    @OrganizationUseTotp BIT, -- not used
+    @DeletedDate DATETIME2(7),
+    @Reprompt TINYINT,
+    @Key VARCHAR(MAX) = NULL,
+    @CollectionIds AS [dbo].[GuidIdArray] READONLY
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    EXEC [dbo].[CipherDetails_Create] @Id, @UserId, @OrganizationId, @Type, @Data, @Favorites, @Folders,
+        @Attachments, @CreationDate, @RevisionDate, @FolderId, @Favorite, @Edit, @ViewPassword, @Manage,
+        @OrganizationUseTotp, @DeletedDate, @Reprompt, @Key
+
+    DECLARE @UpdateCollectionsSuccess INT
+    EXEC @UpdateCollectionsSuccess = [dbo].[Cipher_UpdateCollections] @Id, @UserId, @OrganizationId, @CollectionIds
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[CipherDetails_Update]
+    @Id UNIQUEIDENTIFIER,
+    @UserId UNIQUEIDENTIFIER,
+    @OrganizationId UNIQUEIDENTIFIER,
+    @Type TINYINT,
+    @Data NVARCHAR(MAX),
+    @Favorites NVARCHAR(MAX), -- not used
+    @Folders NVARCHAR(MAX), -- not used
+    @Attachments NVARCHAR(MAX),
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7),
+    @FolderId UNIQUEIDENTIFIER,
+    @Favorite BIT,
+    @Edit BIT, -- not used
+    @ViewPassword BIT, -- not used
+    @Manage BIT, -- not used
+    @OrganizationUseTotp BIT, -- not used
+    @DeletedDate DATETIME2(2),
+    @Reprompt TINYINT,
+    @Key VARCHAR(MAX) = NULL
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    DECLARE @UserIdKey VARCHAR(50) = CONCAT('"', @UserId, '"')
+    DECLARE @UserIdPath VARCHAR(50) = CONCAT('$.', @UserIdKey)
+
+    UPDATE
+        [dbo].[Cipher]
+    SET
+        [UserId] = CASE WHEN @OrganizationId IS NULL THEN @UserId ELSE NULL END,
+        [OrganizationId] = @OrganizationId,
+        [Type] = @Type,
+        [Data] = @Data,
+        [Folders] =
+            CASE
+            WHEN @FolderId IS NOT NULL AND [Folders] IS NULL THEN
+                CONCAT('{', @UserIdKey, ':"', @FolderId, '"', '}')
+            WHEN @FolderId IS NOT NULL THEN
+                JSON_MODIFY([Folders], @UserIdPath, CAST(@FolderId AS VARCHAR(50)))
+            ELSE
+                JSON_MODIFY([Folders], @UserIdPath, NULL)
+            END,
+        [Favorites] =
+            CASE
+            WHEN @Favorite = 1 AND [Favorites] IS NULL THEN
+                CONCAT('{', @UserIdKey, ':true}')
+            WHEN @Favorite = 1 THEN
+                JSON_MODIFY([Favorites], @UserIdPath, CAST(1 AS BIT))
+            ELSE
+                JSON_MODIFY([Favorites], @UserIdPath, NULL)
+            END,
+        [Attachments] = @Attachments,
+        [Reprompt] = @Reprompt,
+        [CreationDate] = @CreationDate,
+        [RevisionDate] = @RevisionDate,
+        [DeletedDate] = @DeletedDate,
+        [Key] = @Key
+    WHERE
+        [Id] = @Id
+
+    IF @OrganizationId IS NOT NULL
+    BEGIN
+        EXEC [dbo].[User_BumpAccountRevisionDateByCipherId] @Id, @OrganizationId
+    END
+    ELSE IF @UserId IS NOT NULL
+    BEGIN
+        EXEC [dbo].[User_BumpAccountRevisionDate] @UserId
+    END
+END
+GO

From 6bc579f51ea3930444981778024abf272c26ba5c Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Mon, 24 Feb 2025 12:32:27 +0000
Subject: [PATCH 309/384] Bumped version to 2025.2.1

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index c797513c63..4b56322adb 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.2.0</Version>
+    <Version>2025.2.1</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

From 6ca98df721aacccfe9b79e4855c110d882b74fee Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Mon, 24 Feb 2025 10:42:04 -0500
Subject: [PATCH 310/384] Ac/pm 17449/add managed user validation to email
 token (#5437)

---
 .../Auth/Controllers/AccountsController.cs    |  7 ++++-
 src/Core/Exceptions/BadRequestException.cs    | 14 +++++++++-
 src/Core/Services/IUserService.cs             | 10 +++++++
 .../Services/Implementations/UserService.cs   |  4 +--
 .../Controllers/AccountsControllerTests.cs    | 28 ++++++++++++++-----
 5 files changed, 52 insertions(+), 11 deletions(-)

diff --git a/src/Api/Auth/Controllers/AccountsController.cs b/src/Api/Auth/Controllers/AccountsController.cs
index f3af49e6c3..176bc183b6 100644
--- a/src/Api/Auth/Controllers/AccountsController.cs
+++ b/src/Api/Auth/Controllers/AccountsController.cs
@@ -149,6 +149,12 @@ public class AccountsController : Controller
             throw new BadRequestException("MasterPasswordHash", "Invalid password.");
         }
 
+        var managedUserValidationResult = await _userService.ValidateManagedUserDomainAsync(user, model.NewEmail);
+
+        if (!managedUserValidationResult.Succeeded)
+        {
+            throw new BadRequestException(managedUserValidationResult.Errors);
+        }
 
         await _userService.InitiateEmailChangeAsync(user, model.NewEmail);
     }
@@ -167,7 +173,6 @@ public class AccountsController : Controller
             throw new BadRequestException("You cannot change your email when using Key Connector.");
         }
 
-
         var result = await _userService.ChangeEmailAsync(user, model.MasterPasswordHash, model.NewEmail,
             model.NewMasterPasswordHash, model.Token, model.Key);
         if (result.Succeeded)
diff --git a/src/Core/Exceptions/BadRequestException.cs b/src/Core/Exceptions/BadRequestException.cs
index e7268b6c55..042f853a57 100644
--- a/src/Core/Exceptions/BadRequestException.cs
+++ b/src/Core/Exceptions/BadRequestException.cs
@@ -1,4 +1,5 @@
-using Microsoft.AspNetCore.Mvc.ModelBinding;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Mvc.ModelBinding;
 
 namespace Bit.Core.Exceptions;
 
@@ -29,5 +30,16 @@ public class BadRequestException : Exception
         ModelState = modelState;
     }
 
+    public BadRequestException(IEnumerable<IdentityError> identityErrors)
+    : base("The model state is invalid.")
+    {
+        ModelState = new ModelStateDictionary();
+
+        foreach (var error in identityErrors)
+        {
+            ModelState.AddModelError(error.Code, error.Description);
+        }
+    }
+
     public ModelStateDictionary ModelState { get; set; }
 }
diff --git a/src/Core/Services/IUserService.cs b/src/Core/Services/IUserService.cs
index 2ac7796547..b6a1d1f05b 100644
--- a/src/Core/Services/IUserService.cs
+++ b/src/Core/Services/IUserService.cs
@@ -136,6 +136,16 @@ public interface IUserService
     /// </returns>
     Task<bool> IsManagedByAnyOrganizationAsync(Guid userId);
 
+    /// <summary>
+    /// Verify whether the new email domain meets the requirements for managed users.
+    /// </summary>
+    /// <remarks>
+    /// </remarks>
+    /// <returns>
+    /// IdentityResult 
+    /// </returns>
+    Task<IdentityResult> ValidateManagedUserDomainAsync(User user, string newEmail);
+
     /// <summary>
     /// Gets the organizations that manage the user.
     /// </summary>
diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index 2374d8f4e1..e419b832a7 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -545,7 +545,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
             return IdentityResult.Failed(_identityErrorDescriber.PasswordMismatch());
         }
 
-        var managedUserValidationResult = await ValidateManagedUserAsync(user, newEmail);
+        var managedUserValidationResult = await ValidateManagedUserDomainAsync(user, newEmail);
 
         if (!managedUserValidationResult.Succeeded)
         {
@@ -617,7 +617,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         return IdentityResult.Success;
     }
 
-    private async Task<IdentityResult> ValidateManagedUserAsync(User user, string newEmail)
+    public async Task<IdentityResult> ValidateManagedUserDomainAsync(User user, string newEmail)
     {
         var managingOrganizations = await GetOrganizationsManagingUserAsync(user.Id);
 
diff --git a/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs b/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
index 8bdb14bf78..6a9862b3d6 100644
--- a/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
+++ b/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
@@ -134,29 +134,43 @@ public class AccountsControllerTests : IDisposable
     [Fact]
     public async Task PostEmailToken_ShouldInitiateEmailChange()
     {
+        // Arrange
         var user = GenerateExampleUser();
         ConfigureUserServiceToReturnValidPrincipalFor(user);
         ConfigureUserServiceToAcceptPasswordFor(user);
-        var newEmail = "example@user.com";
+        const string newEmail = "example@user.com";
+        _userService.ValidateManagedUserDomainAsync(user, newEmail).Returns(IdentityResult.Success);
 
+        // Act
         await _sut.PostEmailToken(new EmailTokenRequestModel { NewEmail = newEmail });
 
+        // Assert
         await _userService.Received(1).InitiateEmailChangeAsync(user, newEmail);
     }
 
     [Fact]
-    public async Task PostEmailToken_WithAccountDeprovisioningEnabled_WhenUserIsNotManagedByAnOrganization_ShouldInitiateEmailChange()
+    public async Task PostEmailToken_WhenValidateManagedUserDomainAsyncFails_ShouldReturnError()
     {
+        // Arrange
         var user = GenerateExampleUser();
         ConfigureUserServiceToReturnValidPrincipalFor(user);
         ConfigureUserServiceToAcceptPasswordFor(user);
-        _featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning).Returns(true);
-        _userService.IsManagedByAnyOrganizationAsync(user.Id).Returns(false);
-        var newEmail = "example@user.com";
 
-        await _sut.PostEmailToken(new EmailTokenRequestModel { NewEmail = newEmail });
+        const string newEmail = "example@user.com";
 
-        await _userService.Received(1).InitiateEmailChangeAsync(user, newEmail);
+        _userService.ValidateManagedUserDomainAsync(user, newEmail)
+            .Returns(IdentityResult.Failed(new IdentityError
+            {
+                Code = "TestFailure",
+                Description = "This is a test."
+            }));
+
+
+        // Act
+        // Assert
+        await Assert.ThrowsAsync<BadRequestException>(
+            () => _sut.PostEmailToken(new EmailTokenRequestModel { NewEmail = newEmail })
+        );
     }
 
     [Fact]

From 0f10ca52b4886dc1afa3f624ddb5d7f342cb5c1e Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 24 Feb 2025 15:45:39 -0500
Subject: [PATCH 311/384] [deps] Auth: Lock file maintenance (#5301)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 bitwarden_license/src/Sso/package-lock.json | 204 ++++++++++----------
 src/Admin/package-lock.json                 | 204 ++++++++++----------
 2 files changed, 214 insertions(+), 194 deletions(-)

diff --git a/bitwarden_license/src/Sso/package-lock.json b/bitwarden_license/src/Sso/package-lock.json
index a0e7b767cc..1105d74cf1 100644
--- a/bitwarden_license/src/Sso/package-lock.json
+++ b/bitwarden_license/src/Sso/package-lock.json
@@ -98,9 +98,9 @@
       }
     },
     "node_modules/@parcel/watcher": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher/-/watcher-2.5.0.tgz",
-      "integrity": "sha512-i0GV1yJnm2n3Yq1qw6QrUrd/LI9bE8WEBOTtOkpCXHHdyN3TAGgqAK/DAT05z4fq2x04cARXt2pDmjWjL92iTQ==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher/-/watcher-2.5.1.tgz",
+      "integrity": "sha512-dfUnCxiN9H4ap84DvD2ubjw+3vUNpstxa0TneY/Paat8a3R4uQZDLSvWjmznAY/DoahqTHl9V46HF/Zs3F29pg==",
       "dev": true,
       "hasInstallScript": true,
       "license": "MIT",
@@ -119,25 +119,25 @@
         "url": "https://opencollective.com/parcel"
       },
       "optionalDependencies": {
-        "@parcel/watcher-android-arm64": "2.5.0",
-        "@parcel/watcher-darwin-arm64": "2.5.0",
-        "@parcel/watcher-darwin-x64": "2.5.0",
-        "@parcel/watcher-freebsd-x64": "2.5.0",
-        "@parcel/watcher-linux-arm-glibc": "2.5.0",
-        "@parcel/watcher-linux-arm-musl": "2.5.0",
-        "@parcel/watcher-linux-arm64-glibc": "2.5.0",
-        "@parcel/watcher-linux-arm64-musl": "2.5.0",
-        "@parcel/watcher-linux-x64-glibc": "2.5.0",
-        "@parcel/watcher-linux-x64-musl": "2.5.0",
-        "@parcel/watcher-win32-arm64": "2.5.0",
-        "@parcel/watcher-win32-ia32": "2.5.0",
-        "@parcel/watcher-win32-x64": "2.5.0"
+        "@parcel/watcher-android-arm64": "2.5.1",
+        "@parcel/watcher-darwin-arm64": "2.5.1",
+        "@parcel/watcher-darwin-x64": "2.5.1",
+        "@parcel/watcher-freebsd-x64": "2.5.1",
+        "@parcel/watcher-linux-arm-glibc": "2.5.1",
+        "@parcel/watcher-linux-arm-musl": "2.5.1",
+        "@parcel/watcher-linux-arm64-glibc": "2.5.1",
+        "@parcel/watcher-linux-arm64-musl": "2.5.1",
+        "@parcel/watcher-linux-x64-glibc": "2.5.1",
+        "@parcel/watcher-linux-x64-musl": "2.5.1",
+        "@parcel/watcher-win32-arm64": "2.5.1",
+        "@parcel/watcher-win32-ia32": "2.5.1",
+        "@parcel/watcher-win32-x64": "2.5.1"
       }
     },
     "node_modules/@parcel/watcher-android-arm64": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-android-arm64/-/watcher-android-arm64-2.5.0.tgz",
-      "integrity": "sha512-qlX4eS28bUcQCdribHkg/herLe+0A9RyYC+mm2PXpncit8z5b3nSqGVzMNR3CmtAOgRutiZ02eIJJgP/b1iEFQ==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-android-arm64/-/watcher-android-arm64-2.5.1.tgz",
+      "integrity": "sha512-KF8+j9nNbUN8vzOFDpRMsaKBHZ/mcjEjMToVMJOhTozkDonQFFrRcfdLWn6yWKCmJKmdVxSgHiYvTCef4/qcBA==",
       "cpu": [
         "arm64"
       ],
@@ -156,9 +156,9 @@
       }
     },
     "node_modules/@parcel/watcher-darwin-arm64": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-arm64/-/watcher-darwin-arm64-2.5.0.tgz",
-      "integrity": "sha512-hyZ3TANnzGfLpRA2s/4U1kbw2ZI4qGxaRJbBH2DCSREFfubMswheh8TeiC1sGZ3z2jUf3s37P0BBlrD3sjVTUw==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-arm64/-/watcher-darwin-arm64-2.5.1.tgz",
+      "integrity": "sha512-eAzPv5osDmZyBhou8PoF4i6RQXAfeKL9tjb3QzYuccXFMQU0ruIc/POh30ePnaOyD1UXdlKguHBmsTs53tVoPw==",
       "cpu": [
         "arm64"
       ],
@@ -177,9 +177,9 @@
       }
     },
     "node_modules/@parcel/watcher-darwin-x64": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-x64/-/watcher-darwin-x64-2.5.0.tgz",
-      "integrity": "sha512-9rhlwd78saKf18fT869/poydQK8YqlU26TMiNg7AIu7eBp9adqbJZqmdFOsbZ5cnLp5XvRo9wcFmNHgHdWaGYA==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-x64/-/watcher-darwin-x64-2.5.1.tgz",
+      "integrity": "sha512-1ZXDthrnNmwv10A0/3AJNZ9JGlzrF82i3gNQcWOzd7nJ8aj+ILyW1MTxVk35Db0u91oD5Nlk9MBiujMlwmeXZg==",
       "cpu": [
         "x64"
       ],
@@ -198,9 +198,9 @@
       }
     },
     "node_modules/@parcel/watcher-freebsd-x64": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-freebsd-x64/-/watcher-freebsd-x64-2.5.0.tgz",
-      "integrity": "sha512-syvfhZzyM8kErg3VF0xpV8dixJ+RzbUaaGaeb7uDuz0D3FK97/mZ5AJQ3XNnDsXX7KkFNtyQyFrXZzQIcN49Tw==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-freebsd-x64/-/watcher-freebsd-x64-2.5.1.tgz",
+      "integrity": "sha512-SI4eljM7Flp9yPuKi8W0ird8TI/JK6CSxju3NojVI6BjHsTyK7zxA9urjVjEKJ5MBYC+bLmMcbAWlZ+rFkLpJQ==",
       "cpu": [
         "x64"
       ],
@@ -219,9 +219,9 @@
       }
     },
     "node_modules/@parcel/watcher-linux-arm-glibc": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm-glibc/-/watcher-linux-arm-glibc-2.5.0.tgz",
-      "integrity": "sha512-0VQY1K35DQET3dVYWpOaPFecqOT9dbuCfzjxoQyif1Wc574t3kOSkKevULddcR9znz1TcklCE7Ht6NIxjvTqLA==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm-glibc/-/watcher-linux-arm-glibc-2.5.1.tgz",
+      "integrity": "sha512-RCdZlEyTs8geyBkkcnPWvtXLY44BCeZKmGYRtSgtwwnHR4dxfHRG3gR99XdMEdQ7KeiDdasJwwvNSF5jKtDwdA==",
       "cpu": [
         "arm"
       ],
@@ -240,9 +240,9 @@
       }
     },
     "node_modules/@parcel/watcher-linux-arm-musl": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm-musl/-/watcher-linux-arm-musl-2.5.0.tgz",
-      "integrity": "sha512-6uHywSIzz8+vi2lAzFeltnYbdHsDm3iIB57d4g5oaB9vKwjb6N6dRIgZMujw4nm5r6v9/BQH0noq6DzHrqr2pA==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm-musl/-/watcher-linux-arm-musl-2.5.1.tgz",
+      "integrity": "sha512-6E+m/Mm1t1yhB8X412stiKFG3XykmgdIOqhjWj+VL8oHkKABfu/gjFj8DvLrYVHSBNC+/u5PeNrujiSQ1zwd1Q==",
       "cpu": [
         "arm"
       ],
@@ -261,9 +261,9 @@
       }
     },
     "node_modules/@parcel/watcher-linux-arm64-glibc": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-glibc/-/watcher-linux-arm64-glibc-2.5.0.tgz",
-      "integrity": "sha512-BfNjXwZKxBy4WibDb/LDCriWSKLz+jJRL3cM/DllnHH5QUyoiUNEp3GmL80ZqxeumoADfCCP19+qiYiC8gUBjA==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-glibc/-/watcher-linux-arm64-glibc-2.5.1.tgz",
+      "integrity": "sha512-LrGp+f02yU3BN9A+DGuY3v3bmnFUggAITBGriZHUREfNEzZh/GO06FF5u2kx8x+GBEUYfyTGamol4j3m9ANe8w==",
       "cpu": [
         "arm64"
       ],
@@ -282,9 +282,9 @@
       }
     },
     "node_modules/@parcel/watcher-linux-arm64-musl": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-musl/-/watcher-linux-arm64-musl-2.5.0.tgz",
-      "integrity": "sha512-S1qARKOphxfiBEkwLUbHjCY9BWPdWnW9j7f7Hb2jPplu8UZ3nes7zpPOW9bkLbHRvWM0WDTsjdOTUgW0xLBN1Q==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-musl/-/watcher-linux-arm64-musl-2.5.1.tgz",
+      "integrity": "sha512-cFOjABi92pMYRXS7AcQv9/M1YuKRw8SZniCDw0ssQb/noPkRzA+HBDkwmyOJYp5wXcsTrhxO0zq1U11cK9jsFg==",
       "cpu": [
         "arm64"
       ],
@@ -303,9 +303,9 @@
       }
     },
     "node_modules/@parcel/watcher-linux-x64-glibc": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-x64-glibc/-/watcher-linux-x64-glibc-2.5.0.tgz",
-      "integrity": "sha512-d9AOkusyXARkFD66S6zlGXyzx5RvY+chTP9Jp0ypSTC9d4lzyRs9ovGf/80VCxjKddcUvnsGwCHWuF2EoPgWjw==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-x64-glibc/-/watcher-linux-x64-glibc-2.5.1.tgz",
+      "integrity": "sha512-GcESn8NZySmfwlTsIur+49yDqSny2IhPeZfXunQi48DMugKeZ7uy1FX83pO0X22sHntJ4Ub+9k34XQCX+oHt2A==",
       "cpu": [
         "x64"
       ],
@@ -324,9 +324,9 @@
       }
     },
     "node_modules/@parcel/watcher-linux-x64-musl": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-x64-musl/-/watcher-linux-x64-musl-2.5.0.tgz",
-      "integrity": "sha512-iqOC+GoTDoFyk/VYSFHwjHhYrk8bljW6zOhPuhi5t9ulqiYq1togGJB5e3PwYVFFfeVgc6pbz3JdQyDoBszVaA==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-x64-musl/-/watcher-linux-x64-musl-2.5.1.tgz",
+      "integrity": "sha512-n0E2EQbatQ3bXhcH2D1XIAANAcTZkQICBPVaxMeaCVBtOpBZpWJuf7LwyWPSBDITb7In8mqQgJ7gH8CILCURXg==",
       "cpu": [
         "x64"
       ],
@@ -345,9 +345,9 @@
       }
     },
     "node_modules/@parcel/watcher-win32-arm64": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-arm64/-/watcher-win32-arm64-2.5.0.tgz",
-      "integrity": "sha512-twtft1d+JRNkM5YbmexfcH/N4znDtjgysFaV9zvZmmJezQsKpkfLYJ+JFV3uygugK6AtIM2oADPkB2AdhBrNig==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-arm64/-/watcher-win32-arm64-2.5.1.tgz",
+      "integrity": "sha512-RFzklRvmc3PkjKjry3hLF9wD7ppR4AKcWNzH7kXR7GUe0Igb3Nz8fyPwtZCSquGrhU5HhUNDr/mKBqj7tqA2Vw==",
       "cpu": [
         "arm64"
       ],
@@ -366,9 +366,9 @@
       }
     },
     "node_modules/@parcel/watcher-win32-ia32": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-ia32/-/watcher-win32-ia32-2.5.0.tgz",
-      "integrity": "sha512-+rgpsNRKwo8A53elqbbHXdOMtY/tAtTzManTWShB5Kk54N8Q9mzNWV7tV+IbGueCbcj826MfWGU3mprWtuf1TA==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-ia32/-/watcher-win32-ia32-2.5.1.tgz",
+      "integrity": "sha512-c2KkcVN+NJmuA7CGlaGD1qJh1cLfDnQsHjE89E60vUEMlqduHGCdCLJCID5geFVM0dOtA3ZiIO8BoEQmzQVfpQ==",
       "cpu": [
         "ia32"
       ],
@@ -387,9 +387,9 @@
       }
     },
     "node_modules/@parcel/watcher-win32-x64": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-x64/-/watcher-win32-x64-2.5.0.tgz",
-      "integrity": "sha512-lPrxve92zEHdgeff3aiu4gDOIt4u7sJYha6wbdEZDCDUhtjTsOMiaJzG5lMY4GkWH8p0fMmO2Ppq5G5XXG+DQw==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-x64/-/watcher-win32-x64-2.5.1.tgz",
+      "integrity": "sha512-9lHBdJITeNR++EvSQVUcaZoWupyHfXe1jZvGZ06O/5MflPcuPLtEphScIBL+AiCWBO46tDSHzWyD0uDmmZqsgA==",
       "cpu": [
         "x64"
       ],
@@ -455,9 +455,9 @@
       "license": "MIT"
     },
     "node_modules/@types/node": {
-      "version": "22.10.2",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-22.10.2.tgz",
-      "integrity": "sha512-Xxr6BBRCAOQixvonOye19wnzyDiUtTeqldOOmj3CkeblonbccA12PFwlufvRdrpjXxqnmUaeiU5EOA+7s5diUQ==",
+      "version": "22.13.5",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-22.13.5.tgz",
+      "integrity": "sha512-+lTU0PxZXn0Dr1NBtC7Y8cR21AJr87dLLU953CWA6pMxxv/UDc7jYAY90upcrie1nRcD6XNG5HOYEDtgW5TxAg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -781,9 +781,9 @@
       }
     },
     "node_modules/browserslist": {
-      "version": "4.24.3",
-      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.24.3.tgz",
-      "integrity": "sha512-1CPmv8iobE2fyRMV97dAcMVegvvWKxmq94hkLiAkUGwKVTyDLw33K+ZxiFrREKmmps4rIw6grcCFCnTMSZ/YiA==",
+      "version": "4.24.4",
+      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.24.4.tgz",
+      "integrity": "sha512-KDi1Ny1gSePi1vm0q4oxSF8b4DR44GF4BbmS2YdhPLOEqd8pDviZOGH/GsmRwoWJ2+5Lr085X7naowMwKHDG1A==",
       "dev": true,
       "funding": [
         {
@@ -821,9 +821,9 @@
       "license": "MIT"
     },
     "node_modules/caniuse-lite": {
-      "version": "1.0.30001690",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001690.tgz",
-      "integrity": "sha512-5ExiE3qQN6oF8Clf8ifIDcMRCRE/dMGcETG/XGMD8/XiXm6HXQgQTh1yZYLXXpSOsEUlJm1Xr7kGULZTuGtP/w==",
+      "version": "1.0.30001700",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001700.tgz",
+      "integrity": "sha512-2S6XIXwaE7K7erT8dY+kLQcpa5ms63XlRkMkReXjle+kf6c5g38vyMl+Z5y8dSxOFDhcFe+nxnn261PLxBSQsQ==",
       "dev": true,
       "funding": [
         {
@@ -975,16 +975,16 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.75",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.75.tgz",
-      "integrity": "sha512-Lf3++DumRE/QmweGjU+ZcKqQ+3bKkU/qjaKYhIJKEOhgIO9Xs6IiAQFkfFoj+RhgDk4LUeNsLo6plExHqSyu6Q==",
+      "version": "1.5.103",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.103.tgz",
+      "integrity": "sha512-P6+XzIkfndgsrjROJWfSvVEgNHtPgbhVyTkwLjUM2HU/h7pZRORgaTlHqfAikqxKmdJMLW8fftrdGWbd/Ds0FA==",
       "dev": true,
       "license": "ISC"
     },
     "node_modules/enhanced-resolve": {
-      "version": "5.18.0",
-      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.18.0.tgz",
-      "integrity": "sha512-0/r0MySGYG8YqlayBZ6MuCfECmHFdJ5qyPh8s8wa5Hnm6SaFLSK1VYCbj+NKp090Nm1caZhD+QTnmxO7esYGyQ==",
+      "version": "5.18.1",
+      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.18.1.tgz",
+      "integrity": "sha512-ZSW3ma5GkcQBIpwZTSRAI8N71Uuwgs93IezB7mf7R60tC8ZbJideoDNKjHn2O9KIlx6rkGTTEk1xUCK2E1Y2Yg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1009,9 +1009,9 @@
       }
     },
     "node_modules/es-module-lexer": {
-      "version": "1.5.4",
-      "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-1.5.4.tgz",
-      "integrity": "sha512-MVNK56NiMrOwitFB7cqDwq0CQutbw+0BvLshJSse0MUNU+y1FC3bUS/AQg7oUng+/wKrrki7JfmwtVHkVfPLlw==",
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-1.6.0.tgz",
+      "integrity": "sha512-qqnD1yMU6tk/jnaMosogGySTZP8YtUgAffA9nMN+E/rjxcfRQ6IEk7IiozUjgxKoFHBGjTLnrHB/YC45r/59EQ==",
       "dev": true,
       "license": "MIT"
     },
@@ -1114,10 +1114,20 @@
       "license": "MIT"
     },
     "node_modules/fast-uri": {
-      "version": "3.0.3",
-      "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.0.3.tgz",
-      "integrity": "sha512-aLrHthzCjH5He4Z2H9YZ+v6Ujb9ocRuW6ZzkJQOrTxleEijANq4v1TsaPaVG1PZcuurEzrLcWRyYBYXD5cEiaw==",
+      "version": "3.0.6",
+      "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.0.6.tgz",
+      "integrity": "sha512-Atfo14OibSv5wAp4VWNsFYE1AchQRTv9cBGWET4pZWHzYshFSS9NQI6I57rdKn9croWVMbYFbLhJ+yJvmZIIHw==",
       "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/fastify"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/fastify"
+        }
+      ],
       "license": "BSD-3-Clause"
     },
     "node_modules/fastest-levenshtein": {
@@ -1632,9 +1642,9 @@
       }
     },
     "node_modules/postcss": {
-      "version": "8.4.49",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.49.tgz",
-      "integrity": "sha512-OCVPnIObs4N29kxTjzLfUryOkvZEq+pf8jTF0lg8E7uETuWHA+v7j3c/xJmiqpX450191LlmZfUKkXxkTry7nA==",
+      "version": "8.5.3",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.3.tgz",
+      "integrity": "sha512-dle9A3yYxlBSrt8Fu+IpjGT8SY8hN0mlaA6GY8t0P5PjIOZemULz/E2Bnm/2dcUOena75OTNkHI76uZBNUUq3A==",
       "dev": true,
       "funding": [
         {
@@ -1652,7 +1662,7 @@
       ],
       "license": "MIT",
       "dependencies": {
-        "nanoid": "^3.3.7",
+        "nanoid": "^3.3.8",
         "picocolors": "^1.1.1",
         "source-map-js": "^1.2.1"
       },
@@ -1724,9 +1734,9 @@
       }
     },
     "node_modules/postcss-selector-parser": {
-      "version": "7.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-7.0.0.tgz",
-      "integrity": "sha512-9RbEr1Y7FFfptd/1eEdntyjMwLeghW1bHX9GWjXo19vx4ytPQhANltvVxDggzJl7mnWM+dX28kb6cyS/4iQjlQ==",
+      "version": "7.1.0",
+      "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-7.1.0.tgz",
+      "integrity": "sha512-8sLjZwK0R+JlxlYcTuVnyT2v+htpdrjDOKuMcOVdYjt52Lh8hWRYpxBPoKx/Zg+bcjc3wx6fmQevMmUztS/ccA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1765,13 +1775,13 @@
       }
     },
     "node_modules/readdirp": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-4.0.2.tgz",
-      "integrity": "sha512-yDMz9g+VaZkqBYS/ozoBJwaBhTbZo3UNYQHNRw1D3UFQB8oHB4uS/tAODO+ZLjGWmUbKnIlOWO+aaIiAxrUWHA==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-4.1.2.tgz",
+      "integrity": "sha512-GDhwkLfywWL2s6vEjyhri+eXmfH6j1L7JE27WhqLeYzoh/A3DBaYGEj2H/HFZCn/kMfim73FXxEJTw06WtxQwg==",
       "dev": true,
       "license": "MIT",
       "engines": {
-        "node": ">= 14.16.0"
+        "node": ">= 14.18.0"
       },
       "funding": {
         "type": "individual",
@@ -1949,9 +1959,9 @@
       }
     },
     "node_modules/semver": {
-      "version": "7.6.3",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.3.tgz",
-      "integrity": "sha512-oVekP1cKtI+CTDvHWYFUcMtsK/00wmAEfyqKfNdARm8u1wNVhSgaX7A8d4UuIlUI5e84iEwOhs7ZPYRmzU9U6A==",
+      "version": "7.7.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.1.tgz",
+      "integrity": "sha512-hlq8tAfn0m/61p4BVRcPzIGr6LKiMwo4VM6dGi6pt4qcRkmNzTcWq6eCEjEh+qXjkMDvPlOFFSGwQjoEa6gyMA==",
       "dev": true,
       "license": "ISC",
       "bin": {
@@ -2078,9 +2088,9 @@
       }
     },
     "node_modules/terser": {
-      "version": "5.37.0",
-      "resolved": "https://registry.npmjs.org/terser/-/terser-5.37.0.tgz",
-      "integrity": "sha512-B8wRRkmre4ERucLM/uXx4MOV5cbnOlVAqUst+1+iLKPI0dOgFO28f84ptoQt9HEI537PMzfYa/d+GEPKTRXmYA==",
+      "version": "5.39.0",
+      "resolved": "https://registry.npmjs.org/terser/-/terser-5.39.0.tgz",
+      "integrity": "sha512-LBAhFyLho16harJoWMg/nZsQYgTrg5jXOn2nCYjRUcZZEdE3qa2zb8QEDRUGVZBW4rlazf2fxkg8tztybTaqWw==",
       "dev": true,
       "license": "BSD-2-Clause",
       "dependencies": {
@@ -2153,9 +2163,9 @@
       "license": "MIT"
     },
     "node_modules/update-browserslist-db": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.1.1.tgz",
-      "integrity": "sha512-R8UzCaa9Az+38REPiJ1tXlImTJXlVfgHZsglwBD/k6nj76ctsH1E3q4doGrukiLQd3sGQYu56r5+lo5r94l29A==",
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.1.2.tgz",
+      "integrity": "sha512-PPypAm5qvlD7XMZC3BujecnaOxwhrtoFR+Dqkk5Aa/6DssiH0ibKoketaj9w8LP7Bont1rYeoV5plxD7RTEPRg==",
       "dev": true,
       "funding": [
         {
@@ -2174,7 +2184,7 @@
       "license": "MIT",
       "dependencies": {
         "escalade": "^3.2.0",
-        "picocolors": "^1.1.0"
+        "picocolors": "^1.1.1"
       },
       "bin": {
         "update-browserslist-db": "cli.js"
diff --git a/src/Admin/package-lock.json b/src/Admin/package-lock.json
index 152edd6fc9..6f3298df5b 100644
--- a/src/Admin/package-lock.json
+++ b/src/Admin/package-lock.json
@@ -99,9 +99,9 @@
       }
     },
     "node_modules/@parcel/watcher": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher/-/watcher-2.5.0.tgz",
-      "integrity": "sha512-i0GV1yJnm2n3Yq1qw6QrUrd/LI9bE8WEBOTtOkpCXHHdyN3TAGgqAK/DAT05z4fq2x04cARXt2pDmjWjL92iTQ==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher/-/watcher-2.5.1.tgz",
+      "integrity": "sha512-dfUnCxiN9H4ap84DvD2ubjw+3vUNpstxa0TneY/Paat8a3R4uQZDLSvWjmznAY/DoahqTHl9V46HF/Zs3F29pg==",
       "dev": true,
       "hasInstallScript": true,
       "license": "MIT",
@@ -120,25 +120,25 @@
         "url": "https://opencollective.com/parcel"
       },
       "optionalDependencies": {
-        "@parcel/watcher-android-arm64": "2.5.0",
-        "@parcel/watcher-darwin-arm64": "2.5.0",
-        "@parcel/watcher-darwin-x64": "2.5.0",
-        "@parcel/watcher-freebsd-x64": "2.5.0",
-        "@parcel/watcher-linux-arm-glibc": "2.5.0",
-        "@parcel/watcher-linux-arm-musl": "2.5.0",
-        "@parcel/watcher-linux-arm64-glibc": "2.5.0",
-        "@parcel/watcher-linux-arm64-musl": "2.5.0",
-        "@parcel/watcher-linux-x64-glibc": "2.5.0",
-        "@parcel/watcher-linux-x64-musl": "2.5.0",
-        "@parcel/watcher-win32-arm64": "2.5.0",
-        "@parcel/watcher-win32-ia32": "2.5.0",
-        "@parcel/watcher-win32-x64": "2.5.0"
+        "@parcel/watcher-android-arm64": "2.5.1",
+        "@parcel/watcher-darwin-arm64": "2.5.1",
+        "@parcel/watcher-darwin-x64": "2.5.1",
+        "@parcel/watcher-freebsd-x64": "2.5.1",
+        "@parcel/watcher-linux-arm-glibc": "2.5.1",
+        "@parcel/watcher-linux-arm-musl": "2.5.1",
+        "@parcel/watcher-linux-arm64-glibc": "2.5.1",
+        "@parcel/watcher-linux-arm64-musl": "2.5.1",
+        "@parcel/watcher-linux-x64-glibc": "2.5.1",
+        "@parcel/watcher-linux-x64-musl": "2.5.1",
+        "@parcel/watcher-win32-arm64": "2.5.1",
+        "@parcel/watcher-win32-ia32": "2.5.1",
+        "@parcel/watcher-win32-x64": "2.5.1"
       }
     },
     "node_modules/@parcel/watcher-android-arm64": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-android-arm64/-/watcher-android-arm64-2.5.0.tgz",
-      "integrity": "sha512-qlX4eS28bUcQCdribHkg/herLe+0A9RyYC+mm2PXpncit8z5b3nSqGVzMNR3CmtAOgRutiZ02eIJJgP/b1iEFQ==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-android-arm64/-/watcher-android-arm64-2.5.1.tgz",
+      "integrity": "sha512-KF8+j9nNbUN8vzOFDpRMsaKBHZ/mcjEjMToVMJOhTozkDonQFFrRcfdLWn6yWKCmJKmdVxSgHiYvTCef4/qcBA==",
       "cpu": [
         "arm64"
       ],
@@ -157,9 +157,9 @@
       }
     },
     "node_modules/@parcel/watcher-darwin-arm64": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-arm64/-/watcher-darwin-arm64-2.5.0.tgz",
-      "integrity": "sha512-hyZ3TANnzGfLpRA2s/4U1kbw2ZI4qGxaRJbBH2DCSREFfubMswheh8TeiC1sGZ3z2jUf3s37P0BBlrD3sjVTUw==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-arm64/-/watcher-darwin-arm64-2.5.1.tgz",
+      "integrity": "sha512-eAzPv5osDmZyBhou8PoF4i6RQXAfeKL9tjb3QzYuccXFMQU0ruIc/POh30ePnaOyD1UXdlKguHBmsTs53tVoPw==",
       "cpu": [
         "arm64"
       ],
@@ -178,9 +178,9 @@
       }
     },
     "node_modules/@parcel/watcher-darwin-x64": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-x64/-/watcher-darwin-x64-2.5.0.tgz",
-      "integrity": "sha512-9rhlwd78saKf18fT869/poydQK8YqlU26TMiNg7AIu7eBp9adqbJZqmdFOsbZ5cnLp5XvRo9wcFmNHgHdWaGYA==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-x64/-/watcher-darwin-x64-2.5.1.tgz",
+      "integrity": "sha512-1ZXDthrnNmwv10A0/3AJNZ9JGlzrF82i3gNQcWOzd7nJ8aj+ILyW1MTxVk35Db0u91oD5Nlk9MBiujMlwmeXZg==",
       "cpu": [
         "x64"
       ],
@@ -199,9 +199,9 @@
       }
     },
     "node_modules/@parcel/watcher-freebsd-x64": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-freebsd-x64/-/watcher-freebsd-x64-2.5.0.tgz",
-      "integrity": "sha512-syvfhZzyM8kErg3VF0xpV8dixJ+RzbUaaGaeb7uDuz0D3FK97/mZ5AJQ3XNnDsXX7KkFNtyQyFrXZzQIcN49Tw==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-freebsd-x64/-/watcher-freebsd-x64-2.5.1.tgz",
+      "integrity": "sha512-SI4eljM7Flp9yPuKi8W0ird8TI/JK6CSxju3NojVI6BjHsTyK7zxA9urjVjEKJ5MBYC+bLmMcbAWlZ+rFkLpJQ==",
       "cpu": [
         "x64"
       ],
@@ -220,9 +220,9 @@
       }
     },
     "node_modules/@parcel/watcher-linux-arm-glibc": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm-glibc/-/watcher-linux-arm-glibc-2.5.0.tgz",
-      "integrity": "sha512-0VQY1K35DQET3dVYWpOaPFecqOT9dbuCfzjxoQyif1Wc574t3kOSkKevULddcR9znz1TcklCE7Ht6NIxjvTqLA==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm-glibc/-/watcher-linux-arm-glibc-2.5.1.tgz",
+      "integrity": "sha512-RCdZlEyTs8geyBkkcnPWvtXLY44BCeZKmGYRtSgtwwnHR4dxfHRG3gR99XdMEdQ7KeiDdasJwwvNSF5jKtDwdA==",
       "cpu": [
         "arm"
       ],
@@ -241,9 +241,9 @@
       }
     },
     "node_modules/@parcel/watcher-linux-arm-musl": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm-musl/-/watcher-linux-arm-musl-2.5.0.tgz",
-      "integrity": "sha512-6uHywSIzz8+vi2lAzFeltnYbdHsDm3iIB57d4g5oaB9vKwjb6N6dRIgZMujw4nm5r6v9/BQH0noq6DzHrqr2pA==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm-musl/-/watcher-linux-arm-musl-2.5.1.tgz",
+      "integrity": "sha512-6E+m/Mm1t1yhB8X412stiKFG3XykmgdIOqhjWj+VL8oHkKABfu/gjFj8DvLrYVHSBNC+/u5PeNrujiSQ1zwd1Q==",
       "cpu": [
         "arm"
       ],
@@ -262,9 +262,9 @@
       }
     },
     "node_modules/@parcel/watcher-linux-arm64-glibc": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-glibc/-/watcher-linux-arm64-glibc-2.5.0.tgz",
-      "integrity": "sha512-BfNjXwZKxBy4WibDb/LDCriWSKLz+jJRL3cM/DllnHH5QUyoiUNEp3GmL80ZqxeumoADfCCP19+qiYiC8gUBjA==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-glibc/-/watcher-linux-arm64-glibc-2.5.1.tgz",
+      "integrity": "sha512-LrGp+f02yU3BN9A+DGuY3v3bmnFUggAITBGriZHUREfNEzZh/GO06FF5u2kx8x+GBEUYfyTGamol4j3m9ANe8w==",
       "cpu": [
         "arm64"
       ],
@@ -283,9 +283,9 @@
       }
     },
     "node_modules/@parcel/watcher-linux-arm64-musl": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-musl/-/watcher-linux-arm64-musl-2.5.0.tgz",
-      "integrity": "sha512-S1qARKOphxfiBEkwLUbHjCY9BWPdWnW9j7f7Hb2jPplu8UZ3nes7zpPOW9bkLbHRvWM0WDTsjdOTUgW0xLBN1Q==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-musl/-/watcher-linux-arm64-musl-2.5.1.tgz",
+      "integrity": "sha512-cFOjABi92pMYRXS7AcQv9/M1YuKRw8SZniCDw0ssQb/noPkRzA+HBDkwmyOJYp5wXcsTrhxO0zq1U11cK9jsFg==",
       "cpu": [
         "arm64"
       ],
@@ -304,9 +304,9 @@
       }
     },
     "node_modules/@parcel/watcher-linux-x64-glibc": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-x64-glibc/-/watcher-linux-x64-glibc-2.5.0.tgz",
-      "integrity": "sha512-d9AOkusyXARkFD66S6zlGXyzx5RvY+chTP9Jp0ypSTC9d4lzyRs9ovGf/80VCxjKddcUvnsGwCHWuF2EoPgWjw==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-x64-glibc/-/watcher-linux-x64-glibc-2.5.1.tgz",
+      "integrity": "sha512-GcESn8NZySmfwlTsIur+49yDqSny2IhPeZfXunQi48DMugKeZ7uy1FX83pO0X22sHntJ4Ub+9k34XQCX+oHt2A==",
       "cpu": [
         "x64"
       ],
@@ -325,9 +325,9 @@
       }
     },
     "node_modules/@parcel/watcher-linux-x64-musl": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-x64-musl/-/watcher-linux-x64-musl-2.5.0.tgz",
-      "integrity": "sha512-iqOC+GoTDoFyk/VYSFHwjHhYrk8bljW6zOhPuhi5t9ulqiYq1togGJB5e3PwYVFFfeVgc6pbz3JdQyDoBszVaA==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-x64-musl/-/watcher-linux-x64-musl-2.5.1.tgz",
+      "integrity": "sha512-n0E2EQbatQ3bXhcH2D1XIAANAcTZkQICBPVaxMeaCVBtOpBZpWJuf7LwyWPSBDITb7In8mqQgJ7gH8CILCURXg==",
       "cpu": [
         "x64"
       ],
@@ -346,9 +346,9 @@
       }
     },
     "node_modules/@parcel/watcher-win32-arm64": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-arm64/-/watcher-win32-arm64-2.5.0.tgz",
-      "integrity": "sha512-twtft1d+JRNkM5YbmexfcH/N4znDtjgysFaV9zvZmmJezQsKpkfLYJ+JFV3uygugK6AtIM2oADPkB2AdhBrNig==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-arm64/-/watcher-win32-arm64-2.5.1.tgz",
+      "integrity": "sha512-RFzklRvmc3PkjKjry3hLF9wD7ppR4AKcWNzH7kXR7GUe0Igb3Nz8fyPwtZCSquGrhU5HhUNDr/mKBqj7tqA2Vw==",
       "cpu": [
         "arm64"
       ],
@@ -367,9 +367,9 @@
       }
     },
     "node_modules/@parcel/watcher-win32-ia32": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-ia32/-/watcher-win32-ia32-2.5.0.tgz",
-      "integrity": "sha512-+rgpsNRKwo8A53elqbbHXdOMtY/tAtTzManTWShB5Kk54N8Q9mzNWV7tV+IbGueCbcj826MfWGU3mprWtuf1TA==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-ia32/-/watcher-win32-ia32-2.5.1.tgz",
+      "integrity": "sha512-c2KkcVN+NJmuA7CGlaGD1qJh1cLfDnQsHjE89E60vUEMlqduHGCdCLJCID5geFVM0dOtA3ZiIO8BoEQmzQVfpQ==",
       "cpu": [
         "ia32"
       ],
@@ -388,9 +388,9 @@
       }
     },
     "node_modules/@parcel/watcher-win32-x64": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-x64/-/watcher-win32-x64-2.5.0.tgz",
-      "integrity": "sha512-lPrxve92zEHdgeff3aiu4gDOIt4u7sJYha6wbdEZDCDUhtjTsOMiaJzG5lMY4GkWH8p0fMmO2Ppq5G5XXG+DQw==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-x64/-/watcher-win32-x64-2.5.1.tgz",
+      "integrity": "sha512-9lHBdJITeNR++EvSQVUcaZoWupyHfXe1jZvGZ06O/5MflPcuPLtEphScIBL+AiCWBO46tDSHzWyD0uDmmZqsgA==",
       "cpu": [
         "x64"
       ],
@@ -456,9 +456,9 @@
       "license": "MIT"
     },
     "node_modules/@types/node": {
-      "version": "22.10.2",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-22.10.2.tgz",
-      "integrity": "sha512-Xxr6BBRCAOQixvonOye19wnzyDiUtTeqldOOmj3CkeblonbccA12PFwlufvRdrpjXxqnmUaeiU5EOA+7s5diUQ==",
+      "version": "22.13.5",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-22.13.5.tgz",
+      "integrity": "sha512-+lTU0PxZXn0Dr1NBtC7Y8cR21AJr87dLLU953CWA6pMxxv/UDc7jYAY90upcrie1nRcD6XNG5HOYEDtgW5TxAg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -782,9 +782,9 @@
       }
     },
     "node_modules/browserslist": {
-      "version": "4.24.3",
-      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.24.3.tgz",
-      "integrity": "sha512-1CPmv8iobE2fyRMV97dAcMVegvvWKxmq94hkLiAkUGwKVTyDLw33K+ZxiFrREKmmps4rIw6grcCFCnTMSZ/YiA==",
+      "version": "4.24.4",
+      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.24.4.tgz",
+      "integrity": "sha512-KDi1Ny1gSePi1vm0q4oxSF8b4DR44GF4BbmS2YdhPLOEqd8pDviZOGH/GsmRwoWJ2+5Lr085X7naowMwKHDG1A==",
       "dev": true,
       "funding": [
         {
@@ -822,9 +822,9 @@
       "license": "MIT"
     },
     "node_modules/caniuse-lite": {
-      "version": "1.0.30001690",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001690.tgz",
-      "integrity": "sha512-5ExiE3qQN6oF8Clf8ifIDcMRCRE/dMGcETG/XGMD8/XiXm6HXQgQTh1yZYLXXpSOsEUlJm1Xr7kGULZTuGtP/w==",
+      "version": "1.0.30001700",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001700.tgz",
+      "integrity": "sha512-2S6XIXwaE7K7erT8dY+kLQcpa5ms63XlRkMkReXjle+kf6c5g38vyMl+Z5y8dSxOFDhcFe+nxnn261PLxBSQsQ==",
       "dev": true,
       "funding": [
         {
@@ -976,16 +976,16 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.75",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.75.tgz",
-      "integrity": "sha512-Lf3++DumRE/QmweGjU+ZcKqQ+3bKkU/qjaKYhIJKEOhgIO9Xs6IiAQFkfFoj+RhgDk4LUeNsLo6plExHqSyu6Q==",
+      "version": "1.5.103",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.103.tgz",
+      "integrity": "sha512-P6+XzIkfndgsrjROJWfSvVEgNHtPgbhVyTkwLjUM2HU/h7pZRORgaTlHqfAikqxKmdJMLW8fftrdGWbd/Ds0FA==",
       "dev": true,
       "license": "ISC"
     },
     "node_modules/enhanced-resolve": {
-      "version": "5.18.0",
-      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.18.0.tgz",
-      "integrity": "sha512-0/r0MySGYG8YqlayBZ6MuCfECmHFdJ5qyPh8s8wa5Hnm6SaFLSK1VYCbj+NKp090Nm1caZhD+QTnmxO7esYGyQ==",
+      "version": "5.18.1",
+      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.18.1.tgz",
+      "integrity": "sha512-ZSW3ma5GkcQBIpwZTSRAI8N71Uuwgs93IezB7mf7R60tC8ZbJideoDNKjHn2O9KIlx6rkGTTEk1xUCK2E1Y2Yg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1010,9 +1010,9 @@
       }
     },
     "node_modules/es-module-lexer": {
-      "version": "1.5.4",
-      "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-1.5.4.tgz",
-      "integrity": "sha512-MVNK56NiMrOwitFB7cqDwq0CQutbw+0BvLshJSse0MUNU+y1FC3bUS/AQg7oUng+/wKrrki7JfmwtVHkVfPLlw==",
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-1.6.0.tgz",
+      "integrity": "sha512-qqnD1yMU6tk/jnaMosogGySTZP8YtUgAffA9nMN+E/rjxcfRQ6IEk7IiozUjgxKoFHBGjTLnrHB/YC45r/59EQ==",
       "dev": true,
       "license": "MIT"
     },
@@ -1115,10 +1115,20 @@
       "license": "MIT"
     },
     "node_modules/fast-uri": {
-      "version": "3.0.3",
-      "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.0.3.tgz",
-      "integrity": "sha512-aLrHthzCjH5He4Z2H9YZ+v6Ujb9ocRuW6ZzkJQOrTxleEijANq4v1TsaPaVG1PZcuurEzrLcWRyYBYXD5cEiaw==",
+      "version": "3.0.6",
+      "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.0.6.tgz",
+      "integrity": "sha512-Atfo14OibSv5wAp4VWNsFYE1AchQRTv9cBGWET4pZWHzYshFSS9NQI6I57rdKn9croWVMbYFbLhJ+yJvmZIIHw==",
       "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/fastify"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/fastify"
+        }
+      ],
       "license": "BSD-3-Clause"
     },
     "node_modules/fastest-levenshtein": {
@@ -1633,9 +1643,9 @@
       }
     },
     "node_modules/postcss": {
-      "version": "8.4.49",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.49.tgz",
-      "integrity": "sha512-OCVPnIObs4N29kxTjzLfUryOkvZEq+pf8jTF0lg8E7uETuWHA+v7j3c/xJmiqpX450191LlmZfUKkXxkTry7nA==",
+      "version": "8.5.3",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.3.tgz",
+      "integrity": "sha512-dle9A3yYxlBSrt8Fu+IpjGT8SY8hN0mlaA6GY8t0P5PjIOZemULz/E2Bnm/2dcUOena75OTNkHI76uZBNUUq3A==",
       "dev": true,
       "funding": [
         {
@@ -1653,7 +1663,7 @@
       ],
       "license": "MIT",
       "dependencies": {
-        "nanoid": "^3.3.7",
+        "nanoid": "^3.3.8",
         "picocolors": "^1.1.1",
         "source-map-js": "^1.2.1"
       },
@@ -1725,9 +1735,9 @@
       }
     },
     "node_modules/postcss-selector-parser": {
-      "version": "7.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-7.0.0.tgz",
-      "integrity": "sha512-9RbEr1Y7FFfptd/1eEdntyjMwLeghW1bHX9GWjXo19vx4ytPQhANltvVxDggzJl7mnWM+dX28kb6cyS/4iQjlQ==",
+      "version": "7.1.0",
+      "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-7.1.0.tgz",
+      "integrity": "sha512-8sLjZwK0R+JlxlYcTuVnyT2v+htpdrjDOKuMcOVdYjt52Lh8hWRYpxBPoKx/Zg+bcjc3wx6fmQevMmUztS/ccA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1766,13 +1776,13 @@
       }
     },
     "node_modules/readdirp": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-4.0.2.tgz",
-      "integrity": "sha512-yDMz9g+VaZkqBYS/ozoBJwaBhTbZo3UNYQHNRw1D3UFQB8oHB4uS/tAODO+ZLjGWmUbKnIlOWO+aaIiAxrUWHA==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-4.1.2.tgz",
+      "integrity": "sha512-GDhwkLfywWL2s6vEjyhri+eXmfH6j1L7JE27WhqLeYzoh/A3DBaYGEj2H/HFZCn/kMfim73FXxEJTw06WtxQwg==",
       "dev": true,
       "license": "MIT",
       "engines": {
-        "node": ">= 14.16.0"
+        "node": ">= 14.18.0"
       },
       "funding": {
         "type": "individual",
@@ -1950,9 +1960,9 @@
       }
     },
     "node_modules/semver": {
-      "version": "7.6.3",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.3.tgz",
-      "integrity": "sha512-oVekP1cKtI+CTDvHWYFUcMtsK/00wmAEfyqKfNdARm8u1wNVhSgaX7A8d4UuIlUI5e84iEwOhs7ZPYRmzU9U6A==",
+      "version": "7.7.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.1.tgz",
+      "integrity": "sha512-hlq8tAfn0m/61p4BVRcPzIGr6LKiMwo4VM6dGi6pt4qcRkmNzTcWq6eCEjEh+qXjkMDvPlOFFSGwQjoEa6gyMA==",
       "dev": true,
       "license": "ISC",
       "bin": {
@@ -2079,9 +2089,9 @@
       }
     },
     "node_modules/terser": {
-      "version": "5.37.0",
-      "resolved": "https://registry.npmjs.org/terser/-/terser-5.37.0.tgz",
-      "integrity": "sha512-B8wRRkmre4ERucLM/uXx4MOV5cbnOlVAqUst+1+iLKPI0dOgFO28f84ptoQt9HEI537PMzfYa/d+GEPKTRXmYA==",
+      "version": "5.39.0",
+      "resolved": "https://registry.npmjs.org/terser/-/terser-5.39.0.tgz",
+      "integrity": "sha512-LBAhFyLho16harJoWMg/nZsQYgTrg5jXOn2nCYjRUcZZEdE3qa2zb8QEDRUGVZBW4rlazf2fxkg8tztybTaqWw==",
       "dev": true,
       "license": "BSD-2-Clause",
       "dependencies": {
@@ -2162,9 +2172,9 @@
       "license": "MIT"
     },
     "node_modules/update-browserslist-db": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.1.1.tgz",
-      "integrity": "sha512-R8UzCaa9Az+38REPiJ1tXlImTJXlVfgHZsglwBD/k6nj76ctsH1E3q4doGrukiLQd3sGQYu56r5+lo5r94l29A==",
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.1.2.tgz",
+      "integrity": "sha512-PPypAm5qvlD7XMZC3BujecnaOxwhrtoFR+Dqkk5Aa/6DssiH0ibKoketaj9w8LP7Bont1rYeoV5plxD7RTEPRg==",
       "dev": true,
       "funding": [
         {
@@ -2183,7 +2193,7 @@
       "license": "MIT",
       "dependencies": {
         "escalade": "^3.2.0",
-        "picocolors": "^1.1.0"
+        "picocolors": "^1.1.1"
       },
       "bin": {
         "update-browserslist-db": "cli.js"

From d15c1faa74ff5151e02b6c4ffe0254c385783eea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Tue, 25 Feb 2025 14:57:30 +0000
Subject: [PATCH 312/384] [PM-12491] Create Organization disable command
 (#5348)

* Add command interface and implementation for disabling organizations

* Register organization disable command for dependency injection

* Add unit tests for OrganizationDisableCommand

* Refactor subscription handlers to use IOrganizationDisableCommand for disabling organizations

* Remove DisableAsync method from IOrganizationService and its implementation in OrganizationService

* Remove IOrganizationService dependency from SubscriptionDeletedHandler

* Remove commented TODO for sending email to owners in OrganizationDisableCommand
---
 .../SubscriptionDeletedHandler.cs             | 11 +--
 .../SubscriptionUpdatedHandler.cs             |  7 +-
 .../Interfaces/IOrganizationDisableCommand.cs | 14 ++++
 .../OrganizationDisableCommand.cs             | 33 ++++++++
 .../Services/IOrganizationService.cs          |  1 -
 .../Implementations/OrganizationService.cs    | 14 ----
 ...OrganizationServiceCollectionExtensions.cs |  4 +
 .../OrganizationDisableCommandTests.cs        | 79 +++++++++++++++++++
 8 files changed, 141 insertions(+), 22 deletions(-)
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationDisableCommand.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/Organizations/OrganizationDisableCommand.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationDisableCommandTests.cs

diff --git a/src/Billing/Services/Implementations/SubscriptionDeletedHandler.cs b/src/Billing/Services/Implementations/SubscriptionDeletedHandler.cs
index 26a1c30c14..8155928453 100644
--- a/src/Billing/Services/Implementations/SubscriptionDeletedHandler.cs
+++ b/src/Billing/Services/Implementations/SubscriptionDeletedHandler.cs
@@ -1,4 +1,5 @@
 using Bit.Billing.Constants;
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
 using Bit.Core.Services;
 using Event = Stripe.Event;
 namespace Bit.Billing.Services.Implementations;
@@ -6,20 +7,20 @@ namespace Bit.Billing.Services.Implementations;
 public class SubscriptionDeletedHandler : ISubscriptionDeletedHandler
 {
     private readonly IStripeEventService _stripeEventService;
-    private readonly IOrganizationService _organizationService;
     private readonly IUserService _userService;
     private readonly IStripeEventUtilityService _stripeEventUtilityService;
+    private readonly IOrganizationDisableCommand _organizationDisableCommand;
 
     public SubscriptionDeletedHandler(
         IStripeEventService stripeEventService,
-        IOrganizationService organizationService,
         IUserService userService,
-        IStripeEventUtilityService stripeEventUtilityService)
+        IStripeEventUtilityService stripeEventUtilityService,
+        IOrganizationDisableCommand organizationDisableCommand)
     {
         _stripeEventService = stripeEventService;
-        _organizationService = organizationService;
         _userService = userService;
         _stripeEventUtilityService = stripeEventUtilityService;
+        _organizationDisableCommand = organizationDisableCommand;
     }
 
     /// <summary>
@@ -44,7 +45,7 @@ public class SubscriptionDeletedHandler : ISubscriptionDeletedHandler
             subscription.CancellationDetails.Comment != providerMigrationCancellationComment &&
             !subscription.CancellationDetails.Comment.Contains(addedToProviderCancellationComment))
         {
-            await _organizationService.DisableAsync(organizationId.Value, subscription.CurrentPeriodEnd);
+            await _organizationDisableCommand.DisableAsync(organizationId.Value, subscription.CurrentPeriodEnd);
         }
         else if (userId.HasValue)
         {
diff --git a/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs b/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs
index 4e142f8cae..35a16ae74f 100644
--- a/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs
+++ b/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs
@@ -26,6 +26,7 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
     private readonly ISchedulerFactory _schedulerFactory;
     private readonly IFeatureService _featureService;
     private readonly IOrganizationEnableCommand _organizationEnableCommand;
+    private readonly IOrganizationDisableCommand _organizationDisableCommand;
 
     public SubscriptionUpdatedHandler(
         IStripeEventService stripeEventService,
@@ -38,7 +39,8 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
         IOrganizationRepository organizationRepository,
         ISchedulerFactory schedulerFactory,
         IFeatureService featureService,
-        IOrganizationEnableCommand organizationEnableCommand)
+        IOrganizationEnableCommand organizationEnableCommand,
+        IOrganizationDisableCommand organizationDisableCommand)
     {
         _stripeEventService = stripeEventService;
         _stripeEventUtilityService = stripeEventUtilityService;
@@ -51,6 +53,7 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
         _schedulerFactory = schedulerFactory;
         _featureService = featureService;
         _organizationEnableCommand = organizationEnableCommand;
+        _organizationDisableCommand = organizationDisableCommand;
     }
 
     /// <summary>
@@ -67,7 +70,7 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
             case StripeSubscriptionStatus.Unpaid or StripeSubscriptionStatus.IncompleteExpired
                 when organizationId.HasValue:
                 {
-                    await _organizationService.DisableAsync(organizationId.Value, subscription.CurrentPeriodEnd);
+                    await _organizationDisableCommand.DisableAsync(organizationId.Value, subscription.CurrentPeriodEnd);
                     if (subscription.Status == StripeSubscriptionStatus.Unpaid &&
                         subscription.LatestInvoice is { BillingReason: "subscription_cycle" or "subscription_create" })
                     {
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationDisableCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationDisableCommand.cs
new file mode 100644
index 0000000000..d15e9537e6
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationDisableCommand.cs
@@ -0,0 +1,14 @@
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
+
+/// <summary>
+/// Command interface for disabling organizations.
+/// </summary>
+public interface IOrganizationDisableCommand
+{
+    /// <summary>
+    /// Disables an organization with an optional expiration date.
+    /// </summary>
+    /// <param name="organizationId">The unique identifier of the organization to disable.</param>
+    /// <param name="expirationDate">Optional date when the disable status should expire.</param>
+    Task DisableAsync(Guid organizationId, DateTime? expirationDate);
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Organizations/OrganizationDisableCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/Organizations/OrganizationDisableCommand.cs
new file mode 100644
index 0000000000..63f80032b8
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/Organizations/OrganizationDisableCommand.cs
@@ -0,0 +1,33 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
+
+public class OrganizationDisableCommand : IOrganizationDisableCommand
+{
+    private readonly IOrganizationRepository _organizationRepository;
+    private readonly IApplicationCacheService _applicationCacheService;
+
+    public OrganizationDisableCommand(
+        IOrganizationRepository organizationRepository,
+        IApplicationCacheService applicationCacheService)
+    {
+        _organizationRepository = organizationRepository;
+        _applicationCacheService = applicationCacheService;
+    }
+
+    public async Task DisableAsync(Guid organizationId, DateTime? expirationDate)
+    {
+        var organization = await _organizationRepository.GetByIdAsync(organizationId);
+        if (organization is { Enabled: true })
+        {
+            organization.Enabled = false;
+            organization.ExpirationDate = expirationDate;
+            organization.RevisionDate = DateTime.UtcNow;
+
+            await _organizationRepository.ReplaceAsync(organization);
+            await _applicationCacheService.UpsertOrganizationAbilityAsync(organization);
+        }
+    }
+}
diff --git a/src/Core/AdminConsole/Services/IOrganizationService.cs b/src/Core/AdminConsole/Services/IOrganizationService.cs
index 683fbe9902..dacb2ab162 100644
--- a/src/Core/AdminConsole/Services/IOrganizationService.cs
+++ b/src/Core/AdminConsole/Services/IOrganizationService.cs
@@ -28,7 +28,6 @@ public interface IOrganizationService
     /// </summary>
     Task<(Organization organization, OrganizationUser organizationUser)> SignUpAsync(OrganizationLicense license, User owner,
         string ownerKey, string collectionName, string publicKey, string privateKey);
-    Task DisableAsync(Guid organizationId, DateTime? expirationDate);
     Task UpdateExpirationDateAsync(Guid organizationId, DateTime? expirationDate);
     Task UpdateAsync(Organization organization, bool updateBilling = false, EventType eventType = EventType.Organization_Updated);
     Task UpdateTwoFactorProviderAsync(Organization organization, TwoFactorProviderType type);
diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index 284c11cc78..14cf89a246 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -686,20 +686,6 @@ public class OrganizationService : IOrganizationService
         }
     }
 
-    public async Task DisableAsync(Guid organizationId, DateTime? expirationDate)
-    {
-        var org = await GetOrgById(organizationId);
-        if (org != null && org.Enabled)
-        {
-            org.Enabled = false;
-            org.ExpirationDate = expirationDate;
-            org.RevisionDate = DateTime.UtcNow;
-            await ReplaceAndUpdateCacheAsync(org);
-
-            // TODO: send email to owners?
-        }
-    }
-
     public async Task UpdateExpirationDateAsync(Guid organizationId, DateTime? expirationDate)
     {
         var org = await GetOrgById(organizationId);
diff --git a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
index 7db514887c..232e04fbd0 100644
--- a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
+++ b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
@@ -55,6 +55,7 @@ public static class OrganizationServiceCollectionExtensions
         services.AddOrganizationSignUpCommands();
         services.AddOrganizationDeleteCommands();
         services.AddOrganizationEnableCommands();
+        services.AddOrganizationDisableCommands();
         services.AddOrganizationAuthCommands();
         services.AddOrganizationUserCommands();
         services.AddOrganizationUserCommandsQueries();
@@ -73,6 +74,9 @@ public static class OrganizationServiceCollectionExtensions
     private static void AddOrganizationEnableCommands(this IServiceCollection services) =>
         services.AddScoped<IOrganizationEnableCommand, OrganizationEnableCommand>();
 
+    private static void AddOrganizationDisableCommands(this IServiceCollection services) =>
+        services.AddScoped<IOrganizationDisableCommand, OrganizationDisableCommand>();
+
     private static void AddOrganizationConnectionCommands(this IServiceCollection services)
     {
         services.AddScoped<ICreateOrganizationConnectionCommand, CreateOrganizationConnectionCommand>();
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationDisableCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationDisableCommandTests.cs
new file mode 100644
index 0000000000..9e77a56b93
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationDisableCommandTests.cs
@@ -0,0 +1,79 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Organizations;
+
+[SutProviderCustomize]
+public class OrganizationDisableCommandTests
+{
+    [Theory, BitAutoData]
+    public async Task DisableAsync_WhenOrganizationEnabled_DisablesSuccessfully(
+        Organization organization,
+        DateTime expirationDate,
+        SutProvider<OrganizationDisableCommand> sutProvider)
+    {
+        organization.Enabled = true;
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        await sutProvider.Sut.DisableAsync(organization.Id, expirationDate);
+
+        Assert.False(organization.Enabled);
+        Assert.Equal(expirationDate, organization.ExpirationDate);
+
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .Received(1)
+            .ReplaceAsync(organization);
+        await sutProvider.GetDependency<IApplicationCacheService>()
+            .Received(1)
+            .UpsertOrganizationAbilityAsync(organization);
+    }
+
+    [Theory, BitAutoData]
+    public async Task DisableAsync_WhenOrganizationNotFound_DoesNothing(
+        Guid organizationId,
+        DateTime expirationDate,
+        SutProvider<OrganizationDisableCommand> sutProvider)
+    {
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organizationId)
+            .Returns((Organization)null);
+
+        await sutProvider.Sut.DisableAsync(organizationId, expirationDate);
+
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .DidNotReceive()
+            .ReplaceAsync(Arg.Any<Organization>());
+        await sutProvider.GetDependency<IApplicationCacheService>()
+            .DidNotReceive()
+            .UpsertOrganizationAbilityAsync(Arg.Any<Organization>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task DisableAsync_WhenOrganizationAlreadyDisabled_DoesNothing(
+        Organization organization,
+        DateTime expirationDate,
+        SutProvider<OrganizationDisableCommand> sutProvider)
+    {
+        organization.Enabled = false;
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        await sutProvider.Sut.DisableAsync(organization.Id, expirationDate);
+
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .DidNotReceive()
+            .ReplaceAsync(Arg.Any<Organization>());
+        await sutProvider.GetDependency<IApplicationCacheService>()
+            .DidNotReceive()
+            .UpsertOrganizationAbilityAsync(Arg.Any<Organization>());
+    }
+}

From 66feebd35833e622d56ccbf09dcff3b61e869b4f Mon Sep 17 00:00:00 2001
From: cyprain-okeke <108260115+cyprain-okeke@users.noreply.github.com>
Date: Tue, 25 Feb 2025 16:32:19 +0100
Subject: [PATCH 313/384] [PM-13127]Breadcrumb event logs (#5430)

* Rename the feature flag to lowercase

* Rename the feature flag to epic

---------

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>
---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 879e8365fc..a862978722 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -173,6 +173,7 @@ public static class FeatureFlagKeys
     public const string RecoveryCodeLogin = "pm-17128-recovery-code-login";
     public const string PM3503_MobileAnonAddySelfHostAlias = "anon-addy-self-host-alias";
     public const string AndroidImportLoginsFlow = "import-logins-flow";
+    public const string PM12276Breadcrumbing = "pm-12276-breadcrumbing-for-business-features";
 
     public static List<string> GetAllKeys()
     {

From 622ef902ed882ffd62ccce21e7eae73e2a71350d Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Tue, 25 Feb 2025 13:36:12 -0500
Subject: [PATCH 314/384] [PM-18578] Don't enable automatic tax for non-taxable
 non-US businesses during `invoice.upcoming` (#5443)

* Only enable automatic tax for US subscriptions or EU subscriptions that are taxable.

* Run dotnet format
---
 .../Implementations/UpcomingInvoiceHandler.cs | 216 +++++++++---------
 .../Billing/Extensions/CustomerExtensions.cs  |   9 +
 2 files changed, 113 insertions(+), 112 deletions(-)

diff --git a/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs b/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs
index 409bd0d18b..5315195c59 100644
--- a/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs
+++ b/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs
@@ -1,6 +1,7 @@
-using Bit.Billing.Constants;
-using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Billing.Constants;
+using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Extensions;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
 using Bit.Core.Repositories;
@@ -11,94 +12,66 @@ using Event = Stripe.Event;
 
 namespace Bit.Billing.Services.Implementations;
 
-public class UpcomingInvoiceHandler : IUpcomingInvoiceHandler
+public class UpcomingInvoiceHandler(
+    ILogger<StripeEventProcessor> logger,
+    IMailService mailService,
+    IOrganizationRepository organizationRepository,
+    IProviderRepository providerRepository,
+    IStripeFacade stripeFacade,
+    IStripeEventService stripeEventService,
+    IStripeEventUtilityService stripeEventUtilityService,
+    IUserRepository userRepository,
+    IValidateSponsorshipCommand validateSponsorshipCommand)
+    : IUpcomingInvoiceHandler
 {
-    private readonly ILogger<StripeEventProcessor> _logger;
-    private readonly IStripeEventService _stripeEventService;
-    private readonly IUserService _userService;
-    private readonly IStripeFacade _stripeFacade;
-    private readonly IMailService _mailService;
-    private readonly IProviderRepository _providerRepository;
-    private readonly IValidateSponsorshipCommand _validateSponsorshipCommand;
-    private readonly IOrganizationRepository _organizationRepository;
-    private readonly IStripeEventUtilityService _stripeEventUtilityService;
-
-    public UpcomingInvoiceHandler(
-        ILogger<StripeEventProcessor> logger,
-        IStripeEventService stripeEventService,
-        IUserService userService,
-        IStripeFacade stripeFacade,
-        IMailService mailService,
-        IProviderRepository providerRepository,
-        IValidateSponsorshipCommand validateSponsorshipCommand,
-        IOrganizationRepository organizationRepository,
-        IStripeEventUtilityService stripeEventUtilityService)
-    {
-        _logger = logger;
-        _stripeEventService = stripeEventService;
-        _userService = userService;
-        _stripeFacade = stripeFacade;
-        _mailService = mailService;
-        _providerRepository = providerRepository;
-        _validateSponsorshipCommand = validateSponsorshipCommand;
-        _organizationRepository = organizationRepository;
-        _stripeEventUtilityService = stripeEventUtilityService;
-    }
-
-    /// <summary>
-    /// Handles the <see cref="HandledStripeWebhook.UpcomingInvoice"/> event type from Stripe.
-    /// </summary>
-    /// <param name="parsedEvent"></param>
-    /// <exception cref="Exception"></exception>
     public async Task HandleAsync(Event parsedEvent)
     {
-        var invoice = await _stripeEventService.GetInvoice(parsedEvent);
+        var invoice = await stripeEventService.GetInvoice(parsedEvent);
+
         if (string.IsNullOrEmpty(invoice.SubscriptionId))
         {
-            _logger.LogWarning("Received 'invoice.upcoming' Event with ID '{eventId}' that did not include a Subscription ID", parsedEvent.Id);
+            logger.LogInformation("Received 'invoice.upcoming' Event with ID '{eventId}' that did not include a Subscription ID", parsedEvent.Id);
             return;
         }
 
-        var subscription = await _stripeFacade.GetSubscription(invoice.SubscriptionId);
-
-        if (subscription == null)
+        var subscription = await stripeFacade.GetSubscription(invoice.SubscriptionId, new SubscriptionGetOptions
         {
-            throw new Exception(
-                $"Received null Subscription from Stripe for ID '{invoice.SubscriptionId}' while processing Event with ID '{parsedEvent.Id}'");
-        }
+            Expand = ["customer.tax", "customer.tax_ids"]
+        });
 
-        var updatedSubscription = await TryEnableAutomaticTaxAsync(subscription);
-
-        var (organizationId, userId, providerId) = _stripeEventUtilityService.GetIdsFromMetadata(updatedSubscription.Metadata);
-
-        var invoiceLineItemDescriptions = invoice.Lines.Select(i => i.Description).ToList();
+        var (organizationId, userId, providerId) = stripeEventUtilityService.GetIdsFromMetadata(subscription.Metadata);
 
         if (organizationId.HasValue)
         {
-            if (_stripeEventUtilityService.IsSponsoredSubscription(updatedSubscription))
-            {
-                var sponsorshipIsValid =
-                    await _validateSponsorshipCommand.ValidateSponsorshipAsync(organizationId.Value);
-                if (!sponsorshipIsValid)
-                {
-                    // If the sponsorship is invalid, then the subscription was updated to use the regular families plan
-                    // price. Given that this is the case, we need the new invoice amount
-                    subscription = await _stripeFacade.GetSubscription(subscription.Id,
-                        new SubscriptionGetOptions { Expand = ["latest_invoice"] });
+            var organization = await organizationRepository.GetByIdAsync(organizationId.Value);
 
-                    invoice = subscription.LatestInvoice;
-                    invoiceLineItemDescriptions = invoice.Lines.Select(i => i.Description).ToList();
-                }
-            }
-
-            var organization = await _organizationRepository.GetByIdAsync(organizationId.Value);
-
-            if (organization == null || !OrgPlanForInvoiceNotifications(organization))
+            if (organization == null)
             {
                 return;
             }
 
-            await SendEmails(new List<string> { organization.BillingEmail });
+            await TryEnableAutomaticTaxAsync(subscription);
+
+            if (!HasAnnualPlan(organization))
+            {
+                return;
+            }
+
+            if (stripeEventUtilityService.IsSponsoredSubscription(subscription))
+            {
+                var sponsorshipIsValid = await validateSponsorshipCommand.ValidateSponsorshipAsync(organizationId.Value);
+
+                if (!sponsorshipIsValid)
+                {
+                    /*
+                     * If the sponsorship is invalid, then the subscription was updated to use the regular families plan
+                     * price. Given that this is the case, we need the new invoice amount
+                     */
+                    invoice = await stripeFacade.GetInvoice(subscription.LatestInvoiceId);
+                }
+            }
+
+            await SendUpcomingInvoiceEmailsAsync(new List<string> { organization.BillingEmail }, invoice);
 
             /*
              * TODO: https://bitwarden.atlassian.net/browse/PM-4862
@@ -113,66 +86,85 @@ public class UpcomingInvoiceHandler : IUpcomingInvoiceHandler
         }
         else if (userId.HasValue)
         {
-            var user = await _userService.GetUserByIdAsync(userId.Value);
+            var user = await userRepository.GetByIdAsync(userId.Value);
 
-            if (user?.Premium == true)
+            if (user == null)
             {
-                await SendEmails(new List<string> { user.Email });
+                return;
+            }
+
+            await TryEnableAutomaticTaxAsync(subscription);
+
+            if (user.Premium)
+            {
+                await SendUpcomingInvoiceEmailsAsync(new List<string> { user.Email }, invoice);
             }
         }
         else if (providerId.HasValue)
         {
-            var provider = await _providerRepository.GetByIdAsync(providerId.Value);
+            var provider = await providerRepository.GetByIdAsync(providerId.Value);
 
             if (provider == null)
             {
-                _logger.LogError(
-                    "Received invoice.Upcoming webhook ({EventID}) for Provider ({ProviderID}) that does not exist",
-                    parsedEvent.Id,
-                    providerId.Value);
-
                 return;
             }
 
-            await SendEmails(new List<string> { provider.BillingEmail });
+            await TryEnableAutomaticTaxAsync(subscription);
 
+            await SendUpcomingInvoiceEmailsAsync(new List<string> { provider.BillingEmail }, invoice);
         }
+    }
+
+    private async Task SendUpcomingInvoiceEmailsAsync(IEnumerable<string> emails, Invoice invoice)
+    {
+        var validEmails = emails.Where(e => !string.IsNullOrEmpty(e));
+
+        var items = invoice.Lines.Select(i => i.Description).ToList();
+
+        if (invoice.NextPaymentAttempt.HasValue && invoice.AmountDue > 0)
+        {
+            await mailService.SendInvoiceUpcoming(
+                validEmails,
+                invoice.AmountDue / 100M,
+                invoice.NextPaymentAttempt.Value,
+                items,
+                true);
+        }
+    }
+
+    private async Task TryEnableAutomaticTaxAsync(Subscription subscription)
+    {
+        if (subscription.AutomaticTax.Enabled ||
+            !subscription.Customer.HasBillingLocation() ||
+            IsNonTaxableNonUSBusinessUseSubscription(subscription))
+        {
+            return;
+        }
+
+        await stripeFacade.UpdateSubscription(subscription.Id,
+            new SubscriptionUpdateOptions
+            {
+                DefaultTaxRates = [],
+                AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
+            });
 
         return;
 
-        /*
-         * Sends emails to the given email addresses.
-         */
-        async Task SendEmails(IEnumerable<string> emails)
+        bool IsNonTaxableNonUSBusinessUseSubscription(Subscription localSubscription)
         {
-            var validEmails = emails.Where(e => !string.IsNullOrEmpty(e));
-
-            if (invoice.NextPaymentAttempt.HasValue && invoice.AmountDue > 0)
+            var familyPriceIds = new List<string>
             {
-                await _mailService.SendInvoiceUpcoming(
-                    validEmails,
-                    invoice.AmountDue / 100M,
-                    invoice.NextPaymentAttempt.Value,
-                    invoiceLineItemDescriptions,
-                    true);
-            }
+                // TODO: Replace with the PricingClient
+                StaticStore.GetPlan(PlanType.FamiliesAnnually2019).PasswordManager.StripePlanId,
+                StaticStore.GetPlan(PlanType.FamiliesAnnually).PasswordManager.StripePlanId
+            };
+
+            return localSubscription.Customer.Address.Country != "US" &&
+                   localSubscription.Metadata.ContainsKey(StripeConstants.MetadataKeys.OrganizationId) &&
+                   !localSubscription.Items.Select(item => item.Price.Id).Intersect(familyPriceIds).Any() &&
+                   !localSubscription.Customer.TaxIds.Any();
         }
     }
 
-    private async Task<Subscription> TryEnableAutomaticTaxAsync(Subscription subscription)
-    {
-        var customerGetOptions = new CustomerGetOptions { Expand = ["tax"] };
-        var customer = await _stripeFacade.GetCustomer(subscription.CustomerId, customerGetOptions);
-
-        var subscriptionUpdateOptions = new SubscriptionUpdateOptions();
-
-        if (!subscriptionUpdateOptions.EnableAutomaticTax(customer, subscription))
-        {
-            return subscription;
-        }
-
-        return await _stripeFacade.UpdateSubscription(subscription.Id, subscriptionUpdateOptions);
-    }
-
-    private static bool OrgPlanForInvoiceNotifications(Organization org) => StaticStore.GetPlan(org.PlanType).IsAnnual;
+    private static bool HasAnnualPlan(Organization org) => StaticStore.GetPlan(org.PlanType).IsAnnual;
 }
diff --git a/src/Core/Billing/Extensions/CustomerExtensions.cs b/src/Core/Billing/Extensions/CustomerExtensions.cs
index 62f1a5055c..1847abb0ad 100644
--- a/src/Core/Billing/Extensions/CustomerExtensions.cs
+++ b/src/Core/Billing/Extensions/CustomerExtensions.cs
@@ -5,6 +5,15 @@ namespace Bit.Core.Billing.Extensions;
 
 public static class CustomerExtensions
 {
+    public static bool HasBillingLocation(this Customer customer)
+        => customer is
+        {
+            Address:
+            {
+                Country: not null and not "",
+                PostalCode: not null and not ""
+            }
+        };
 
     /// <summary>
     /// Determines if a Stripe customer supports automatic tax

From 492a3d64843b7c37796113ebb7228130c0d03a64 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 25 Feb 2025 21:42:40 -0500
Subject: [PATCH 315/384] [deps] Platform: Update azure azure-sdk-for-net
 monorepo (#4815)

* [deps] Platform: Update azure azure-sdk-for-net monorepo

* fix: fixing tests for package downgrade

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Ike Kottlowski <ikottlowski@bitwarden.com>
---
 src/Api/Api.csproj   |  3 ++-
 src/Core/Core.csproj | 12 ++++++------
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/Api/Api.csproj b/src/Api/Api.csproj
index 6505fdab5b..44b0c7e969 100644
--- a/src/Api/Api.csproj
+++ b/src/Api/Api.csproj
@@ -35,7 +35,8 @@
   <ItemGroup>
     <PackageReference Include="AspNetCore.HealthChecks.SqlServer" Version="8.0.2" />
     <PackageReference Include="AspNetCore.HealthChecks.Uris" Version="8.0.1" />
-    <PackageReference Include="Azure.Messaging.EventGrid" Version="4.25.0" />
+    <PackageReference Include="Azure.Messaging.EventGrid" Version="4.30.0" />
+    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="8.0.11" />
     <PackageReference Include="Swashbuckle.AspNetCore" Version="7.2.0" />
   </ItemGroup>
 
diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index 860cf33298..6d681a3638 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -25,18 +25,18 @@
     <PackageReference Include="AspNetCoreRateLimit.Redis" Version="2.0.0" />
     <PackageReference Include="AWSSDK.SimpleEmail" Version="3.7.402.28" />
     <PackageReference Include="AWSSDK.SQS" Version="3.7.400.85" />
-    <PackageReference Include="Azure.Data.Tables" Version="12.9.0" />
-    <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Blobs" Version="1.3.4" />
+    <PackageReference Include="Azure.Data.Tables" Version="12.10.0" />
+    <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Blobs" Version="1.5.0" />
     <PackageReference Include="Google.Protobuf" Version="3.29.2" />
     <PackageReference Include="Grpc.Net.Client" Version="2.67.0" />
     <PackageReference Include="Grpc.Tools" Version="2.68.1">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
-    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="8.0.10" />
-    <PackageReference Include="Azure.Messaging.ServiceBus" Version="7.18.1" />
-    <PackageReference Include="Azure.Storage.Blobs" Version="12.21.2" />
-    <PackageReference Include="Azure.Storage.Queues" Version="12.19.1" />
+    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="8.0.11" />
+    <PackageReference Include="Azure.Messaging.ServiceBus" Version="7.18.4" />
+    <PackageReference Include="Azure.Storage.Blobs" Version="12.23.0" />
+    <PackageReference Include="Azure.Storage.Queues" Version="12.21.0" />
     <PackageReference Include="BitPay.Light" Version="1.0.1907" />
     <PackageReference Include="DuoUniversal" Version="1.2.5" />
     <PackageReference Include="DnsClient" Version="1.8.0" />

From dd78361aa49f59a772d58e830d8c4b8e2fa148c2 Mon Sep 17 00:00:00 2001
From: Ike <137194738+ike-kottlowski@users.noreply.github.com>
Date: Wed, 26 Feb 2025 09:44:35 -0500
Subject: [PATCH 316/384] Revert "[deps] Platform: Update azure
 azure-sdk-for-net monorepo (#4815)" (#5447)

This reverts commit 492a3d64843b7c37796113ebb7228130c0d03a64.
---
 src/Api/Api.csproj   |  3 +--
 src/Core/Core.csproj | 12 ++++++------
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/src/Api/Api.csproj b/src/Api/Api.csproj
index 44b0c7e969..6505fdab5b 100644
--- a/src/Api/Api.csproj
+++ b/src/Api/Api.csproj
@@ -35,8 +35,7 @@
   <ItemGroup>
     <PackageReference Include="AspNetCore.HealthChecks.SqlServer" Version="8.0.2" />
     <PackageReference Include="AspNetCore.HealthChecks.Uris" Version="8.0.1" />
-    <PackageReference Include="Azure.Messaging.EventGrid" Version="4.30.0" />
-    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="8.0.11" />
+    <PackageReference Include="Azure.Messaging.EventGrid" Version="4.25.0" />
     <PackageReference Include="Swashbuckle.AspNetCore" Version="7.2.0" />
   </ItemGroup>
 
diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index 6d681a3638..860cf33298 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -25,18 +25,18 @@
     <PackageReference Include="AspNetCoreRateLimit.Redis" Version="2.0.0" />
     <PackageReference Include="AWSSDK.SimpleEmail" Version="3.7.402.28" />
     <PackageReference Include="AWSSDK.SQS" Version="3.7.400.85" />
-    <PackageReference Include="Azure.Data.Tables" Version="12.10.0" />
-    <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Blobs" Version="1.5.0" />
+    <PackageReference Include="Azure.Data.Tables" Version="12.9.0" />
+    <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Blobs" Version="1.3.4" />
     <PackageReference Include="Google.Protobuf" Version="3.29.2" />
     <PackageReference Include="Grpc.Net.Client" Version="2.67.0" />
     <PackageReference Include="Grpc.Tools" Version="2.68.1">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
-    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="8.0.11" />
-    <PackageReference Include="Azure.Messaging.ServiceBus" Version="7.18.4" />
-    <PackageReference Include="Azure.Storage.Blobs" Version="12.23.0" />
-    <PackageReference Include="Azure.Storage.Queues" Version="12.21.0" />
+    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="8.0.10" />
+    <PackageReference Include="Azure.Messaging.ServiceBus" Version="7.18.1" />
+    <PackageReference Include="Azure.Storage.Blobs" Version="12.21.2" />
+    <PackageReference Include="Azure.Storage.Queues" Version="12.19.1" />
     <PackageReference Include="BitPay.Light" Version="1.0.1907" />
     <PackageReference Include="DuoUniversal" Version="1.2.5" />
     <PackageReference Include="DnsClient" Version="1.8.0" />

From 4a4d256fd9bdbb00e9f3bb786f785d28706e1d7b Mon Sep 17 00:00:00 2001
From: Matt Gibson <mgibson@bitwarden.com>
Date: Wed, 26 Feb 2025 13:48:51 -0800
Subject: [PATCH 317/384] [PM-16787] Web push enablement for server (#5395)

* Allow for binning of comb IDs by date and value

* Introduce notification hub pool

* Replace device type sharding with comb + range sharding

* Fix proxy interface

* Use enumerable services for multiServiceNotificationHub

* Fix push interface usage

* Fix push notification service dependencies

* Fix push notification keys

* Fixup documentation

* Remove deprecated settings

* Fix tests

* PascalCase method names

* Remove unused request model properties

* Remove unused setting

* Improve DateFromComb precision

* Prefer readonly service enumerable

* Pascal case template holes

* Name TryParse methods TryParse

* Apply suggestions from code review

Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>

* Include preferred push technology in config response

SignalR will be the fallback, but clients should attempt web push first if offered and available to the client.

* Register web push devices

* Working signing and content encrypting

* update to RFC-8291 and RFC-8188

* Notification hub is now working, no need to create our own

* Fix body

* Flip Success Check

* use nifty json attribute

* Remove vapid private key

This is only needed to encrypt data for transmission along webpush -- it's handled by NotificationHub for us

* Add web push feature flag to control config response

* Update src/Core/NotificationHub/NotificationHubConnection.cs

Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>

* Update src/Core/NotificationHub/NotificationHubConnection.cs

Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>

* fixup! Update src/Core/NotificationHub/NotificationHubConnection.cs

* Move to platform ownership

* Remove debugging extension

* Remove unused dependencies

* Set json content directly

* Name web push registration data

* Fix FCM type typo

* Determine specific feature flag from set of flags

* Fixup merged tests

* Fixup tests

* Code quality suggestions

* Fix merged tests

* Fix test

---------

Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>
---
 src/Api/Controllers/ConfigController.cs       |   2 +-
 src/Api/Controllers/DevicesController.cs      |  13 ++
 src/Api/Models/Request/DeviceRequestModels.cs |  21 ++
 .../Models/Response/ConfigResponseModel.cs    |  32 ++-
 .../Push/Controllers/PushController.cs        |   6 +-
 src/Api/Platform/Push/PushTechnologyType.cs   |  11 ++
 src/Core/Constants.cs                         |   1 +
 .../NotificationHub/INotificationHubPool.cs   |   1 +
 .../NotificationHubConnection.cs              |  46 ++++-
 .../NotificationHub/NotificationHubPool.cs    |  15 +-
 .../NotificationHubPushRegistrationService.cs | 184 +++++++++++++-----
 .../NotificationHub/PushRegistrationData.cs   |  50 +++++
 .../Push/Services/IPushRegistrationService.cs |   4 +-
 .../Services/NoopPushRegistrationService.cs   |   3 +-
 .../Services/RelayPushRegistrationService.cs  |   5 +-
 src/Core/Services/IDeviceService.cs           |   2 +
 .../Services/Implementations/DeviceService.cs |  19 +-
 src/Core/Settings/GlobalSettings.cs           |   7 +
 src/Core/Settings/IGlobalSettings.cs          |   1 +
 src/Core/Settings/IWebPushSettings.cs         |   6 +
 .../Push/Controllers/PushControllerTests.cs   |  11 +-
 .../NotificationHubConnectionTests.cs         |   3 +-
 ...ficationHubPushRegistrationServiceTests.cs |  10 +-
 test/Core.Test/Services/DeviceServiceTests.cs |   9 +-
 .../Factories/WebApplicationFactoryBase.cs    |   4 +
 25 files changed, 383 insertions(+), 83 deletions(-)
 create mode 100644 src/Api/Platform/Push/PushTechnologyType.cs
 create mode 100644 src/Core/NotificationHub/PushRegistrationData.cs
 create mode 100644 src/Core/Settings/IWebPushSettings.cs

diff --git a/src/Api/Controllers/ConfigController.cs b/src/Api/Controllers/ConfigController.cs
index 7699c6b115..9f38a644c2 100644
--- a/src/Api/Controllers/ConfigController.cs
+++ b/src/Api/Controllers/ConfigController.cs
@@ -23,6 +23,6 @@ public class ConfigController : Controller
     [HttpGet("")]
     public ConfigResponseModel GetConfigs()
     {
-        return new ConfigResponseModel(_globalSettings, _featureService.GetAll());
+        return new ConfigResponseModel(_featureService, _globalSettings);
     }
 }
diff --git a/src/Api/Controllers/DevicesController.cs b/src/Api/Controllers/DevicesController.cs
index aab898cd62..02eb2d36d5 100644
--- a/src/Api/Controllers/DevicesController.cs
+++ b/src/Api/Controllers/DevicesController.cs
@@ -186,6 +186,19 @@ public class DevicesController : Controller
         await _deviceService.SaveAsync(model.ToDevice(device));
     }
 
+    [HttpPut("identifier/{identifier}/web-push-auth")]
+    [HttpPost("identifier/{identifier}/web-push-auth")]
+    public async Task PutWebPushAuth(string identifier, [FromBody] WebPushAuthRequestModel model)
+    {
+        var device = await _deviceRepository.GetByIdentifierAsync(identifier, _userService.GetProperUserId(User).Value);
+        if (device == null)
+        {
+            throw new NotFoundException();
+        }
+
+        await _deviceService.SaveAsync(model.ToData(), device);
+    }
+
     [AllowAnonymous]
     [HttpPut("identifier/{identifier}/clear-token")]
     [HttpPost("identifier/{identifier}/clear-token")]
diff --git a/src/Api/Models/Request/DeviceRequestModels.cs b/src/Api/Models/Request/DeviceRequestModels.cs
index 60f17bd0ee..99465501d9 100644
--- a/src/Api/Models/Request/DeviceRequestModels.cs
+++ b/src/Api/Models/Request/DeviceRequestModels.cs
@@ -1,6 +1,7 @@
 using System.ComponentModel.DataAnnotations;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
+using Bit.Core.NotificationHub;
 using Bit.Core.Utilities;
 
 namespace Bit.Api.Models.Request;
@@ -37,6 +38,26 @@ public class DeviceRequestModel
     }
 }
 
+public class WebPushAuthRequestModel
+{
+    [Required]
+    public string Endpoint { get; set; }
+    [Required]
+    public string P256dh { get; set; }
+    [Required]
+    public string Auth { get; set; }
+
+    public WebPushRegistrationData ToData()
+    {
+        return new WebPushRegistrationData
+        {
+            Endpoint = Endpoint,
+            P256dh = P256dh,
+            Auth = Auth
+        };
+    }
+}
+
 public class DeviceTokenRequestModel
 {
     [StringLength(255)]
diff --git a/src/Api/Models/Response/ConfigResponseModel.cs b/src/Api/Models/Response/ConfigResponseModel.cs
index 7328f1d164..4571089295 100644
--- a/src/Api/Models/Response/ConfigResponseModel.cs
+++ b/src/Api/Models/Response/ConfigResponseModel.cs
@@ -1,4 +1,7 @@
-using Bit.Core.Models.Api;
+using Bit.Core;
+using Bit.Core.Enums;
+using Bit.Core.Models.Api;
+using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
 
@@ -11,6 +14,7 @@ public class ConfigResponseModel : ResponseModel
     public ServerConfigResponseModel Server { get; set; }
     public EnvironmentConfigResponseModel Environment { get; set; }
     public IDictionary<string, object> FeatureStates { get; set; }
+    public PushSettings Push { get; set; }
     public ServerSettingsResponseModel Settings { get; set; }
 
     public ConfigResponseModel() : base("config")
@@ -23,8 +27,9 @@ public class ConfigResponseModel : ResponseModel
     }
 
     public ConfigResponseModel(
-        IGlobalSettings globalSettings,
-        IDictionary<string, object> featureStates) : base("config")
+        IFeatureService featureService,
+        IGlobalSettings globalSettings
+        ) : base("config")
     {
         Version = AssemblyHelpers.GetVersion();
         GitHash = AssemblyHelpers.GetGitHash();
@@ -37,7 +42,9 @@ public class ConfigResponseModel : ResponseModel
             Notifications = globalSettings.BaseServiceUri.Notifications,
             Sso = globalSettings.BaseServiceUri.Sso
         };
-        FeatureStates = featureStates;
+        FeatureStates = featureService.GetAll();
+        var webPushEnabled = FeatureStates.TryGetValue(FeatureFlagKeys.WebPush, out var webPushEnabledValue) ? (bool)webPushEnabledValue : false;
+        Push = PushSettings.Build(webPushEnabled, globalSettings);
         Settings = new ServerSettingsResponseModel
         {
             DisableUserRegistration = globalSettings.DisableUserRegistration
@@ -61,6 +68,23 @@ public class EnvironmentConfigResponseModel
     public string Sso { get; set; }
 }
 
+public class PushSettings
+{
+    public PushTechnologyType PushTechnology { get; private init; }
+    public string VapidPublicKey { get; private init; }
+
+    public static PushSettings Build(bool webPushEnabled, IGlobalSettings globalSettings)
+    {
+        var vapidPublicKey = webPushEnabled ? globalSettings.WebPush.VapidPublicKey : null;
+        var pushTechnology = vapidPublicKey != null ? PushTechnologyType.WebPush : PushTechnologyType.SignalR;
+        return new()
+        {
+            VapidPublicKey = vapidPublicKey,
+            PushTechnology = pushTechnology
+        };
+    }
+}
+
 public class ServerSettingsResponseModel
 {
     public bool DisableUserRegistration { get; set; }
diff --git a/src/Api/Platform/Push/Controllers/PushController.cs b/src/Api/Platform/Push/Controllers/PushController.cs
index f88fa4aa9e..28641a86cf 100644
--- a/src/Api/Platform/Push/Controllers/PushController.cs
+++ b/src/Api/Platform/Push/Controllers/PushController.cs
@@ -1,6 +1,7 @@
 using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Api;
+using Bit.Core.NotificationHub;
 using Bit.Core.Platform.Push;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
@@ -42,9 +43,8 @@ public class PushController : Controller
     public async Task RegisterAsync([FromBody] PushRegistrationRequestModel model)
     {
         CheckUsage();
-        await _pushRegistrationService.CreateOrUpdateRegistrationAsync(model.PushToken, Prefix(model.DeviceId),
-            Prefix(model.UserId), Prefix(model.Identifier), model.Type, model.OrganizationIds.Select(Prefix),
-            model.InstallationId);
+        await _pushRegistrationService.CreateOrUpdateRegistrationAsync(new PushRegistrationData(model.PushToken), Prefix(model.DeviceId),
+            Prefix(model.UserId), Prefix(model.Identifier), model.Type, model.OrganizationIds.Select(Prefix), model.InstallationId);
     }
 
     [HttpPost("delete")]
diff --git a/src/Api/Platform/Push/PushTechnologyType.cs b/src/Api/Platform/Push/PushTechnologyType.cs
new file mode 100644
index 0000000000..cc89abacaa
--- /dev/null
+++ b/src/Api/Platform/Push/PushTechnologyType.cs
@@ -0,0 +1,11 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Core.Enums;
+
+public enum PushTechnologyType
+{
+    [Display(Name = "SignalR")]
+    SignalR = 0,
+    [Display(Name = "WebPush")]
+    WebPush = 1,
+}
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index a862978722..82ceb817e3 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -172,6 +172,7 @@ public static class FeatureFlagKeys
     public const string AndroidMutualTls = "mutual-tls";
     public const string RecoveryCodeLogin = "pm-17128-recovery-code-login";
     public const string PM3503_MobileAnonAddySelfHostAlias = "anon-addy-self-host-alias";
+    public const string WebPush = "web-push";
     public const string AndroidImportLoginsFlow = "import-logins-flow";
     public const string PM12276Breadcrumbing = "pm-12276-breadcrumbing-for-business-features";
 
diff --git a/src/Core/NotificationHub/INotificationHubPool.cs b/src/Core/NotificationHub/INotificationHubPool.cs
index 18bae98bc6..3981598118 100644
--- a/src/Core/NotificationHub/INotificationHubPool.cs
+++ b/src/Core/NotificationHub/INotificationHubPool.cs
@@ -4,6 +4,7 @@ namespace Bit.Core.NotificationHub;
 
 public interface INotificationHubPool
 {
+    NotificationHubConnection ConnectionFor(Guid comb);
     INotificationHubClient ClientFor(Guid comb);
     INotificationHubProxy AllClients { get; }
 }
diff --git a/src/Core/NotificationHub/NotificationHubConnection.cs b/src/Core/NotificationHub/NotificationHubConnection.cs
index 3a1437f70c..a68134450e 100644
--- a/src/Core/NotificationHub/NotificationHubConnection.cs
+++ b/src/Core/NotificationHub/NotificationHubConnection.cs
@@ -1,11 +1,20 @@
-using Bit.Core.Settings;
+using System.Security.Cryptography;
+using System.Text;
+using System.Web;
+using Bit.Core.Settings;
 using Bit.Core.Utilities;
 using Microsoft.Azure.NotificationHubs;
 
-class NotificationHubConnection
+namespace Bit.Core.NotificationHub;
+
+public class NotificationHubConnection
 {
     public string HubName { get; init; }
     public string ConnectionString { get; init; }
+    private Lazy<NotificationHubConnectionStringBuilder> _parsedConnectionString;
+    public Uri Endpoint => _parsedConnectionString.Value.Endpoint;
+    private string SasKey => _parsedConnectionString.Value.SharedAccessKey;
+    private string SasKeyName => _parsedConnectionString.Value.SharedAccessKeyName;
     public bool EnableSendTracing { get; init; }
     private NotificationHubClient _hubClient;
     /// <summary>
@@ -95,7 +104,38 @@ class NotificationHubConnection
         return RegistrationStartDate < queryTime;
     }
 
-    private NotificationHubConnection() { }
+    public HttpRequestMessage CreateRequest(HttpMethod method, string pathUri, params string[] queryParameters)
+    {
+        var uriBuilder = new UriBuilder(Endpoint)
+        {
+            Scheme = "https",
+            Path = $"{HubName}/{pathUri.TrimStart('/')}",
+            Query = string.Join('&', [.. queryParameters, "api-version=2015-01"]),
+        };
+
+        var result = new HttpRequestMessage(method, uriBuilder.Uri);
+        result.Headers.Add("Authorization", GenerateSasToken(uriBuilder.Uri));
+        result.Headers.Add("TrackingId", Guid.NewGuid().ToString());
+        return result;
+    }
+
+    private string GenerateSasToken(Uri uri)
+    {
+        string targetUri = Uri.EscapeDataString(uri.ToString().ToLower()).ToLower();
+        long expires = DateTime.UtcNow.AddMinutes(1).Ticks / TimeSpan.TicksPerSecond;
+        string stringToSign = targetUri + "\n" + expires;
+
+        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(SasKey)))
+        {
+            var signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
+            return $"SharedAccessSignature sr={targetUri}&sig={HttpUtility.UrlEncode(signature)}&se={expires}&skn={SasKeyName}";
+        }
+    }
+
+    private NotificationHubConnection()
+    {
+        _parsedConnectionString = new(() => new NotificationHubConnectionStringBuilder(ConnectionString));
+    }
 
     /// <summary>
     /// Creates a new NotificationHubConnection from the given settings.
diff --git a/src/Core/NotificationHub/NotificationHubPool.cs b/src/Core/NotificationHub/NotificationHubPool.cs
index 8993ee2b8e..6b48e82f88 100644
--- a/src/Core/NotificationHub/NotificationHubPool.cs
+++ b/src/Core/NotificationHub/NotificationHubPool.cs
@@ -44,6 +44,18 @@ public class NotificationHubPool : INotificationHubPool
     /// <returns></returns>
     /// <exception cref="InvalidOperationException">Thrown when no notification hub is found for a given comb.</exception>
     public INotificationHubClient ClientFor(Guid comb)
+    {
+        var resolvedConnection = ConnectionFor(comb);
+        return resolvedConnection.HubClient;
+    }
+
+    /// <summary>
+    /// Gets the NotificationHubConnection for the given comb ID.
+    /// </summary>
+    /// <param name="comb"></param>
+    /// <returns></returns>
+    /// <exception cref="InvalidOperationException">Thrown when no notification hub is found for a given comb.</exception>
+    public NotificationHubConnection ConnectionFor(Guid comb)
     {
         var possibleConnections = _connections.Where(c => c.RegistrationEnabled(comb)).ToArray();
         if (possibleConnections.Length == 0)
@@ -55,7 +67,8 @@ public class NotificationHubPool : INotificationHubPool
         }
         var resolvedConnection = possibleConnections[CoreHelpers.BinForComb(comb, possibleConnections.Length)];
         _logger.LogTrace("Resolved notification hub for comb {Comb} out of {HubCount} hubs.\n{ConnectionInfo}", comb, possibleConnections.Length, resolvedConnection.LogString);
-        return resolvedConnection.HubClient;
+        return resolvedConnection;
+
     }
 
     public INotificationHubProxy AllClients { get { return new NotificationHubClientProxy(_clients); } }
diff --git a/src/Core/NotificationHub/NotificationHubPushRegistrationService.cs b/src/Core/NotificationHub/NotificationHubPushRegistrationService.cs
index 9793c8198a..f44fcf91a0 100644
--- a/src/Core/NotificationHub/NotificationHubPushRegistrationService.cs
+++ b/src/Core/NotificationHub/NotificationHubPushRegistrationService.cs
@@ -1,82 +1,131 @@
-using Bit.Core.Enums;
+using System.Diagnostics.CodeAnalysis;
+using System.Net.Http.Headers;
+using System.Net.Http.Json;
+using System.Text.Encodings.Web;
+using System.Text.Json;
+using Bit.Core.Enums;
 using Bit.Core.Models.Data;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Utilities;
 using Microsoft.Azure.NotificationHubs;
+using Microsoft.Extensions.Logging;
 
 namespace Bit.Core.NotificationHub;
 
 public class NotificationHubPushRegistrationService : IPushRegistrationService
 {
+    private static readonly JsonSerializerOptions webPushSerializationOptions = new()
+    {
+        Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping
+    };
     private readonly IInstallationDeviceRepository _installationDeviceRepository;
     private readonly INotificationHubPool _notificationHubPool;
+    private readonly IHttpClientFactory _httpClientFactory;
+    private readonly ILogger<NotificationHubPushRegistrationService> _logger;
 
     public NotificationHubPushRegistrationService(
         IInstallationDeviceRepository installationDeviceRepository,
-        INotificationHubPool notificationHubPool)
+        INotificationHubPool notificationHubPool,
+        IHttpClientFactory httpClientFactory,
+        ILogger<NotificationHubPushRegistrationService> logger)
     {
         _installationDeviceRepository = installationDeviceRepository;
         _notificationHubPool = notificationHubPool;
+        _httpClientFactory = httpClientFactory;
+        _logger = logger;
     }
 
-    public async Task CreateOrUpdateRegistrationAsync(string pushToken, string deviceId, string userId,
+    public async Task CreateOrUpdateRegistrationAsync(PushRegistrationData data, string deviceId, string userId,
         string identifier, DeviceType type, IEnumerable<string> organizationIds, Guid installationId)
     {
-        if (string.IsNullOrWhiteSpace(pushToken))
-        {
-            return;
-        }
-
+        var orgIds = organizationIds.ToList();
+        var clientType = DeviceTypes.ToClientType(type);
         var installation = new Installation
         {
             InstallationId = deviceId,
-            PushChannel = pushToken,
+            PushChannel = data.Token,
+            Tags = new List<string>
+            {
+                $"userId:{userId}",
+                $"clientType:{clientType}"
+            }.Concat(orgIds.Select(organizationId => $"organizationId:{organizationId}")).ToList(),
             Templates = new Dictionary<string, InstallationTemplate>()
         };
 
-        var clientType = DeviceTypes.ToClientType(type);
-
-        installation.Tags = new List<string> { $"userId:{userId}", $"clientType:{clientType}" };
-
         if (!string.IsNullOrWhiteSpace(identifier))
         {
             installation.Tags.Add("deviceIdentifier:" + identifier);
         }
 
-        var organizationIdsList = organizationIds.ToList();
-        foreach (var organizationId in organizationIdsList)
-        {
-            installation.Tags.Add($"organizationId:{organizationId}");
-        }
-
         if (installationId != Guid.Empty)
         {
             installation.Tags.Add($"installationId:{installationId}");
         }
 
-        string payloadTemplate = null, messageTemplate = null, badgeMessageTemplate = null;
+        if (data.Token != null)
+        {
+            await CreateOrUpdateMobileRegistrationAsync(installation, userId, identifier, clientType, orgIds, type, installationId);
+        }
+        else if (data.WebPush != null)
+        {
+            await CreateOrUpdateWebRegistrationAsync(data.WebPush.Value.Endpoint, data.WebPush.Value.P256dh, data.WebPush.Value.Auth, installation, userId, identifier, clientType, orgIds, installationId);
+        }
+
+        if (InstallationDeviceEntity.IsInstallationDeviceId(deviceId))
+        {
+            await _installationDeviceRepository.UpsertAsync(new InstallationDeviceEntity(deviceId));
+        }
+    }
+
+    private async Task CreateOrUpdateMobileRegistrationAsync(Installation installation, string userId,
+        string identifier, ClientType clientType, List<string> organizationIds, DeviceType type, Guid installationId)
+    {
+        if (string.IsNullOrWhiteSpace(installation.PushChannel))
+        {
+            return;
+        }
+
         switch (type)
         {
             case DeviceType.Android:
-                payloadTemplate = "{\"message\":{\"data\":{\"type\":\"$(type)\",\"payload\":\"$(payload)\"}}}";
-                messageTemplate = "{\"message\":{\"data\":{\"type\":\"$(type)\"}," +
-                    "\"notification\":{\"title\":\"$(title)\",\"body\":\"$(message)\"}}}";
+                installation.Templates.Add(BuildInstallationTemplate("payload",
+                    "{\"message\":{\"data\":{\"type\":\"$(type)\",\"payload\":\"$(payload)\"}}}",
+                    userId, identifier, clientType, organizationIds, installationId));
+                installation.Templates.Add(BuildInstallationTemplate("message",
+                    "{\"message\":{\"data\":{\"type\":\"$(type)\"}," +
+                    "\"notification\":{\"title\":\"$(title)\",\"body\":\"$(message)\"}}}",
+                    userId, identifier, clientType, organizationIds, installationId));
+                installation.Templates.Add(BuildInstallationTemplate("badgeMessage",
+                    "{\"message\":{\"data\":{\"type\":\"$(type)\"}," +
+                    "\"notification\":{\"title\":\"$(title)\",\"body\":\"$(message)\"}}}",
+                    userId, identifier, clientType, organizationIds, installationId));
                 installation.Platform = NotificationPlatform.FcmV1;
                 break;
             case DeviceType.iOS:
-                payloadTemplate = "{\"data\":{\"type\":\"#(type)\",\"payload\":\"$(payload)\"}," +
-                    "\"aps\":{\"content-available\":1}}";
-                messageTemplate = "{\"data\":{\"type\":\"#(type)\"}," +
-                    "\"aps\":{\"alert\":\"$(message)\",\"badge\":null,\"content-available\":1}}";
-                badgeMessageTemplate = "{\"data\":{\"type\":\"#(type)\"}," +
-                    "\"aps\":{\"alert\":\"$(message)\",\"badge\":\"#(badge)\",\"content-available\":1}}";
-
+                installation.Templates.Add(BuildInstallationTemplate("payload",
+                    "{\"data\":{\"type\":\"#(type)\",\"payload\":\"$(payload)\"}," +
+                    "\"aps\":{\"content-available\":1}}",
+                    userId, identifier, clientType, organizationIds, installationId));
+                installation.Templates.Add(BuildInstallationTemplate("message",
+                    "{\"data\":{\"type\":\"#(type)\"}," +
+                    "\"aps\":{\"alert\":\"$(message)\",\"badge\":null,\"content-available\":1}}", userId, identifier, clientType, organizationIds, installationId));
+                installation.Templates.Add(BuildInstallationTemplate("badgeMessage",
+                    "{\"data\":{\"type\":\"#(type)\"}," +
+                    "\"aps\":{\"alert\":\"$(message)\",\"badge\":\"#(badge)\",\"content-available\":1}}",
+                    userId, identifier, clientType, organizationIds, installationId));
                 installation.Platform = NotificationPlatform.Apns;
                 break;
             case DeviceType.AndroidAmazon:
-                payloadTemplate = "{\"data\":{\"type\":\"#(type)\",\"payload\":\"$(payload)\"}}";
-                messageTemplate = "{\"data\":{\"type\":\"#(type)\",\"message\":\"$(message)\"}}";
+                installation.Templates.Add(BuildInstallationTemplate("payload",
+                    "{\"data\":{\"type\":\"#(type)\",\"payload\":\"$(payload)\"}}",
+                    userId, identifier, clientType, organizationIds, installationId));
+                installation.Templates.Add(BuildInstallationTemplate("message",
+                    "{\"data\":{\"type\":\"#(type)\",\"message\":\"$(message)\"}}",
+                    userId, identifier, clientType, organizationIds, installationId));
+                installation.Templates.Add(BuildInstallationTemplate("badgeMessage",
+                    "{\"data\":{\"type\":\"#(type)\",\"message\":\"$(message)\"}}",
+                    userId, identifier, clientType, organizationIds, installationId));
 
                 installation.Platform = NotificationPlatform.Adm;
                 break;
@@ -84,28 +133,62 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
                 break;
         }
 
-        BuildInstallationTemplate(installation, "payload", payloadTemplate, userId, identifier, clientType,
-            organizationIdsList, installationId);
-        BuildInstallationTemplate(installation, "message", messageTemplate, userId, identifier, clientType,
-            organizationIdsList, installationId);
-        BuildInstallationTemplate(installation, "badgeMessage", badgeMessageTemplate ?? messageTemplate,
-            userId, identifier, clientType, organizationIdsList, installationId);
-
-        await ClientFor(GetComb(deviceId)).CreateOrUpdateInstallationAsync(installation);
-        if (InstallationDeviceEntity.IsInstallationDeviceId(deviceId))
-        {
-            await _installationDeviceRepository.UpsertAsync(new InstallationDeviceEntity(deviceId));
-        }
+        await ClientFor(GetComb(installation.InstallationId)).CreateOrUpdateInstallationAsync(installation);
     }
 
-    private void BuildInstallationTemplate(Installation installation, string templateId, string templateBody,
-        string userId, string identifier, ClientType clientType, List<string> organizationIds, Guid installationId)
+    private async Task CreateOrUpdateWebRegistrationAsync(string endpoint, string p256dh, string auth, Installation installation, string userId,
+        string identifier, ClientType clientType, List<string> organizationIds, Guid installationId)
     {
-        if (templateBody == null)
+        // The Azure SDK is currently lacking support for web push registrations.
+        // We need to use the REST API directly.
+
+        if (string.IsNullOrWhiteSpace(endpoint) || string.IsNullOrWhiteSpace(p256dh) || string.IsNullOrWhiteSpace(auth))
         {
             return;
         }
 
+        installation.Templates.Add(BuildInstallationTemplate("payload",
+            "{\"data\":{\"type\":\"#(type)\",\"payload\":\"$(payload)\"}}",
+            userId, identifier, clientType, organizationIds, installationId));
+        installation.Templates.Add(BuildInstallationTemplate("message",
+            "{\"data\":{\"type\":\"#(type)\",\"message\":\"$(message)\"}}",
+                userId, identifier, clientType, organizationIds, installationId));
+        installation.Templates.Add(BuildInstallationTemplate("badgeMessage",
+            "{\"data\":{\"type\":\"#(type)\",\"message\":\"$(message)\"}}",
+            userId, identifier, clientType, organizationIds, installationId));
+
+        var content = new
+        {
+            installationId = installation.InstallationId,
+            pushChannel = new
+            {
+                endpoint,
+                p256dh,
+                auth
+            },
+            platform = "browser",
+            tags = installation.Tags,
+            templates = installation.Templates
+        };
+
+        var client = _httpClientFactory.CreateClient("NotificationHub");
+        var request = ConnectionFor(GetComb(installation.InstallationId)).CreateRequest(HttpMethod.Put, $"installations/{installation.InstallationId}");
+        request.Content = JsonContent.Create(content, new MediaTypeHeaderValue("application/json"), webPushSerializationOptions);
+        var response = await client.SendAsync(request);
+        var body = await response.Content.ReadAsStringAsync();
+        if (!response.IsSuccessStatusCode)
+        {
+            _logger.LogWarning("Web push registration failed: {Response}", body);
+        }
+        else
+        {
+            _logger.LogInformation("Web push registration success: {Response}", body);
+        }
+    }
+
+    private static KeyValuePair<string, InstallationTemplate> BuildInstallationTemplate(string templateId, [StringSyntax(StringSyntaxAttribute.Json)] string templateBody,
+        string userId, string identifier, ClientType clientType, List<string> organizationIds, Guid installationId)
+    {
         var fullTemplateId = $"template:{templateId}";
 
         var template = new InstallationTemplate
@@ -132,7 +215,7 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
             template.Tags.Add($"installationId:{installationId}");
         }
 
-        installation.Templates.Add(fullTemplateId, template);
+        return new KeyValuePair<string, InstallationTemplate>(fullTemplateId, template);
     }
 
     public async Task DeleteRegistrationAsync(string deviceId)
@@ -213,6 +296,11 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
         return _notificationHubPool.ClientFor(deviceId);
     }
 
+    private NotificationHubConnection ConnectionFor(Guid deviceId)
+    {
+        return _notificationHubPool.ConnectionFor(deviceId);
+    }
+
     private Guid GetComb(string deviceId)
     {
         var deviceIdString = deviceId;
diff --git a/src/Core/NotificationHub/PushRegistrationData.cs b/src/Core/NotificationHub/PushRegistrationData.cs
new file mode 100644
index 0000000000..0cdf981ee2
--- /dev/null
+++ b/src/Core/NotificationHub/PushRegistrationData.cs
@@ -0,0 +1,50 @@
+namespace Bit.Core.NotificationHub;
+
+public struct WebPushRegistrationData : IEquatable<WebPushRegistrationData>
+{
+    public string Endpoint { get; init; }
+    public string P256dh { get; init; }
+    public string Auth { get; init; }
+
+    public bool Equals(WebPushRegistrationData other)
+    {
+        return Endpoint == other.Endpoint && P256dh == other.P256dh && Auth == other.Auth;
+    }
+
+    public override int GetHashCode()
+    {
+        return HashCode.Combine(Endpoint, P256dh, Auth);
+    }
+}
+
+public class PushRegistrationData : IEquatable<PushRegistrationData>
+{
+    public string Token { get; set; }
+    public WebPushRegistrationData? WebPush { get; set; }
+    public PushRegistrationData(string token)
+    {
+        Token = token;
+    }
+
+    public PushRegistrationData(string Endpoint, string P256dh, string Auth) : this(new WebPushRegistrationData
+    {
+        Endpoint = Endpoint,
+        P256dh = P256dh,
+        Auth = Auth
+    })
+    { }
+
+    public PushRegistrationData(WebPushRegistrationData webPush)
+    {
+        WebPush = webPush;
+    }
+    public bool Equals(PushRegistrationData other)
+    {
+        return Token == other.Token && WebPush.Equals(other.WebPush);
+    }
+
+    public override int GetHashCode()
+    {
+        return HashCode.Combine(Token, WebPush.GetHashCode());
+    }
+}
diff --git a/src/Core/Platform/Push/Services/IPushRegistrationService.cs b/src/Core/Platform/Push/Services/IPushRegistrationService.cs
index 0f2a28700b..469cd2577b 100644
--- a/src/Core/Platform/Push/Services/IPushRegistrationService.cs
+++ b/src/Core/Platform/Push/Services/IPushRegistrationService.cs
@@ -1,11 +1,11 @@
 using Bit.Core.Enums;
+using Bit.Core.NotificationHub;
 
 namespace Bit.Core.Platform.Push;
 
 public interface IPushRegistrationService
 {
-    Task CreateOrUpdateRegistrationAsync(string pushToken, string deviceId, string userId,
-        string identifier, DeviceType type, IEnumerable<string> organizationIds, Guid installationId);
+    Task CreateOrUpdateRegistrationAsync(PushRegistrationData data, string deviceId, string userId, string identifier, DeviceType type, IEnumerable<string> organizationIds, Guid installationId);
     Task DeleteRegistrationAsync(string deviceId);
     Task AddUserRegistrationOrganizationAsync(IEnumerable<string> deviceIds, string organizationId);
     Task DeleteUserRegistrationOrganizationAsync(IEnumerable<string> deviceIds, string organizationId);
diff --git a/src/Core/Platform/Push/Services/NoopPushRegistrationService.cs b/src/Core/Platform/Push/Services/NoopPushRegistrationService.cs
index ac6f8a814b..9a7674232a 100644
--- a/src/Core/Platform/Push/Services/NoopPushRegistrationService.cs
+++ b/src/Core/Platform/Push/Services/NoopPushRegistrationService.cs
@@ -1,4 +1,5 @@
 using Bit.Core.Enums;
+using Bit.Core.NotificationHub;
 
 namespace Bit.Core.Platform.Push.Internal;
 
@@ -9,7 +10,7 @@ public class NoopPushRegistrationService : IPushRegistrationService
         return Task.FromResult(0);
     }
 
-    public Task CreateOrUpdateRegistrationAsync(string pushToken, string deviceId, string userId,
+    public Task CreateOrUpdateRegistrationAsync(PushRegistrationData pushRegistrationData, string deviceId, string userId,
         string identifier, DeviceType type, IEnumerable<string> organizationIds, Guid installationId)
     {
         return Task.FromResult(0);
diff --git a/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs b/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs
index 58a34c15c5..1a3843d05a 100644
--- a/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs
+++ b/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs
@@ -1,6 +1,7 @@
 using Bit.Core.Enums;
 using Bit.Core.IdentityServer;
 using Bit.Core.Models.Api;
+using Bit.Core.NotificationHub;
 using Bit.Core.Services;
 using Bit.Core.Settings;
 using Microsoft.Extensions.Logging;
@@ -24,14 +25,14 @@ public class RelayPushRegistrationService : BaseIdentityClientService, IPushRegi
     {
     }
 
-    public async Task CreateOrUpdateRegistrationAsync(string pushToken, string deviceId, string userId,
+    public async Task CreateOrUpdateRegistrationAsync(PushRegistrationData pushData, string deviceId, string userId,
         string identifier, DeviceType type, IEnumerable<string> organizationIds, Guid installationId)
     {
         var requestModel = new PushRegistrationRequestModel
         {
             DeviceId = deviceId,
             Identifier = identifier,
-            PushToken = pushToken,
+            PushToken = pushData.Token,
             Type = type,
             UserId = userId,
             OrganizationIds = organizationIds,
diff --git a/src/Core/Services/IDeviceService.cs b/src/Core/Services/IDeviceService.cs
index b5f3a0b8f1..cd055f8b46 100644
--- a/src/Core/Services/IDeviceService.cs
+++ b/src/Core/Services/IDeviceService.cs
@@ -1,10 +1,12 @@
 using Bit.Core.Auth.Models.Api.Request;
 using Bit.Core.Entities;
+using Bit.Core.NotificationHub;
 
 namespace Bit.Core.Services;
 
 public interface IDeviceService
 {
+    Task SaveAsync(WebPushRegistrationData webPush, Device device);
     Task SaveAsync(Device device);
     Task ClearTokenAsync(Device device);
     Task DeactivateAsync(Device device);
diff --git a/src/Core/Services/Implementations/DeviceService.cs b/src/Core/Services/Implementations/DeviceService.cs
index c8b0134932..99523d8e5e 100644
--- a/src/Core/Services/Implementations/DeviceService.cs
+++ b/src/Core/Services/Implementations/DeviceService.cs
@@ -3,6 +3,7 @@ using Bit.Core.Auth.Utilities;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.NotificationHub;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
@@ -28,9 +29,19 @@ public class DeviceService : IDeviceService
         _globalSettings = globalSettings;
     }
 
+    public async Task SaveAsync(WebPushRegistrationData webPush, Device device)
+    {
+        await SaveAsync(new PushRegistrationData(webPush.Endpoint, webPush.P256dh, webPush.Auth), device);
+    }
+
     public async Task SaveAsync(Device device)
     {
-        if (device.Id == default(Guid))
+        await SaveAsync(new PushRegistrationData(device.PushToken), device);
+    }
+
+    private async Task SaveAsync(PushRegistrationData data, Device device)
+    {
+        if (device.Id == default)
         {
             await _deviceRepository.CreateAsync(device);
         }
@@ -45,9 +56,9 @@ public class DeviceService : IDeviceService
                 OrganizationUserStatusType.Confirmed))
             .Select(ou => ou.OrganizationId.ToString());
 
-        await _pushRegistrationService.CreateOrUpdateRegistrationAsync(device.PushToken, device.Id.ToString(),
-            device.UserId.ToString(), device.Identifier, device.Type, organizationIdsString,
-            _globalSettings.Installation.Id);
+        await _pushRegistrationService.CreateOrUpdateRegistrationAsync(data, device.Id.ToString(),
+            device.UserId.ToString(), device.Identifier, device.Type, organizationIdsString, _globalSettings.Installation.Id);
+
     }
 
     public async Task ClearTokenAsync(Device device)
diff --git a/src/Core/Settings/GlobalSettings.cs b/src/Core/Settings/GlobalSettings.cs
index dbfc8543a3..6bb76eb50a 100644
--- a/src/Core/Settings/GlobalSettings.cs
+++ b/src/Core/Settings/GlobalSettings.cs
@@ -83,6 +83,8 @@ public class GlobalSettings : IGlobalSettings
     public virtual IDomainVerificationSettings DomainVerification { get; set; } = new DomainVerificationSettings();
     public virtual ILaunchDarklySettings LaunchDarkly { get; set; } = new LaunchDarklySettings();
     public virtual string DevelopmentDirectory { get; set; }
+    public virtual IWebPushSettings WebPush { get; set; } = new WebPushSettings();
+
     public virtual bool EnableEmailVerification { get; set; }
     public virtual string KdfDefaultHashKey { get; set; }
     public virtual string PricingUri { get; set; }
@@ -677,4 +679,9 @@ public class GlobalSettings : IGlobalSettings
         public virtual IConnectionStringSettings Redis { get; set; } = new ConnectionStringSettings();
         public virtual IConnectionStringSettings Cosmos { get; set; } = new ConnectionStringSettings();
     }
+
+    public class WebPushSettings : IWebPushSettings
+    {
+        public string VapidPublicKey { get; set; }
+    }
 }
diff --git a/src/Core/Settings/IGlobalSettings.cs b/src/Core/Settings/IGlobalSettings.cs
index b89df8abf5..411014ea32 100644
--- a/src/Core/Settings/IGlobalSettings.cs
+++ b/src/Core/Settings/IGlobalSettings.cs
@@ -27,5 +27,6 @@ public interface IGlobalSettings
     string DatabaseProvider { get; set; }
     GlobalSettings.SqlSettings SqlServer { get; set; }
     string DevelopmentDirectory { get; set; }
+    IWebPushSettings WebPush { get; set; }
     GlobalSettings.EventLoggingSettings EventLogging { get; set; }
 }
diff --git a/src/Core/Settings/IWebPushSettings.cs b/src/Core/Settings/IWebPushSettings.cs
new file mode 100644
index 0000000000..d63bec23f5
--- /dev/null
+++ b/src/Core/Settings/IWebPushSettings.cs
@@ -0,0 +1,6 @@
+namespace Bit.Core.Settings;
+
+public interface IWebPushSettings
+{
+    public string VapidPublicKey { get; set; }
+}
diff --git a/test/Api.Test/Platform/Push/Controllers/PushControllerTests.cs b/test/Api.Test/Platform/Push/Controllers/PushControllerTests.cs
index 70e1e83edb..b796a445ae 100644
--- a/test/Api.Test/Platform/Push/Controllers/PushControllerTests.cs
+++ b/test/Api.Test/Platform/Push/Controllers/PushControllerTests.cs
@@ -4,6 +4,7 @@ using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Api;
+using Bit.Core.NotificationHub;
 using Bit.Core.Platform.Push;
 using Bit.Core.Settings;
 using Bit.Test.Common.AutoFixture;
@@ -248,7 +249,7 @@ public class PushControllerTests
         Assert.Equal("Not correctly configured for push relays.", exception.Message);
 
         await sutProvider.GetDependency<IPushRegistrationService>().Received(0)
-            .CreateOrUpdateRegistrationAsync(Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(),
+            .CreateOrUpdateRegistrationAsync(Arg.Any<PushRegistrationData>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(),
                 Arg.Any<DeviceType>(), Arg.Any<IEnumerable<string>>(), Arg.Any<Guid>());
     }
 
@@ -265,7 +266,7 @@ public class PushControllerTests
         var expectedDeviceId = $"{installationId}_{deviceId}";
         var expectedOrganizationId = $"{installationId}_{organizationId}";
 
-        await sutProvider.Sut.RegisterAsync(new PushRegistrationRequestModel
+        var model = new PushRegistrationRequestModel
         {
             DeviceId = deviceId.ToString(),
             PushToken = "test-push-token",
@@ -274,10 +275,12 @@ public class PushControllerTests
             Identifier = identifier.ToString(),
             OrganizationIds = [organizationId.ToString()],
             InstallationId = installationId
-        });
+        };
+
+        await sutProvider.Sut.RegisterAsync(model);
 
         await sutProvider.GetDependency<IPushRegistrationService>().Received(1)
-            .CreateOrUpdateRegistrationAsync("test-push-token", expectedDeviceId, expectedUserId,
+            .CreateOrUpdateRegistrationAsync(Arg.Is<PushRegistrationData>(data => data.Equals(new PushRegistrationData(model.PushToken))), expectedDeviceId, expectedUserId,
                 expectedIdentifier, DeviceType.Android, Arg.Do<IEnumerable<string>>(organizationIds =>
                 {
                     var organizationIdsList = organizationIds.ToList();
diff --git a/test/Core.Test/NotificationHub/NotificationHubConnectionTests.cs b/test/Core.Test/NotificationHub/NotificationHubConnectionTests.cs
index 0d7382b3cc..fc76e5c1b7 100644
--- a/test/Core.Test/NotificationHub/NotificationHubConnectionTests.cs
+++ b/test/Core.Test/NotificationHub/NotificationHubConnectionTests.cs
@@ -1,4 +1,5 @@
-using Bit.Core.Settings;
+using Bit.Core.NotificationHub;
+using Bit.Core.Settings;
 using Bit.Core.Utilities;
 using Xunit;
 
diff --git a/test/Core.Test/NotificationHub/NotificationHubPushRegistrationServiceTests.cs b/test/Core.Test/NotificationHub/NotificationHubPushRegistrationServiceTests.cs
index 77551f53e7..b30cd3dda8 100644
--- a/test/Core.Test/NotificationHub/NotificationHubPushRegistrationServiceTests.cs
+++ b/test/Core.Test/NotificationHub/NotificationHubPushRegistrationServiceTests.cs
@@ -19,7 +19,7 @@ public class NotificationHubPushRegistrationServiceTests
         SutProvider<NotificationHubPushRegistrationService> sutProvider, Guid deviceId, Guid userId, Guid identifier,
         Guid organizationId, Guid installationId)
     {
-        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
+        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(new PushRegistrationData(pushToken), deviceId.ToString(), userId.ToString(),
             identifier.ToString(), DeviceType.Android, [organizationId.ToString()], installationId);
 
         sutProvider.GetDependency<INotificationHubPool>()
@@ -39,7 +39,7 @@ public class NotificationHubPushRegistrationServiceTests
 
         var pushToken = "test push token";
 
-        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
+        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(new PushRegistrationData(pushToken), deviceId.ToString(), userId.ToString(),
             identifierNull ? null : identifier.ToString(), DeviceType.Android,
             partOfOrganizationId ? [organizationId.ToString()] : [],
             installationIdNull ? Guid.Empty : installationId);
@@ -115,7 +115,7 @@ public class NotificationHubPushRegistrationServiceTests
 
         var pushToken = "test push token";
 
-        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
+        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(new PushRegistrationData(pushToken), deviceId.ToString(), userId.ToString(),
             identifierNull ? null : identifier.ToString(), DeviceType.iOS,
             partOfOrganizationId ? [organizationId.ToString()] : [],
             installationIdNull ? Guid.Empty : installationId);
@@ -191,7 +191,7 @@ public class NotificationHubPushRegistrationServiceTests
 
         var pushToken = "test push token";
 
-        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
+        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(new PushRegistrationData(pushToken), deviceId.ToString(), userId.ToString(),
             identifierNull ? null : identifier.ToString(), DeviceType.AndroidAmazon,
             partOfOrganizationId ? [organizationId.ToString()] : [],
             installationIdNull ? Guid.Empty : installationId);
@@ -268,7 +268,7 @@ public class NotificationHubPushRegistrationServiceTests
 
         var pushToken = "test push token";
 
-        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
+        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(new PushRegistrationData(pushToken), deviceId.ToString(), userId.ToString(),
             identifier.ToString(), deviceType, [organizationId.ToString()], installationId);
 
         sutProvider.GetDependency<INotificationHubPool>()
diff --git a/test/Core.Test/Services/DeviceServiceTests.cs b/test/Core.Test/Services/DeviceServiceTests.cs
index 95a93cf4e8..b454a0c04b 100644
--- a/test/Core.Test/Services/DeviceServiceTests.cs
+++ b/test/Core.Test/Services/DeviceServiceTests.cs
@@ -4,6 +4,7 @@ using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+using Bit.Core.NotificationHub;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -43,13 +44,13 @@ public class DeviceServiceTests
             Name = "test device",
             Type = DeviceType.Android,
             UserId = userId,
-            PushToken = "testtoken",
+            PushToken = "testToken",
             Identifier = "testid"
         };
         await deviceService.SaveAsync(device);
 
         Assert.True(device.RevisionDate - DateTime.UtcNow < TimeSpan.FromSeconds(1));
-        await pushRepo.Received(1).CreateOrUpdateRegistrationAsync("testtoken", id.ToString(),
+        await pushRepo.Received(1).CreateOrUpdateRegistrationAsync(Arg.Is<PushRegistrationData>(v => v.Token == "testToken"), id.ToString(),
             userId.ToString(), "testid", DeviceType.Android,
             Arg.Do<IEnumerable<string>>(organizationIds =>
             {
@@ -84,12 +85,12 @@ public class DeviceServiceTests
             Name = "test device",
             Type = DeviceType.Android,
             UserId = userId,
-            PushToken = "testtoken",
+            PushToken = "testToken",
             Identifier = "testid"
         };
         await deviceService.SaveAsync(device);
 
-        await pushRepo.Received(1).CreateOrUpdateRegistrationAsync("testtoken",
+        await pushRepo.Received(1).CreateOrUpdateRegistrationAsync(Arg.Is<PushRegistrationData>(v => v.Token == "testToken"),
             Arg.Do<string>(id => Guid.TryParse(id, out var _)), userId.ToString(), "testid", DeviceType.Android,
             Arg.Do<IEnumerable<string>>(organizationIds =>
             {
diff --git a/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs b/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs
index 7c7f790cdc..c1089608da 100644
--- a/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs
+++ b/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs
@@ -163,6 +163,10 @@ public abstract class WebApplicationFactoryBase<T> : WebApplicationFactory<T>
 
                 // New Device Verification
                 { "globalSettings:disableEmailNewDevice", "false" },
+
+                // Web push notifications
+                { "globalSettings:webPush:vapidPublicKey", "BGBtAM0bU3b5jsB14IjBYarvJZ6rWHilASLudTTYDDBi7a-3kebo24Yus_xYeOMZ863flAXhFAbkL6GVSrxgErg" },
+                { "globalSettings:launchDarkly:flagValues:web-push", "true" },
             });
         });
 

From bd66f06bd99856985e4587e6cd8094e4bb9ae392 Mon Sep 17 00:00:00 2001
From: Matt Gibson <mgibson@bitwarden.com>
Date: Wed, 26 Feb 2025 14:41:24 -0800
Subject: [PATCH 318/384] Prefer record to implementing IEquatable (#5449)

---
 .../NotificationHub/PushRegistrationData.cs   | 23 ++-----------------
 .../Push/Controllers/PushControllerTests.cs   |  2 +-
 2 files changed, 3 insertions(+), 22 deletions(-)

diff --git a/src/Core/NotificationHub/PushRegistrationData.cs b/src/Core/NotificationHub/PushRegistrationData.cs
index 0cdf981ee2..20e1cf0936 100644
--- a/src/Core/NotificationHub/PushRegistrationData.cs
+++ b/src/Core/NotificationHub/PushRegistrationData.cs
@@ -1,23 +1,13 @@
 namespace Bit.Core.NotificationHub;
 
-public struct WebPushRegistrationData : IEquatable<WebPushRegistrationData>
+public record struct WebPushRegistrationData
 {
     public string Endpoint { get; init; }
     public string P256dh { get; init; }
     public string Auth { get; init; }
-
-    public bool Equals(WebPushRegistrationData other)
-    {
-        return Endpoint == other.Endpoint && P256dh == other.P256dh && Auth == other.Auth;
-    }
-
-    public override int GetHashCode()
-    {
-        return HashCode.Combine(Endpoint, P256dh, Auth);
-    }
 }
 
-public class PushRegistrationData : IEquatable<PushRegistrationData>
+public record class PushRegistrationData
 {
     public string Token { get; set; }
     public WebPushRegistrationData? WebPush { get; set; }
@@ -38,13 +28,4 @@ public class PushRegistrationData : IEquatable<PushRegistrationData>
     {
         WebPush = webPush;
     }
-    public bool Equals(PushRegistrationData other)
-    {
-        return Token == other.Token && WebPush.Equals(other.WebPush);
-    }
-
-    public override int GetHashCode()
-    {
-        return HashCode.Combine(Token, WebPush.GetHashCode());
-    }
 }
diff --git a/test/Api.Test/Platform/Push/Controllers/PushControllerTests.cs b/test/Api.Test/Platform/Push/Controllers/PushControllerTests.cs
index b796a445ae..399913a0c4 100644
--- a/test/Api.Test/Platform/Push/Controllers/PushControllerTests.cs
+++ b/test/Api.Test/Platform/Push/Controllers/PushControllerTests.cs
@@ -280,7 +280,7 @@ public class PushControllerTests
         await sutProvider.Sut.RegisterAsync(model);
 
         await sutProvider.GetDependency<IPushRegistrationService>().Received(1)
-            .CreateOrUpdateRegistrationAsync(Arg.Is<PushRegistrationData>(data => data.Equals(new PushRegistrationData(model.PushToken))), expectedDeviceId, expectedUserId,
+            .CreateOrUpdateRegistrationAsync(Arg.Is<PushRegistrationData>(data => data == new PushRegistrationData(model.PushToken)), expectedDeviceId, expectedUserId,
                 expectedIdentifier, DeviceType.Android, Arg.Do<IEnumerable<string>>(organizationIds =>
                 {
                     var organizationIdsList = organizationIds.ToList();

From a2e665cb96c883e7eba7a2568b9811913615df32 Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Thu, 27 Feb 2025 07:55:46 -0500
Subject: [PATCH 319/384] [PM-16684] Integrate Pricing Service behind FF
 (#5276)

* Remove gRPC and convert PricingClient to HttpClient wrapper

* Add PlanType.GetProductTier extension

Many instances of StaticStore use are just to get the ProductTierType of a PlanType, but this can be derived from the PlanType itself without having to fetch the entire plan.

* Remove invocations of the StaticStore in non-Test code

* Deprecate StaticStore entry points

* Run dotnet format

* Matt's feedback

* Run dotnet format

* Rui's feedback

* Run dotnet format

* Replacements since approval

* Run dotnet format
---
 .../RemoveOrganizationFromProviderCommand.cs  |  11 +-
 .../AdminConsole/Services/ProviderService.cs  |  26 ++-
 .../Billing/ProviderBillingService.cs         |  31 +--
 .../Queries/Projects/MaxProjectsQuery.cs      |   1 +
 ...oveOrganizationFromProviderCommandTests.cs |   3 +
 .../Services/ProviderServiceTests.cs          |   7 +
 .../Billing/ProviderBillingServiceTests.cs    |  83 +++++++
 .../Controllers/OrganizationsController.cs    |  17 +-
 .../Models/OrganizationEditModel.cs           |   8 +-
 .../OrganizationUsersController.cs            |  10 +-
 .../Controllers/OrganizationsController.cs    |  25 +-
 .../OrganizationResponseModel.cs              |  23 +-
 .../ProfileOrganizationResponseModel.cs       |   5 +-
 ...rofileProviderOrganizationResponseModel.cs |   6 +-
 .../OrganizationBillingController.cs          |   4 +-
 .../Controllers/OrganizationsController.cs    |  37 +--
 .../Controllers/ProviderBillingController.cs  |  16 +-
 .../Responses/ProviderSubscriptionResponse.cs |  18 +-
 .../Controllers/OrganizationController.cs     |   9 +-
 ...anizationSubscriptionUpdateRequestModel.cs |   9 +-
 src/Api/Controllers/PlansController.cs        |  10 +-
 ...elfHostedOrganizationLicensesController.cs |   3 +-
 ...tsManagerSubscriptionUpdateRequestModel.cs |   5 +-
 src/Api/Models/Response/PlanResponseModel.cs  |  11 +-
 .../Controllers/ServiceAccountsController.cs  |  10 +-
 .../PaymentSucceededHandler.cs                |  24 +-
 .../Implementations/ProviderEventService.cs   |  17 +-
 .../SubscriptionUpdatedHandler.cs             |  43 ++--
 .../Implementations/UpcomingInvoiceHandler.cs |  26 +--
 .../UpdateOrganizationUserCommand.cs          |  12 +-
 .../CloudOrganizationSignUpCommand.cs         |   6 +-
 .../Implementations/OrganizationService.cs    |  46 ++--
 src/Core/Billing/Constants/StripeConstants.cs |   1 +
 .../Billing/Extensions/BillingExtensions.cs   |  11 +
 .../Extensions/ServiceCollectionExtensions.cs |   3 +-
 .../Implementations/OrganizationMigrator.cs   |   9 +-
 .../Billing/Models/ConfiguredProviderPlan.cs  |  19 +-
 .../Billing/Models/OrganizationMetadata.cs    |  15 +-
 .../Billing/Models/Sales/OrganizationSale.cs  |   4 +-
 .../Billing/Models/Sales/SubscriptionSetup.cs |   4 +-
 src/Core/Billing/Pricing/IPricingClient.cs    |  26 +++
 .../JSON/FreeOrScalableDTOJsonConverter.cs    |  35 +++
 .../JSON/PurchasableDTOJsonConverter.cs       |  40 ++++
 .../Pricing/JSON/TypeReadingJsonConverter.cs  |  28 +++
 src/Core/Billing/Pricing/Models/FeatureDTO.cs |   9 +
 src/Core/Billing/Pricing/Models/PlanDTO.cs    |  27 +++
 .../Billing/Pricing/Models/PurchasableDTO.cs  |  73 ++++++
 src/Core/Billing/Pricing/PlanAdapter.cs       | 153 ++++++------
 src/Core/Billing/Pricing/PricingClient.cs     |  88 +++++--
 .../Pricing/Protos/password-manager.proto     |  92 --------
 .../Pricing/ServiceCollectionExtensions.cs    |  21 ++
 .../OrganizationBillingService.cs             |  88 +++----
 src/Core/Core.csproj                          |  12 +-
 .../Business/CompleteSubscriptionUpdate.cs    |  23 +-
 .../Business/ProviderSubscriptionUpdate.cs    |   7 +-
 .../SecretsManagerSubscriptionUpdate.cs       |  12 +-
 src/Core/Models/Business/SubscriptionInfo.cs  |   1 -
 .../Cloud/CloudSyncSponsorshipsCommand.cs     |   4 +-
 .../Cloud/SetUpSponsorshipCommand.cs          |   6 +-
 .../Cloud/ValidateSponsorshipCommand.cs       |   7 +-
 .../CreateSponsorshipCommand.cs               |   6 +-
 .../AddSecretsManagerSubscriptionCommand.cs   |  17 +-
 .../UpgradeOrganizationPlanCommand.cs         |  18 +-
 .../Implementations/StripePaymentService.cs   |  22 +-
 src/Core/Utilities/StaticStore.cs             |   6 +-
 .../OrganizationsControllerTests.cs           |   6 +-
 .../OrganizationsControllerTests.cs           |   6 +-
 .../ProviderBillingControllerTests.cs         |   6 +
 .../ServiceAccountsControllerTests.cs         |   4 +
 .../Services/ProviderEventServiceTests.cs     |  24 +-
 .../CloudOrganizationSignUpCommandTests.cs    |  20 +-
 .../Services/OrganizationServiceTests.cs      |  18 +-
 .../OrganizationBillingServiceTests.cs        |  47 +---
 .../CompleteSubscriptionUpdateTests.cs        |  12 +-
 .../SecretsManagerSubscriptionUpdateTests.cs  |  55 +++--
 ...dSecretsManagerSubscriptionCommandTests.cs |  10 +-
 ...eSecretsManagerSubscriptionCommandTests.cs | 217 +++++++++---------
 .../UpgradeOrganizationPlanCommandTests.cs    |  16 ++
 78 files changed, 1178 insertions(+), 712 deletions(-)
 create mode 100644 src/Core/Billing/Pricing/JSON/FreeOrScalableDTOJsonConverter.cs
 create mode 100644 src/Core/Billing/Pricing/JSON/PurchasableDTOJsonConverter.cs
 create mode 100644 src/Core/Billing/Pricing/JSON/TypeReadingJsonConverter.cs
 create mode 100644 src/Core/Billing/Pricing/Models/FeatureDTO.cs
 create mode 100644 src/Core/Billing/Pricing/Models/PlanDTO.cs
 create mode 100644 src/Core/Billing/Pricing/Models/PurchasableDTO.cs
 delete mode 100644 src/Core/Billing/Pricing/Protos/password-manager.proto
 create mode 100644 src/Core/Billing/Pricing/ServiceCollectionExtensions.cs

diff --git a/bitwarden_license/src/Commercial.Core/AdminConsole/Providers/RemoveOrganizationFromProviderCommand.cs b/bitwarden_license/src/Commercial.Core/AdminConsole/Providers/RemoveOrganizationFromProviderCommand.cs
index ce0c0c9335..d2acdac079 100644
--- a/bitwarden_license/src/Commercial.Core/AdminConsole/Providers/RemoveOrganizationFromProviderCommand.cs
+++ b/bitwarden_license/src/Commercial.Core/AdminConsole/Providers/RemoveOrganizationFromProviderCommand.cs
@@ -5,12 +5,12 @@ using Bit.Core.AdminConsole.Providers.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Extensions;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Services;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
-using Bit.Core.Utilities;
 using Stripe;
 
 namespace Bit.Commercial.Core.AdminConsole.Providers;
@@ -27,6 +27,7 @@ public class RemoveOrganizationFromProviderCommand : IRemoveOrganizationFromProv
     private readonly IProviderBillingService _providerBillingService;
     private readonly ISubscriberService _subscriberService;
     private readonly IHasConfirmedOwnersExceptQuery _hasConfirmedOwnersExceptQuery;
+    private readonly IPricingClient _pricingClient;
 
     public RemoveOrganizationFromProviderCommand(
         IEventService eventService,
@@ -38,7 +39,8 @@ public class RemoveOrganizationFromProviderCommand : IRemoveOrganizationFromProv
         IFeatureService featureService,
         IProviderBillingService providerBillingService,
         ISubscriberService subscriberService,
-        IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery)
+        IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery,
+        IPricingClient pricingClient)
     {
         _eventService = eventService;
         _mailService = mailService;
@@ -50,6 +52,7 @@ public class RemoveOrganizationFromProviderCommand : IRemoveOrganizationFromProv
         _providerBillingService = providerBillingService;
         _subscriberService = subscriberService;
         _hasConfirmedOwnersExceptQuery = hasConfirmedOwnersExceptQuery;
+        _pricingClient = pricingClient;
     }
 
     public async Task RemoveOrganizationFromProvider(
@@ -110,7 +113,7 @@ public class RemoveOrganizationFromProviderCommand : IRemoveOrganizationFromProv
                 Email = organization.BillingEmail
             });
 
-            var plan = StaticStore.GetPlan(organization.PlanType).PasswordManager;
+            var plan = await _pricingClient.GetPlanOrThrow(organization.PlanType);
 
             var subscriptionCreateOptions = new SubscriptionCreateOptions
             {
@@ -124,7 +127,7 @@ public class RemoveOrganizationFromProviderCommand : IRemoveOrganizationFromProv
                 },
                 OffSession = true,
                 ProrationBehavior = StripeConstants.ProrationBehavior.CreateProrations,
-                Items = [new SubscriptionItemOptions { Price = plan.StripeSeatPlanId, Quantity = organization.Seats }]
+                Items = [new SubscriptionItemOptions { Price = plan.PasswordManager.StripeSeatPlanId, Quantity = organization.Seats }]
             };
 
             var subscription = await _stripeAdapter.SubscriptionCreateAsync(subscriptionCreateOptions);
diff --git a/bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs b/bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs
index 864466ad45..799b57dc5a 100644
--- a/bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs
+++ b/bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs
@@ -8,6 +8,7 @@ using Bit.Core.AdminConsole.Models.Business.Tokenables;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Entities;
@@ -50,6 +51,7 @@ public class ProviderService : IProviderService
     private readonly IDataProtectorTokenFactory<ProviderDeleteTokenable> _providerDeleteTokenDataFactory;
     private readonly IApplicationCacheService _applicationCacheService;
     private readonly IProviderBillingService _providerBillingService;
+    private readonly IPricingClient _pricingClient;
 
     public ProviderService(IProviderRepository providerRepository, IProviderUserRepository providerUserRepository,
         IProviderOrganizationRepository providerOrganizationRepository, IUserRepository userRepository,
@@ -58,7 +60,7 @@ public class ProviderService : IProviderService
         IOrganizationRepository organizationRepository, GlobalSettings globalSettings,
         ICurrentContext currentContext, IStripeAdapter stripeAdapter, IFeatureService featureService,
         IDataProtectorTokenFactory<ProviderDeleteTokenable> providerDeleteTokenDataFactory,
-        IApplicationCacheService applicationCacheService, IProviderBillingService providerBillingService)
+        IApplicationCacheService applicationCacheService, IProviderBillingService providerBillingService, IPricingClient pricingClient)
     {
         _providerRepository = providerRepository;
         _providerUserRepository = providerUserRepository;
@@ -77,6 +79,7 @@ public class ProviderService : IProviderService
         _providerDeleteTokenDataFactory = providerDeleteTokenDataFactory;
         _applicationCacheService = applicationCacheService;
         _providerBillingService = providerBillingService;
+        _pricingClient = pricingClient;
     }
 
     public async Task<Provider> CompleteSetupAsync(Provider provider, Guid ownerUserId, string token, string key, TaxInfo taxInfo = null)
@@ -452,30 +455,31 @@ public class ProviderService : IProviderService
 
         if (!string.IsNullOrWhiteSpace(organization.GatewaySubscriptionId))
         {
-            var subscriptionItem = await GetSubscriptionItemAsync(organization.GatewaySubscriptionId,
-                GetStripeSeatPlanId(organization.PlanType));
+            var plan = await _pricingClient.GetPlanOrThrow(organization.PlanType);
+
+            var subscriptionItem = await GetSubscriptionItemAsync(
+                organization.GatewaySubscriptionId,
+                plan.PasswordManager.StripeSeatPlanId);
+
             var extractedPlanType = PlanTypeMappings(organization);
+            var extractedPlan = await _pricingClient.GetPlanOrThrow(extractedPlanType);
+
             if (subscriptionItem != null)
             {
-                await UpdateSubscriptionAsync(subscriptionItem, GetStripeSeatPlanId(extractedPlanType), organization);
+                await UpdateSubscriptionAsync(subscriptionItem, extractedPlan.PasswordManager.StripeSeatPlanId, organization);
             }
         }
 
         await _organizationRepository.UpsertAsync(organization);
     }
 
-    private async Task<Stripe.SubscriptionItem> GetSubscriptionItemAsync(string subscriptionId, string oldPlanId)
+    private async Task<SubscriptionItem> GetSubscriptionItemAsync(string subscriptionId, string oldPlanId)
     {
         var subscriptionDetails = await _stripeAdapter.SubscriptionGetAsync(subscriptionId);
         return subscriptionDetails.Items.Data.FirstOrDefault(item => item.Price.Id == oldPlanId);
     }
 
-    private static string GetStripeSeatPlanId(PlanType planType)
-    {
-        return StaticStore.GetPlan(planType).PasswordManager.StripeSeatPlanId;
-    }
-
-    private async Task UpdateSubscriptionAsync(Stripe.SubscriptionItem subscriptionItem, string extractedPlanType, Organization organization)
+    private async Task UpdateSubscriptionAsync(SubscriptionItem subscriptionItem, string extractedPlanType, Organization organization)
     {
         try
         {
diff --git a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
index 7b10793283..b637cf37ef 100644
--- a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
+++ b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
@@ -10,6 +10,7 @@ using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Entities;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Models;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Repositories;
 using Bit.Core.Billing.Services;
 using Bit.Core.Billing.Services.Contracts;
@@ -32,6 +33,7 @@ public class ProviderBillingService(
     ILogger<ProviderBillingService> logger,
     IOrganizationRepository organizationRepository,
     IPaymentService paymentService,
+    IPricingClient pricingClient,
     IProviderInvoiceItemRepository providerInvoiceItemRepository,
     IProviderOrganizationRepository providerOrganizationRepository,
     IProviderPlanRepository providerPlanRepository,
@@ -77,8 +79,7 @@ public class ProviderBillingService(
 
         var managedPlanType = await GetManagedPlanTypeAsync(provider, organization);
 
-        // TODO: Replace with PricingClient
-        var plan = StaticStore.GetPlan(managedPlanType);
+        var plan = await pricingClient.GetPlanOrThrow(managedPlanType);
         organization.Plan = plan.Name;
         organization.PlanType = plan.Type;
         organization.MaxCollections = plan.PasswordManager.MaxCollections;
@@ -154,7 +155,8 @@ public class ProviderBillingService(
             return;
         }
 
-        var oldPlanConfiguration = StaticStore.GetPlan(plan.PlanType);
+        var oldPlanConfiguration = await pricingClient.GetPlanOrThrow(plan.PlanType);
+        var newPlanConfiguration = await pricingClient.GetPlanOrThrow(command.NewPlan);
 
         plan.PlanType = command.NewPlan;
         await providerPlanRepository.ReplaceAsync(plan);
@@ -178,7 +180,7 @@ public class ProviderBillingService(
             [
                 new SubscriptionItemOptions
                 {
-                    Price = StaticStore.GetPlan(command.NewPlan).PasswordManager.StripeProviderPortalSeatPlanId,
+                    Price = newPlanConfiguration.PasswordManager.StripeProviderPortalSeatPlanId,
                     Quantity = oldSubscriptionItem!.Quantity
                 },
                 new SubscriptionItemOptions
@@ -204,7 +206,7 @@ public class ProviderBillingService(
                 throw new ConflictException($"Organization '{providerOrganization.Id}' not found.");
             }
             organization.PlanType = command.NewPlan;
-            organization.Plan = StaticStore.GetPlan(command.NewPlan).Name;
+            organization.Plan = newPlanConfiguration.Name;
             await organizationRepository.ReplaceAsync(organization);
         }
     }
@@ -347,7 +349,7 @@ public class ProviderBillingService(
         {
             var (organization, _) = pair;
 
-            var planName = DerivePlanName(provider, organization);
+            var planName = await DerivePlanName(provider, organization);
 
             var addable = new AddableOrganization(
                 organization.Id,
@@ -368,7 +370,7 @@ public class ProviderBillingService(
             return addable with { Disabled = requiresPurchase };
         }));
 
-        string DerivePlanName(Provider localProvider, Organization localOrganization)
+        async Task<string> DerivePlanName(Provider localProvider, Organization localOrganization)
         {
             if (localProvider.Type == ProviderType.Msp)
             {
@@ -380,8 +382,7 @@ public class ProviderBillingService(
                 };
             }
 
-            // TODO: Replace with PricingClient
-            var plan = StaticStore.GetPlan(localOrganization.PlanType);
+            var plan = await pricingClient.GetPlanOrThrow(localOrganization.PlanType);
             return plan.Name;
         }
     }
@@ -568,7 +569,7 @@ public class ProviderBillingService(
 
         foreach (var providerPlan in providerPlans)
         {
-            var plan = StaticStore.GetPlan(providerPlan.PlanType);
+            var plan = await pricingClient.GetPlanOrThrow(providerPlan.PlanType);
 
             if (!providerPlan.IsConfigured())
             {
@@ -652,8 +653,10 @@ public class ProviderBillingService(
 
             if (providerPlan.SeatMinimum != newPlanConfiguration.SeatsMinimum)
             {
-                var priceId = StaticStore.GetPlan(newPlanConfiguration.Plan).PasswordManager
-                    .StripeProviderPortalSeatPlanId;
+                var newPlan = await pricingClient.GetPlanOrThrow(newPlanConfiguration.Plan);
+
+                var priceId = newPlan.PasswordManager.StripeProviderPortalSeatPlanId;
+
                 var subscriptionItem = subscription.Items.First(item => item.Price.Id == priceId);
 
                 if (providerPlan.PurchasedSeats == 0)
@@ -717,7 +720,7 @@ public class ProviderBillingService(
         ProviderPlan providerPlan,
         int newlyAssignedSeats) => async (currentlySubscribedSeats, newlySubscribedSeats) =>
     {
-        var plan = StaticStore.GetPlan(providerPlan.PlanType);
+        var plan = await pricingClient.GetPlanOrThrow(providerPlan.PlanType);
 
         await paymentService.AdjustSeats(
             provider,
@@ -741,7 +744,7 @@ public class ProviderBillingService(
         var providerOrganizations =
             await providerOrganizationRepository.GetManyDetailsByProviderAsync(provider.Id);
 
-        var plan = StaticStore.GetPlan(planType);
+        var plan = await pricingClient.GetPlanOrThrow(planType);
 
         return providerOrganizations
             .Where(providerOrganization => providerOrganization.Plan == plan.Name && providerOrganization.Status == OrganizationStatusType.Managed)
diff --git a/bitwarden_license/src/Commercial.Core/SecretsManager/Queries/Projects/MaxProjectsQuery.cs b/bitwarden_license/src/Commercial.Core/SecretsManager/Queries/Projects/MaxProjectsQuery.cs
index ee7bc398fe..d9a7d4a2ce 100644
--- a/bitwarden_license/src/Commercial.Core/SecretsManager/Queries/Projects/MaxProjectsQuery.cs
+++ b/bitwarden_license/src/Commercial.Core/SecretsManager/Queries/Projects/MaxProjectsQuery.cs
@@ -28,6 +28,7 @@ public class MaxProjectsQuery : IMaxProjectsQuery
             throw new NotFoundException();
         }
 
+        // TODO: PRICING -> https://bitwarden.atlassian.net/browse/PM-17122
         var plan = StaticStore.GetPlan(org.PlanType);
         if (plan?.SecretsManager == null)
         {
diff --git a/bitwarden_license/test/Commercial.Core.Test/AdminConsole/ProviderFeatures/RemoveOrganizationFromProviderCommandTests.cs b/bitwarden_license/test/Commercial.Core.Test/AdminConsole/ProviderFeatures/RemoveOrganizationFromProviderCommandTests.cs
index f45ab75046..2debd521a5 100644
--- a/bitwarden_license/test/Commercial.Core.Test/AdminConsole/ProviderFeatures/RemoveOrganizationFromProviderCommandTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/AdminConsole/ProviderFeatures/RemoveOrganizationFromProviderCommandTests.cs
@@ -6,6 +6,7 @@ using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Services;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -205,6 +206,8 @@ public class RemoveOrganizationFromProviderCommandTests
 
         var teamsMonthlyPlan = StaticStore.GetPlan(PlanType.TeamsMonthly);
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(PlanType.TeamsMonthly).Returns(teamsMonthlyPlan);
+
         sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>().HasConfirmedOwnersExceptAsync(
                 providerOrganization.OrganizationId,
                 [],
diff --git a/bitwarden_license/test/Commercial.Core.Test/AdminConsole/Services/ProviderServiceTests.cs b/bitwarden_license/test/Commercial.Core.Test/AdminConsole/Services/ProviderServiceTests.cs
index 2883c9d7e3..d2d82f47de 100644
--- a/bitwarden_license/test/Commercial.Core.Test/AdminConsole/Services/ProviderServiceTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/AdminConsole/Services/ProviderServiceTests.cs
@@ -7,6 +7,7 @@ using Bit.Core.AdminConsole.Models.Business.Provider;
 using Bit.Core.AdminConsole.Models.Business.Tokenables;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Entities;
@@ -550,8 +551,14 @@ public class ProviderServiceTests
         organization.PlanType = PlanType.EnterpriseMonthly;
         organization.Plan = "Enterprise (Monthly)";
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(organization.PlanType)
+            .Returns(StaticStore.GetPlan(organization.PlanType));
+
         var expectedPlanType = PlanType.EnterpriseMonthly2020;
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(expectedPlanType)
+            .Returns(StaticStore.GetPlan(expectedPlanType));
+
         var expectedPlanId = "2020-enterprise-org-seat-monthly";
 
         sutProvider.GetDependency<IProviderRepository>().GetByIdAsync(provider.Id).Returns(provider);
diff --git a/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderBillingServiceTests.cs b/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderBillingServiceTests.cs
index 3739603a2d..2fbd09a213 100644
--- a/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderBillingServiceTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderBillingServiceTests.cs
@@ -9,6 +9,7 @@ using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Entities;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Repositories;
 using Bit.Core.Billing.Services;
 using Bit.Core.Billing.Services.Contracts;
@@ -128,6 +129,9 @@ public class ProviderBillingServiceTests
             .GetByIdAsync(Arg.Is<Guid>(p => p == providerPlanId))
             .Returns(existingPlan);
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(existingPlan.PlanType)
+            .Returns(StaticStore.GetPlan(existingPlan.PlanType));
+
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
         stripeAdapter.ProviderSubscriptionGetAsync(
                 Arg.Is(provider.GatewaySubscriptionId),
@@ -156,6 +160,9 @@ public class ProviderBillingServiceTests
         var command =
             new ChangeProviderPlanCommand(providerPlanId, PlanType.EnterpriseMonthly, provider.GatewaySubscriptionId);
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(command.NewPlan)
+            .Returns(StaticStore.GetPlan(command.NewPlan));
+
         // Act
         await sutProvider.Sut.ChangePlan(command);
 
@@ -390,6 +397,12 @@ public class ProviderBillingServiceTests
             }
         };
 
+        foreach (var plan in providerPlans)
+        {
+            sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
+                .Returns(StaticStore.GetPlan(plan.PlanType));
+        }
+
         sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id).Returns(providerPlans);
 
         // 50 seats currently assigned with a seat minimum of 100
@@ -451,6 +464,12 @@ public class ProviderBillingServiceTests
             }
         };
 
+        foreach (var plan in providerPlans)
+        {
+            sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
+                .Returns(StaticStore.GetPlan(plan.PlanType));
+        }
+
         var providerPlan = providerPlans.First();
 
         sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id).Returns(providerPlans);
@@ -515,6 +534,12 @@ public class ProviderBillingServiceTests
             }
         };
 
+        foreach (var plan in providerPlans)
+        {
+            sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
+                .Returns(StaticStore.GetPlan(plan.PlanType));
+        }
+
         var providerPlan = providerPlans.First();
 
         sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id).Returns(providerPlans);
@@ -579,6 +604,12 @@ public class ProviderBillingServiceTests
             }
         };
 
+        foreach (var plan in providerPlans)
+        {
+            sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
+                .Returns(StaticStore.GetPlan(plan.PlanType));
+        }
+
         var providerPlan = providerPlans.First();
 
         sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id).Returns(providerPlans);
@@ -636,6 +667,8 @@ public class ProviderBillingServiceTests
             }
         ]);
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(planType).Returns(StaticStore.GetPlan(planType));
+
         sutProvider.GetDependency<IProviderOrganizationRepository>().GetManyDetailsByProviderAsync(provider.Id).Returns(
         [
             new ProviderOrganizationOrganizationDetails
@@ -672,6 +705,8 @@ public class ProviderBillingServiceTests
             }
         ]);
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(planType).Returns(StaticStore.GetPlan(planType));
+
         sutProvider.GetDependency<IProviderOrganizationRepository>().GetManyDetailsByProviderAsync(provider.Id).Returns(
         [
             new ProviderOrganizationOrganizationDetails
@@ -856,6 +891,9 @@ public class ProviderBillingServiceTests
         sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id)
             .Returns(providerPlans);
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(PlanType.EnterpriseMonthly)
+            .Returns(StaticStore.GetPlan(PlanType.EnterpriseMonthly));
+
         await ThrowsBillingExceptionAsync(() => sutProvider.Sut.SetupSubscription(provider));
 
         await sutProvider.GetDependency<IStripeAdapter>()
@@ -881,6 +919,9 @@ public class ProviderBillingServiceTests
         sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id)
             .Returns(providerPlans);
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(PlanType.TeamsMonthly)
+            .Returns(StaticStore.GetPlan(PlanType.TeamsMonthly));
+
         await ThrowsBillingExceptionAsync(() => sutProvider.Sut.SetupSubscription(provider));
 
         await sutProvider.GetDependency<IStripeAdapter>()
@@ -923,6 +964,12 @@ public class ProviderBillingServiceTests
             }
         };
 
+        foreach (var plan in providerPlans)
+        {
+            sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
+                .Returns(StaticStore.GetPlan(plan.PlanType));
+        }
+
         sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id)
             .Returns(providerPlans);
 
@@ -968,6 +1015,12 @@ public class ProviderBillingServiceTests
             }
         };
 
+        foreach (var plan in providerPlans)
+        {
+            sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
+                .Returns(StaticStore.GetPlan(plan.PlanType));
+        }
+
         sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id)
             .Returns(providerPlans);
 
@@ -1066,6 +1119,12 @@ public class ProviderBillingServiceTests
             new() { PlanType = PlanType.TeamsMonthly, SeatMinimum = 30, PurchasedSeats = 0, AllocatedSeats = 25 }
         };
 
+        foreach (var plan in providerPlans)
+        {
+            sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
+                .Returns(StaticStore.GetPlan(plan.PlanType));
+        }
+
         providerPlanRepository.GetByProviderId(provider.Id).Returns(providerPlans);
 
         var command = new UpdateProviderSeatMinimumsCommand(
@@ -1139,6 +1198,12 @@ public class ProviderBillingServiceTests
             new() { PlanType = PlanType.TeamsMonthly, SeatMinimum = 30, PurchasedSeats = 0, AllocatedSeats = 15 }
         };
 
+        foreach (var plan in providerPlans)
+        {
+            sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
+                .Returns(StaticStore.GetPlan(plan.PlanType));
+        }
+
         providerPlanRepository.GetByProviderId(provider.Id).Returns(providerPlans);
 
         var command = new UpdateProviderSeatMinimumsCommand(
@@ -1212,6 +1277,12 @@ public class ProviderBillingServiceTests
             new() { PlanType = PlanType.TeamsMonthly, SeatMinimum = 50, PurchasedSeats = 20 }
         };
 
+        foreach (var plan in providerPlans)
+        {
+            sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
+                .Returns(StaticStore.GetPlan(plan.PlanType));
+        }
+
         providerPlanRepository.GetByProviderId(provider.Id).Returns(providerPlans);
 
         var command = new UpdateProviderSeatMinimumsCommand(
@@ -1279,6 +1350,12 @@ public class ProviderBillingServiceTests
             new() { PlanType = PlanType.TeamsMonthly, SeatMinimum = 50, PurchasedSeats = 20 }
         };
 
+        foreach (var plan in providerPlans)
+        {
+            sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
+                .Returns(StaticStore.GetPlan(plan.PlanType));
+        }
+
         providerPlanRepository.GetByProviderId(provider.Id).Returns(providerPlans);
 
         var command = new UpdateProviderSeatMinimumsCommand(
@@ -1352,6 +1429,12 @@ public class ProviderBillingServiceTests
             new() { PlanType = PlanType.TeamsMonthly, SeatMinimum = 30, PurchasedSeats = 0 }
         };
 
+        foreach (var plan in providerPlans)
+        {
+            sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
+                .Returns(StaticStore.GetPlan(plan.PlanType));
+        }
+
         providerPlanRepository.GetByProviderId(provider.Id).Returns(providerPlans);
 
         var command = new UpdateProviderSeatMinimumsCommand(
diff --git a/src/Admin/AdminConsole/Controllers/OrganizationsController.cs b/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
index 60a5a39612..fdb4961d9b 100644
--- a/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
+++ b/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
@@ -10,6 +10,7 @@ using Bit.Core.AdminConsole.Providers.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Extensions;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Enums;
@@ -56,8 +57,8 @@ public class OrganizationsController : Controller
     private readonly IProviderOrganizationRepository _providerOrganizationRepository;
     private readonly IRemoveOrganizationFromProviderCommand _removeOrganizationFromProviderCommand;
     private readonly IProviderBillingService _providerBillingService;
-    private readonly IFeatureService _featureService;
     private readonly IOrganizationInitiateDeleteCommand _organizationInitiateDeleteCommand;
+    private readonly IPricingClient _pricingClient;
 
     public OrganizationsController(
         IOrganizationService organizationService,
@@ -84,8 +85,8 @@ public class OrganizationsController : Controller
         IProviderOrganizationRepository providerOrganizationRepository,
         IRemoveOrganizationFromProviderCommand removeOrganizationFromProviderCommand,
         IProviderBillingService providerBillingService,
-        IFeatureService featureService,
-        IOrganizationInitiateDeleteCommand organizationInitiateDeleteCommand)
+        IOrganizationInitiateDeleteCommand organizationInitiateDeleteCommand,
+        IPricingClient pricingClient)
     {
         _organizationService = organizationService;
         _organizationRepository = organizationRepository;
@@ -111,8 +112,8 @@ public class OrganizationsController : Controller
         _providerOrganizationRepository = providerOrganizationRepository;
         _removeOrganizationFromProviderCommand = removeOrganizationFromProviderCommand;
         _providerBillingService = providerBillingService;
-        _featureService = featureService;
         _organizationInitiateDeleteCommand = organizationInitiateDeleteCommand;
+        _pricingClient = pricingClient;
     }
 
     [RequirePermission(Permission.Org_List_View)]
@@ -212,6 +213,8 @@ public class OrganizationsController : Controller
             ? await _organizationUserRepository.GetOccupiedSmSeatCountByOrganizationIdAsync(organization.Id)
             : -1;
 
+        var plans = await _pricingClient.ListPlans();
+
         return View(new OrganizationEditModel(
             organization,
             provider,
@@ -224,6 +227,7 @@ public class OrganizationsController : Controller
             billingHistoryInfo,
             billingSyncConnection,
             _globalSettings,
+            plans,
             secrets,
             projects,
             serviceAccounts,
@@ -253,8 +257,9 @@ public class OrganizationsController : Controller
 
         UpdateOrganization(organization, model);
 
-        if (organization.UseSecretsManager &&
-            !StaticStore.GetPlan(organization.PlanType).SupportsSecretsManager)
+        var plan = await _pricingClient.GetPlanOrThrow(organization.PlanType);
+
+        if (organization.UseSecretsManager && !plan.SupportsSecretsManager)
         {
             TempData["Error"] = "Plan does not support Secrets Manager";
             return RedirectToAction("Edit", new { id });
diff --git a/src/Admin/AdminConsole/Models/OrganizationEditModel.cs b/src/Admin/AdminConsole/Models/OrganizationEditModel.cs
index be191ddb8d..729b4f7990 100644
--- a/src/Admin/AdminConsole/Models/OrganizationEditModel.cs
+++ b/src/Admin/AdminConsole/Models/OrganizationEditModel.cs
@@ -8,6 +8,7 @@ using Bit.Core.Billing.Models;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+using Bit.Core.Models.StaticStore;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
 using Bit.Core.Vault.Entities;
@@ -17,6 +18,8 @@ namespace Bit.Admin.AdminConsole.Models;
 
 public class OrganizationEditModel : OrganizationViewModel
 {
+    private readonly List<Plan> _plans;
+
     public OrganizationEditModel() { }
 
     public OrganizationEditModel(Provider provider)
@@ -40,6 +43,7 @@ public class OrganizationEditModel : OrganizationViewModel
         BillingHistoryInfo billingHistoryInfo,
         IEnumerable<OrganizationConnection> connections,
         GlobalSettings globalSettings,
+        List<Plan> plans,
         int secrets,
         int projects,
         int serviceAccounts,
@@ -96,6 +100,8 @@ public class OrganizationEditModel : OrganizationViewModel
         MaxAutoscaleSmSeats = org.MaxAutoscaleSmSeats;
         SmServiceAccounts = org.SmServiceAccounts;
         MaxAutoscaleSmServiceAccounts = org.MaxAutoscaleSmServiceAccounts;
+
+        _plans = plans;
     }
 
     public BillingInfo BillingInfo { get; set; }
@@ -183,7 +189,7 @@ public class OrganizationEditModel : OrganizationViewModel
      * Add mappings for individual properties as you need them
      */
     public object GetPlansHelper() =>
-        StaticStore.Plans
+        _plans
             .Select(p =>
             {
                 var plan = new
diff --git a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
index 265aefc4ca..5a73e57204 100644
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@@ -13,6 +13,7 @@ using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -55,6 +56,7 @@ public class OrganizationUsersController : Controller
     private readonly IDeleteManagedOrganizationUserAccountCommand _deleteManagedOrganizationUserAccountCommand;
     private readonly IGetOrganizationUsersManagementStatusQuery _getOrganizationUsersManagementStatusQuery;
     private readonly IFeatureService _featureService;
+    private readonly IPricingClient _pricingClient;
 
     public OrganizationUsersController(
         IOrganizationRepository organizationRepository,
@@ -77,7 +79,8 @@ public class OrganizationUsersController : Controller
         IRemoveOrganizationUserCommand removeOrganizationUserCommand,
         IDeleteManagedOrganizationUserAccountCommand deleteManagedOrganizationUserAccountCommand,
         IGetOrganizationUsersManagementStatusQuery getOrganizationUsersManagementStatusQuery,
-        IFeatureService featureService)
+        IFeatureService featureService,
+        IPricingClient pricingClient)
     {
         _organizationRepository = organizationRepository;
         _organizationUserRepository = organizationUserRepository;
@@ -100,6 +103,7 @@ public class OrganizationUsersController : Controller
         _deleteManagedOrganizationUserAccountCommand = deleteManagedOrganizationUserAccountCommand;
         _getOrganizationUsersManagementStatusQuery = getOrganizationUsersManagementStatusQuery;
         _featureService = featureService;
+        _pricingClient = pricingClient;
     }
 
     [HttpGet("{id}")]
@@ -648,7 +652,9 @@ public class OrganizationUsersController : Controller
         if (additionalSmSeatsRequired > 0)
         {
             var organization = await _organizationRepository.GetByIdAsync(orgId);
-            var update = new SecretsManagerSubscriptionUpdate(organization, true)
+            // TODO: https://bitwarden.atlassian.net/browse/PM-17000
+            var plan = await _pricingClient.GetPlanOrThrow(organization!.PlanType);
+            var update = new SecretsManagerSubscriptionUpdate(organization, plan, true)
                 .AdjustSeats(additionalSmSeatsRequired);
             await _updateSecretsManagerSubscriptionCommand.UpdateSubscriptionAsync(update);
         }
diff --git a/src/Api/AdminConsole/Controllers/OrganizationsController.cs b/src/Api/AdminConsole/Controllers/OrganizationsController.cs
index 85e8e990a6..34da3de10c 100644
--- a/src/Api/AdminConsole/Controllers/OrganizationsController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationsController.cs
@@ -22,6 +22,7 @@ using Bit.Core.Auth.Repositories;
 using Bit.Core.Auth.Services;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Extensions;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Enums;
@@ -60,6 +61,7 @@ public class OrganizationsController : Controller
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
     private readonly ICloudOrganizationSignUpCommand _cloudOrganizationSignUpCommand;
     private readonly IOrganizationDeleteCommand _organizationDeleteCommand;
+    private readonly IPricingClient _pricingClient;
 
     public OrganizationsController(
         IOrganizationRepository organizationRepository,
@@ -81,7 +83,8 @@ public class OrganizationsController : Controller
         IDataProtectorTokenFactory<OrgDeleteTokenable> orgDeleteTokenDataFactory,
         IRemoveOrganizationUserCommand removeOrganizationUserCommand,
         ICloudOrganizationSignUpCommand cloudOrganizationSignUpCommand,
-        IOrganizationDeleteCommand organizationDeleteCommand)
+        IOrganizationDeleteCommand organizationDeleteCommand,
+        IPricingClient pricingClient)
     {
         _organizationRepository = organizationRepository;
         _organizationUserRepository = organizationUserRepository;
@@ -103,6 +106,7 @@ public class OrganizationsController : Controller
         _removeOrganizationUserCommand = removeOrganizationUserCommand;
         _cloudOrganizationSignUpCommand = cloudOrganizationSignUpCommand;
         _organizationDeleteCommand = organizationDeleteCommand;
+        _pricingClient = pricingClient;
     }
 
     [HttpGet("{id}")]
@@ -120,7 +124,8 @@ public class OrganizationsController : Controller
             throw new NotFoundException();
         }
 
-        return new OrganizationResponseModel(organization);
+        var plan = await _pricingClient.GetPlan(organization.PlanType);
+        return new OrganizationResponseModel(organization, plan);
     }
 
     [HttpGet("")]
@@ -181,7 +186,8 @@ public class OrganizationsController : Controller
 
         var organizationSignup = model.ToOrganizationSignup(user);
         var result = await _cloudOrganizationSignUpCommand.SignUpOrganizationAsync(organizationSignup);
-        return new OrganizationResponseModel(result.Organization);
+        var plan = await _pricingClient.GetPlanOrThrow(result.Organization.PlanType);
+        return new OrganizationResponseModel(result.Organization, plan);
     }
 
     [HttpPost("create-without-payment")]
@@ -196,7 +202,8 @@ public class OrganizationsController : Controller
 
         var organizationSignup = model.ToOrganizationSignup(user);
         var result = await _cloudOrganizationSignUpCommand.SignUpOrganizationAsync(organizationSignup);
-        return new OrganizationResponseModel(result.Organization);
+        var plan = await _pricingClient.GetPlanOrThrow(result.Organization.PlanType);
+        return new OrganizationResponseModel(result.Organization, plan);
     }
 
     [HttpPut("{id}")]
@@ -224,7 +231,8 @@ public class OrganizationsController : Controller
         }
 
         await _organizationService.UpdateAsync(model.ToOrganization(organization, _globalSettings), updateBilling);
-        return new OrganizationResponseModel(organization);
+        var plan = await _pricingClient.GetPlan(organization.PlanType);
+        return new OrganizationResponseModel(organization, plan);
     }
 
     [HttpPost("{id}/storage")]
@@ -358,8 +366,8 @@ public class OrganizationsController : Controller
         if (model.Type == OrganizationApiKeyType.BillingSync || model.Type == OrganizationApiKeyType.Scim)
         {
             // Non-enterprise orgs should not be able to create or view an apikey of billing sync/scim key types
-            var plan = StaticStore.GetPlan(organization.PlanType);
-            if (plan.ProductTier is not ProductTierType.Enterprise and not ProductTierType.Teams)
+            var productTier = organization.PlanType.GetProductTier();
+            if (productTier is not ProductTierType.Enterprise and not ProductTierType.Teams)
             {
                 throw new NotFoundException();
             }
@@ -542,7 +550,8 @@ public class OrganizationsController : Controller
         }
 
         await _organizationService.UpdateAsync(model.ToOrganization(organization, _featureService), eventType: EventType.Organization_CollectionManagement_Updated);
-        return new OrganizationResponseModel(organization);
+        var plan = await _pricingClient.GetPlan(organization.PlanType);
+        return new OrganizationResponseModel(organization, plan);
     }
 
     [HttpGet("{id}/plan-type")]
diff --git a/src/Api/AdminConsole/Models/Response/Organizations/OrganizationResponseModel.cs b/src/Api/AdminConsole/Models/Response/Organizations/OrganizationResponseModel.cs
index 272aaf6f9c..4dc4a4ec55 100644
--- a/src/Api/AdminConsole/Models/Response/Organizations/OrganizationResponseModel.cs
+++ b/src/Api/AdminConsole/Models/Response/Organizations/OrganizationResponseModel.cs
@@ -4,6 +4,7 @@ using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Models.Api;
 using Bit.Core.Models.Business;
+using Bit.Core.Models.StaticStore;
 using Bit.Core.Utilities;
 using Constants = Bit.Core.Constants;
 
@@ -11,8 +12,10 @@ namespace Bit.Api.AdminConsole.Models.Response.Organizations;
 
 public class OrganizationResponseModel : ResponseModel
 {
-    public OrganizationResponseModel(Organization organization, string obj = "organization")
-        : base(obj)
+    public OrganizationResponseModel(
+        Organization organization,
+        Plan plan,
+        string obj = "organization") : base(obj)
     {
         if (organization == null)
         {
@@ -28,7 +31,8 @@ public class OrganizationResponseModel : ResponseModel
         BusinessCountry = organization.BusinessCountry;
         BusinessTaxNumber = organization.BusinessTaxNumber;
         BillingEmail = organization.BillingEmail;
-        Plan = new PlanResponseModel(StaticStore.GetPlan(organization.PlanType));
+        // Self-Host instances only require plan information that can be derived from the Organization record.
+        Plan = plan != null ? new PlanResponseModel(plan) : new PlanResponseModel(organization);
         PlanType = organization.PlanType;
         Seats = organization.Seats;
         MaxAutoscaleSeats = organization.MaxAutoscaleSeats;
@@ -110,7 +114,9 @@ public class OrganizationResponseModel : ResponseModel
 
 public class OrganizationSubscriptionResponseModel : OrganizationResponseModel
 {
-    public OrganizationSubscriptionResponseModel(Organization organization) : base(organization, "organizationSubscription")
+    public OrganizationSubscriptionResponseModel(
+        Organization organization,
+        Plan plan) : base(organization, plan, "organizationSubscription")
     {
         Expiration = organization.ExpirationDate;
         StorageName = organization.Storage.HasValue ?
@@ -119,8 +125,11 @@ public class OrganizationSubscriptionResponseModel : OrganizationResponseModel
             Math.Round(organization.Storage.Value / 1073741824D, 2) : 0; // 1 GB
     }
 
-    public OrganizationSubscriptionResponseModel(Organization organization, SubscriptionInfo subscription, bool hideSensitiveData)
-        : this(organization)
+    public OrganizationSubscriptionResponseModel(
+        Organization organization,
+        SubscriptionInfo subscription,
+        Plan plan,
+        bool hideSensitiveData) : this(organization, plan)
     {
         Subscription = subscription.Subscription != null ? new BillingSubscription(subscription.Subscription) : null;
         UpcomingInvoice = subscription.UpcomingInvoice != null ? new BillingSubscriptionUpcomingInvoice(subscription.UpcomingInvoice) : null;
@@ -142,7 +151,7 @@ public class OrganizationSubscriptionResponseModel : OrganizationResponseModel
     }
 
     public OrganizationSubscriptionResponseModel(Organization organization, OrganizationLicense license) :
-        this(organization)
+        this(organization, (Plan)null)
     {
         if (license != null)
         {
diff --git a/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs b/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs
index d08298de6e..3a901f11c4 100644
--- a/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs
+++ b/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs
@@ -3,6 +3,7 @@ using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Extensions;
 using Bit.Core.Enums;
 using Bit.Core.Models.Api;
 using Bit.Core.Models.Data;
@@ -37,7 +38,7 @@ public class ProfileOrganizationResponseModel : ResponseModel
         UsePasswordManager = organization.UsePasswordManager;
         UsersGetPremium = organization.UsersGetPremium;
         UseCustomPermissions = organization.UseCustomPermissions;
-        UseActivateAutofillPolicy = StaticStore.GetPlan(organization.PlanType).ProductTier == ProductTierType.Enterprise;
+        UseActivateAutofillPolicy = organization.PlanType.GetProductTier() == ProductTierType.Enterprise;
         SelfHost = organization.SelfHost;
         Seats = organization.Seats;
         MaxCollections = organization.MaxCollections;
@@ -60,7 +61,7 @@ public class ProfileOrganizationResponseModel : ResponseModel
         FamilySponsorshipAvailable = FamilySponsorshipFriendlyName == null &&
             StaticStore.GetSponsoredPlan(PlanSponsorshipType.FamiliesForEnterprise)
             .UsersCanSponsor(organization);
-        ProductTierType = StaticStore.GetPlan(organization.PlanType).ProductTier;
+        ProductTierType = organization.PlanType.GetProductTier();
         FamilySponsorshipLastSyncDate = organization.FamilySponsorshipLastSyncDate;
         FamilySponsorshipToDelete = organization.FamilySponsorshipToDelete;
         FamilySponsorshipValidUntil = organization.FamilySponsorshipValidUntil;
diff --git a/src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs b/src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs
index 589744c7df..d31cb5a77a 100644
--- a/src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs
+++ b/src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs
@@ -1,8 +1,8 @@
 using Bit.Core.AdminConsole.Models.Data.Provider;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Extensions;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
-using Bit.Core.Utilities;
 
 namespace Bit.Api.AdminConsole.Models.Response;
 
@@ -26,7 +26,7 @@ public class ProfileProviderOrganizationResponseModel : ProfileOrganizationRespo
         UseResetPassword = organization.UseResetPassword;
         UsersGetPremium = organization.UsersGetPremium;
         UseCustomPermissions = organization.UseCustomPermissions;
-        UseActivateAutofillPolicy = StaticStore.GetPlan(organization.PlanType).ProductTier == ProductTierType.Enterprise;
+        UseActivateAutofillPolicy = organization.PlanType.GetProductTier() == ProductTierType.Enterprise;
         SelfHost = organization.SelfHost;
         Seats = organization.Seats;
         MaxCollections = organization.MaxCollections;
@@ -44,7 +44,7 @@ public class ProfileProviderOrganizationResponseModel : ProfileOrganizationRespo
         ProviderId = organization.ProviderId;
         ProviderName = organization.ProviderName;
         ProviderType = organization.ProviderType;
-        ProductTierType = StaticStore.GetPlan(organization.PlanType).ProductTier;
+        ProductTierType = organization.PlanType.GetProductTier();
         LimitCollectionCreation = organization.LimitCollectionCreation;
         LimitCollectionDeletion = organization.LimitCollectionDeletion;
         LimitItemDeletion = organization.LimitItemDeletion;
diff --git a/src/Api/Billing/Controllers/OrganizationBillingController.cs b/src/Api/Billing/Controllers/OrganizationBillingController.cs
index 3ceeaf3c47..2ec503281e 100644
--- a/src/Api/Billing/Controllers/OrganizationBillingController.cs
+++ b/src/Api/Billing/Controllers/OrganizationBillingController.cs
@@ -4,6 +4,7 @@ using Bit.Api.Billing.Models.Requests;
 using Bit.Api.Billing.Models.Responses;
 using Bit.Core.Billing.Models;
 using Bit.Core.Billing.Models.Sales;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Repositories;
@@ -21,6 +22,7 @@ public class OrganizationBillingController(
     IOrganizationBillingService organizationBillingService,
     IOrganizationRepository organizationRepository,
     IPaymentService paymentService,
+    IPricingClient pricingClient,
     ISubscriberService subscriberService,
     IPaymentHistoryService paymentHistoryService,
     IUserService userService) : BaseBillingController
@@ -279,7 +281,7 @@ public class OrganizationBillingController(
         }
         var organizationSignup = model.ToOrganizationSignup(user);
         var sale = OrganizationSale.From(organization, organizationSignup);
-        var plan = StaticStore.GetPlan(model.PlanType);
+        var plan = await pricingClient.GetPlanOrThrow(model.PlanType);
         sale.Organization.PlanType = plan.Type;
         sale.Organization.Plan = plan.Name;
         sale.SubscriptionSetup.SkipTrial = true;
diff --git a/src/Api/Billing/Controllers/OrganizationsController.cs b/src/Api/Billing/Controllers/OrganizationsController.cs
index 7b25114a44..de14a8d798 100644
--- a/src/Api/Billing/Controllers/OrganizationsController.cs
+++ b/src/Api/Billing/Controllers/OrganizationsController.cs
@@ -8,6 +8,7 @@ using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Entities;
 using Bit.Core.Billing.Models;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Repositories;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
@@ -45,7 +46,8 @@ public class OrganizationsController(
     IAddSecretsManagerSubscriptionCommand addSecretsManagerSubscriptionCommand,
     IReferenceEventService referenceEventService,
     ISubscriberService subscriberService,
-    IOrganizationInstallationRepository organizationInstallationRepository)
+    IOrganizationInstallationRepository organizationInstallationRepository,
+    IPricingClient pricingClient)
     : Controller
 {
     [HttpGet("{id:guid}/subscription")]
@@ -62,26 +64,28 @@ public class OrganizationsController(
             throw new NotFoundException();
         }
 
-        if (!globalSettings.SelfHosted && organization.Gateway != null)
-        {
-            var subscriptionInfo = await paymentService.GetSubscriptionAsync(organization);
-            if (subscriptionInfo == null)
-            {
-                throw new NotFoundException();
-            }
-
-            var hideSensitiveData = !await currentContext.EditSubscription(id);
-
-            return new OrganizationSubscriptionResponseModel(organization, subscriptionInfo, hideSensitiveData);
-        }
-
         if (globalSettings.SelfHosted)
         {
             var orgLicense = await licensingService.ReadOrganizationLicenseAsync(organization);
             return new OrganizationSubscriptionResponseModel(organization, orgLicense);
         }
 
-        return new OrganizationSubscriptionResponseModel(organization);
+        var plan = await pricingClient.GetPlanOrThrow(organization.PlanType);
+
+        if (string.IsNullOrEmpty(organization.GatewaySubscriptionId))
+        {
+            return new OrganizationSubscriptionResponseModel(organization, plan);
+        }
+
+        var subscriptionInfo = await paymentService.GetSubscriptionAsync(organization);
+        if (subscriptionInfo == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var hideSensitiveData = !await currentContext.EditSubscription(id);
+
+        return new OrganizationSubscriptionResponseModel(organization, subscriptionInfo, plan, hideSensitiveData);
     }
 
     [HttpGet("{id:guid}/license")]
@@ -165,7 +169,8 @@ public class OrganizationsController(
 
         organization = await AdjustOrganizationSeatsForSmTrialAsync(id, organization, model);
 
-        var organizationUpdate = model.ToSecretsManagerSubscriptionUpdate(organization);
+        var plan = await pricingClient.GetPlanOrThrow(organization.PlanType);
+        var organizationUpdate = model.ToSecretsManagerSubscriptionUpdate(organization, plan);
 
         await updateSecretsManagerSubscriptionCommand.UpdateSubscriptionAsync(organizationUpdate);
 
diff --git a/src/Api/Billing/Controllers/ProviderBillingController.cs b/src/Api/Billing/Controllers/ProviderBillingController.cs
index c5de63c69b..73c992040c 100644
--- a/src/Api/Billing/Controllers/ProviderBillingController.cs
+++ b/src/Api/Billing/Controllers/ProviderBillingController.cs
@@ -2,6 +2,7 @@
 using Bit.Api.Billing.Models.Responses;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Models;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Repositories;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
@@ -20,6 +21,7 @@ namespace Bit.Api.Billing.Controllers;
 public class ProviderBillingController(
     ICurrentContext currentContext,
     ILogger<BaseProviderController> logger,
+    IPricingClient pricingClient,
     IProviderBillingService providerBillingService,
     IProviderPlanRepository providerPlanRepository,
     IProviderRepository providerRepository,
@@ -84,13 +86,25 @@ public class ProviderBillingController(
 
         var providerPlans = await providerPlanRepository.GetByProviderId(provider.Id);
 
+        var configuredProviderPlans = await Task.WhenAll(providerPlans.Select(async providerPlan =>
+        {
+            var plan = await pricingClient.GetPlanOrThrow(providerPlan.PlanType);
+            return new ConfiguredProviderPlan(
+                providerPlan.Id,
+                providerPlan.ProviderId,
+                plan,
+                providerPlan.SeatMinimum ?? 0,
+                providerPlan.PurchasedSeats ?? 0,
+                providerPlan.AllocatedSeats ?? 0);
+        }));
+
         var taxInformation = GetTaxInformation(subscription.Customer);
 
         var subscriptionSuspension = await GetSubscriptionSuspensionAsync(stripeAdapter, subscription);
 
         var response = ProviderSubscriptionResponse.From(
             subscription,
-            providerPlans,
+            configuredProviderPlans,
             taxInformation,
             subscriptionSuspension,
             provider);
diff --git a/src/Api/Billing/Models/Responses/ProviderSubscriptionResponse.cs b/src/Api/Billing/Models/Responses/ProviderSubscriptionResponse.cs
index 2b0592f0e3..34c3817e51 100644
--- a/src/Api/Billing/Models/Responses/ProviderSubscriptionResponse.cs
+++ b/src/Api/Billing/Models/Responses/ProviderSubscriptionResponse.cs
@@ -1,9 +1,7 @@
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.AdminConsole.Enums.Provider;
-using Bit.Core.Billing.Entities;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Models;
-using Bit.Core.Utilities;
 using Stripe;
 
 namespace Bit.Api.Billing.Models.Responses;
@@ -25,26 +23,24 @@ public record ProviderSubscriptionResponse(
 
     public static ProviderSubscriptionResponse From(
         Subscription subscription,
-        ICollection<ProviderPlan> providerPlans,
+        ICollection<ConfiguredProviderPlan> providerPlans,
         TaxInformation taxInformation,
         SubscriptionSuspension subscriptionSuspension,
         Provider provider)
     {
         var providerPlanResponses = providerPlans
-            .Where(providerPlan => providerPlan.IsConfigured())
-            .Select(ConfiguredProviderPlan.From)
-            .Select(configuredProviderPlan =>
+            .Select(providerPlan =>
             {
-                var plan = StaticStore.GetPlan(configuredProviderPlan.PlanType);
-                var cost = (configuredProviderPlan.SeatMinimum + configuredProviderPlan.PurchasedSeats) * plan.PasswordManager.ProviderPortalSeatPrice;
+                var plan = providerPlan.Plan;
+                var cost = (providerPlan.SeatMinimum + providerPlan.PurchasedSeats) * plan.PasswordManager.ProviderPortalSeatPrice;
                 var cadence = plan.IsAnnual ? _annualCadence : _monthlyCadence;
                 return new ProviderPlanResponse(
                     plan.Name,
                     plan.Type,
                     plan.ProductTier,
-                    configuredProviderPlan.SeatMinimum,
-                    configuredProviderPlan.PurchasedSeats,
-                    configuredProviderPlan.AssignedSeats,
+                    providerPlan.SeatMinimum,
+                    providerPlan.PurchasedSeats,
+                    providerPlan.AssignedSeats,
                     cost,
                     cadence);
             });
diff --git a/src/Api/Billing/Public/Controllers/OrganizationController.cs b/src/Api/Billing/Public/Controllers/OrganizationController.cs
index 7fcd94acd3..b0a0537ed8 100644
--- a/src/Api/Billing/Public/Controllers/OrganizationController.cs
+++ b/src/Api/Billing/Public/Controllers/OrganizationController.cs
@@ -1,6 +1,7 @@
 using System.Net;
 using Bit.Api.Billing.Public.Models;
 using Bit.Api.Models.Public.Response;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Context;
 using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
 using Bit.Core.Repositories;
@@ -21,19 +22,22 @@ public class OrganizationController : Controller
     private readonly IOrganizationRepository _organizationRepository;
     private readonly IUpdateSecretsManagerSubscriptionCommand _updateSecretsManagerSubscriptionCommand;
     private readonly ILogger<OrganizationController> _logger;
+    private readonly IPricingClient _pricingClient;
 
     public OrganizationController(
         IOrganizationService organizationService,
         ICurrentContext currentContext,
         IOrganizationRepository organizationRepository,
         IUpdateSecretsManagerSubscriptionCommand updateSecretsManagerSubscriptionCommand,
-        ILogger<OrganizationController> logger)
+        ILogger<OrganizationController> logger,
+        IPricingClient pricingClient)
     {
         _organizationService = organizationService;
         _currentContext = currentContext;
         _organizationRepository = organizationRepository;
         _updateSecretsManagerSubscriptionCommand = updateSecretsManagerSubscriptionCommand;
         _logger = logger;
+        _pricingClient = pricingClient;
     }
 
     /// <summary>
@@ -140,7 +144,8 @@ public class OrganizationController : Controller
             return "Organization has no access to Secrets Manager.";
         }
 
-        var secretsManagerUpdate = model.SecretsManager.ToSecretsManagerSubscriptionUpdate(organization);
+        var plan = await _pricingClient.GetPlanOrThrow(organization.PlanType);
+        var secretsManagerUpdate = model.SecretsManager.ToSecretsManagerSubscriptionUpdate(organization, plan);
         await _updateSecretsManagerSubscriptionCommand.UpdateSubscriptionAsync(secretsManagerUpdate);
 
         return string.Empty;
diff --git a/src/Api/Billing/Public/Models/Request/OrganizationSubscriptionUpdateRequestModel.cs b/src/Api/Billing/Public/Models/Request/OrganizationSubscriptionUpdateRequestModel.cs
index 781ad3ca53..5c75db5924 100644
--- a/src/Api/Billing/Public/Models/Request/OrganizationSubscriptionUpdateRequestModel.cs
+++ b/src/Api/Billing/Public/Models/Request/OrganizationSubscriptionUpdateRequestModel.cs
@@ -1,6 +1,7 @@
 using System.ComponentModel.DataAnnotations;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Models.Business;
+using Bit.Core.Models.StaticStore;
 
 namespace Bit.Api.Billing.Public.Models;
 
@@ -93,17 +94,17 @@ public class SecretsManagerSubscriptionUpdateModel
         set { _maxAutoScaleServiceAccounts = value < 0 ? null : value; }
     }
 
-    public virtual SecretsManagerSubscriptionUpdate ToSecretsManagerSubscriptionUpdate(Organization organization)
+    public virtual SecretsManagerSubscriptionUpdate ToSecretsManagerSubscriptionUpdate(Organization organization, Plan plan)
     {
-        var update = UpdateUpdateMaxAutoScale(organization);
+        var update = UpdateUpdateMaxAutoScale(organization, plan);
         UpdateSeats(organization, update);
         UpdateServiceAccounts(organization, update);
         return update;
     }
 
-    private SecretsManagerSubscriptionUpdate UpdateUpdateMaxAutoScale(Organization organization)
+    private SecretsManagerSubscriptionUpdate UpdateUpdateMaxAutoScale(Organization organization, Plan plan)
     {
-        var update = new SecretsManagerSubscriptionUpdate(organization, false)
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false)
         {
             MaxAutoscaleSmSeats = MaxAutoScaleSeats ?? organization.MaxAutoscaleSmSeats,
             MaxAutoscaleSmServiceAccounts = MaxAutoScaleServiceAccounts ?? organization.MaxAutoscaleSmServiceAccounts
diff --git a/src/Api/Controllers/PlansController.cs b/src/Api/Controllers/PlansController.cs
index c2ee494322..11b070fb66 100644
--- a/src/Api/Controllers/PlansController.cs
+++ b/src/Api/Controllers/PlansController.cs
@@ -1,5 +1,5 @@
 using Bit.Api.Models.Response;
-using Bit.Core.Utilities;
+using Bit.Core.Billing.Pricing;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
@@ -7,13 +7,15 @@ namespace Bit.Api.Controllers;
 
 [Route("plans")]
 [Authorize("Web")]
-public class PlansController : Controller
+public class PlansController(
+    IPricingClient pricingClient) : Controller
 {
     [HttpGet("")]
     [AllowAnonymous]
-    public ListResponseModel<PlanResponseModel> Get()
+    public async Task<ListResponseModel<PlanResponseModel>> Get()
     {
-        var responses = StaticStore.Plans.Select(plan => new PlanResponseModel(plan));
+        var plans = await pricingClient.ListPlans();
+        var responses = plans.Select(plan => new PlanResponseModel(plan));
         return new ListResponseModel<PlanResponseModel>(responses);
     }
 }
diff --git a/src/Api/Controllers/SelfHosted/SelfHostedOrganizationLicensesController.cs b/src/Api/Controllers/SelfHosted/SelfHostedOrganizationLicensesController.cs
index 783c4b71f4..ed501c41da 100644
--- a/src/Api/Controllers/SelfHosted/SelfHostedOrganizationLicensesController.cs
+++ b/src/Api/Controllers/SelfHosted/SelfHostedOrganizationLicensesController.cs
@@ -64,7 +64,8 @@ public class SelfHostedOrganizationLicensesController : Controller
 
         var result = await _organizationService.SignUpAsync(license, user, model.Key,
             model.CollectionName, model.Keys?.PublicKey, model.Keys?.EncryptedPrivateKey);
-        return new OrganizationResponseModel(result.Item1);
+
+        return new OrganizationResponseModel(result.Item1, null);
     }
 
     [HttpPost("{id}")]
diff --git a/src/Api/Models/Request/Organizations/SecretsManagerSubscriptionUpdateRequestModel.cs b/src/Api/Models/Request/Organizations/SecretsManagerSubscriptionUpdateRequestModel.cs
index 18bc66a0b6..6ddc1af486 100644
--- a/src/Api/Models/Request/Organizations/SecretsManagerSubscriptionUpdateRequestModel.cs
+++ b/src/Api/Models/Request/Organizations/SecretsManagerSubscriptionUpdateRequestModel.cs
@@ -1,6 +1,7 @@
 using System.ComponentModel.DataAnnotations;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Models.Business;
+using Bit.Core.Models.StaticStore;
 
 namespace Bit.Api.Models.Request.Organizations;
 
@@ -12,9 +13,9 @@ public class SecretsManagerSubscriptionUpdateRequestModel
     public int ServiceAccountAdjustment { get; set; }
     public int? MaxAutoscaleServiceAccounts { get; set; }
 
-    public virtual SecretsManagerSubscriptionUpdate ToSecretsManagerSubscriptionUpdate(Organization organization)
+    public virtual SecretsManagerSubscriptionUpdate ToSecretsManagerSubscriptionUpdate(Organization organization, Plan plan)
     {
-        return new SecretsManagerSubscriptionUpdate(organization, false)
+        return new SecretsManagerSubscriptionUpdate(organization, plan, false)
         {
             MaxAutoscaleSmSeats = MaxAutoscaleSeats,
             MaxAutoscaleSmServiceAccounts = MaxAutoscaleServiceAccounts
diff --git a/src/Api/Models/Response/PlanResponseModel.cs b/src/Api/Models/Response/PlanResponseModel.cs
index b6ca9b62d2..74bcb59661 100644
--- a/src/Api/Models/Response/PlanResponseModel.cs
+++ b/src/Api/Models/Response/PlanResponseModel.cs
@@ -1,4 +1,6 @@
-using Bit.Core.Billing.Enums;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Extensions;
 using Bit.Core.Models.Api;
 using Bit.Core.Models.StaticStore;
 
@@ -44,6 +46,13 @@ public class PlanResponseModel : ResponseModel
         PasswordManager = new PasswordManagerPlanFeaturesResponseModel(plan.PasswordManager);
     }
 
+    public PlanResponseModel(Organization organization, string obj = "plan") : base(obj)
+    {
+        Type = organization.PlanType;
+        ProductTier = organization.PlanType.GetProductTier();
+        Name = organization.Plan;
+    }
+
     public PlanType Type { get; set; }
     public ProductTierType ProductTier { get; set; }
     public string Name { get; set; }
diff --git a/src/Api/SecretsManager/Controllers/ServiceAccountsController.cs b/src/Api/SecretsManager/Controllers/ServiceAccountsController.cs
index 8de53bc1e4..96c6c60528 100644
--- a/src/Api/SecretsManager/Controllers/ServiceAccountsController.cs
+++ b/src/Api/SecretsManager/Controllers/ServiceAccountsController.cs
@@ -1,6 +1,7 @@
 using Bit.Api.Models.Response;
 using Bit.Api.SecretsManager.Models.Request;
 using Bit.Api.SecretsManager.Models.Response;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -37,6 +38,7 @@ public class ServiceAccountsController : Controller
     private readonly IUpdateServiceAccountCommand _updateServiceAccountCommand;
     private readonly IDeleteServiceAccountsCommand _deleteServiceAccountsCommand;
     private readonly IRevokeAccessTokensCommand _revokeAccessTokensCommand;
+    private readonly IPricingClient _pricingClient;
 
     public ServiceAccountsController(
         ICurrentContext currentContext,
@@ -52,7 +54,8 @@ public class ServiceAccountsController : Controller
         ICreateServiceAccountCommand createServiceAccountCommand,
         IUpdateServiceAccountCommand updateServiceAccountCommand,
         IDeleteServiceAccountsCommand deleteServiceAccountsCommand,
-        IRevokeAccessTokensCommand revokeAccessTokensCommand)
+        IRevokeAccessTokensCommand revokeAccessTokensCommand,
+        IPricingClient pricingClient)
     {
         _currentContext = currentContext;
         _userService = userService;
@@ -66,6 +69,7 @@ public class ServiceAccountsController : Controller
         _updateServiceAccountCommand = updateServiceAccountCommand;
         _deleteServiceAccountsCommand = deleteServiceAccountsCommand;
         _revokeAccessTokensCommand = revokeAccessTokensCommand;
+        _pricingClient = pricingClient;
         _createAccessTokenCommand = createAccessTokenCommand;
         _updateSecretsManagerSubscriptionCommand = updateSecretsManagerSubscriptionCommand;
     }
@@ -124,7 +128,9 @@ public class ServiceAccountsController : Controller
         if (newServiceAccountSlotsRequired > 0)
         {
             var org = await _organizationRepository.GetByIdAsync(organizationId);
-            var update = new SecretsManagerSubscriptionUpdate(org, true)
+            // TODO: https://bitwarden.atlassian.net/browse/PM-17002
+            var plan = await _pricingClient.GetPlanOrThrow(org!.PlanType);
+            var update = new SecretsManagerSubscriptionUpdate(org, plan, true)
                 .AdjustServiceAccounts(newServiceAccountSlotsRequired);
             await _updateSecretsManagerSubscriptionCommand.UpdateSubscriptionAsync(update);
         }
diff --git a/src/Billing/Services/Implementations/PaymentSucceededHandler.cs b/src/Billing/Services/Implementations/PaymentSucceededHandler.cs
index 1577e77c9e..40d8c8349d 100644
--- a/src/Billing/Services/Implementations/PaymentSucceededHandler.cs
+++ b/src/Billing/Services/Implementations/PaymentSucceededHandler.cs
@@ -2,6 +2,7 @@
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Context;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
@@ -9,7 +10,6 @@ using Bit.Core.Services;
 using Bit.Core.Tools.Enums;
 using Bit.Core.Tools.Models.Business;
 using Bit.Core.Tools.Services;
-using Bit.Core.Utilities;
 using Event = Stripe.Event;
 
 namespace Bit.Billing.Services.Implementations;
@@ -28,6 +28,7 @@ public class PaymentSucceededHandler : IPaymentSucceededHandler
     private readonly IStripeEventUtilityService _stripeEventUtilityService;
     private readonly IPushNotificationService _pushNotificationService;
     private readonly IOrganizationEnableCommand _organizationEnableCommand;
+    private readonly IPricingClient _pricingClient;
 
     public PaymentSucceededHandler(
         ILogger<PaymentSucceededHandler> logger,
@@ -41,7 +42,8 @@ public class PaymentSucceededHandler : IPaymentSucceededHandler
         IStripeEventUtilityService stripeEventUtilityService,
         IUserService userService,
         IPushNotificationService pushNotificationService,
-        IOrganizationEnableCommand organizationEnableCommand)
+        IOrganizationEnableCommand organizationEnableCommand,
+        IPricingClient pricingClient)
     {
         _logger = logger;
         _stripeEventService = stripeEventService;
@@ -55,6 +57,7 @@ public class PaymentSucceededHandler : IPaymentSucceededHandler
         _userService = userService;
         _pushNotificationService = pushNotificationService;
         _organizationEnableCommand = organizationEnableCommand;
+        _pricingClient = pricingClient;
     }
 
     /// <summary>
@@ -96,9 +99,9 @@ public class PaymentSucceededHandler : IPaymentSucceededHandler
                 return;
             }
 
-            var teamsMonthly = StaticStore.GetPlan(PlanType.TeamsMonthly);
+            var teamsMonthly = await _pricingClient.GetPlanOrThrow(PlanType.TeamsMonthly);
 
-            var enterpriseMonthly = StaticStore.GetPlan(PlanType.EnterpriseMonthly);
+            var enterpriseMonthly = await _pricingClient.GetPlanOrThrow(PlanType.EnterpriseMonthly);
 
             var teamsMonthlyLineItem =
                 subscription.Items.Data.FirstOrDefault(item =>
@@ -137,14 +140,21 @@ public class PaymentSucceededHandler : IPaymentSucceededHandler
         }
         else if (organizationId.HasValue)
         {
-            if (!subscription.Items.Any(i =>
-                    StaticStore.Plans.Any(p => p.PasswordManager.StripePlanId == i.Plan.Id)))
+            var organization = await _organizationRepository.GetByIdAsync(organizationId.Value);
+
+            if (organization == null)
+            {
+                return;
+            }
+
+            var plan = await _pricingClient.GetPlanOrThrow(organization.PlanType);
+
+            if (subscription.Items.All(item => plan.PasswordManager.StripePlanId != item.Plan.Id))
             {
                 return;
             }
 
             await _organizationEnableCommand.EnableAsync(organizationId.Value, subscription.CurrentPeriodEnd);
-            var organization = await _organizationRepository.GetByIdAsync(organizationId.Value);
             await _pushNotificationService.PushSyncOrganizationStatusAsync(organization);
 
             await _referenceEventService.RaiseEventAsync(
diff --git a/src/Billing/Services/Implementations/ProviderEventService.cs b/src/Billing/Services/Implementations/ProviderEventService.cs
index 548ed9f547..4e35a6c894 100644
--- a/src/Billing/Services/Implementations/ProviderEventService.cs
+++ b/src/Billing/Services/Implementations/ProviderEventService.cs
@@ -1,15 +1,17 @@
 using Bit.Billing.Constants;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Entities;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Repositories;
 using Bit.Core.Enums;
-using Bit.Core.Utilities;
+using Bit.Core.Repositories;
 using Stripe;
 
 namespace Bit.Billing.Services.Implementations;
 
 public class ProviderEventService(
-    ILogger<ProviderEventService> logger,
+    IOrganizationRepository organizationRepository,
+    IPricingClient pricingClient,
     IProviderInvoiceItemRepository providerInvoiceItemRepository,
     IProviderOrganizationRepository providerOrganizationRepository,
     IProviderPlanRepository providerPlanRepository,
@@ -54,7 +56,14 @@ public class ProviderEventService(
                             continue;
                         }
 
-                        var plan = StaticStore.Plans.Single(x => x.Name == client.Plan && providerPlans.Any(y => y.PlanType == x.Type));
+                        var organization = await organizationRepository.GetByIdAsync(client.OrganizationId);
+
+                        if (organization == null)
+                        {
+                            return;
+                        }
+
+                        var plan = await pricingClient.GetPlanOrThrow(organization.PlanType);
 
                         var discountedPercentage = (100 - (invoice.Discount?.Coupon?.PercentOff ?? 0)) / 100;
 
@@ -76,7 +85,7 @@ public class ProviderEventService(
 
                     foreach (var providerPlan in providerPlans.Where(x => x.PurchasedSeats is null or 0))
                     {
-                        var plan = StaticStore.GetPlan(providerPlan.PlanType);
+                        var plan = await pricingClient.GetPlanOrThrow(providerPlan.PlanType);
 
                         var clientSeats = invoiceItems
                             .Where(item => item.PlanName == plan.Name)
diff --git a/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs b/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs
index 35a16ae74f..d2ca7fa9bf 100644
--- a/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs
+++ b/src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs
@@ -2,11 +2,11 @@
 using Bit.Billing.Jobs;
 using Bit.Core;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
-using Bit.Core.Utilities;
 using Quartz;
 using Stripe;
 using Event = Stripe.Event;
@@ -27,6 +27,7 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
     private readonly IFeatureService _featureService;
     private readonly IOrganizationEnableCommand _organizationEnableCommand;
     private readonly IOrganizationDisableCommand _organizationDisableCommand;
+    private readonly IPricingClient _pricingClient;
 
     public SubscriptionUpdatedHandler(
         IStripeEventService stripeEventService,
@@ -40,7 +41,8 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
         ISchedulerFactory schedulerFactory,
         IFeatureService featureService,
         IOrganizationEnableCommand organizationEnableCommand,
-        IOrganizationDisableCommand organizationDisableCommand)
+        IOrganizationDisableCommand organizationDisableCommand,
+        IPricingClient pricingClient)
     {
         _stripeEventService = stripeEventService;
         _stripeEventUtilityService = stripeEventUtilityService;
@@ -54,6 +56,7 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
         _featureService = featureService;
         _organizationEnableCommand = organizationEnableCommand;
         _organizationDisableCommand = organizationDisableCommand;
+        _pricingClient = pricingClient;
     }
 
     /// <summary>
@@ -156,7 +159,8 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
     /// </summary>
     /// <param name="parsedEvent"></param>
     /// <param name="subscription"></param>
-    private async Task RemovePasswordManagerCouponIfRemovingSecretsManagerTrialAsync(Event parsedEvent,
+    private async Task RemovePasswordManagerCouponIfRemovingSecretsManagerTrialAsync(
+        Event parsedEvent,
         Subscription subscription)
     {
         if (parsedEvent.Data.PreviousAttributes?.items is null)
@@ -164,6 +168,22 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
             return;
         }
 
+        var organization = subscription.Metadata.TryGetValue("organizationId", out var organizationId)
+            ? await _organizationRepository.GetByIdAsync(Guid.Parse(organizationId))
+            : null;
+
+        if (organization == null)
+        {
+            return;
+        }
+
+        var plan = await _pricingClient.GetPlanOrThrow(organization.PlanType);
+
+        if (!plan.SupportsSecretsManager)
+        {
+            return;
+        }
+
         var previousSubscription = parsedEvent.Data
             .PreviousAttributes
             .ToObject<Subscription>() as Subscription;
@@ -171,17 +191,14 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
         // This being false doesn't necessarily mean that the organization doesn't subscribe to Secrets Manager.
         // If there are changes to any subscription item, Stripe sends every item in the subscription, both
         // changed and unchanged.
-        var previousSubscriptionHasSecretsManager = previousSubscription?.Items is not null &&
-                                                    previousSubscription.Items.Any(previousItem =>
-                                                        StaticStore.Plans.Any(p =>
-                                                            p.SecretsManager is not null &&
-                                                            p.SecretsManager.StripeSeatPlanId ==
-                                                            previousItem.Plan.Id));
+        var previousSubscriptionHasSecretsManager =
+            previousSubscription?.Items is not null &&
+            previousSubscription.Items.Any(
+                previousSubscriptionItem => previousSubscriptionItem.Plan.Id == plan.SecretsManager.StripeSeatPlanId);
 
-        var currentSubscriptionHasSecretsManager = subscription.Items.Any(i =>
-            StaticStore.Plans.Any(p =>
-                p.SecretsManager is not null &&
-                p.SecretsManager.StripeSeatPlanId == i.Plan.Id));
+        var currentSubscriptionHasSecretsManager =
+            subscription.Items.Any(
+                currentSubscriptionItem => currentSubscriptionItem.Plan.Id == plan.SecretsManager.StripeSeatPlanId);
 
         if (!previousSubscriptionHasSecretsManager || currentSubscriptionHasSecretsManager)
         {
diff --git a/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs b/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs
index 5315195c59..d37bf41428 100644
--- a/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs
+++ b/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs
@@ -1,12 +1,11 @@
-using Bit.Core.AdminConsole.Entities;
-using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Extensions;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
-using Bit.Core.Utilities;
 using Stripe;
 using Event = Stripe.Event;
 
@@ -16,6 +15,7 @@ public class UpcomingInvoiceHandler(
     ILogger<StripeEventProcessor> logger,
     IMailService mailService,
     IOrganizationRepository organizationRepository,
+    IPricingClient pricingClient,
     IProviderRepository providerRepository,
     IStripeFacade stripeFacade,
     IStripeEventService stripeEventService,
@@ -52,7 +52,9 @@ public class UpcomingInvoiceHandler(
 
             await TryEnableAutomaticTaxAsync(subscription);
 
-            if (!HasAnnualPlan(organization))
+            var plan = await pricingClient.GetPlanOrThrow(organization.PlanType);
+
+            if (!plan.IsAnnual)
             {
                 return;
             }
@@ -136,7 +138,7 @@ public class UpcomingInvoiceHandler(
     {
         if (subscription.AutomaticTax.Enabled ||
             !subscription.Customer.HasBillingLocation() ||
-            IsNonTaxableNonUSBusinessUseSubscription(subscription))
+            await IsNonTaxableNonUSBusinessUseSubscription(subscription))
         {
             return;
         }
@@ -150,14 +152,12 @@ public class UpcomingInvoiceHandler(
 
         return;
 
-        bool IsNonTaxableNonUSBusinessUseSubscription(Subscription localSubscription)
+        async Task<bool> IsNonTaxableNonUSBusinessUseSubscription(Subscription localSubscription)
         {
-            var familyPriceIds = new List<string>
-            {
-                // TODO: Replace with the PricingClient
-                StaticStore.GetPlan(PlanType.FamiliesAnnually2019).PasswordManager.StripePlanId,
-                StaticStore.GetPlan(PlanType.FamiliesAnnually).PasswordManager.StripePlanId
-            };
+            var familyPriceIds = (await Task.WhenAll(
+                    pricingClient.GetPlanOrThrow(PlanType.FamiliesAnnually2019),
+                    pricingClient.GetPlanOrThrow(PlanType.FamiliesAnnually)))
+                .Select(plan => plan.PasswordManager.StripePlanId);
 
             return localSubscription.Customer.Address.Country != "US" &&
                    localSubscription.Metadata.ContainsKey(StripeConstants.MetadataKeys.OrganizationId) &&
@@ -165,6 +165,4 @@ public class UpcomingInvoiceHandler(
                    !localSubscription.Customer.TaxIds.Any();
         }
     }
-
-    private static bool HasAnnualPlan(Organization org) => StaticStore.GetPlan(org.PlanType).IsAnnual;
 }
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommand.cs
index 3dd55f9893..657cc6c54d 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommand.cs
@@ -2,6 +2,7 @@
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -24,6 +25,7 @@ public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
     private readonly ICollectionRepository _collectionRepository;
     private readonly IGroupRepository _groupRepository;
     private readonly IHasConfirmedOwnersExceptQuery _hasConfirmedOwnersExceptQuery;
+    private readonly IPricingClient _pricingClient;
 
     public UpdateOrganizationUserCommand(
         IEventService eventService,
@@ -34,7 +36,8 @@ public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
         IUpdateSecretsManagerSubscriptionCommand updateSecretsManagerSubscriptionCommand,
         ICollectionRepository collectionRepository,
         IGroupRepository groupRepository,
-        IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery)
+        IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery,
+        IPricingClient pricingClient)
     {
         _eventService = eventService;
         _organizationService = organizationService;
@@ -45,6 +48,7 @@ public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
         _collectionRepository = collectionRepository;
         _groupRepository = groupRepository;
         _hasConfirmedOwnersExceptQuery = hasConfirmedOwnersExceptQuery;
+        _pricingClient = pricingClient;
     }
 
     /// <summary>
@@ -128,8 +132,10 @@ public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
             var additionalSmSeatsRequired = await _countNewSmSeatsRequiredQuery.CountNewSmSeatsRequiredAsync(organizationUser.OrganizationId, 1);
             if (additionalSmSeatsRequired > 0)
             {
-                var update = new SecretsManagerSubscriptionUpdate(organization, true)
-                   .AdjustSeats(additionalSmSeatsRequired);
+                // TODO: https://bitwarden.atlassian.net/browse/PM-17012
+                var plan = await _pricingClient.GetPlanOrThrow(organization.PlanType);
+                var update = new SecretsManagerSubscriptionUpdate(organization, plan, true)
+                    .AdjustSeats(additionalSmSeatsRequired);
                 await _updateSecretsManagerSubscriptionCommand.UpdateSubscriptionAsync(update);
             }
         }
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Organizations/CloudOrganizationSignUpCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/Organizations/CloudOrganizationSignUpCommand.cs
index 94ff3c0059..57cfd1e60f 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Organizations/CloudOrganizationSignUpCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Organizations/CloudOrganizationSignUpCommand.cs
@@ -3,6 +3,7 @@ using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Models.Sales;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Entities;
@@ -45,11 +46,12 @@ public class CloudOrganizationSignUpCommand(
     IPushRegistrationService pushRegistrationService,
     IPushNotificationService pushNotificationService,
     ICollectionRepository collectionRepository,
-    IDeviceRepository deviceRepository) : ICloudOrganizationSignUpCommand
+    IDeviceRepository deviceRepository,
+    IPricingClient pricingClient) : ICloudOrganizationSignUpCommand
 {
     public async Task<SignUpOrganizationResponse> SignUpOrganizationAsync(OrganizationSignup signup)
     {
-        var plan = StaticStore.GetPlan(signup.Plan);
+        var plan = await pricingClient.GetPlanOrThrow(signup.Plan);
 
         ValidatePasswordManagerPlan(plan, signup);
 
diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index 14cf89a246..1b44eea496 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -16,6 +16,7 @@ using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Extensions;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Entities;
@@ -74,6 +75,7 @@ public class OrganizationService : IOrganizationService
     private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery;
     private readonly IOrganizationBillingService _organizationBillingService;
     private readonly IHasConfirmedOwnersExceptQuery _hasConfirmedOwnersExceptQuery;
+    private readonly IPricingClient _pricingClient;
 
     public OrganizationService(
         IOrganizationRepository organizationRepository,
@@ -108,7 +110,8 @@ public class OrganizationService : IOrganizationService
         IFeatureService featureService,
         ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
         IOrganizationBillingService organizationBillingService,
-        IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery)
+        IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery,
+        IPricingClient pricingClient)
     {
         _organizationRepository = organizationRepository;
         _organizationUserRepository = organizationUserRepository;
@@ -143,6 +146,7 @@ public class OrganizationService : IOrganizationService
         _twoFactorIsEnabledQuery = twoFactorIsEnabledQuery;
         _organizationBillingService = organizationBillingService;
         _hasConfirmedOwnersExceptQuery = hasConfirmedOwnersExceptQuery;
+        _pricingClient = pricingClient;
     }
 
     public async Task ReplacePaymentMethodAsync(Guid organizationId, string paymentToken,
@@ -210,11 +214,7 @@ public class OrganizationService : IOrganizationService
             throw new NotFoundException();
         }
 
-        var plan = StaticStore.Plans.FirstOrDefault(p => p.Type == organization.PlanType);
-        if (plan == null)
-        {
-            throw new BadRequestException("Existing plan not found.");
-        }
+        var plan = await _pricingClient.GetPlanOrThrow(organization.PlanType);
 
         if (!plan.PasswordManager.HasAdditionalStorageOption)
         {
@@ -268,7 +268,7 @@ public class OrganizationService : IOrganizationService
             throw new BadRequestException($"Cannot set max seat autoscaling below current seat count.");
         }
 
-        var plan = StaticStore.GetPlan(organization.PlanType);
+        var plan = await _pricingClient.GetPlanOrThrow(organization.PlanType);
         if (plan == null)
         {
             throw new BadRequestException("Existing plan not found.");
@@ -320,11 +320,7 @@ public class OrganizationService : IOrganizationService
             throw new BadRequestException("No subscription found.");
         }
 
-        var plan = StaticStore.Plans.FirstOrDefault(p => p.Type == organization.PlanType);
-        if (plan == null)
-        {
-            throw new BadRequestException("Existing plan not found.");
-        }
+        var plan = await _pricingClient.GetPlanOrThrow(organization.PlanType);
 
         if (!plan.PasswordManager.HasAdditionalSeatsOption)
         {
@@ -442,7 +438,7 @@ public class OrganizationService : IOrganizationService
 
     public async Task<(Organization organization, OrganizationUser organizationUser, Collection defaultCollection)> SignupClientAsync(OrganizationSignup signup)
     {
-        var plan = StaticStore.GetPlan(signup.Plan);
+        var plan = await _pricingClient.GetPlanOrThrow(signup.Plan);
 
         ValidatePlan(plan, signup.AdditionalSeats, "Password Manager");
 
@@ -530,17 +526,6 @@ public class OrganizationService : IOrganizationService
             throw new BadRequestException(exception);
         }
 
-        var plan = StaticStore.Plans.FirstOrDefault(p => p.Type == license.PlanType);
-        if (plan is null)
-        {
-            throw new BadRequestException($"Server must be updated to support {license.Plan}.");
-        }
-
-        if (license.PlanType != PlanType.Custom && plan.Disabled)
-        {
-            throw new BadRequestException($"Plan {plan.Name} is disabled.");
-        }
-
         var enabledOrgs = await _organizationRepository.GetManyByEnabledAsync();
         if (enabledOrgs.Any(o => string.Equals(o.LicenseKey, license.LicenseKey)))
         {
@@ -882,7 +867,8 @@ public class OrganizationService : IOrganizationService
         var additionalSmSeatsRequired = await _countNewSmSeatsRequiredQuery.CountNewSmSeatsRequiredAsync(organization.Id, inviteWithSmAccessCount);
         if (additionalSmSeatsRequired > 0)
         {
-            smSubscriptionUpdate = new SecretsManagerSubscriptionUpdate(organization, true)
+            var plan = await _pricingClient.GetPlanOrThrow(organization.PlanType);
+            smSubscriptionUpdate = new SecretsManagerSubscriptionUpdate(organization, plan, true)
                 .AdjustSeats(additionalSmSeatsRequired);
         }
 
@@ -1008,7 +994,8 @@ public class OrganizationService : IOrganizationService
             if (initialSmSeatCount.HasValue && currentOrganization.SmSeats.HasValue &&
                 currentOrganization.SmSeats.Value != initialSmSeatCount.Value)
             {
-                var smSubscriptionUpdateRevert = new SecretsManagerSubscriptionUpdate(currentOrganization, false)
+                var plan = await _pricingClient.GetPlanOrThrow(currentOrganization.PlanType);
+                var smSubscriptionUpdateRevert = new SecretsManagerSubscriptionUpdate(currentOrganization, plan, false)
                 {
                     SmSeats = initialSmSeatCount.Value
                 };
@@ -2237,13 +2224,6 @@ public class OrganizationService : IOrganizationService
 
     public async Task CreatePendingOrganization(Organization organization, string ownerEmail, ClaimsPrincipal user, IUserService userService, bool salesAssistedTrialStarted)
     {
-        var plan = StaticStore.Plans.FirstOrDefault(p => p.Type == organization.PlanType);
-
-        if (plan!.Disabled)
-        {
-            throw new BadRequestException("Plan not found.");
-        }
-
         organization.Id = CoreHelpers.GenerateComb();
         organization.Enabled = false;
         organization.Status = OrganizationStatusType.Pending;
diff --git a/src/Core/Billing/Constants/StripeConstants.cs b/src/Core/Billing/Constants/StripeConstants.cs
index e3c2b7245e..0a5faae947 100644
--- a/src/Core/Billing/Constants/StripeConstants.cs
+++ b/src/Core/Billing/Constants/StripeConstants.cs
@@ -34,6 +34,7 @@ public static class StripeConstants
     public static class InvoiceStatus
     {
         public const string Draft = "draft";
+        public const string Open = "open";
     }
 
     public static class MetadataKeys
diff --git a/src/Core/Billing/Extensions/BillingExtensions.cs b/src/Core/Billing/Extensions/BillingExtensions.cs
index 39b92e95a2..f6e65861cd 100644
--- a/src/Core/Billing/Extensions/BillingExtensions.cs
+++ b/src/Core/Billing/Extensions/BillingExtensions.cs
@@ -10,6 +10,17 @@ namespace Bit.Core.Billing.Extensions;
 
 public static class BillingExtensions
 {
+    public static ProductTierType GetProductTier(this PlanType planType)
+        => planType switch
+        {
+            PlanType.Custom or PlanType.Free => ProductTierType.Free,
+            PlanType.FamiliesAnnually or PlanType.FamiliesAnnually2019 => ProductTierType.Families,
+            PlanType.TeamsStarter or PlanType.TeamsStarter2023 => ProductTierType.TeamsStarter,
+            _ when planType.ToString().Contains("Teams") => ProductTierType.Teams,
+            _ when planType.ToString().Contains("Enterprise") => ProductTierType.Enterprise,
+            _ => throw new BillingException($"PlanType {planType} could not be matched to a ProductTierType")
+        };
+
     public static bool IsBillable(this Provider provider) =>
         provider is
         {
diff --git a/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs b/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
index 9a7a4107ae..26815d7df0 100644
--- a/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
+++ b/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
@@ -1,6 +1,7 @@
 using Bit.Core.Billing.Caches;
 using Bit.Core.Billing.Caches.Implementations;
 using Bit.Core.Billing.Licenses.Extensions;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Services;
 using Bit.Core.Billing.Services.Implementations;
 
@@ -17,7 +18,7 @@ public static class ServiceCollectionExtensions
         services.AddTransient<IPremiumUserBillingService, PremiumUserBillingService>();
         services.AddTransient<ISetupIntentCache, SetupIntentDistributedCache>();
         services.AddTransient<ISubscriberService, SubscriberService>();
-        // services.AddSingleton<IPricingClient, PricingClient>();
         services.AddLicenseServices();
+        services.AddPricingClient();
     }
 }
diff --git a/src/Core/Billing/Migration/Services/Implementations/OrganizationMigrator.cs b/src/Core/Billing/Migration/Services/Implementations/OrganizationMigrator.cs
index a24193f133..4d93c0119a 100644
--- a/src/Core/Billing/Migration/Services/Implementations/OrganizationMigrator.cs
+++ b/src/Core/Billing/Migration/Services/Implementations/OrganizationMigrator.cs
@@ -3,11 +3,11 @@ using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Entities;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Migration.Models;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Repositories;
 using Bit.Core.Enums;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
-using Bit.Core.Utilities;
 using Microsoft.Extensions.Logging;
 using Stripe;
 using Plan = Bit.Core.Models.StaticStore.Plan;
@@ -19,6 +19,7 @@ public class OrganizationMigrator(
     ILogger<OrganizationMigrator> logger,
     IMigrationTrackerCache migrationTrackerCache,
     IOrganizationRepository organizationRepository,
+    IPricingClient pricingClient,
     IStripeAdapter stripeAdapter) : IOrganizationMigrator
 {
     private const string _cancellationComment = "Cancelled as part of provider migration to Consolidated Billing";
@@ -137,7 +138,7 @@ public class OrganizationMigrator(
         logger.LogInformation("CB: Bringing organization ({OrganizationID}) under provider management",
             organization.Id);
 
-        var plan = StaticStore.GetPlan(organization.Plan.Contains("Teams") ? PlanType.TeamsMonthly : PlanType.EnterpriseMonthly);
+        var plan = await pricingClient.GetPlanOrThrow(organization.Plan.Contains("Teams") ? PlanType.TeamsMonthly : PlanType.EnterpriseMonthly);
 
         ResetOrganizationPlan(organization, plan);
         organization.MaxStorageGb = plan.PasswordManager.BaseStorageGb;
@@ -206,7 +207,7 @@ public class OrganizationMigrator(
                     ? StripeConstants.CollectionMethod.ChargeAutomatically
                     : StripeConstants.CollectionMethod.SendInvoice;
 
-            var plan = StaticStore.GetPlan(organization.PlanType);
+            var plan = await pricingClient.GetPlanOrThrow(organization.PlanType);
 
             var items = new List<SubscriptionItemOptions>
             {
@@ -279,7 +280,7 @@ public class OrganizationMigrator(
             throw new Exception();
         }
 
-        var plan = StaticStore.GetPlan(migrationRecord.PlanType);
+        var plan = await pricingClient.GetPlanOrThrow(migrationRecord.PlanType);
 
         ResetOrganizationPlan(organization, plan);
         organization.MaxStorageGb = migrationRecord.MaxStorageGb;
diff --git a/src/Core/Billing/Models/ConfiguredProviderPlan.cs b/src/Core/Billing/Models/ConfiguredProviderPlan.cs
index dadb176533..72c1ec5b07 100644
--- a/src/Core/Billing/Models/ConfiguredProviderPlan.cs
+++ b/src/Core/Billing/Models/ConfiguredProviderPlan.cs
@@ -1,24 +1,11 @@
-using Bit.Core.Billing.Entities;
-using Bit.Core.Billing.Enums;
+using Bit.Core.Models.StaticStore;
 
 namespace Bit.Core.Billing.Models;
 
 public record ConfiguredProviderPlan(
     Guid Id,
     Guid ProviderId,
-    PlanType PlanType,
+    Plan Plan,
     int SeatMinimum,
     int PurchasedSeats,
-    int AssignedSeats)
-{
-    public static ConfiguredProviderPlan From(ProviderPlan providerPlan) =>
-        providerPlan.IsConfigured()
-            ? new ConfiguredProviderPlan(
-                providerPlan.Id,
-                providerPlan.ProviderId,
-                providerPlan.PlanType,
-                providerPlan.SeatMinimum.GetValueOrDefault(0),
-                providerPlan.PurchasedSeats.GetValueOrDefault(0),
-                providerPlan.AllocatedSeats.GetValueOrDefault(0))
-            : null;
-}
+    int AssignedSeats);
diff --git a/src/Core/Billing/Models/OrganizationMetadata.cs b/src/Core/Billing/Models/OrganizationMetadata.cs
index 4bb9a85825..41666949bf 100644
--- a/src/Core/Billing/Models/OrganizationMetadata.cs
+++ b/src/Core/Billing/Models/OrganizationMetadata.cs
@@ -10,4 +10,17 @@ public record OrganizationMetadata(
     bool IsSubscriptionCanceled,
     DateTime? InvoiceDueDate,
     DateTime? InvoiceCreatedDate,
-    DateTime? SubPeriodEndDate);
+    DateTime? SubPeriodEndDate)
+{
+    public static OrganizationMetadata Default => new OrganizationMetadata(
+        false,
+        false,
+        false,
+        false,
+        false,
+        false,
+        false,
+        null,
+        null,
+        null);
+}
diff --git a/src/Core/Billing/Models/Sales/OrganizationSale.cs b/src/Core/Billing/Models/Sales/OrganizationSale.cs
index 43852bb320..f0ad7894e6 100644
--- a/src/Core/Billing/Models/Sales/OrganizationSale.cs
+++ b/src/Core/Billing/Models/Sales/OrganizationSale.cs
@@ -76,8 +76,6 @@ public class OrganizationSale
 
     private static SubscriptionSetup GetSubscriptionSetup(OrganizationUpgrade upgrade)
     {
-        var plan = Core.Utilities.StaticStore.GetPlan(upgrade.Plan);
-
         var passwordManagerOptions = new SubscriptionSetup.PasswordManager
         {
             Seats = upgrade.AdditionalSeats,
@@ -95,7 +93,7 @@ public class OrganizationSale
 
         return new SubscriptionSetup
         {
-            Plan = plan,
+            PlanType = upgrade.Plan,
             PasswordManagerOptions = passwordManagerOptions,
             SecretsManagerOptions = secretsManagerOptions
         };
diff --git a/src/Core/Billing/Models/Sales/SubscriptionSetup.cs b/src/Core/Billing/Models/Sales/SubscriptionSetup.cs
index 39a80a776a..871a2920b1 100644
--- a/src/Core/Billing/Models/Sales/SubscriptionSetup.cs
+++ b/src/Core/Billing/Models/Sales/SubscriptionSetup.cs
@@ -1,4 +1,4 @@
-using Bit.Core.Models.StaticStore;
+using Bit.Core.Billing.Enums;
 
 namespace Bit.Core.Billing.Models.Sales;
 
@@ -6,7 +6,7 @@ namespace Bit.Core.Billing.Models.Sales;
 
 public class SubscriptionSetup
 {
-    public required Plan Plan { get; set; }
+    public required PlanType PlanType { get; set; }
     public required PasswordManager PasswordManagerOptions { get; set; }
     public SecretsManager? SecretsManagerOptions { get; set; }
     public bool SkipTrial = false;
diff --git a/src/Core/Billing/Pricing/IPricingClient.cs b/src/Core/Billing/Pricing/IPricingClient.cs
index 68577f1db3..bc3f142dda 100644
--- a/src/Core/Billing/Pricing/IPricingClient.cs
+++ b/src/Core/Billing/Pricing/IPricingClient.cs
@@ -1,5 +1,7 @@
 using Bit.Core.Billing.Enums;
+using Bit.Core.Exceptions;
 using Bit.Core.Models.StaticStore;
+using Bit.Core.Utilities;
 
 #nullable enable
 
@@ -7,6 +9,30 @@ namespace Bit.Core.Billing.Pricing;
 
 public interface IPricingClient
 {
+    /// <summary>
+    /// Retrieve a Bitwarden plan by its <paramref name="planType"/>. If the feature flag 'use-pricing-service' is enabled,
+    /// this will trigger a request to the Bitwarden Pricing Service. Otherwise, it will use the existing <see cref="StaticStore"/>.
+    /// </summary>
+    /// <param name="planType">The type of plan to retrieve.</param>
+    /// <returns>A Bitwarden <see cref="Plan"/> record or null in the case the plan could not be found or the method was executed from a self-hosted instance.</returns>
+    /// <exception cref="BillingException">Thrown when the request to the Pricing Service fails unexpectedly.</exception>
     Task<Plan?> GetPlan(PlanType planType);
+
+    /// <summary>
+    /// Retrieve a Bitwarden plan by its <paramref name="planType"/>. If the feature flag 'use-pricing-service' is enabled,
+    /// this will trigger a request to the Bitwarden Pricing Service. Otherwise, it will use the existing <see cref="StaticStore"/>.
+    /// </summary>
+    /// <param name="planType">The type of plan to retrieve.</param>
+    /// <returns>A Bitwarden <see cref="Plan"/> record.</returns>
+    /// <exception cref="NotFoundException">Thrown when the <see cref="Plan"/> for the provided <paramref name="planType"/> could not be found or the method was executed from a self-hosted instance.</exception>
+    /// <exception cref="BillingException">Thrown when the request to the Pricing Service fails unexpectedly.</exception>
+    Task<Plan> GetPlanOrThrow(PlanType planType);
+
+    /// <summary>
+    /// Retrieve all the Bitwarden plans. If the feature flag 'use-pricing-service' is enabled,
+    /// this will trigger a request to the Bitwarden Pricing Service. Otherwise, it will use the existing <see cref="StaticStore"/>.
+    /// </summary>
+    /// <returns>A list of Bitwarden <see cref="Plan"/> records or an empty list in the case the method is executed from a self-hosted instance.</returns>
+    /// <exception cref="BillingException">Thrown when the request to the Pricing Service fails unexpectedly.</exception>
     Task<List<Plan>> ListPlans();
 }
diff --git a/src/Core/Billing/Pricing/JSON/FreeOrScalableDTOJsonConverter.cs b/src/Core/Billing/Pricing/JSON/FreeOrScalableDTOJsonConverter.cs
new file mode 100644
index 0000000000..37a8a4234d
--- /dev/null
+++ b/src/Core/Billing/Pricing/JSON/FreeOrScalableDTOJsonConverter.cs
@@ -0,0 +1,35 @@
+using System.Text.Json;
+using Bit.Core.Billing.Pricing.Models;
+
+namespace Bit.Core.Billing.Pricing.JSON;
+
+#nullable enable
+
+public class FreeOrScalableDTOJsonConverter : TypeReadingJsonConverter<FreeOrScalableDTO>
+{
+    public override FreeOrScalableDTO? Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
+    {
+        var type = ReadType(reader);
+
+        return type switch
+        {
+            "free" => JsonSerializer.Deserialize<FreeDTO>(ref reader, options) switch
+            {
+                null => null,
+                var free => new FreeOrScalableDTO(free)
+            },
+            "scalable" => JsonSerializer.Deserialize<ScalableDTO>(ref reader, options) switch
+            {
+                null => null,
+                var scalable => new FreeOrScalableDTO(scalable)
+            },
+            _ => null
+        };
+    }
+
+    public override void Write(Utf8JsonWriter writer, FreeOrScalableDTO value, JsonSerializerOptions options)
+        => value.Switch(
+            free => JsonSerializer.Serialize(writer, free, options),
+            scalable => JsonSerializer.Serialize(writer, scalable, options)
+        );
+}
diff --git a/src/Core/Billing/Pricing/JSON/PurchasableDTOJsonConverter.cs b/src/Core/Billing/Pricing/JSON/PurchasableDTOJsonConverter.cs
new file mode 100644
index 0000000000..f7ae9dc472
--- /dev/null
+++ b/src/Core/Billing/Pricing/JSON/PurchasableDTOJsonConverter.cs
@@ -0,0 +1,40 @@
+using System.Text.Json;
+using Bit.Core.Billing.Pricing.Models;
+
+namespace Bit.Core.Billing.Pricing.JSON;
+
+#nullable enable
+internal class PurchasableDTOJsonConverter : TypeReadingJsonConverter<PurchasableDTO>
+{
+    public override PurchasableDTO? Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
+    {
+        var type = ReadType(reader);
+
+        return type switch
+        {
+            "free" => JsonSerializer.Deserialize<FreeDTO>(ref reader, options) switch
+            {
+                null => null,
+                var free => new PurchasableDTO(free)
+            },
+            "packaged" => JsonSerializer.Deserialize<PackagedDTO>(ref reader, options) switch
+            {
+                null => null,
+                var packaged => new PurchasableDTO(packaged)
+            },
+            "scalable" => JsonSerializer.Deserialize<ScalableDTO>(ref reader, options) switch
+            {
+                null => null,
+                var scalable => new PurchasableDTO(scalable)
+            },
+            _ => null
+        };
+    }
+
+    public override void Write(Utf8JsonWriter writer, PurchasableDTO value, JsonSerializerOptions options)
+        => value.Switch(
+            free => JsonSerializer.Serialize(writer, free, options),
+            packaged => JsonSerializer.Serialize(writer, packaged, options),
+            scalable => JsonSerializer.Serialize(writer, scalable, options)
+        );
+}
diff --git a/src/Core/Billing/Pricing/JSON/TypeReadingJsonConverter.cs b/src/Core/Billing/Pricing/JSON/TypeReadingJsonConverter.cs
new file mode 100644
index 0000000000..ef8d33304e
--- /dev/null
+++ b/src/Core/Billing/Pricing/JSON/TypeReadingJsonConverter.cs
@@ -0,0 +1,28 @@
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using Bit.Core.Billing.Pricing.Models;
+
+namespace Bit.Core.Billing.Pricing.JSON;
+
+#nullable enable
+
+public abstract class TypeReadingJsonConverter<T> : JsonConverter<T>
+{
+    protected virtual string TypePropertyName => nameof(ScalableDTO.Type).ToLower();
+
+    protected string? ReadType(Utf8JsonReader reader)
+    {
+        while (reader.Read())
+        {
+            if (reader.TokenType != JsonTokenType.PropertyName || reader.GetString()?.ToLower() != TypePropertyName)
+            {
+                continue;
+            }
+
+            reader.Read();
+            return reader.GetString();
+        }
+
+        return null;
+    }
+}
diff --git a/src/Core/Billing/Pricing/Models/FeatureDTO.cs b/src/Core/Billing/Pricing/Models/FeatureDTO.cs
new file mode 100644
index 0000000000..a96ac019e3
--- /dev/null
+++ b/src/Core/Billing/Pricing/Models/FeatureDTO.cs
@@ -0,0 +1,9 @@
+namespace Bit.Core.Billing.Pricing.Models;
+
+#nullable enable
+
+public class FeatureDTO
+{
+    public string Name { get; set; } = null!;
+    public string LookupKey { get; set; } = null!;
+}
diff --git a/src/Core/Billing/Pricing/Models/PlanDTO.cs b/src/Core/Billing/Pricing/Models/PlanDTO.cs
new file mode 100644
index 0000000000..4ae82b3efe
--- /dev/null
+++ b/src/Core/Billing/Pricing/Models/PlanDTO.cs
@@ -0,0 +1,27 @@
+namespace Bit.Core.Billing.Pricing.Models;
+
+#nullable enable
+
+public class PlanDTO
+{
+    public string LookupKey { get; set; } = null!;
+    public string Name { get; set; } = null!;
+    public string Tier { get; set; } = null!;
+    public string? Cadence { get; set; }
+    public int? LegacyYear { get; set; }
+    public bool Available { get; set; }
+    public FeatureDTO[] Features { get; set; } = null!;
+    public PurchasableDTO Seats { get; set; } = null!;
+    public ScalableDTO? ManagedSeats { get; set; }
+    public ScalableDTO? Storage { get; set; }
+    public SecretsManagerPurchasablesDTO? SecretsManager { get; set; }
+    public int? TrialPeriodDays { get; set; }
+    public string[] CanUpgradeTo { get; set; } = null!;
+    public Dictionary<string, string> AdditionalData { get; set; } = null!;
+}
+
+public class SecretsManagerPurchasablesDTO
+{
+    public FreeOrScalableDTO Seats { get; set; } = null!;
+    public FreeOrScalableDTO ServiceAccounts { get; set; } = null!;
+}
diff --git a/src/Core/Billing/Pricing/Models/PurchasableDTO.cs b/src/Core/Billing/Pricing/Models/PurchasableDTO.cs
new file mode 100644
index 0000000000..8ba1c7b731
--- /dev/null
+++ b/src/Core/Billing/Pricing/Models/PurchasableDTO.cs
@@ -0,0 +1,73 @@
+using System.Text.Json.Serialization;
+using Bit.Core.Billing.Pricing.JSON;
+using OneOf;
+
+namespace Bit.Core.Billing.Pricing.Models;
+
+#nullable enable
+
+[JsonConverter(typeof(PurchasableDTOJsonConverter))]
+public class PurchasableDTO(OneOf<FreeDTO, PackagedDTO, ScalableDTO> input) : OneOfBase<FreeDTO, PackagedDTO, ScalableDTO>(input)
+{
+    public static implicit operator PurchasableDTO(FreeDTO free) => new(free);
+    public static implicit operator PurchasableDTO(PackagedDTO packaged) => new(packaged);
+    public static implicit operator PurchasableDTO(ScalableDTO scalable) => new(scalable);
+
+    public T? FromFree<T>(Func<FreeDTO, T> select, Func<PurchasableDTO, T>? fallback = null) =>
+        IsT0 ? select(AsT0) : fallback != null ? fallback(this) : default;
+
+    public T? FromPackaged<T>(Func<PackagedDTO, T> select, Func<PurchasableDTO, T>? fallback = null) =>
+        IsT1 ? select(AsT1) : fallback != null ? fallback(this) : default;
+
+    public T? FromScalable<T>(Func<ScalableDTO, T> select, Func<PurchasableDTO, T>? fallback = null) =>
+        IsT2 ? select(AsT2) : fallback != null ? fallback(this) : default;
+
+    public bool IsFree => IsT0;
+    public bool IsPackaged => IsT1;
+    public bool IsScalable => IsT2;
+}
+
+[JsonConverter(typeof(FreeOrScalableDTOJsonConverter))]
+public class FreeOrScalableDTO(OneOf<FreeDTO, ScalableDTO> input) : OneOfBase<FreeDTO, ScalableDTO>(input)
+{
+    public static implicit operator FreeOrScalableDTO(FreeDTO freeDTO) => new(freeDTO);
+    public static implicit operator FreeOrScalableDTO(ScalableDTO scalableDTO) => new(scalableDTO);
+
+    public T? FromFree<T>(Func<FreeDTO, T> select, Func<FreeOrScalableDTO, T>? fallback = null) =>
+        IsT0 ? select(AsT0) : fallback != null ? fallback(this) : default;
+
+    public T? FromScalable<T>(Func<ScalableDTO, T> select, Func<FreeOrScalableDTO, T>? fallback = null) =>
+        IsT1 ? select(AsT1) : fallback != null ? fallback(this) : default;
+
+    public bool IsFree => IsT0;
+    public bool IsScalable => IsT1;
+}
+
+public class FreeDTO
+{
+    public int Quantity { get; set; }
+    public string Type => "free";
+}
+
+public class PackagedDTO
+{
+    public int Quantity { get; set; }
+    public string StripePriceId { get; set; } = null!;
+    public decimal Price { get; set; }
+    public AdditionalSeats? Additional { get; set; }
+    public string Type => "packaged";
+
+    public class AdditionalSeats
+    {
+        public string StripePriceId { get; set; } = null!;
+        public decimal Price { get; set; }
+    }
+}
+
+public class ScalableDTO
+{
+    public int Provided { get; set; }
+    public string StripePriceId { get; set; } = null!;
+    public decimal Price { get; set; }
+    public string Type => "scalable";
+}
diff --git a/src/Core/Billing/Pricing/PlanAdapter.cs b/src/Core/Billing/Pricing/PlanAdapter.cs
index b2b24d4cf9..c38eb0501d 100644
--- a/src/Core/Billing/Pricing/PlanAdapter.cs
+++ b/src/Core/Billing/Pricing/PlanAdapter.cs
@@ -1,6 +1,6 @@
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Pricing.Models;
 using Bit.Core.Models.StaticStore;
-using Proto.Billing.Pricing;
 
 #nullable enable
 
@@ -8,15 +8,15 @@ namespace Bit.Core.Billing.Pricing;
 
 public record PlanAdapter : Plan
 {
-    public PlanAdapter(PlanResponse planResponse)
+    public PlanAdapter(PlanDTO plan)
     {
-        Type = ToPlanType(planResponse.LookupKey);
+        Type = ToPlanType(plan.LookupKey);
         ProductTier = ToProductTierType(Type);
-        Name = planResponse.Name;
-        IsAnnual = !string.IsNullOrEmpty(planResponse.Cadence) && planResponse.Cadence == "annually";
-        NameLocalizationKey = planResponse.AdditionalData?["nameLocalizationKey"];
-        DescriptionLocalizationKey = planResponse.AdditionalData?["descriptionLocalizationKey"];
-        TrialPeriodDays = planResponse.TrialPeriodDays;
+        Name = plan.Name;
+        IsAnnual = plan.Cadence is "annually";
+        NameLocalizationKey = plan.AdditionalData["nameLocalizationKey"];
+        DescriptionLocalizationKey = plan.AdditionalData["descriptionLocalizationKey"];
+        TrialPeriodDays = plan.TrialPeriodDays;
         HasSelfHost = HasFeature("selfHost");
         HasPolicies = HasFeature("policies");
         HasGroups = HasFeature("groups");
@@ -30,20 +30,20 @@ public record PlanAdapter : Plan
         HasScim = HasFeature("scim");
         HasResetPassword = HasFeature("resetPassword");
         UsersGetPremium = HasFeature("usersGetPremium");
-        UpgradeSortOrder = planResponse.AdditionalData != null
-            ? int.Parse(planResponse.AdditionalData["upgradeSortOrder"])
+        UpgradeSortOrder = plan.AdditionalData.TryGetValue("upgradeSortOrder", out var upgradeSortOrder)
+            ? int.Parse(upgradeSortOrder)
             : 0;
-        DisplaySortOrder = planResponse.AdditionalData != null
-            ? int.Parse(planResponse.AdditionalData["displaySortOrder"])
+        DisplaySortOrder = plan.AdditionalData.TryGetValue("displaySortOrder", out var displaySortOrder)
+            ? int.Parse(displaySortOrder)
             : 0;
-        HasCustomPermissions = HasFeature("customPermissions");
-        Disabled = !planResponse.Available;
-        PasswordManager = ToPasswordManagerPlanFeatures(planResponse);
-        SecretsManager = planResponse.SecretsManager != null ? ToSecretsManagerPlanFeatures(planResponse) : null;
+        Disabled = !plan.Available;
+        LegacyYear = plan.LegacyYear;
+        PasswordManager = ToPasswordManagerPlanFeatures(plan);
+        SecretsManager = plan.SecretsManager != null ? ToSecretsManagerPlanFeatures(plan) : null;
 
         return;
 
-        bool HasFeature(string lookupKey) => planResponse.Features.Any(feature => feature.LookupKey == lookupKey);
+        bool HasFeature(string lookupKey) => plan.Features.Any(feature => feature.LookupKey == lookupKey);
     }
 
     #region Mappings
@@ -86,29 +86,25 @@ public record PlanAdapter : Plan
             _ => throw new BillingException() // TODO: Flesh out
         };
 
-    private static PasswordManagerPlanFeatures ToPasswordManagerPlanFeatures(PlanResponse planResponse)
+    private static PasswordManagerPlanFeatures ToPasswordManagerPlanFeatures(PlanDTO plan)
     {
-        var stripePlanId = GetStripePlanId(planResponse.Seats);
-        var stripeSeatPlanId = GetStripeSeatPlanId(planResponse.Seats);
-        var stripeProviderPortalSeatPlanId = planResponse.ManagedSeats?.StripePriceId;
-        var basePrice = GetBasePrice(planResponse.Seats);
-        var seatPrice = GetSeatPrice(planResponse.Seats);
-        var providerPortalSeatPrice =
-            planResponse.ManagedSeats != null ? decimal.Parse(planResponse.ManagedSeats.Price) : 0;
-        var scales = planResponse.Seats.KindCase switch
-        {
-            PurchasableDTO.KindOneofCase.Scalable => true,
-            PurchasableDTO.KindOneofCase.Packaged => planResponse.Seats.Packaged.Additional != null,
-            _ => false
-        };
-        var baseSeats = GetBaseSeats(planResponse.Seats);
-        var maxSeats = GetMaxSeats(planResponse.Seats);
-        var baseStorageGb = (short?)planResponse.Storage?.Provided;
-        var hasAdditionalStorageOption = planResponse.Storage != null;
-        var stripeStoragePlanId = planResponse.Storage?.StripePriceId;
-        short? maxCollections =
-            planResponse.AdditionalData != null &&
-            planResponse.AdditionalData.TryGetValue("passwordManager.maxCollections", out var value) ? short.Parse(value) : null;
+        var stripePlanId = GetStripePlanId(plan.Seats);
+        var stripeSeatPlanId = GetStripeSeatPlanId(plan.Seats);
+        var stripeProviderPortalSeatPlanId = plan.ManagedSeats?.StripePriceId;
+        var basePrice = GetBasePrice(plan.Seats);
+        var seatPrice = GetSeatPrice(plan.Seats);
+        var providerPortalSeatPrice = plan.ManagedSeats?.Price ?? 0;
+        var scales = plan.Seats.Match(
+            _ => false,
+            packaged => packaged.Additional != null,
+            _ => true);
+        var baseSeats = GetBaseSeats(plan.Seats);
+        var maxSeats = GetMaxSeats(plan.Seats);
+        var baseStorageGb = (short?)plan.Storage?.Provided;
+        var hasAdditionalStorageOption = plan.Storage != null;
+        var additionalStoragePricePerGb = plan.Storage?.Price ?? 0;
+        var stripeStoragePlanId = plan.Storage?.StripePriceId;
+        short? maxCollections = plan.AdditionalData.TryGetValue("passwordManager.maxCollections", out var value) ? short.Parse(value) : null;
 
         return new PasswordManagerPlanFeatures
         {
@@ -124,30 +120,29 @@ public record PlanAdapter : Plan
             MaxSeats = maxSeats,
             BaseStorageGb = baseStorageGb,
             HasAdditionalStorageOption = hasAdditionalStorageOption,
+            AdditionalStoragePricePerGb = additionalStoragePricePerGb,
             StripeStoragePlanId = stripeStoragePlanId,
             MaxCollections = maxCollections
         };
     }
 
-    private static SecretsManagerPlanFeatures ToSecretsManagerPlanFeatures(PlanResponse planResponse)
+    private static SecretsManagerPlanFeatures ToSecretsManagerPlanFeatures(PlanDTO plan)
     {
-        var seats = planResponse.SecretsManager.Seats;
-        var serviceAccounts = planResponse.SecretsManager.ServiceAccounts;
+        var seats = plan.SecretsManager!.Seats;
+        var serviceAccounts = plan.SecretsManager.ServiceAccounts;
 
         var maxServiceAccounts = GetMaxServiceAccounts(serviceAccounts);
-        var allowServiceAccountsAutoscale = serviceAccounts.KindCase == FreeOrScalableDTO.KindOneofCase.Scalable;
+        var allowServiceAccountsAutoscale = serviceAccounts.IsScalable;
         var stripeServiceAccountPlanId = GetStripeServiceAccountPlanId(serviceAccounts);
         var additionalPricePerServiceAccount = GetAdditionalPricePerServiceAccount(serviceAccounts);
         var baseServiceAccount = GetBaseServiceAccount(serviceAccounts);
-        var hasAdditionalServiceAccountOption = serviceAccounts.KindCase == FreeOrScalableDTO.KindOneofCase.Scalable;
+        var hasAdditionalServiceAccountOption = serviceAccounts.IsScalable;
         var stripeSeatPlanId = GetStripeSeatPlanId(seats);
-        var hasAdditionalSeatsOption = seats.KindCase == FreeOrScalableDTO.KindOneofCase.Scalable;
+        var hasAdditionalSeatsOption = seats.IsScalable;
         var seatPrice = GetSeatPrice(seats);
         var maxSeats = GetMaxSeats(seats);
-        var allowSeatAutoscale = seats.KindCase == FreeOrScalableDTO.KindOneofCase.Scalable;
-        var maxProjects =
-            planResponse.AdditionalData != null &&
-            planResponse.AdditionalData.TryGetValue("secretsManager.maxProjects", out var value) ? short.Parse(value) : 0;
+        var allowSeatAutoscale = seats.IsScalable;
+        var maxProjects = plan.AdditionalData.TryGetValue("secretsManager.maxProjects", out var value) ? short.Parse(value) : 0;
 
         return new SecretsManagerPlanFeatures
         {
@@ -167,66 +162,54 @@ public record PlanAdapter : Plan
     }
 
     private static decimal? GetAdditionalPricePerServiceAccount(FreeOrScalableDTO freeOrScalable)
-        => freeOrScalable.KindCase != FreeOrScalableDTO.KindOneofCase.Scalable
-            ? null
-            : decimal.Parse(freeOrScalable.Scalable.Price);
+        => freeOrScalable.FromScalable(x => x.Price);
 
     private static decimal GetBasePrice(PurchasableDTO purchasable)
-        => purchasable.KindCase != PurchasableDTO.KindOneofCase.Packaged ? 0 : decimal.Parse(purchasable.Packaged.Price);
+        => purchasable.FromPackaged(x => x.Price);
 
     private static int GetBaseSeats(PurchasableDTO purchasable)
-        => purchasable.KindCase != PurchasableDTO.KindOneofCase.Packaged ? 0 : purchasable.Packaged.Quantity;
+        => purchasable.FromPackaged(x => x.Quantity);
 
     private static short GetBaseServiceAccount(FreeOrScalableDTO freeOrScalable)
-        => freeOrScalable.KindCase switch
-        {
-            FreeOrScalableDTO.KindOneofCase.Free => (short)freeOrScalable.Free.Quantity,
-            FreeOrScalableDTO.KindOneofCase.Scalable => (short)freeOrScalable.Scalable.Provided,
-            _ => 0
-        };
+        => freeOrScalable.Match(
+            free => (short)free.Quantity,
+            scalable => (short)scalable.Provided);
 
     private static short? GetMaxSeats(PurchasableDTO purchasable)
-        => purchasable.KindCase != PurchasableDTO.KindOneofCase.Free ? null : (short)purchasable.Free.Quantity;
+        => purchasable.Match<short?>(
+            free => (short)free.Quantity,
+            packaged => (short)packaged.Quantity,
+            _ => null);
 
     private static short? GetMaxSeats(FreeOrScalableDTO freeOrScalable)
-        => freeOrScalable.KindCase != FreeOrScalableDTO.KindOneofCase.Free ? null : (short)freeOrScalable.Free.Quantity;
+        => freeOrScalable.FromFree(x => (short)x.Quantity);
 
     private static short? GetMaxServiceAccounts(FreeOrScalableDTO freeOrScalable)
-        => freeOrScalable.KindCase != FreeOrScalableDTO.KindOneofCase.Free ? null : (short)freeOrScalable.Free.Quantity;
+        => freeOrScalable.FromFree(x => (short)x.Quantity);
 
     private static decimal GetSeatPrice(PurchasableDTO purchasable)
-        => purchasable.KindCase switch
-        {
-            PurchasableDTO.KindOneofCase.Packaged => purchasable.Packaged.Additional != null ? decimal.Parse(purchasable.Packaged.Additional.Price) : 0,
-            PurchasableDTO.KindOneofCase.Scalable => decimal.Parse(purchasable.Scalable.Price),
-            _ => 0
-        };
+        => purchasable.Match(
+            _ => 0,
+            packaged => packaged.Additional?.Price ?? 0,
+            scalable => scalable.Price);
 
     private static decimal GetSeatPrice(FreeOrScalableDTO freeOrScalable)
-        => freeOrScalable.KindCase != FreeOrScalableDTO.KindOneofCase.Scalable
-            ? 0
-            : decimal.Parse(freeOrScalable.Scalable.Price);
+        => freeOrScalable.FromScalable(x => x.Price);
 
     private static string? GetStripePlanId(PurchasableDTO purchasable)
-        => purchasable.KindCase != PurchasableDTO.KindOneofCase.Packaged ? null : purchasable.Packaged.StripePriceId;
+        => purchasable.FromPackaged(x => x.StripePriceId);
 
     private static string? GetStripeSeatPlanId(PurchasableDTO purchasable)
-        => purchasable.KindCase switch
-        {
-            PurchasableDTO.KindOneofCase.Packaged => purchasable.Packaged.Additional?.StripePriceId,
-            PurchasableDTO.KindOneofCase.Scalable => purchasable.Scalable.StripePriceId,
-            _ => null
-        };
+        => purchasable.Match(
+            _ => null,
+            packaged => packaged.Additional?.StripePriceId,
+            scalable => scalable.StripePriceId);
 
     private static string? GetStripeSeatPlanId(FreeOrScalableDTO freeOrScalable)
-        => freeOrScalable.KindCase != FreeOrScalableDTO.KindOneofCase.Scalable
-            ? null
-            : freeOrScalable.Scalable.StripePriceId;
+        => freeOrScalable.FromScalable(x => x.StripePriceId);
 
     private static string? GetStripeServiceAccountPlanId(FreeOrScalableDTO freeOrScalable)
-        => freeOrScalable.KindCase != FreeOrScalableDTO.KindOneofCase.Scalable
-            ? null
-            : freeOrScalable.Scalable.StripePriceId;
+        => freeOrScalable.FromScalable(x => x.StripePriceId);
 
     #endregion
 }
diff --git a/src/Core/Billing/Pricing/PricingClient.cs b/src/Core/Billing/Pricing/PricingClient.cs
index 65fc1761ad..14caa54eb4 100644
--- a/src/Core/Billing/Pricing/PricingClient.cs
+++ b/src/Core/Billing/Pricing/PricingClient.cs
@@ -1,12 +1,13 @@
-using Bit.Core.Billing.Enums;
-using Bit.Core.Models.StaticStore;
+using System.Net;
+using System.Net.Http.Json;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Pricing.Models;
+using Bit.Core.Exceptions;
 using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
-using Google.Protobuf.WellKnownTypes;
-using Grpc.Core;
-using Grpc.Net.Client;
-using Proto.Billing.Pricing;
+using Microsoft.Extensions.Logging;
+using Plan = Bit.Core.Models.StaticStore.Plan;
 
 #nullable enable
 
@@ -14,10 +15,17 @@ namespace Bit.Core.Billing.Pricing;
 
 public class PricingClient(
     IFeatureService featureService,
-    GlobalSettings globalSettings) : IPricingClient
+    GlobalSettings globalSettings,
+    HttpClient httpClient,
+    ILogger<PricingClient> logger) : IPricingClient
 {
     public async Task<Plan?> GetPlan(PlanType planType)
     {
+        if (globalSettings.SelfHosted)
+        {
+            return null;
+        }
+
         var usePricingService = featureService.IsEnabled(FeatureFlagKeys.UsePricingService);
 
         if (!usePricingService)
@@ -25,30 +33,55 @@ public class PricingClient(
             return StaticStore.GetPlan(planType);
         }
 
-        using var channel = GrpcChannel.ForAddress(globalSettings.PricingUri);
-        var client = new PasswordManager.PasswordManagerClient(channel);
+        var lookupKey = GetLookupKey(planType);
 
-        var lookupKey = ToLookupKey(planType);
-        if (string.IsNullOrEmpty(lookupKey))
+        if (lookupKey == null)
         {
+            logger.LogError("Could not find Pricing Service lookup key for PlanType {PlanType}", planType);
             return null;
         }
 
-        try
-        {
-            var response =
-                await client.GetPlanByLookupKeyAsync(new GetPlanByLookupKeyRequest { LookupKey = lookupKey });
+        var response = await httpClient.GetAsync($"plans/lookup/{lookupKey}");
 
-            return new PlanAdapter(response);
-        }
-        catch (RpcException rpcException) when (rpcException.StatusCode == StatusCode.NotFound)
+        if (response.IsSuccessStatusCode)
         {
+            var plan = await response.Content.ReadFromJsonAsync<PlanDTO>();
+            if (plan == null)
+            {
+                throw new BillingException(message: "Deserialization of Pricing Service response resulted in null");
+            }
+            return new PlanAdapter(plan);
+        }
+
+        if (response.StatusCode == HttpStatusCode.NotFound)
+        {
+            logger.LogError("Pricing Service plan for PlanType {PlanType} was not found", planType);
             return null;
         }
+
+        throw new BillingException(
+            message: $"Request to the Pricing Service failed with status code {response.StatusCode}");
+    }
+
+    public async Task<Plan> GetPlanOrThrow(PlanType planType)
+    {
+        var plan = await GetPlan(planType);
+
+        if (plan == null)
+        {
+            throw new NotFoundException();
+        }
+
+        return plan;
     }
 
     public async Task<List<Plan>> ListPlans()
     {
+        if (globalSettings.SelfHosted)
+        {
+            return [];
+        }
+
         var usePricingService = featureService.IsEnabled(FeatureFlagKeys.UsePricingService);
 
         if (!usePricingService)
@@ -56,14 +89,23 @@ public class PricingClient(
             return StaticStore.Plans.ToList();
         }
 
-        using var channel = GrpcChannel.ForAddress(globalSettings.PricingUri);
-        var client = new PasswordManager.PasswordManagerClient(channel);
+        var response = await httpClient.GetAsync("plans");
 
-        var response = await client.ListPlansAsync(new Empty());
-        return response.Plans.Select(Plan (plan) => new PlanAdapter(plan)).ToList();
+        if (response.IsSuccessStatusCode)
+        {
+            var plans = await response.Content.ReadFromJsonAsync<List<PlanDTO>>();
+            if (plans == null)
+            {
+                throw new BillingException(message: "Deserialization of Pricing Service response resulted in null");
+            }
+            return plans.Select(Plan (plan) => new PlanAdapter(plan)).ToList();
+        }
+
+        throw new BillingException(
+            message: $"Request to the Pricing Service failed with status {response.StatusCode}");
     }
 
-    private static string? ToLookupKey(PlanType planType)
+    private static string? GetLookupKey(PlanType planType)
         => planType switch
         {
             PlanType.EnterpriseAnnually => "enterprise-annually",
diff --git a/src/Core/Billing/Pricing/Protos/password-manager.proto b/src/Core/Billing/Pricing/Protos/password-manager.proto
deleted file mode 100644
index 69a4c51bd1..0000000000
--- a/src/Core/Billing/Pricing/Protos/password-manager.proto
+++ /dev/null
@@ -1,92 +0,0 @@
-syntax = "proto3";
-
-option csharp_namespace = "Proto.Billing.Pricing";
-
-package plans;
-
-import "google/protobuf/empty.proto";
-import "google/protobuf/struct.proto";
-import "google/protobuf/wrappers.proto";
-
-service PasswordManager {
-  rpc GetPlanByLookupKey (GetPlanByLookupKeyRequest) returns (PlanResponse);
-  rpc ListPlans (google.protobuf.Empty) returns (ListPlansResponse);
-}
-
-// Requests
-message GetPlanByLookupKeyRequest {
-  string lookupKey = 1;
-}
-
-// Responses
-message PlanResponse {
-  string name = 1;
-  string lookupKey = 2;
-  string tier = 4;
-  optional string cadence = 6;
-  optional google.protobuf.Int32Value legacyYear = 8;
-  bool available = 9;
-  repeated FeatureDTO features = 10;
-  PurchasableDTO seats = 11;
-  optional ScalableDTO managedSeats = 12;
-  optional ScalableDTO storage = 13;
-  optional SecretsManagerPurchasablesDTO secretsManager = 14;
-  optional google.protobuf.Int32Value trialPeriodDays = 15;
-  repeated string canUpgradeTo = 16;
-  map<string, string> additionalData = 17;
-}
-
-message ListPlansResponse {
-  repeated PlanResponse plans = 1;
-}
-
-// DTOs
-message FeatureDTO {
-  string name = 1;
-  string lookupKey = 2;
-}
-
-message FreeDTO {
-  int32 quantity = 2;
-  string type = 4;
-}
-
-message PackagedDTO {
-  message AdditionalSeats {
-    string stripePriceId = 1;
-    string price = 2;
-  }
-
-  int32 quantity = 2;
-  string stripePriceId = 3;
-  string price = 4;
-  optional AdditionalSeats additional = 5;
-  string type = 6;
-}
-
-message ScalableDTO {
-  int32 provided = 2;
-  string stripePriceId = 6;
-  string price = 7;
-  string type = 9;
-}
-
-message PurchasableDTO {
-  oneof kind {
-    FreeDTO free = 1;
-    PackagedDTO packaged = 2;
-    ScalableDTO scalable = 3;
-  }
-}
-
-message FreeOrScalableDTO {
-  oneof kind {
-    FreeDTO free = 1;
-    ScalableDTO scalable = 2;
-  }
-}
-
-message SecretsManagerPurchasablesDTO {
-  FreeOrScalableDTO seats = 1;
-  FreeOrScalableDTO serviceAccounts = 2;
-}
diff --git a/src/Core/Billing/Pricing/ServiceCollectionExtensions.cs b/src/Core/Billing/Pricing/ServiceCollectionExtensions.cs
new file mode 100644
index 0000000000..465a12de14
--- /dev/null
+++ b/src/Core/Billing/Pricing/ServiceCollectionExtensions.cs
@@ -0,0 +1,21 @@
+using Bit.Core.Settings;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Core.Billing.Pricing;
+
+public static class ServiceCollectionExtensions
+{
+    public static void AddPricingClient(this IServiceCollection services)
+    {
+        services.AddHttpClient<IPricingClient, PricingClient>((serviceProvider, httpClient) =>
+        {
+            var globalSettings = serviceProvider.GetRequiredService<GlobalSettings>();
+            if (string.IsNullOrEmpty(globalSettings.PricingUri))
+            {
+                return;
+            }
+            httpClient.BaseAddress = new Uri(globalSettings.PricingUri);
+            httpClient.DefaultRequestHeaders.Add("Accept", "application/json");
+        });
+    }
+}
diff --git a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
index 57a4b1781b..8b773f1cef 100644
--- a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
@@ -3,12 +3,12 @@ using Bit.Core.Billing.Caches;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Models;
 using Bit.Core.Billing.Models.Sales;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
-using Bit.Core.Utilities;
 using Braintree;
 using Microsoft.Extensions.Logging;
 using Stripe;
@@ -26,6 +26,7 @@ public class OrganizationBillingService(
     IGlobalSettings globalSettings,
     ILogger<OrganizationBillingService> logger,
     IOrganizationRepository organizationRepository,
+    IPricingClient pricingClient,
     ISetupIntentCache setupIntentCache,
     IStripeAdapter stripeAdapter,
     ISubscriberService subscriberService,
@@ -63,13 +64,22 @@ public class OrganizationBillingService(
             return null;
         }
 
-        var isEligibleForSelfHost = IsEligibleForSelfHost(organization);
+        if (globalSettings.SelfHosted)
+        {
+            return OrganizationMetadata.Default;
+        }
+
+        var isEligibleForSelfHost = await IsEligibleForSelfHostAsync(organization);
+
         var isManaged = organization.Status == OrganizationStatusType.Managed;
 
         if (string.IsNullOrWhiteSpace(organization.GatewaySubscriptionId))
         {
-            return new OrganizationMetadata(isEligibleForSelfHost, isManaged, false,
-                false, false, false, false, null, null, null);
+            return OrganizationMetadata.Default with
+            {
+                IsEligibleForSelfHost = isEligibleForSelfHost,
+                IsManaged = isManaged
+            };
         }
 
         var customer = await subscriberService.GetCustomer(organization,
@@ -77,18 +87,21 @@ public class OrganizationBillingService(
 
         var subscription = await subscriberService.GetSubscription(organization);
 
-        var isOnSecretsManagerStandalone = IsOnSecretsManagerStandalone(organization, customer, subscription);
-        var isSubscriptionUnpaid = IsSubscriptionUnpaid(subscription);
-        var isSubscriptionCanceled = IsSubscriptionCanceled(subscription);
-        var hasSubscription = true;
-        var openInvoice = await HasOpenInvoiceAsync(subscription);
-        var hasOpenInvoice = openInvoice.HasOpenInvoice;
-        var invoiceDueDate = openInvoice.DueDate;
-        var invoiceCreatedDate = openInvoice.CreatedDate;
-        var subPeriodEndDate = subscription?.CurrentPeriodEnd;
+        var isOnSecretsManagerStandalone = await IsOnSecretsManagerStandalone(organization, customer, subscription);
 
-        return new OrganizationMetadata(isEligibleForSelfHost, isManaged, isOnSecretsManagerStandalone,
-            isSubscriptionUnpaid, hasSubscription, hasOpenInvoice, isSubscriptionCanceled, invoiceDueDate, invoiceCreatedDate, subPeriodEndDate);
+        var invoice = await stripeAdapter.InvoiceGetAsync(subscription.LatestInvoiceId, new InvoiceGetOptions());
+
+        return new OrganizationMetadata(
+            isEligibleForSelfHost,
+            isManaged,
+            isOnSecretsManagerStandalone,
+            subscription.Status == StripeConstants.SubscriptionStatus.Unpaid,
+            true,
+            invoice?.Status == StripeConstants.InvoiceStatus.Open,
+            subscription.Status == StripeConstants.SubscriptionStatus.Canceled,
+            invoice?.DueDate,
+            invoice?.Created,
+            subscription.CurrentPeriodEnd);
     }
 
     public async Task UpdatePaymentMethod(
@@ -299,7 +312,7 @@ public class OrganizationBillingService(
         Customer customer,
         SubscriptionSetup subscriptionSetup)
     {
-        var plan = subscriptionSetup.Plan;
+        var plan = await pricingClient.GetPlanOrThrow(subscriptionSetup.PlanType);
 
         var passwordManagerOptions = subscriptionSetup.PasswordManagerOptions;
 
@@ -385,15 +398,17 @@ public class OrganizationBillingService(
         return await stripeAdapter.SubscriptionCreateAsync(subscriptionCreateOptions);
     }
 
-    private static bool IsEligibleForSelfHost(
+    private async Task<bool> IsEligibleForSelfHostAsync(
         Organization organization)
     {
-        var eligibleSelfHostPlans = StaticStore.Plans.Where(plan => plan.HasSelfHost).Select(plan => plan.Type);
+        var plans = await pricingClient.ListPlans();
+
+        var eligibleSelfHostPlans = plans.Where(plan => plan.HasSelfHost).Select(plan => plan.Type);
 
         return eligibleSelfHostPlans.Contains(organization.PlanType);
     }
 
-    private static bool IsOnSecretsManagerStandalone(
+    private async Task<bool> IsOnSecretsManagerStandalone(
         Organization organization,
         Customer? customer,
         Subscription? subscription)
@@ -403,7 +418,7 @@ public class OrganizationBillingService(
             return false;
         }
 
-        var plan = StaticStore.GetPlan(organization.PlanType);
+        var plan = await pricingClient.GetPlanOrThrow(organization.PlanType);
 
         if (!plan.SupportsSecretsManager)
         {
@@ -424,38 +439,5 @@ public class OrganizationBillingService(
         return subscriptionProductIds.Intersect(couponAppliesTo ?? []).Any();
     }
 
-    private static bool IsSubscriptionUnpaid(Subscription subscription)
-    {
-        if (subscription == null)
-        {
-            return false;
-        }
-
-        return subscription.Status == "unpaid";
-    }
-
-    private async Task<(bool HasOpenInvoice, DateTime? CreatedDate, DateTime? DueDate)> HasOpenInvoiceAsync(Subscription subscription)
-    {
-        if (subscription?.LatestInvoiceId == null)
-        {
-            return (false, null, null);
-        }
-
-        var invoice = await stripeAdapter.InvoiceGetAsync(subscription.LatestInvoiceId, new InvoiceGetOptions());
-
-        return invoice?.Status == "open"
-            ? (true, invoice.Created, invoice.DueDate)
-            : (false, null, null);
-    }
-
-    private static bool IsSubscriptionCanceled(Subscription subscription)
-    {
-        if (subscription == null)
-        {
-            return false;
-        }
-
-        return subscription.Status == "canceled";
-    }
     #endregion
 }
diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index 860cf33298..ff5e929f18 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -27,12 +27,6 @@
     <PackageReference Include="AWSSDK.SQS" Version="3.7.400.85" />
     <PackageReference Include="Azure.Data.Tables" Version="12.9.0" />
     <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Blobs" Version="1.3.4" />
-    <PackageReference Include="Google.Protobuf" Version="3.29.2" />
-    <PackageReference Include="Grpc.Net.Client" Version="2.67.0" />
-    <PackageReference Include="Grpc.Tools" Version="2.68.1">
-      <PrivateAssets>all</PrivateAssets>
-      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
-    </PackageReference>
     <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="8.0.10" />
     <PackageReference Include="Azure.Messaging.ServiceBus" Version="7.18.1" />
     <PackageReference Include="Azure.Storage.Blobs" Version="12.21.2" />
@@ -78,11 +72,7 @@
     <PackageReference Include="System.Text.Json" Version="8.0.5" />
     <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="8.0.1" />
   </ItemGroup>
-
-  <ItemGroup>
-    <Protobuf Include="Billing\Pricing\Protos\password-manager.proto" GrpcServices="Client" />
-  </ItemGroup>
-
+  
   <ItemGroup>
     <Folder Include="Resources\" />
     <Folder Include="Properties\" />
diff --git a/src/Core/Models/Business/CompleteSubscriptionUpdate.cs b/src/Core/Models/Business/CompleteSubscriptionUpdate.cs
index aa1c92dc2e..1d983404af 100644
--- a/src/Core/Models/Business/CompleteSubscriptionUpdate.cs
+++ b/src/Core/Models/Business/CompleteSubscriptionUpdate.cs
@@ -1,6 +1,7 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Exceptions;
 using Stripe;
+using Plan = Bit.Core.Models.StaticStore.Plan;
 
 namespace Bit.Core.Models.Business;
 
@@ -9,7 +10,7 @@ namespace Bit.Core.Models.Business;
 /// </summary>
 public class SubscriptionData
 {
-    public StaticStore.Plan Plan { get; init; }
+    public Plan Plan { get; init; }
     public int PurchasedPasswordManagerSeats { get; init; }
     public bool SubscribedToSecretsManager { get; set; }
     public int? PurchasedSecretsManagerSeats { get; init; }
@@ -38,22 +39,24 @@ public class CompleteSubscriptionUpdate : SubscriptionUpdate
     /// in the case of an error.
     /// </summary>
     /// <param name="organization">The <see cref="Organization"/> to upgrade.</param>
+    /// <param name="plan">The organization's plan.</param>
     /// <param name="updatedSubscription">The updates you want to apply to the organization's subscription.</param>
     public CompleteSubscriptionUpdate(
         Organization organization,
+        Plan plan,
         SubscriptionData updatedSubscription)
     {
-        _currentSubscription = GetSubscriptionDataFor(organization);
+        _currentSubscription = GetSubscriptionDataFor(organization, plan);
         _updatedSubscription = updatedSubscription;
     }
 
-    protected override List<string> PlanIds => new()
-    {
+    protected override List<string> PlanIds =>
+    [
         GetPasswordManagerPlanId(_updatedSubscription.Plan),
         _updatedSubscription.Plan.SecretsManager.StripeSeatPlanId,
         _updatedSubscription.Plan.SecretsManager.StripeServiceAccountPlanId,
         _updatedSubscription.Plan.PasswordManager.StripeStoragePlanId
-    };
+    ];
 
     /// <summary>
     /// Generates the <see cref="SubscriptionItemOptions"/> necessary to revert an <see cref="Organization"/>'s
@@ -94,7 +97,7 @@ public class CompleteSubscriptionUpdate : SubscriptionUpdate
      */
     /// <summary>
     /// Checks whether the updates provided in the <see cref="CompleteSubscriptionUpdate"/>'s constructor
-    /// are actually different than the organization's current <see cref="Subscription"/>.
+    /// are actually different from the organization's current <see cref="Subscription"/>.
     /// </summary>
     /// <param name="subscription">The organization's <see cref="Subscription"/>.</param>
     public override bool UpdateNeeded(Subscription subscription)
@@ -278,11 +281,8 @@ public class CompleteSubscriptionUpdate : SubscriptionUpdate
         };
     }
 
-    private static SubscriptionData GetSubscriptionDataFor(Organization organization)
-    {
-        var plan = Utilities.StaticStore.GetPlan(organization.PlanType);
-
-        return new SubscriptionData
+    private static SubscriptionData GetSubscriptionDataFor(Organization organization, Plan plan)
+        => new()
         {
             Plan = plan,
             PurchasedPasswordManagerSeats = organization.Seats.HasValue
@@ -299,5 +299,4 @@ public class CompleteSubscriptionUpdate : SubscriptionUpdate
                 ? organization.MaxStorageGb.Value - (plan.PasswordManager.BaseStorageGb ?? 0) :
                 0
         };
-    }
 }
diff --git a/src/Core/Models/Business/ProviderSubscriptionUpdate.cs b/src/Core/Models/Business/ProviderSubscriptionUpdate.cs
index d66013ad14..1fd833ca1f 100644
--- a/src/Core/Models/Business/ProviderSubscriptionUpdate.cs
+++ b/src/Core/Models/Business/ProviderSubscriptionUpdate.cs
@@ -2,6 +2,7 @@
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Extensions;
 using Stripe;
+using Plan = Bit.Core.Models.StaticStore.Plan;
 
 namespace Bit.Core.Models.Business;
 
@@ -14,18 +15,16 @@ public class ProviderSubscriptionUpdate : SubscriptionUpdate
     protected override List<string> PlanIds => [_planId];
 
     public ProviderSubscriptionUpdate(
-        PlanType planType,
+        Plan plan,
         int previouslyPurchasedSeats,
         int newlyPurchasedSeats)
     {
-        if (!planType.SupportsConsolidatedBilling())
+        if (!plan.Type.SupportsConsolidatedBilling())
         {
             throw new BillingException(
                 message: $"Cannot create a {nameof(ProviderSubscriptionUpdate)} for {nameof(PlanType)} that doesn't support consolidated billing");
         }
 
-        var plan = Utilities.StaticStore.GetPlan(planType);
-
         _planId = plan.PasswordManager.StripeProviderPortalSeatPlanId;
         _previouslyPurchasedSeats = previouslyPurchasedSeats;
         _newlyPurchasedSeats = newlyPurchasedSeats;
diff --git a/src/Core/Models/Business/SecretsManagerSubscriptionUpdate.cs b/src/Core/Models/Business/SecretsManagerSubscriptionUpdate.cs
index 9a4fcac034..d85925db34 100644
--- a/src/Core/Models/Business/SecretsManagerSubscriptionUpdate.cs
+++ b/src/Core/Models/Business/SecretsManagerSubscriptionUpdate.cs
@@ -7,6 +7,7 @@ namespace Bit.Core.Models.Business;
 public class SecretsManagerSubscriptionUpdate
 {
     public Organization Organization { get; }
+    public Plan Plan { get; }
 
     /// <summary>
     /// The total seats the organization will have after the update, including any base seats included in the plan
@@ -49,21 +50,16 @@ public class SecretsManagerSubscriptionUpdate
     public bool MaxAutoscaleSmSeatsChanged => MaxAutoscaleSmSeats != Organization.MaxAutoscaleSmSeats;
     public bool MaxAutoscaleSmServiceAccountsChanged =>
         MaxAutoscaleSmServiceAccounts != Organization.MaxAutoscaleSmServiceAccounts;
-    public Plan Plan => Utilities.StaticStore.GetPlan(Organization.PlanType);
     public bool SmSeatAutoscaleLimitReached => SmSeats.HasValue && MaxAutoscaleSmSeats.HasValue && SmSeats == MaxAutoscaleSmSeats;
 
     public bool SmServiceAccountAutoscaleLimitReached => SmServiceAccounts.HasValue &&
                                                          MaxAutoscaleSmServiceAccounts.HasValue &&
                                                          SmServiceAccounts == MaxAutoscaleSmServiceAccounts;
 
-    public SecretsManagerSubscriptionUpdate(Organization organization, bool autoscaling)
+    public SecretsManagerSubscriptionUpdate(Organization organization, Plan plan, bool autoscaling)
     {
-        if (organization == null)
-        {
-            throw new NotFoundException("Organization is not found.");
-        }
-
-        Organization = organization;
+        Organization = organization ?? throw new NotFoundException("Organization is not found.");
+        Plan = plan;
 
         if (!Plan.SupportsSecretsManager)
         {
diff --git a/src/Core/Models/Business/SubscriptionInfo.cs b/src/Core/Models/Business/SubscriptionInfo.cs
index 5294097613..c9c3b31c7f 100644
--- a/src/Core/Models/Business/SubscriptionInfo.cs
+++ b/src/Core/Models/Business/SubscriptionInfo.cs
@@ -82,7 +82,6 @@ public class SubscriptionInfo
             }
 
             public bool AddonSubscriptionItem { get; set; }
-
             public string ProductId { get; set; }
             public string Name { get; set; }
             public decimal Amount { get; set; }
diff --git a/src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/CloudSyncSponsorshipsCommand.cs b/src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/CloudSyncSponsorshipsCommand.cs
index f817ef7d2e..2756f8930b 100644
--- a/src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/CloudSyncSponsorshipsCommand.cs
+++ b/src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/CloudSyncSponsorshipsCommand.cs
@@ -1,4 +1,5 @@
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Billing.Extensions;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -54,8 +55,9 @@ public class CloudSyncSponsorshipsCommand : ICloudSyncSponsorshipsCommand
         foreach (var selfHostedSponsorship in sponsorshipsData)
         {
             var requiredSponsoringProductType = StaticStore.GetSponsoredPlan(selfHostedSponsorship.PlanSponsorshipType)?.SponsoringProductTierType;
+            var sponsoringOrgProductTier = sponsoringOrg.PlanType.GetProductTier();
             if (requiredSponsoringProductType == null
-                || StaticStore.GetPlan(sponsoringOrg.PlanType).ProductTier != requiredSponsoringProductType.Value)
+                || sponsoringOrgProductTier != requiredSponsoringProductType.Value)
             {
                 continue; // prevent unsupported sponsorships
             }
diff --git a/src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/SetUpSponsorshipCommand.cs b/src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/SetUpSponsorshipCommand.cs
index e8d43fd6a9..a54106481c 100644
--- a/src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/SetUpSponsorshipCommand.cs
+++ b/src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/SetUpSponsorshipCommand.cs
@@ -1,4 +1,5 @@
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Billing.Extensions;
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
@@ -50,9 +51,10 @@ public class SetUpSponsorshipCommand : ISetUpSponsorshipCommand
 
         // Check org to sponsor's product type
         var requiredSponsoredProductType = StaticStore.GetSponsoredPlan(sponsorship.PlanSponsorshipType.Value)?.SponsoredProductTierType;
+        var sponsoredOrganizationProductTier = sponsoredOrganization.PlanType.GetProductTier();
+
         if (requiredSponsoredProductType == null ||
-            sponsoredOrganization == null ||
-            StaticStore.GetPlan(sponsoredOrganization.PlanType).ProductTier != requiredSponsoredProductType.Value)
+            sponsoredOrganizationProductTier != requiredSponsoredProductType.Value)
         {
             throw new BadRequestException("Can only redeem sponsorship offer on families organizations.");
         }
diff --git a/src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/ValidateSponsorshipCommand.cs b/src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/ValidateSponsorshipCommand.cs
index 214786c0ae..a7423b067e 100644
--- a/src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/ValidateSponsorshipCommand.cs
+++ b/src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/ValidateSponsorshipCommand.cs
@@ -1,4 +1,5 @@
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Billing.Extensions;
 using Bit.Core.Entities;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
 using Bit.Core.Repositories;
@@ -103,8 +104,6 @@ public class ValidateSponsorshipCommand : CancelSponsorshipCommand, IValidateSpo
             return false;
         }
 
-        var sponsoringOrgPlan = Utilities.StaticStore.GetPlan(sponsoringOrganization.PlanType);
-
         if (OrgDisabledForMoreThanGracePeriod(sponsoringOrganization))
         {
             _logger.LogWarning("Sponsoring Organization {SponsoringOrganizationId} is disabled for more than 3 months.", sponsoringOrganization.Id);
@@ -113,7 +112,9 @@ public class ValidateSponsorshipCommand : CancelSponsorshipCommand, IValidateSpo
             return false;
         }
 
-        if (sponsoredPlan.SponsoringProductTierType != sponsoringOrgPlan.ProductTier)
+        var sponsoringOrgProductTier = sponsoringOrganization.PlanType.GetProductTier();
+
+        if (sponsoredPlan.SponsoringProductTierType != sponsoringOrgProductTier)
         {
             _logger.LogWarning("Sponsoring Organization {SponsoringOrganizationId} is not on the required product type.", sponsoringOrganization.Id);
             await CancelSponsorshipAsync(sponsoredOrganization, existingSponsorship);
diff --git a/src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/CreateSponsorshipCommand.cs b/src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/CreateSponsorshipCommand.cs
index a00dae2a9d..ac65d3b897 100644
--- a/src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/CreateSponsorshipCommand.cs
+++ b/src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/CreateSponsorshipCommand.cs
@@ -1,4 +1,5 @@
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Billing.Extensions;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -31,9 +32,10 @@ public class CreateSponsorshipCommand : ICreateSponsorshipCommand
         }
 
         var requiredSponsoringProductType = StaticStore.GetSponsoredPlan(sponsorshipType)?.SponsoringProductTierType;
+        var sponsoringOrgProductTier = sponsoringOrg.PlanType.GetProductTier();
+
         if (requiredSponsoringProductType == null ||
-            sponsoringOrg == null ||
-            StaticStore.GetPlan(sponsoringOrg.PlanType).ProductTier != requiredSponsoringProductType.Value)
+            sponsoringOrgProductTier != requiredSponsoringProductType.Value)
         {
             throw new BadRequestException("Specified Organization cannot sponsor other organizations.");
         }
diff --git a/src/Core/OrganizationFeatures/OrganizationSubscriptions/AddSecretsManagerSubscriptionCommand.cs b/src/Core/OrganizationFeatures/OrganizationSubscriptions/AddSecretsManagerSubscriptionCommand.cs
index 08cd09e5c3..a0ce7c03b9 100644
--- a/src/Core/OrganizationFeatures/OrganizationSubscriptions/AddSecretsManagerSubscriptionCommand.cs
+++ b/src/Core/OrganizationFeatures/OrganizationSubscriptions/AddSecretsManagerSubscriptionCommand.cs
@@ -2,11 +2,11 @@
 using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
 using Bit.Core.Services;
-using Bit.Core.Utilities;
 
 namespace Bit.Core.OrganizationFeatures.OrganizationSubscriptions;
 
@@ -15,22 +15,25 @@ public class AddSecretsManagerSubscriptionCommand : IAddSecretsManagerSubscripti
     private readonly IPaymentService _paymentService;
     private readonly IOrganizationService _organizationService;
     private readonly IProviderRepository _providerRepository;
+    private readonly IPricingClient _pricingClient;
 
     public AddSecretsManagerSubscriptionCommand(
         IPaymentService paymentService,
         IOrganizationService organizationService,
-        IProviderRepository providerRepository)
+        IProviderRepository providerRepository,
+        IPricingClient pricingClient)
     {
         _paymentService = paymentService;
         _organizationService = organizationService;
         _providerRepository = providerRepository;
+        _pricingClient = pricingClient;
     }
     public async Task SignUpAsync(Organization organization, int additionalSmSeats,
         int additionalServiceAccounts)
     {
         await ValidateOrganization(organization);
 
-        var plan = StaticStore.GetPlan(organization.PlanType);
+        var plan = await _pricingClient.GetPlanOrThrow(organization.PlanType);
         var signup = SetOrganizationUpgrade(organization, additionalSmSeats, additionalServiceAccounts);
         _organizationService.ValidateSecretsManagerPlan(plan, signup);
 
@@ -73,7 +76,13 @@ public class AddSecretsManagerSubscriptionCommand : IAddSecretsManagerSubscripti
             throw new BadRequestException("Organization already uses Secrets Manager.");
         }
 
-        var plan = StaticStore.Plans.FirstOrDefault(p => p.Type == organization.PlanType && p.SupportsSecretsManager);
+        var plan = await _pricingClient.GetPlanOrThrow(organization.PlanType);
+
+        if (!plan.SupportsSecretsManager)
+        {
+            throw new BadRequestException("Organization's plan does not support Secrets Manager.");
+        }
+
         if (string.IsNullOrWhiteSpace(organization.GatewayCustomerId) && plan.ProductTier != ProductTierType.Free)
         {
             throw new BadRequestException("No payment method found.");
diff --git a/src/Core/OrganizationFeatures/OrganizationSubscriptions/UpgradeOrganizationPlanCommand.cs b/src/Core/OrganizationFeatures/OrganizationSubscriptions/UpgradeOrganizationPlanCommand.cs
index 19af8121e7..09b766e885 100644
--- a/src/Core/OrganizationFeatures/OrganizationSubscriptions/UpgradeOrganizationPlanCommand.cs
+++ b/src/Core/OrganizationFeatures/OrganizationSubscriptions/UpgradeOrganizationPlanCommand.cs
@@ -6,6 +6,7 @@ using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Models.Sales;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Enums;
@@ -18,7 +19,6 @@ using Bit.Core.Services;
 using Bit.Core.Tools.Enums;
 using Bit.Core.Tools.Models.Business;
 using Bit.Core.Tools.Services;
-using Bit.Core.Utilities;
 
 namespace Bit.Core.OrganizationFeatures.OrganizationSubscriptions;
 
@@ -38,6 +38,7 @@ public class UpgradeOrganizationPlanCommand : IUpgradeOrganizationPlanCommand
     private readonly IOrganizationService _organizationService;
     private readonly IFeatureService _featureService;
     private readonly IOrganizationBillingService _organizationBillingService;
+    private readonly IPricingClient _pricingClient;
 
     public UpgradeOrganizationPlanCommand(
         IOrganizationUserRepository organizationUserRepository,
@@ -53,7 +54,8 @@ public class UpgradeOrganizationPlanCommand : IUpgradeOrganizationPlanCommand
         IOrganizationRepository organizationRepository,
         IOrganizationService organizationService,
         IFeatureService featureService,
-        IOrganizationBillingService organizationBillingService)
+        IOrganizationBillingService organizationBillingService,
+        IPricingClient pricingClient)
     {
         _organizationUserRepository = organizationUserRepository;
         _collectionRepository = collectionRepository;
@@ -69,6 +71,7 @@ public class UpgradeOrganizationPlanCommand : IUpgradeOrganizationPlanCommand
         _organizationService = organizationService;
         _featureService = featureService;
         _organizationBillingService = organizationBillingService;
+        _pricingClient = pricingClient;
     }
 
     public async Task<Tuple<bool, string>> UpgradePlanAsync(Guid organizationId, OrganizationUpgrade upgrade)
@@ -84,14 +87,11 @@ public class UpgradeOrganizationPlanCommand : IUpgradeOrganizationPlanCommand
             throw new BadRequestException("Your account has no payment method available.");
         }
 
-        var existingPlan = StaticStore.GetPlan(organization.PlanType);
-        if (existingPlan == null)
-        {
-            throw new BadRequestException("Existing plan not found.");
-        }
+        var existingPlan = await _pricingClient.GetPlanOrThrow(organization.PlanType);
 
-        var newPlan = StaticStore.Plans.FirstOrDefault(p => p.Type == upgrade.Plan && !p.Disabled);
-        if (newPlan == null)
+        var newPlan = await _pricingClient.GetPlanOrThrow(upgrade.Plan);
+
+        if (newPlan.Disabled)
         {
             throw new BadRequestException("Plan not found.");
         }
diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
index 7f2ac36216..1a8fe2085d 100644
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -7,6 +7,7 @@ using Bit.Core.Billing.Models.Api.Requests.Accounts;
 using Bit.Core.Billing.Models.Api.Requests.Organizations;
 using Bit.Core.Billing.Models.Api.Responses;
 using Bit.Core.Billing.Models.Business;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Services;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -37,6 +38,7 @@ public class StripePaymentService : IPaymentService
     private readonly IFeatureService _featureService;
     private readonly ITaxService _taxService;
     private readonly ISubscriberService _subscriberService;
+    private readonly IPricingClient _pricingClient;
 
     public StripePaymentService(
         ITransactionRepository transactionRepository,
@@ -46,7 +48,8 @@ public class StripePaymentService : IPaymentService
         IGlobalSettings globalSettings,
         IFeatureService featureService,
         ITaxService taxService,
-        ISubscriberService subscriberService)
+        ISubscriberService subscriberService,
+        IPricingClient pricingClient)
     {
         _transactionRepository = transactionRepository;
         _logger = logger;
@@ -56,6 +59,7 @@ public class StripePaymentService : IPaymentService
         _featureService = featureService;
         _taxService = taxService;
         _subscriberService = subscriberService;
+        _pricingClient = pricingClient;
     }
 
     public async Task<string> PurchaseOrganizationAsync(Organization org, PaymentMethodType paymentMethodType,
@@ -297,7 +301,7 @@ public class StripePaymentService : IPaymentService
         OrganizationSponsorship sponsorship,
         bool applySponsorship)
     {
-        var existingPlan = Utilities.StaticStore.GetPlan(org.PlanType);
+        var existingPlan = await _pricingClient.GetPlanOrThrow(org.PlanType);
         var sponsoredPlan = sponsorship?.PlanSponsorshipType != null ?
             Utilities.StaticStore.GetSponsoredPlan(sponsorship.PlanSponsorshipType.Value) :
             null;
@@ -887,18 +891,21 @@ public class StripePaymentService : IPaymentService
         return paymentIntentClientSecret;
     }
 
-    public Task<string> AdjustSubscription(
+    public async Task<string> AdjustSubscription(
         Organization organization,
         StaticStore.Plan updatedPlan,
         int newlyPurchasedPasswordManagerSeats,
         bool subscribedToSecretsManager,
         int? newlyPurchasedSecretsManagerSeats,
         int? newlyPurchasedAdditionalSecretsManagerServiceAccounts,
-        int newlyPurchasedAdditionalStorage) =>
-        FinalizeSubscriptionChangeAsync(
+        int newlyPurchasedAdditionalStorage)
+    {
+        var plan = await _pricingClient.GetPlanOrThrow(organization.PlanType);
+        return await FinalizeSubscriptionChangeAsync(
             organization,
             new CompleteSubscriptionUpdate(
                 organization,
+                plan,
                 new SubscriptionData
                 {
                     Plan = updatedPlan,
@@ -909,6 +916,7 @@ public class StripePaymentService : IPaymentService
                         newlyPurchasedAdditionalSecretsManagerServiceAccounts,
                     PurchasedAdditionalStorage = newlyPurchasedAdditionalStorage
                 }), true);
+    }
 
     public Task<string> AdjustSeatsAsync(Organization organization, StaticStore.Plan plan, int additionalSeats) =>
         FinalizeSubscriptionChangeAsync(organization, new SeatSubscriptionUpdate(organization, plan, additionalSeats));
@@ -921,7 +929,7 @@ public class StripePaymentService : IPaymentService
         => FinalizeSubscriptionChangeAsync(
             provider,
             new ProviderSubscriptionUpdate(
-                plan.Type,
+                plan,
                 currentlySubscribedSeats,
                 newlySubscribedSeats));
 
@@ -1957,7 +1965,7 @@ public class StripePaymentService : IPaymentService
         string gatewayCustomerId,
         string gatewaySubscriptionId)
     {
-        var plan = Utilities.StaticStore.GetPlan(parameters.PasswordManager.Plan);
+        var plan = await _pricingClient.GetPlanOrThrow(parameters.PasswordManager.Plan);
 
         var options = new InvoiceCreatePreviewOptions
         {
diff --git a/src/Core/Utilities/StaticStore.cs b/src/Core/Utilities/StaticStore.cs
index 78fcd0d99f..24e9ccd7bd 100644
--- a/src/Core/Utilities/StaticStore.cs
+++ b/src/Core/Utilities/StaticStore.cs
@@ -1,5 +1,6 @@
 using System.Collections.Immutable;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Extensions;
 using Bit.Core.Billing.Models.StaticStore.Plans;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
@@ -137,6 +138,7 @@ public static class StaticStore
     }
 
     public static IDictionary<GlobalEquivalentDomainsType, IEnumerable<string>> GlobalDomains { get; set; }
+    [Obsolete("Use PricingClient.ListPlans to retrieve all plans.")]
     public static IEnumerable<Plan> Plans { get; }
     public static IEnumerable<SponsoredPlan> SponsoredPlans { get; set; } = new[]
         {
@@ -147,10 +149,11 @@ public static class StaticStore
                 SponsoringProductTierType = ProductTierType.Enterprise,
                 StripePlanId = "2021-family-for-enterprise-annually",
                 UsersCanSponsor = (OrganizationUserOrganizationDetails org) =>
-                    GetPlan(org.PlanType).ProductTier == ProductTierType.Enterprise,
+                    org.PlanType.GetProductTier() == ProductTierType.Enterprise,
             }
         };
 
+    [Obsolete("Use PricingClient.GetPlan to retrieve a plan.")]
     public static Plan GetPlan(PlanType planType) => Plans.SingleOrDefault(p => p.Type == planType);
 
     public static SponsoredPlan GetSponsoredPlan(PlanSponsorshipType planSponsorshipType) =>
@@ -167,6 +170,7 @@ public static class StaticStore
     /// </returns>
     public static bool IsAddonSubscriptionItem(string stripePlanId)
     {
+        // TODO: PRICING -> https://bitwarden.atlassian.net/browse/PM-16844
         return Plans.Any(p =>
                 p.PasswordManager.StripeStoragePlanId == stripePlanId ||
                 (p.SecretsManager?.StripeServiceAccountPlanId == stripePlanId));
diff --git a/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs b/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
index b739469c78..b0906ddc43 100644
--- a/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
+++ b/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
@@ -17,6 +17,7 @@ using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Auth.Services;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Entities;
@@ -54,6 +55,7 @@ public class OrganizationsControllerTests : IDisposable
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
     private readonly ICloudOrganizationSignUpCommand _cloudOrganizationSignUpCommand;
     private readonly IOrganizationDeleteCommand _organizationDeleteCommand;
+    private readonly IPricingClient _pricingClient;
     private readonly OrganizationsController _sut;
 
     public OrganizationsControllerTests()
@@ -78,6 +80,7 @@ public class OrganizationsControllerTests : IDisposable
         _removeOrganizationUserCommand = Substitute.For<IRemoveOrganizationUserCommand>();
         _cloudOrganizationSignUpCommand = Substitute.For<ICloudOrganizationSignUpCommand>();
         _organizationDeleteCommand = Substitute.For<IOrganizationDeleteCommand>();
+        _pricingClient = Substitute.For<IPricingClient>();
 
         _sut = new OrganizationsController(
             _organizationRepository,
@@ -99,7 +102,8 @@ public class OrganizationsControllerTests : IDisposable
             _orgDeleteTokenDataFactory,
             _removeOrganizationUserCommand,
             _cloudOrganizationSignUpCommand,
-            _organizationDeleteCommand);
+            _organizationDeleteCommand,
+            _pricingClient);
     }
 
     public void Dispose()
diff --git a/test/Api.Test/Billing/Controllers/OrganizationsControllerTests.cs b/test/Api.Test/Billing/Controllers/OrganizationsControllerTests.cs
index 483d962830..16e32870ad 100644
--- a/test/Api.Test/Billing/Controllers/OrganizationsControllerTests.cs
+++ b/test/Api.Test/Billing/Controllers/OrganizationsControllerTests.cs
@@ -10,6 +10,7 @@ using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Auth.Services;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Repositories;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
@@ -49,6 +50,7 @@ public class OrganizationsControllerTests : IDisposable
     private readonly ISubscriberService _subscriberService;
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
     private readonly IOrganizationInstallationRepository _organizationInstallationRepository;
+    private readonly IPricingClient _pricingClient;
 
     private readonly OrganizationsController _sut;
 
@@ -73,6 +75,7 @@ public class OrganizationsControllerTests : IDisposable
         _subscriberService = Substitute.For<ISubscriberService>();
         _removeOrganizationUserCommand = Substitute.For<IRemoveOrganizationUserCommand>();
         _organizationInstallationRepository = Substitute.For<IOrganizationInstallationRepository>();
+        _pricingClient = Substitute.For<IPricingClient>();
 
         _sut = new OrganizationsController(
             _organizationRepository,
@@ -89,7 +92,8 @@ public class OrganizationsControllerTests : IDisposable
             _addSecretsManagerSubscriptionCommand,
             _referenceEventService,
             _subscriberService,
-            _organizationInstallationRepository);
+            _organizationInstallationRepository,
+            _pricingClient);
     }
 
     public void Dispose()
diff --git a/test/Api.Test/Billing/Controllers/ProviderBillingControllerTests.cs b/test/Api.Test/Billing/Controllers/ProviderBillingControllerTests.cs
index 644303c873..df84f74d11 100644
--- a/test/Api.Test/Billing/Controllers/ProviderBillingControllerTests.cs
+++ b/test/Api.Test/Billing/Controllers/ProviderBillingControllerTests.cs
@@ -8,6 +8,7 @@ using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Entities;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Models;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Repositories;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
@@ -331,6 +332,11 @@ public class ProviderBillingControllerTests
 
         sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id).Returns(providerPlans);
 
+        foreach (var providerPlan in providerPlans)
+        {
+            sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(providerPlan.PlanType).Returns(StaticStore.GetPlan(providerPlan.PlanType));
+        }
+
         var result = await sutProvider.Sut.GetSubscriptionAsync(provider.Id);
 
         Assert.IsType<Ok<ProviderSubscriptionResponse>>(result);
diff --git a/test/Api.Test/SecretsManager/Controllers/ServiceAccountsControllerTests.cs b/test/Api.Test/SecretsManager/Controllers/ServiceAccountsControllerTests.cs
index 731494a846..8147b81240 100644
--- a/test/Api.Test/SecretsManager/Controllers/ServiceAccountsControllerTests.cs
+++ b/test/Api.Test/SecretsManager/Controllers/ServiceAccountsControllerTests.cs
@@ -2,6 +2,7 @@
 using Bit.Api.SecretsManager.Controllers;
 using Bit.Api.SecretsManager.Models.Request;
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -15,6 +16,7 @@ using Bit.Core.SecretsManager.Models.Data;
 using Bit.Core.SecretsManager.Queries.ServiceAccounts.Interfaces;
 using Bit.Core.SecretsManager.Repositories;
 using Bit.Core.Services;
+using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Bit.Test.Common.Helpers;
@@ -119,6 +121,8 @@ public class ServiceAccountsControllerTests
     {
         ArrangeCreateServiceAccountAutoScalingTest(newSlotsRequired, sutProvider, data, organization);
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(organization.PlanType).Returns(StaticStore.GetPlan(organization.PlanType));
+
         await sutProvider.Sut.CreateAsync(organization.Id, data);
 
         await sutProvider.GetDependency<ICreateServiceAccountCommand>().Received(1)
diff --git a/test/Billing.Test/Services/ProviderEventServiceTests.cs b/test/Billing.Test/Services/ProviderEventServiceTests.cs
index 31f4ec8969..e080dd8288 100644
--- a/test/Billing.Test/Services/ProviderEventServiceTests.cs
+++ b/test/Billing.Test/Services/ProviderEventServiceTests.cs
@@ -1,14 +1,16 @@
 using Bit.Billing.Services;
 using Bit.Billing.Services.Implementations;
 using Bit.Billing.Test.Utilities;
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Models.Data.Provider;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Entities;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Repositories;
 using Bit.Core.Enums;
+using Bit.Core.Repositories;
 using Bit.Core.Utilities;
-using Microsoft.Extensions.Logging;
 using NSubstitute;
 using Stripe;
 using Xunit;
@@ -17,6 +19,12 @@ namespace Bit.Billing.Test.Services;
 
 public class ProviderEventServiceTests
 {
+    private readonly IOrganizationRepository _organizationRepository =
+        Substitute.For<IOrganizationRepository>();
+
+    private readonly IPricingClient _pricingClient =
+        Substitute.For<IPricingClient>();
+
     private readonly IProviderInvoiceItemRepository _providerInvoiceItemRepository =
         Substitute.For<IProviderInvoiceItemRepository>();
 
@@ -37,7 +45,8 @@ public class ProviderEventServiceTests
     public ProviderEventServiceTests()
     {
         _providerEventService = new ProviderEventService(
-            Substitute.For<ILogger<ProviderEventService>>(),
+            _organizationRepository,
+            _pricingClient,
             _providerInvoiceItemRepository,
             _providerOrganizationRepository,
             _providerPlanRepository,
@@ -147,6 +156,12 @@ public class ProviderEventServiceTests
 
         _providerOrganizationRepository.GetManyDetailsByProviderAsync(providerId).Returns(clients);
 
+        _organizationRepository.GetByIdAsync(client1Id)
+            .Returns(new Organization { PlanType = PlanType.TeamsMonthly });
+
+        _organizationRepository.GetByIdAsync(client2Id)
+            .Returns(new Organization { PlanType = PlanType.EnterpriseMonthly });
+
         var providerPlans = new List<ProviderPlan>
         {
             new ()
@@ -169,6 +184,11 @@ public class ProviderEventServiceTests
             }
         };
 
+        foreach (var providerPlan in providerPlans)
+        {
+            _pricingClient.GetPlanOrThrow(providerPlan.PlanType).Returns(StaticStore.GetPlan(providerPlan.PlanType));
+        }
+
         _providerPlanRepository.GetByProviderId(providerId).Returns(providerPlans);
 
         // Act
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationSignUp/CloudOrganizationSignUpCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationSignUp/CloudOrganizationSignUpCommandTests.cs
index 859c74f3d0..544c97d166 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationSignUp/CloudOrganizationSignUpCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationSignUp/CloudOrganizationSignUpCommandTests.cs
@@ -2,6 +2,7 @@
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Models.Sales;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Services;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -38,6 +39,8 @@ public class CloudICloudOrganizationSignUpCommandTests
         signup.IsFromSecretsManagerTrial = false;
         signup.IsFromProvider = false;
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(signup.Plan).Returns(StaticStore.GetPlan(signup.Plan));
+
         var result = await sutProvider.Sut.SignUpOrganizationAsync(signup);
 
         await sutProvider.GetDependency<IOrganizationRepository>().Received(1).CreateAsync(
@@ -66,7 +69,7 @@ public class CloudICloudOrganizationSignUpCommandTests
                 sale.CustomerSetup.TokenizedPaymentSource.Token == signup.PaymentToken &&
                 sale.CustomerSetup.TaxInformation.Country == signup.TaxInfo.BillingAddressCountry &&
                 sale.CustomerSetup.TaxInformation.PostalCode == signup.TaxInfo.BillingAddressPostalCode &&
-                sale.SubscriptionSetup.Plan == plan &&
+                sale.SubscriptionSetup.PlanType == plan.Type &&
                 sale.SubscriptionSetup.PasswordManagerOptions.Seats == signup.AdditionalSeats &&
                 sale.SubscriptionSetup.PasswordManagerOptions.Storage == signup.AdditionalStorageGb &&
                 sale.SubscriptionSetup.SecretsManagerOptions == null));
@@ -84,6 +87,8 @@ public class CloudICloudOrganizationSignUpCommandTests
         signup.UseSecretsManager = false;
         signup.IsFromProvider = false;
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(signup.Plan).Returns(StaticStore.GetPlan(signup.Plan));
+
         // Extract orgUserId when created
         Guid? orgUserId = null;
         await sutProvider.GetDependency<IOrganizationUserRepository>()
@@ -128,6 +133,7 @@ public class CloudICloudOrganizationSignUpCommandTests
         signup.IsFromSecretsManagerTrial = false;
         signup.IsFromProvider = false;
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(signup.Plan).Returns(StaticStore.GetPlan(signup.Plan));
 
         var result = await sutProvider.Sut.SignUpOrganizationAsync(signup);
 
@@ -157,7 +163,7 @@ public class CloudICloudOrganizationSignUpCommandTests
                 sale.CustomerSetup.TokenizedPaymentSource.Token == signup.PaymentToken &&
                 sale.CustomerSetup.TaxInformation.Country == signup.TaxInfo.BillingAddressCountry &&
                 sale.CustomerSetup.TaxInformation.PostalCode == signup.TaxInfo.BillingAddressPostalCode &&
-                sale.SubscriptionSetup.Plan == plan &&
+                sale.SubscriptionSetup.PlanType == plan.Type &&
                 sale.SubscriptionSetup.PasswordManagerOptions.Seats == signup.AdditionalSeats &&
                 sale.SubscriptionSetup.PasswordManagerOptions.Storage == signup.AdditionalStorageGb &&
                 sale.SubscriptionSetup.SecretsManagerOptions.Seats == signup.AdditionalSmSeats &&
@@ -177,6 +183,8 @@ public class CloudICloudOrganizationSignUpCommandTests
         signup.PremiumAccessAddon = false;
         signup.IsFromProvider = true;
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(signup.Plan).Returns(StaticStore.GetPlan(signup.Plan));
+
         var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.SignUpOrganizationAsync(signup));
         Assert.Contains("Organizations with a Managed Service Provider do not support Secrets Manager.", exception.Message);
     }
@@ -195,6 +203,8 @@ public class CloudICloudOrganizationSignUpCommandTests
         signup.AdditionalStorageGb = 0;
         signup.IsFromProvider = false;
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(signup.Plan).Returns(StaticStore.GetPlan(signup.Plan));
+
         var exception = await Assert.ThrowsAsync<BadRequestException>(
             () => sutProvider.Sut.SignUpOrganizationAsync(signup));
         Assert.Contains("Plan does not allow additional Machine Accounts.", exception.Message);
@@ -213,6 +223,8 @@ public class CloudICloudOrganizationSignUpCommandTests
         signup.AdditionalServiceAccounts = 10;
         signup.IsFromProvider = false;
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(signup.Plan).Returns(StaticStore.GetPlan(signup.Plan));
+
         var exception = await Assert.ThrowsAsync<BadRequestException>(
            () => sutProvider.Sut.SignUpOrganizationAsync(signup));
         Assert.Contains("You cannot have more Secrets Manager seats than Password Manager seats", exception.Message);
@@ -231,6 +243,8 @@ public class CloudICloudOrganizationSignUpCommandTests
         signup.AdditionalServiceAccounts = -10;
         signup.IsFromProvider = false;
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(signup.Plan).Returns(StaticStore.GetPlan(signup.Plan));
+
         var exception = await Assert.ThrowsAsync<BadRequestException>(
             () => sutProvider.Sut.SignUpOrganizationAsync(signup));
         Assert.Contains("You can't subtract Machine Accounts!", exception.Message);
@@ -249,6 +263,8 @@ public class CloudICloudOrganizationSignUpCommandTests
             Owner = new User { Id = Guid.NewGuid() }
         };
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(signup.Plan).Returns(StaticStore.GetPlan(signup.Plan));
+
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetCountByFreeOrganizationAdminUserAsync(signup.Owner.Id)
             .Returns(1);
diff --git a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
index 52dd39e182..4c42fdfeb9 100644
--- a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
+++ b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
@@ -10,6 +10,7 @@ using Bit.Core.Auth.Models.Business.Tokenables;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -203,10 +204,12 @@ public class OrganizationServiceTests
     {
         signup.Plan = PlanType.TeamsMonthly;
 
-        var (organization, _, _) = await sutProvider.Sut.SignupClientAsync(signup);
-
         var plan = StaticStore.GetPlan(signup.Plan);
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(signup.Plan).Returns(plan);
+
+        var (organization, _, _) = await sutProvider.Sut.SignupClientAsync(signup);
+
         await sutProvider.GetDependency<IOrganizationRepository>().Received(1).CreateAsync(Arg.Is<Organization>(org =>
             org.Id == organization.Id &&
             org.Name == signup.Name &&
@@ -894,6 +897,8 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
         SetupOrgUserRepositoryCreateManyAsyncMock(organizationUserRepository);
         SetupOrgUserRepositoryCreateAsyncMock(organizationUserRepository);
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(organization.PlanType).Returns(StaticStore.GetPlan(organization.PlanType));
+
         await sutProvider.Sut.InviteUsersAsync(organization.Id, savingUser.Id, systemUser: null, invites);
 
         await sutProvider.GetDependency<IUpdateSecretsManagerSubscriptionCommand>().Received(1)
@@ -933,6 +938,9 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
         sutProvider.GetDependency<IReferenceEventService>().RaiseEventAsync(default)
             .ThrowsForAnyArgs<BadRequestException>();
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(organization.PlanType)
+            .Returns(StaticStore.GetPlan(organization.PlanType));
+
         await Assert.ThrowsAsync<AggregateException>(async () =>
             await sutProvider.Sut.InviteUsersAsync(organization.Id, savingUser.Id, systemUser: null, invites));
 
@@ -1338,6 +1346,9 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
         organization.MaxAutoscaleSeats = currentMaxAutoscaleSeats;
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(organization.PlanType)
+            .Returns(StaticStore.GetPlan(organization.PlanType));
+
         var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.UpdateSubscription(organization.Id,
             seatAdjustment, maxAutoscaleSeats));
 
@@ -1360,6 +1371,9 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
         organization.Seats = 100;
         organization.SmSeats = 100;
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(organization.PlanType)
+            .Returns(StaticStore.GetPlan(organization.PlanType));
+
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
 
         var actual = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.UpdateSubscription(organization.Id, seatAdjustment, null));
diff --git a/test/Core.Test/Billing/Services/OrganizationBillingServiceTests.cs b/test/Core.Test/Billing/Services/OrganizationBillingServiceTests.cs
index 2e1782f5c8..1f15c5f7fd 100644
--- a/test/Core.Test/Billing/Services/OrganizationBillingServiceTests.cs
+++ b/test/Core.Test/Billing/Services/OrganizationBillingServiceTests.cs
@@ -1,8 +1,10 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Billing.Constants;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Services;
 using Bit.Core.Billing.Services.Implementations;
 using Bit.Core.Repositories;
+using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
@@ -15,43 +17,6 @@ namespace Bit.Core.Test.Billing.Services;
 public class OrganizationBillingServiceTests
 {
     #region GetMetadata
-    [Theory, BitAutoData]
-    public async Task GetMetadata_OrganizationNull_ReturnsNull(
-        Guid organizationId,
-        SutProvider<OrganizationBillingService> sutProvider)
-    {
-        var metadata = await sutProvider.Sut.GetMetadata(organizationId);
-
-        Assert.Null(metadata);
-    }
-
-    [Theory, BitAutoData]
-    public async Task GetMetadata_CustomerNull_ReturnsNull(
-        Guid organizationId,
-        Organization organization,
-        SutProvider<OrganizationBillingService> sutProvider)
-    {
-        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId).Returns(organization);
-
-        var metadata = await sutProvider.Sut.GetMetadata(organizationId);
-
-        Assert.False(metadata.IsOnSecretsManagerStandalone);
-    }
-
-    [Theory, BitAutoData]
-    public async Task GetMetadata_SubscriptionNull_ReturnsNull(
-        Guid organizationId,
-        Organization organization,
-        SutProvider<OrganizationBillingService> sutProvider)
-    {
-        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId).Returns(organization);
-
-        sutProvider.GetDependency<ISubscriberService>().GetCustomer(organization).Returns(new Customer());
-
-        var metadata = await sutProvider.Sut.GetMetadata(organizationId);
-
-        Assert.False(metadata.IsOnSecretsManagerStandalone);
-    }
 
     [Theory, BitAutoData]
     public async Task GetMetadata_Succeeds(
@@ -61,6 +26,11 @@ public class OrganizationBillingServiceTests
     {
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId).Returns(organization);
 
+        sutProvider.GetDependency<IPricingClient>().ListPlans().Returns(StaticStore.Plans.ToList());
+
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(organization.PlanType)
+            .Returns(StaticStore.GetPlan(organization.PlanType));
+
         var subscriberService = sutProvider.GetDependency<ISubscriberService>();
 
         subscriberService
@@ -99,7 +69,8 @@ public class OrganizationBillingServiceTests
 
         var metadata = await sutProvider.Sut.GetMetadata(organizationId);
 
-        Assert.True(metadata.IsOnSecretsManagerStandalone);
+        Assert.True(metadata!.IsOnSecretsManagerStandalone);
     }
+
     #endregion
 }
diff --git a/test/Core.Test/Models/Business/CompleteSubscriptionUpdateTests.cs b/test/Core.Test/Models/Business/CompleteSubscriptionUpdateTests.cs
index ceb4735684..dee805033a 100644
--- a/test/Core.Test/Models/Business/CompleteSubscriptionUpdateTests.cs
+++ b/test/Core.Test/Models/Business/CompleteSubscriptionUpdateTests.cs
@@ -43,7 +43,7 @@ public class CompleteSubscriptionUpdateTests
             PurchasedPasswordManagerSeats = 20
         };
 
-        var subscriptionUpdate = new CompleteSubscriptionUpdate(organization, updatedSubscriptionData);
+        var subscriptionUpdate = new CompleteSubscriptionUpdate(organization, teamsStarterPlan, updatedSubscriptionData);
 
         var upgradeItemOptions = subscriptionUpdate.UpgradeItemsOptions(subscription);
 
@@ -114,7 +114,7 @@ public class CompleteSubscriptionUpdateTests
             PurchasedAdditionalStorage = 10
         };
 
-        var subscriptionUpdate = new CompleteSubscriptionUpdate(organization, updatedSubscriptionData);
+        var subscriptionUpdate = new CompleteSubscriptionUpdate(organization, teamsMonthlyPlan, updatedSubscriptionData);
 
         var upgradeItemOptions = subscriptionUpdate.UpgradeItemsOptions(subscription);
 
@@ -221,7 +221,7 @@ public class CompleteSubscriptionUpdateTests
             PurchasedAdditionalStorage = 10
         };
 
-        var subscriptionUpdate = new CompleteSubscriptionUpdate(organization, updatedSubscriptionData);
+        var subscriptionUpdate = new CompleteSubscriptionUpdate(organization, teamsMonthlyPlan, updatedSubscriptionData);
 
         var upgradeItemOptions = subscriptionUpdate.UpgradeItemsOptions(subscription);
 
@@ -302,7 +302,7 @@ public class CompleteSubscriptionUpdateTests
             PurchasedPasswordManagerSeats = 20
         };
 
-        var subscriptionUpdate = new CompleteSubscriptionUpdate(organization, updatedSubscriptionData);
+        var subscriptionUpdate = new CompleteSubscriptionUpdate(organization, teamsStarterPlan, updatedSubscriptionData);
 
         var revertItemOptions = subscriptionUpdate.RevertItemsOptions(subscription);
 
@@ -372,7 +372,7 @@ public class CompleteSubscriptionUpdateTests
             PurchasedAdditionalStorage = 10
         };
 
-        var subscriptionUpdate = new CompleteSubscriptionUpdate(organization, updatedSubscriptionData);
+        var subscriptionUpdate = new CompleteSubscriptionUpdate(organization, teamsMonthlyPlan, updatedSubscriptionData);
 
         var revertItemOptions = subscriptionUpdate.RevertItemsOptions(subscription);
 
@@ -478,7 +478,7 @@ public class CompleteSubscriptionUpdateTests
             PurchasedAdditionalStorage = 10
         };
 
-        var subscriptionUpdate = new CompleteSubscriptionUpdate(organization, updatedSubscriptionData);
+        var subscriptionUpdate = new CompleteSubscriptionUpdate(organization, teamsMonthlyPlan, updatedSubscriptionData);
 
         var revertItemOptions = subscriptionUpdate.RevertItemsOptions(subscription);
 
diff --git a/test/Core.Test/Models/Business/SecretsManagerSubscriptionUpdateTests.cs b/test/Core.Test/Models/Business/SecretsManagerSubscriptionUpdateTests.cs
index faf20eb6dc..6a411363a0 100644
--- a/test/Core.Test/Models/Business/SecretsManagerSubscriptionUpdateTests.cs
+++ b/test/Core.Test/Models/Business/SecretsManagerSubscriptionUpdateTests.cs
@@ -2,7 +2,9 @@
 using Bit.Core.Billing.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
+using Bit.Core.Models.StaticStore;
 using Bit.Core.Test.AutoFixture.OrganizationFixtures;
+using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Xunit;
 
@@ -11,19 +13,40 @@ namespace Bit.Core.Test.Models.Business;
 [SecretsManagerOrganizationCustomize]
 public class SecretsManagerSubscriptionUpdateTests
 {
+    private static TheoryData<Plan> ToPlanTheory(List<PlanType> types)
+    {
+        var theoryData = new TheoryData<Plan>();
+        var plans = types.Select(StaticStore.GetPlan).ToArray();
+        theoryData.AddRange(plans);
+        return theoryData;
+    }
+
+    public static TheoryData<Plan> NonSmPlans =>
+        ToPlanTheory([PlanType.Custom, PlanType.FamiliesAnnually, PlanType.FamiliesAnnually2019]);
+
+    public static TheoryData<Plan> SmPlans => ToPlanTheory([
+        PlanType.EnterpriseAnnually2019,
+        PlanType.EnterpriseAnnually,
+        PlanType.TeamsMonthly2019,
+        PlanType.TeamsAnnually2020,
+        PlanType.TeamsMonthly,
+        PlanType.TeamsAnnually2019,
+        PlanType.TeamsAnnually2020,
+        PlanType.TeamsAnnually,
+        PlanType.TeamsStarter
+    ]);
+
     [Theory]
-    [BitAutoData(PlanType.Custom)]
-    [BitAutoData(PlanType.FamiliesAnnually)]
-    [BitAutoData(PlanType.FamiliesAnnually2019)]
+    [BitMemberAutoData(nameof(NonSmPlans))]
     public Task UpdateSubscriptionAsync_WithNonSecretsManagerPlanType_ThrowsBadRequestException(
-        PlanType planType,
+        Plan plan,
         Organization organization)
     {
         // Arrange
-        organization.PlanType = planType;
+        organization.PlanType = plan.Type;
 
         // Act
-        var exception = Assert.Throws<NotFoundException>(() => new SecretsManagerSubscriptionUpdate(organization, false));
+        var exception = Assert.Throws<NotFoundException>(() => new SecretsManagerSubscriptionUpdate(organization, plan, false));
 
         // Assert
         Assert.Contains("Invalid Secrets Manager plan", exception.Message, StringComparison.InvariantCultureIgnoreCase);
@@ -31,28 +54,16 @@ public class SecretsManagerSubscriptionUpdateTests
     }
 
     [Theory]
-    [BitAutoData(PlanType.EnterpriseMonthly2019)]
-    [BitAutoData(PlanType.EnterpriseMonthly2020)]
-    [BitAutoData(PlanType.EnterpriseMonthly)]
-    [BitAutoData(PlanType.EnterpriseAnnually2019)]
-    [BitAutoData(PlanType.EnterpriseAnnually2020)]
-    [BitAutoData(PlanType.EnterpriseAnnually)]
-    [BitAutoData(PlanType.TeamsMonthly2019)]
-    [BitAutoData(PlanType.TeamsMonthly2020)]
-    [BitAutoData(PlanType.TeamsMonthly)]
-    [BitAutoData(PlanType.TeamsAnnually2019)]
-    [BitAutoData(PlanType.TeamsAnnually2020)]
-    [BitAutoData(PlanType.TeamsAnnually)]
-    [BitAutoData(PlanType.TeamsStarter)]
+    [BitMemberAutoData(nameof(SmPlans))]
     public void UpdateSubscription_WithNonSecretsManagerPlanType_DoesNotThrowException(
-        PlanType planType,
+        Plan plan,
         Organization organization)
     {
         // Arrange
-        organization.PlanType = planType;
+        organization.PlanType = plan.Type;
 
         // Act
-        var ex = Record.Exception(() => new SecretsManagerSubscriptionUpdate(organization, false));
+        var ex = Record.Exception(() => new SecretsManagerSubscriptionUpdate(organization, plan, false));
 
         // Assert
         Assert.Null(ex);
diff --git a/test/Core.Test/OrganizationFeatures/OrganizationSubscriptionUpdate/AddSecretsManagerSubscriptionCommandTests.cs b/test/Core.Test/OrganizationFeatures/OrganizationSubscriptionUpdate/AddSecretsManagerSubscriptionCommandTests.cs
index 8dcfb198b6..02ae40798b 100644
--- a/test/Core.Test/OrganizationFeatures/OrganizationSubscriptionUpdate/AddSecretsManagerSubscriptionCommandTests.cs
+++ b/test/Core.Test/OrganizationFeatures/OrganizationSubscriptionUpdate/AddSecretsManagerSubscriptionCommandTests.cs
@@ -3,6 +3,7 @@ using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.Models.StaticStore;
@@ -41,7 +42,8 @@ public class AddSecretsManagerSubscriptionCommandTests
     {
         organization.PlanType = planType;
 
-        var plan = StaticStore.Plans.FirstOrDefault(p => p.Type == organization.PlanType);
+        var plan = StaticStore.GetPlan(organization.PlanType);
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(organization.PlanType).Returns(plan);
 
         await sutProvider.Sut.SignUpAsync(organization, additionalSmSeats, additionalServiceAccounts);
 
@@ -85,6 +87,8 @@ public class AddSecretsManagerSubscriptionCommandTests
     {
         organization.GatewayCustomerId = null;
         organization.PlanType = PlanType.EnterpriseAnnually;
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(organization.PlanType)
+            .Returns(StaticStore.GetPlan(organization.PlanType));
         var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
             sutProvider.Sut.SignUpAsync(organization, additionalSmSeats, additionalServiceAccounts));
         Assert.Contains("No payment method found.", exception.Message);
@@ -101,6 +105,8 @@ public class AddSecretsManagerSubscriptionCommandTests
     {
         organization.GatewaySubscriptionId = null;
         organization.PlanType = PlanType.EnterpriseAnnually;
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(organization.PlanType)
+            .Returns(StaticStore.GetPlan(organization.PlanType));
         var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
             sutProvider.Sut.SignUpAsync(organization, additionalSmSeats, additionalServiceAccounts));
         Assert.Contains("No subscription found.", exception.Message);
@@ -132,6 +138,8 @@ public class AddSecretsManagerSubscriptionCommandTests
         organization.UseSecretsManager = false;
         provider.Type = ProviderType.Msp;
         sutProvider.GetDependency<IProviderRepository>().GetByOrganizationIdAsync(organization.Id).Returns(provider);
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(organization.PlanType)
+            .Returns(StaticStore.GetPlan(organization.PlanType));
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(
             () => sutProvider.Sut.SignUpAsync(organization, 10, 10));
diff --git a/test/Core.Test/OrganizationFeatures/OrganizationSubscriptionUpdate/UpdateSecretsManagerSubscriptionCommandTests.cs b/test/Core.Test/OrganizationFeatures/OrganizationSubscriptionUpdate/UpdateSecretsManagerSubscriptionCommandTests.cs
index 546ea7770c..50f51da7d0 100644
--- a/test/Core.Test/OrganizationFeatures/OrganizationSubscriptionUpdate/UpdateSecretsManagerSubscriptionCommandTests.cs
+++ b/test/Core.Test/OrganizationFeatures/OrganizationSubscriptionUpdate/UpdateSecretsManagerSubscriptionCommandTests.cs
@@ -21,26 +21,48 @@ namespace Bit.Core.Test.OrganizationFeatures.OrganizationSubscriptionUpdate;
 [SecretsManagerOrganizationCustomize]
 public class UpdateSecretsManagerSubscriptionCommandTests
 {
+    private static TheoryData<Plan> ToPlanTheory(List<PlanType> types)
+    {
+        var theoryData = new TheoryData<Plan>();
+        var plans = types.Select(StaticStore.GetPlan).ToArray();
+        theoryData.AddRange(plans);
+        return theoryData;
+    }
+
+    public static TheoryData<Plan> AllTeamsAndEnterprise
+        => ToPlanTheory([
+            PlanType.EnterpriseAnnually2019,
+            PlanType.EnterpriseAnnually2020,
+            PlanType.EnterpriseAnnually,
+            PlanType.EnterpriseMonthly2019,
+            PlanType.EnterpriseMonthly2020,
+            PlanType.EnterpriseMonthly,
+            PlanType.TeamsMonthly2019,
+            PlanType.TeamsMonthly2020,
+            PlanType.TeamsMonthly,
+            PlanType.TeamsAnnually2019,
+            PlanType.TeamsAnnually2020,
+            PlanType.TeamsAnnually,
+            PlanType.TeamsStarter
+        ]);
+
+    public static TheoryData<Plan> CurrentTeamsAndEnterprise
+        => ToPlanTheory([
+            PlanType.EnterpriseAnnually,
+            PlanType.EnterpriseMonthly,
+            PlanType.TeamsMonthly,
+            PlanType.TeamsAnnually,
+            PlanType.TeamsStarter
+        ]);
+
     [Theory]
-    [BitAutoData(PlanType.EnterpriseAnnually2019)]
-    [BitAutoData(PlanType.EnterpriseAnnually2020)]
-    [BitAutoData(PlanType.EnterpriseAnnually)]
-    [BitAutoData(PlanType.EnterpriseMonthly2019)]
-    [BitAutoData(PlanType.EnterpriseMonthly2020)]
-    [BitAutoData(PlanType.EnterpriseMonthly)]
-    [BitAutoData(PlanType.TeamsMonthly2019)]
-    [BitAutoData(PlanType.TeamsMonthly2020)]
-    [BitAutoData(PlanType.TeamsMonthly)]
-    [BitAutoData(PlanType.TeamsAnnually2019)]
-    [BitAutoData(PlanType.TeamsAnnually2020)]
-    [BitAutoData(PlanType.TeamsAnnually)]
-    [BitAutoData(PlanType.TeamsStarter)]
+    [BitMemberAutoData(nameof(AllTeamsAndEnterprise))]
     public async Task UpdateSubscriptionAsync_UpdateEverything_ValidInput_Passes(
-        PlanType planType,
+        Plan plan,
         Organization organization,
         SutProvider<UpdateSecretsManagerSubscriptionCommand> sutProvider)
     {
-        organization.PlanType = planType;
+        organization.PlanType = plan.Type;
         organization.Seats = 400;
         organization.SmSeats = 10;
         organization.MaxAutoscaleSmSeats = 20;
@@ -52,7 +74,7 @@ public class UpdateSecretsManagerSubscriptionCommandTests
         var updateMaxAutoscaleSmSeats = 16;
         var updateMaxAutoscaleSmServiceAccounts = 301;
 
-        var update = new SecretsManagerSubscriptionUpdate(organization, false)
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false)
         {
             SmSeats = updateSmSeats,
             SmServiceAccounts = updateSmServiceAccounts,
@@ -62,7 +84,6 @@ public class UpdateSecretsManagerSubscriptionCommandTests
 
         await sutProvider.Sut.UpdateSubscriptionAsync(update);
 
-        var plan = StaticStore.GetPlan(organization.PlanType);
         await sutProvider.GetDependency<IPaymentService>().Received(1)
             .AdjustSmSeatsAsync(organization, plan, update.SmSeatsExcludingBase);
         await sutProvider.GetDependency<IPaymentService>().Received(1)
@@ -83,17 +104,13 @@ public class UpdateSecretsManagerSubscriptionCommandTests
     }
 
     [Theory]
-    [BitAutoData(PlanType.EnterpriseAnnually)]
-    [BitAutoData(PlanType.EnterpriseMonthly)]
-    [BitAutoData(PlanType.TeamsMonthly)]
-    [BitAutoData(PlanType.TeamsAnnually)]
-    [BitAutoData(PlanType.TeamsStarter)]
+    [BitMemberAutoData(nameof(CurrentTeamsAndEnterprise))]
     public async Task UpdateSubscriptionAsync_ValidInput_WithNullMaxAutoscale_Passes(
-        PlanType planType,
+        Plan plan,
         Organization organization,
         SutProvider<UpdateSecretsManagerSubscriptionCommand> sutProvider)
     {
-        organization.PlanType = planType;
+        organization.PlanType = plan.Type;
         organization.Seats = 20;
 
         const int updateSmSeats = 15;
@@ -102,7 +119,7 @@ public class UpdateSecretsManagerSubscriptionCommandTests
         // Ensure that SmSeats is different from the original organization.SmSeats
         organization.SmSeats = updateSmSeats + 5;
 
-        var update = new SecretsManagerSubscriptionUpdate(organization, false)
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false)
         {
             SmSeats = updateSmSeats,
             MaxAutoscaleSmSeats = null,
@@ -112,7 +129,6 @@ public class UpdateSecretsManagerSubscriptionCommandTests
 
         await sutProvider.Sut.UpdateSubscriptionAsync(update);
 
-        var plan = StaticStore.GetPlan(organization.PlanType);
         await sutProvider.GetDependency<IPaymentService>().Received(1)
             .AdjustSmSeatsAsync(organization, plan, update.SmSeatsExcludingBase);
         await sutProvider.GetDependency<IPaymentService>().Received(1)
@@ -141,7 +157,8 @@ public class UpdateSecretsManagerSubscriptionCommandTests
         Organization organization,
         SutProvider<UpdateSecretsManagerSubscriptionCommand> sutProvider)
     {
-        var update = new SecretsManagerSubscriptionUpdate(organization, autoscaling).AdjustSeats(2);
+        var plan = StaticStore.GetPlan(organization.PlanType);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, autoscaling).AdjustSeats(2);
 
         sutProvider.GetDependency<IGlobalSettings>().SelfHosted.Returns(true);
 
@@ -156,8 +173,10 @@ public class UpdateSecretsManagerSubscriptionCommandTests
         SutProvider<UpdateSecretsManagerSubscriptionCommand> sutProvider,
         Organization organization)
     {
+        var plan = StaticStore.GetPlan(organization.PlanType);
+
         organization.UseSecretsManager = false;
-        var update = new SecretsManagerSubscriptionUpdate(organization, false);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false);
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(
              () => sutProvider.Sut.UpdateSubscriptionAsync(update));
@@ -167,27 +186,16 @@ public class UpdateSecretsManagerSubscriptionCommandTests
     }
 
     [Theory]
-    [BitAutoData(PlanType.EnterpriseAnnually2019)]
-    [BitAutoData(PlanType.EnterpriseAnnually2020)]
-    [BitAutoData(PlanType.EnterpriseAnnually)]
-    [BitAutoData(PlanType.EnterpriseMonthly2019)]
-    [BitAutoData(PlanType.EnterpriseMonthly2020)]
-    [BitAutoData(PlanType.EnterpriseMonthly)]
-    [BitAutoData(PlanType.TeamsMonthly2019)]
-    [BitAutoData(PlanType.TeamsMonthly2020)]
-    [BitAutoData(PlanType.TeamsMonthly)]
-    [BitAutoData(PlanType.TeamsAnnually2019)]
-    [BitAutoData(PlanType.TeamsAnnually2020)]
-    [BitAutoData(PlanType.TeamsAnnually)]
-    [BitAutoData(PlanType.TeamsStarter)]
+    [BitMemberAutoData(nameof(AllTeamsAndEnterprise))]
     public async Task UpdateSubscriptionAsync_PaidPlan_NullGatewayCustomerId_ThrowsException(
-        PlanType planType,
+        Plan plan,
         Organization organization,
         SutProvider<UpdateSecretsManagerSubscriptionCommand> sutProvider)
     {
-        organization.PlanType = planType;
+        organization.PlanType = plan.Type;
         organization.GatewayCustomerId = null;
-        var update = new SecretsManagerSubscriptionUpdate(organization, false).AdjustSeats(1);
+
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false).AdjustSeats(1);
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.UpdateSubscriptionAsync(update));
         Assert.Contains("No payment method found.", exception.Message);
@@ -195,27 +203,15 @@ public class UpdateSecretsManagerSubscriptionCommandTests
     }
 
     [Theory]
-    [BitAutoData(PlanType.EnterpriseAnnually2019)]
-    [BitAutoData(PlanType.EnterpriseAnnually2020)]
-    [BitAutoData(PlanType.EnterpriseAnnually)]
-    [BitAutoData(PlanType.EnterpriseMonthly2019)]
-    [BitAutoData(PlanType.EnterpriseMonthly2020)]
-    [BitAutoData(PlanType.EnterpriseMonthly)]
-    [BitAutoData(PlanType.TeamsMonthly2019)]
-    [BitAutoData(PlanType.TeamsMonthly2020)]
-    [BitAutoData(PlanType.TeamsMonthly)]
-    [BitAutoData(PlanType.TeamsAnnually2019)]
-    [BitAutoData(PlanType.TeamsAnnually2020)]
-    [BitAutoData(PlanType.TeamsAnnually)]
-    [BitAutoData(PlanType.TeamsStarter)]
+    [BitMemberAutoData(nameof(AllTeamsAndEnterprise))]
     public async Task UpdateSubscriptionAsync_PaidPlan_NullGatewaySubscriptionId_ThrowsException(
-        PlanType planType,
+        Plan plan,
         Organization organization,
         SutProvider<UpdateSecretsManagerSubscriptionCommand> sutProvider)
     {
-        organization.PlanType = planType;
+        organization.PlanType = plan.Type;
         organization.GatewaySubscriptionId = null;
-        var update = new SecretsManagerSubscriptionUpdate(organization, false).AdjustSeats(1);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false).AdjustSeats(1);
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.UpdateSubscriptionAsync(update));
         Assert.Contains("No subscription found.", exception.Message);
@@ -223,24 +219,12 @@ public class UpdateSecretsManagerSubscriptionCommandTests
     }
 
     [Theory]
-    [BitAutoData(PlanType.EnterpriseAnnually2019)]
-    [BitAutoData(PlanType.EnterpriseAnnually2020)]
-    [BitAutoData(PlanType.EnterpriseAnnually)]
-    [BitAutoData(PlanType.EnterpriseMonthly2019)]
-    [BitAutoData(PlanType.EnterpriseMonthly2020)]
-    [BitAutoData(PlanType.EnterpriseMonthly)]
-    [BitAutoData(PlanType.TeamsMonthly2019)]
-    [BitAutoData(PlanType.TeamsMonthly2020)]
-    [BitAutoData(PlanType.TeamsMonthly)]
-    [BitAutoData(PlanType.TeamsAnnually2019)]
-    [BitAutoData(PlanType.TeamsAnnually2020)]
-    [BitAutoData(PlanType.TeamsAnnually)]
-    [BitAutoData(PlanType.TeamsStarter)]
-    public async Task AdjustServiceAccountsAsync_WithEnterpriseOrTeamsPlans_Success(PlanType planType, Guid organizationId,
+    [BitMemberAutoData(nameof(AllTeamsAndEnterprise))]
+    public async Task AdjustServiceAccountsAsync_WithEnterpriseOrTeamsPlans_Success(
+        Plan plan,
+        Guid organizationId,
         SutProvider<UpdateSecretsManagerSubscriptionCommand> sutProvider)
     {
-        var plan = StaticStore.GetPlan(planType);
-
         var organizationSeats = plan.SecretsManager.BaseSeats + 10;
         var organizationMaxAutoscaleSeats = 20;
         var organizationServiceAccounts = plan.SecretsManager.BaseServiceAccount + 10;
@@ -249,7 +233,7 @@ public class UpdateSecretsManagerSubscriptionCommandTests
         var organization = new Organization
         {
             Id = organizationId,
-            PlanType = planType,
+            PlanType = plan.Type,
             GatewayCustomerId = "1",
             GatewaySubscriptionId = "2",
             UseSecretsManager = true,
@@ -263,7 +247,7 @@ public class UpdateSecretsManagerSubscriptionCommandTests
         var expectedSmServiceAccounts = organizationServiceAccounts + smServiceAccountsAdjustment;
         var expectedSmServiceAccountsExcludingBase = expectedSmServiceAccounts - plan.SecretsManager.BaseServiceAccount;
 
-        var update = new SecretsManagerSubscriptionUpdate(organization, false).AdjustServiceAccounts(10);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false).AdjustServiceAccounts(10);
 
         await sutProvider.Sut.UpdateSubscriptionAsync(update);
 
@@ -290,8 +274,9 @@ public class UpdateSecretsManagerSubscriptionCommandTests
 
         // Make sure Password Manager seats is greater or equal to Secrets Manager seats
         organization.Seats = seatCount;
+        var plan = StaticStore.GetPlan(organization.PlanType);
 
-        var update = new SecretsManagerSubscriptionUpdate(organization, false)
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false)
         {
             SmSeats = seatCount,
             MaxAutoscaleSmSeats = seatCount
@@ -310,7 +295,8 @@ public class UpdateSecretsManagerSubscriptionCommandTests
         SutProvider<UpdateSecretsManagerSubscriptionCommand> sutProvider)
     {
         organization.SmSeats = null;
-        var update = new SecretsManagerSubscriptionUpdate(organization, false).AdjustSeats(1);
+        var plan = StaticStore.GetPlan(organization.PlanType);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false).AdjustSeats(1);
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(
             () => sutProvider.Sut.UpdateSubscriptionAsync(update));
@@ -325,7 +311,8 @@ public class UpdateSecretsManagerSubscriptionCommandTests
         Organization organization,
         SutProvider<UpdateSecretsManagerSubscriptionCommand> sutProvider)
     {
-        var update = new SecretsManagerSubscriptionUpdate(organization, true).AdjustSeats(-2);
+        var plan = StaticStore.GetPlan(organization.PlanType);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, true).AdjustSeats(-2);
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.UpdateSubscriptionAsync(update));
         Assert.Contains("Cannot use autoscaling to subtract seats.", exception.Message);
@@ -340,7 +327,8 @@ public class UpdateSecretsManagerSubscriptionCommandTests
         SutProvider<UpdateSecretsManagerSubscriptionCommand> sutProvider)
     {
         organization.PlanType = planType;
-        var update = new SecretsManagerSubscriptionUpdate(organization, false).AdjustSeats(1);
+        var plan = StaticStore.GetPlan(organization.PlanType);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false).AdjustSeats(1);
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.UpdateSubscriptionAsync(update));
         Assert.Contains("You have reached the maximum number of Secrets Manager seats (2) for this plan",
@@ -357,7 +345,8 @@ public class UpdateSecretsManagerSubscriptionCommandTests
         organization.SmSeats = 9;
         organization.MaxAutoscaleSmSeats = 10;
 
-        var update = new SecretsManagerSubscriptionUpdate(organization, true).AdjustSeats(2);
+        var plan = StaticStore.GetPlan(organization.PlanType);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, true).AdjustSeats(2);
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.UpdateSubscriptionAsync(update));
         Assert.Contains("Secrets Manager seat limit has been reached.", exception.Message);
@@ -370,7 +359,8 @@ public class UpdateSecretsManagerSubscriptionCommandTests
         Organization organization,
         SutProvider<UpdateSecretsManagerSubscriptionCommand> sutProvider)
     {
-        var update = new SecretsManagerSubscriptionUpdate(organization, false)
+        var plan = StaticStore.GetPlan(organization.PlanType);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false)
         {
             SmSeats = organization.SmSeats + 10,
             MaxAutoscaleSmSeats = organization.SmSeats + 5
@@ -388,7 +378,8 @@ public class UpdateSecretsManagerSubscriptionCommandTests
         Organization organization,
         SutProvider<UpdateSecretsManagerSubscriptionCommand> sutProvider)
     {
-        var update = new SecretsManagerSubscriptionUpdate(organization, false)
+        var plan = StaticStore.GetPlan(organization.PlanType);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false)
         {
             SmSeats = 0,
         };
@@ -407,7 +398,8 @@ public class UpdateSecretsManagerSubscriptionCommandTests
         SutProvider<UpdateSecretsManagerSubscriptionCommand> sutProvider)
     {
         organization.SmSeats = 8;
-        var update = new SecretsManagerSubscriptionUpdate(organization, false)
+        var plan = StaticStore.GetPlan(organization.PlanType);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false)
         {
             SmSeats = 7,
         };
@@ -425,7 +417,8 @@ public class UpdateSecretsManagerSubscriptionCommandTests
         Organization organization,
         SutProvider<UpdateSecretsManagerSubscriptionCommand> sutProvider)
     {
-        var update = new SecretsManagerSubscriptionUpdate(organization, false)
+        var plan = StaticStore.GetPlan(organization.PlanType);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false)
         {
             SmServiceAccounts = 300,
             MaxAutoscaleSmServiceAccounts = 300
@@ -444,7 +437,8 @@ public class UpdateSecretsManagerSubscriptionCommandTests
         SutProvider<UpdateSecretsManagerSubscriptionCommand> sutProvider)
     {
         organization.SmServiceAccounts = null;
-        var update = new SecretsManagerSubscriptionUpdate(organization, false).AdjustServiceAccounts(1);
+        var plan = StaticStore.GetPlan(organization.PlanType);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false).AdjustServiceAccounts(1);
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.UpdateSubscriptionAsync(update));
         Assert.Contains("Organization has no machine accounts limit, no need to adjust machine accounts", exception.Message);
@@ -457,7 +451,8 @@ public class UpdateSecretsManagerSubscriptionCommandTests
         Organization organization,
         SutProvider<UpdateSecretsManagerSubscriptionCommand> sutProvider)
     {
-        var update = new SecretsManagerSubscriptionUpdate(organization, true).AdjustServiceAccounts(-2);
+        var plan = StaticStore.GetPlan(organization.PlanType);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, true).AdjustServiceAccounts(-2);
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.UpdateSubscriptionAsync(update));
         Assert.Contains("Cannot use autoscaling to subtract machine accounts.", exception.Message);
@@ -472,7 +467,8 @@ public class UpdateSecretsManagerSubscriptionCommandTests
         SutProvider<UpdateSecretsManagerSubscriptionCommand> sutProvider)
     {
         organization.PlanType = planType;
-        var update = new SecretsManagerSubscriptionUpdate(organization, false).AdjustServiceAccounts(1);
+        var plan = StaticStore.GetPlan(organization.PlanType);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false).AdjustServiceAccounts(1);
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.UpdateSubscriptionAsync(update));
         Assert.Contains("You have reached the maximum number of machine accounts (3) for this plan",
@@ -489,7 +485,8 @@ public class UpdateSecretsManagerSubscriptionCommandTests
         organization.SmServiceAccounts = 9;
         organization.MaxAutoscaleSmServiceAccounts = 10;
 
-        var update = new SecretsManagerSubscriptionUpdate(organization, true).AdjustServiceAccounts(2);
+        var plan = StaticStore.GetPlan(organization.PlanType);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, true).AdjustServiceAccounts(2);
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.UpdateSubscriptionAsync(update));
         Assert.Contains("Secrets Manager machine account limit has been reached.", exception.Message);
@@ -508,7 +505,8 @@ public class UpdateSecretsManagerSubscriptionCommandTests
         organization.SmServiceAccounts = smServiceAccount - 5;
         organization.MaxAutoscaleSmServiceAccounts = 2 * smServiceAccount;
 
-        var update = new SecretsManagerSubscriptionUpdate(organization, false)
+        var plan = StaticStore.GetPlan(organization.PlanType);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false)
         {
             SmServiceAccounts = smServiceAccount,
             MaxAutoscaleSmServiceAccounts = maxAutoscaleSmServiceAccounts
@@ -530,7 +528,8 @@ public class UpdateSecretsManagerSubscriptionCommandTests
 
         organization.SmServiceAccounts = newSmServiceAccounts - 10;
 
-        var update = new SecretsManagerSubscriptionUpdate(organization, false)
+        var plan = StaticStore.GetPlan(organization.PlanType);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false)
         {
             SmServiceAccounts = newSmServiceAccounts,
         };
@@ -542,28 +541,16 @@ public class UpdateSecretsManagerSubscriptionCommandTests
     }
 
     [Theory]
-    [BitAutoData(PlanType.EnterpriseAnnually2019)]
-    [BitAutoData(PlanType.EnterpriseAnnually2020)]
-    [BitAutoData(PlanType.EnterpriseAnnually)]
-    [BitAutoData(PlanType.EnterpriseMonthly2019)]
-    [BitAutoData(PlanType.EnterpriseMonthly2020)]
-    [BitAutoData(PlanType.EnterpriseMonthly)]
-    [BitAutoData(PlanType.TeamsMonthly2019)]
-    [BitAutoData(PlanType.TeamsMonthly2020)]
-    [BitAutoData(PlanType.TeamsMonthly)]
-    [BitAutoData(PlanType.TeamsAnnually2019)]
-    [BitAutoData(PlanType.TeamsAnnually2020)]
-    [BitAutoData(PlanType.TeamsAnnually)]
-    [BitAutoData(PlanType.TeamsStarter)]
+    [BitMemberAutoData(nameof(AllTeamsAndEnterprise))]
     public async Task UpdateSmServiceAccounts_WhenCurrentServiceAccountsIsGreaterThanNew_ThrowsBadRequestException(
-        PlanType planType,
+        Plan plan,
         Organization organization,
         SutProvider<UpdateSecretsManagerSubscriptionCommand> sutProvider)
     {
         var currentServiceAccounts = 301;
-        organization.PlanType = planType;
+        organization.PlanType = plan.Type;
         organization.SmServiceAccounts = currentServiceAccounts;
-        var update = new SecretsManagerSubscriptionUpdate(organization, false) { SmServiceAccounts = 201 };
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false) { SmServiceAccounts = 201 };
 
         sutProvider.GetDependency<IServiceAccountRepository>()
             .GetServiceAccountCountByOrganizationIdAsync(organization.Id)
@@ -586,7 +573,8 @@ public class UpdateSecretsManagerSubscriptionCommandTests
         organization.SmSeats = smSeats - 1;
         organization.MaxAutoscaleSmSeats = smSeats * 2;
 
-        var update = new SecretsManagerSubscriptionUpdate(organization, false)
+        var plan = StaticStore.GetPlan(organization.PlanType);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false)
         {
             SmSeats = smSeats,
             MaxAutoscaleSmSeats = maxAutoscaleSmSeats
@@ -606,7 +594,8 @@ public class UpdateSecretsManagerSubscriptionCommandTests
     {
         organization.PlanType = planType;
         organization.SmSeats = 2;
-        var update = new SecretsManagerSubscriptionUpdate(organization, false)
+        var plan = StaticStore.GetPlan(organization.PlanType);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false)
         {
             MaxAutoscaleSmSeats = 3
         };
@@ -625,7 +614,8 @@ public class UpdateSecretsManagerSubscriptionCommandTests
     {
         organization.PlanType = planType;
         organization.SmSeats = 2;
-        var update = new SecretsManagerSubscriptionUpdate(organization, false)
+        var plan = StaticStore.GetPlan(organization.PlanType);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false)
         {
             MaxAutoscaleSmSeats = 2
         };
@@ -645,7 +635,8 @@ public class UpdateSecretsManagerSubscriptionCommandTests
         organization.PlanType = planType;
         organization.SmServiceAccounts = 3;
 
-        var update = new SecretsManagerSubscriptionUpdate(organization, false) { MaxAutoscaleSmServiceAccounts = 3 };
+        var plan = StaticStore.GetPlan(organization.PlanType);
+        var update = new SecretsManagerSubscriptionUpdate(organization, plan, false) { MaxAutoscaleSmServiceAccounts = 3 };
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.UpdateSubscriptionAsync(update));
         Assert.Contains("Your plan does not allow machine accounts autoscaling.", exception.Message);
diff --git a/test/Core.Test/OrganizationFeatures/OrganizationSubscriptionUpdate/UpgradeOrganizationPlanCommandTests.cs b/test/Core.Test/OrganizationFeatures/OrganizationSubscriptionUpdate/UpgradeOrganizationPlanCommandTests.cs
index 2965a2f03d..8bcee1e8c6 100644
--- a/test/Core.Test/OrganizationFeatures/OrganizationSubscriptionUpdate/UpgradeOrganizationPlanCommandTests.cs
+++ b/test/Core.Test/OrganizationFeatures/OrganizationSubscriptionUpdate/UpgradeOrganizationPlanCommandTests.cs
@@ -1,4 +1,5 @@
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.OrganizationFeatures.OrganizationSubscriptions;
@@ -43,6 +44,7 @@ public class UpgradeOrganizationPlanCommandTests
             SutProvider<UpgradeOrganizationPlanCommand> sutProvider)
     {
         upgrade.Plan = organization.PlanType;
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(organization.PlanType).Returns(StaticStore.GetPlan(organization.PlanType));
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
         var exception = await Assert.ThrowsAsync<BadRequestException>(
             () => sutProvider.Sut.UpgradePlanAsync(organization.Id, upgrade));
@@ -58,6 +60,7 @@ public class UpgradeOrganizationPlanCommandTests
         upgrade.AdditionalSmSeats = 10;
         upgrade.AdditionalServiceAccounts = 10;
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(organization.PlanType).Returns(StaticStore.GetPlan(organization.PlanType));
         var exception = await Assert.ThrowsAsync<BadRequestException>(
             () => sutProvider.Sut.UpgradePlanAsync(organization.Id, upgrade));
         Assert.Contains("already on this plan", exception.Message);
@@ -69,9 +72,11 @@ public class UpgradeOrganizationPlanCommandTests
             SutProvider<UpgradeOrganizationPlanCommand> sutProvider)
     {
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(organization.PlanType).Returns(StaticStore.GetPlan(organization.PlanType));
         upgrade.AdditionalSmSeats = 10;
         upgrade.AdditionalSeats = 10;
         upgrade.Plan = PlanType.TeamsAnnually;
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(upgrade.Plan).Returns(StaticStore.GetPlan(upgrade.Plan));
         await sutProvider.Sut.UpgradePlanAsync(organization.Id, upgrade);
         await sutProvider.GetDependency<IOrganizationService>().Received(1).ReplaceAndUpdateCacheAsync(organization);
     }
@@ -92,6 +97,8 @@ public class UpgradeOrganizationPlanCommandTests
 
         organization.PlanType = PlanType.FamiliesAnnually;
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(organization.PlanType).Returns(StaticStore.GetPlan(organization.PlanType));
+
         organizationUpgrade.AdditionalSeats = 30;
         organizationUpgrade.UseSecretsManager = true;
         organizationUpgrade.AdditionalSmSeats = 20;
@@ -99,6 +106,8 @@ public class UpgradeOrganizationPlanCommandTests
         organizationUpgrade.AdditionalStorageGb = 3;
         organizationUpgrade.Plan = planType;
 
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(organizationUpgrade.Plan).Returns(StaticStore.GetPlan(organizationUpgrade.Plan));
+
         await sutProvider.Sut.UpgradePlanAsync(organization.Id, organizationUpgrade);
         await sutProvider.GetDependency<IPaymentService>().Received(1).AdjustSubscription(
             organization,
@@ -120,7 +129,10 @@ public class UpgradeOrganizationPlanCommandTests
     public async Task UpgradePlan_SM_Passes(PlanType planType, Organization organization, OrganizationUpgrade upgrade,
         SutProvider<UpgradeOrganizationPlanCommand> sutProvider)
     {
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(organization.PlanType).Returns(StaticStore.GetPlan(organization.PlanType));
+
         upgrade.Plan = planType;
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(upgrade.Plan).Returns(StaticStore.GetPlan(upgrade.Plan));
 
         var plan = StaticStore.GetPlan(upgrade.Plan);
 
@@ -155,8 +167,10 @@ public class UpgradeOrganizationPlanCommandTests
         upgrade.AdditionalSeats = 15;
         upgrade.AdditionalSmSeats = 1;
         upgrade.AdditionalServiceAccounts = 0;
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(upgrade.Plan).Returns(StaticStore.GetPlan(upgrade.Plan));
 
         organization.SmSeats = 2;
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(organization.PlanType).Returns(StaticStore.GetPlan(organization.PlanType));
 
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
         sutProvider.GetDependency<IOrganizationUserRepository>()
@@ -181,9 +195,11 @@ public class UpgradeOrganizationPlanCommandTests
         upgrade.AdditionalSeats = 15;
         upgrade.AdditionalSmSeats = 1;
         upgrade.AdditionalServiceAccounts = 0;
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(upgrade.Plan).Returns(StaticStore.GetPlan(upgrade.Plan));
 
         organization.SmSeats = 1;
         organization.SmServiceAccounts = currentServiceAccounts;
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(organization.PlanType).Returns(StaticStore.GetPlan(organization.PlanType));
 
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
         sutProvider.GetDependency<IOrganizationUserRepository>()

From 1267332b5b589104058de2338818ac9b68db0df9 Mon Sep 17 00:00:00 2001
From: Nick Krantz <125900171+nick-livefront@users.noreply.github.com>
Date: Thu, 27 Feb 2025 08:34:42 -0600
Subject: [PATCH 320/384] [PM-14406] Security Task Notifications (#5344)

* initial commit of `CipherOrganizationPermission_GetManyByUserId`

* create queries to get all of the security tasks that are actionable by a user

- A task is "actionable" when the user has manage permissions for that cipher

* rename query

* return the user's email from the query as well

* Add email notification for at-risk passwords

- Added email layouts for security tasks

* add push notification for security tasks

* update entity framework to match stored procedure plus testing

* update date of migration and remove orderby

* add push service to security task controller

* rename `SyncSecurityTasksCreated` to `SyncNotification`

* remove duplicate return

* remove unused directive

* remove unneeded new notification type

* use `createNotificationCommand` to alert all platforms

* return the cipher id that is associated with the security task and store the security task id on the notification entry

* Add `TaskId` to the output model of `GetUserSecurityTasksByCipherIdsAsync`

* move notification logic to command

* use TaskId from `_getSecurityTasksNotificationDetailsQuery`

* add service

* only push last notification for each user

* formatting

* refactor `CreateNotificationCommand` parameter to `sendPush`

* flip boolean in test

* update interface to match usage

* do not push any of the security related notifications to the user

* add `PendingSecurityTasks` push type

* add push notification for pending security tasks
---
 .../Controllers/SecurityTaskController.cs     |   8 +-
 src/Core/Enums/PushType.cs                    |   4 +-
 .../Handlebars/Layouts/SecurityTasks.html.hbs |  61 ++++++
 .../Handlebars/Layouts/SecurityTasks.text.hbs |  12 ++
 .../SecurityTasksNotification.html.hbs        |  28 +++
 .../SecurityTasksNotification.text.hbs        |   8 +
 .../Mail/SecurityTaskNotificationViewModel.cs |  12 ++
 .../Commands/CreateNotificationCommand.cs     |   7 +-
 .../Interfaces/ICreateNotificationCommand.cs  |   2 +-
 .../NotificationHubPushNotificationService.cs |   5 +
 .../AzureQueuePushNotificationService.cs      |   5 +
 .../Push/Services/IPushNotificationService.cs |   1 +
 .../MultiServicePushNotificationService.cs    |   6 +
 .../Services/NoopPushNotificationService.cs   |   5 +
 ...NotificationsApiPushNotificationService.cs |   5 +
 .../Services/RelayPushNotificationService.cs  |   5 +
 src/Core/Services/IMailService.cs             |   3 +-
 .../Implementations/HandlebarsMailService.cs  |  24 ++-
 .../NoopImplementations/NoopMailService.cs    |   7 +-
 .../CreateManyTaskNotificationsCommand.cs     |  82 ++++++++
 .../ICreateManyTaskNotificationsCommand.cs    |  13 ++
 .../Vault/Models/Data/UserCipherForTask.cs    |  23 +++
 .../Models/Data/UserSecurityTaskCipher.cs     |  27 +++
 .../Models/Data/UserSecurityTasksCount.cs     |  22 +++
 ...etSecurityTasksNotificationDetailsQuery.cs |  33 ++++
 ...etSecurityTasksNotificationDetailsQuery.cs |  16 ++
 .../Vault/Repositories/ICipherRepository.cs   |   8 +
 .../Vault/VaultServiceCollectionExtensions.cs |   2 +
 .../Vault/Repositories/CipherRepository.cs    |  22 +++
 .../Vault/Repositories/CipherRepository.cs    |  45 +++++
 .../UserSecurityTasksByCipherIdsQuery.cs      |  71 +++++++
 .../UserSecurityTasks_GetManyByCipherIds.sql  |  67 +++++++
 .../Commands/CreateNotificationCommandTest.cs |  15 ++
 .../Repositories/CipherRepositoryTests.cs     | 179 ++++++++++++++++++
 ...0_UserSecurityTasks_GetManyByCipherIds.sql |  68 +++++++
 35 files changed, 893 insertions(+), 8 deletions(-)
 create mode 100644 src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.html.hbs
 create mode 100644 src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.text.hbs
 create mode 100644 src/Core/MailTemplates/Handlebars/SecurityTasksNotification.html.hbs
 create mode 100644 src/Core/MailTemplates/Handlebars/SecurityTasksNotification.text.hbs
 create mode 100644 src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs
 create mode 100644 src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs
 create mode 100644 src/Core/Vault/Commands/Interfaces/ICreateManyTaskNotificationsCommand.cs
 create mode 100644 src/Core/Vault/Models/Data/UserCipherForTask.cs
 create mode 100644 src/Core/Vault/Models/Data/UserSecurityTaskCipher.cs
 create mode 100644 src/Core/Vault/Models/Data/UserSecurityTasksCount.cs
 create mode 100644 src/Core/Vault/Queries/GetSecurityTasksNotificationDetailsQuery.cs
 create mode 100644 src/Core/Vault/Queries/IGetSecurityTasksNotificationDetailsQuery.cs
 create mode 100644 src/Infrastructure.EntityFramework/Vault/Repositories/Queries/UserSecurityTasksByCipherIdsQuery.cs
 create mode 100644 src/Sql/Vault/dbo/Stored Procedures/Cipher/UserSecurityTasks_GetManyByCipherIds.sql
 create mode 100644 util/Migrator/DbScripts/2025-02-11_00_UserSecurityTasks_GetManyByCipherIds.sql

diff --git a/src/Api/Vault/Controllers/SecurityTaskController.cs b/src/Api/Vault/Controllers/SecurityTaskController.cs
index 88b7aed9c6..2693d60825 100644
--- a/src/Api/Vault/Controllers/SecurityTaskController.cs
+++ b/src/Api/Vault/Controllers/SecurityTaskController.cs
@@ -22,19 +22,22 @@ public class SecurityTaskController : Controller
     private readonly IMarkTaskAsCompleteCommand _markTaskAsCompleteCommand;
     private readonly IGetTasksForOrganizationQuery _getTasksForOrganizationQuery;
     private readonly ICreateManyTasksCommand _createManyTasksCommand;
+    private readonly ICreateManyTaskNotificationsCommand _createManyTaskNotificationsCommand;
 
     public SecurityTaskController(
         IUserService userService,
         IGetTaskDetailsForUserQuery getTaskDetailsForUserQuery,
         IMarkTaskAsCompleteCommand markTaskAsCompleteCommand,
         IGetTasksForOrganizationQuery getTasksForOrganizationQuery,
-        ICreateManyTasksCommand createManyTasksCommand)
+        ICreateManyTasksCommand createManyTasksCommand,
+        ICreateManyTaskNotificationsCommand createManyTaskNotificationsCommand)
     {
         _userService = userService;
         _getTaskDetailsForUserQuery = getTaskDetailsForUserQuery;
         _markTaskAsCompleteCommand = markTaskAsCompleteCommand;
         _getTasksForOrganizationQuery = getTasksForOrganizationQuery;
         _createManyTasksCommand = createManyTasksCommand;
+        _createManyTaskNotificationsCommand = createManyTaskNotificationsCommand;
     }
 
     /// <summary>
@@ -87,6 +90,9 @@ public class SecurityTaskController : Controller
         [FromBody] BulkCreateSecurityTasksRequestModel model)
     {
         var securityTasks = await _createManyTasksCommand.CreateAsync(orgId, model.Tasks);
+
+        await _createManyTaskNotificationsCommand.CreateAsync(orgId, securityTasks);
+
         var response = securityTasks.Select(x => new SecurityTasksResponseModel(x)).ToList();
         return new ListResponseModel<SecurityTasksResponseModel>(response);
     }
diff --git a/src/Core/Enums/PushType.cs b/src/Core/Enums/PushType.cs
index 6d0dd9393c..96a1192478 100644
--- a/src/Core/Enums/PushType.cs
+++ b/src/Core/Enums/PushType.cs
@@ -29,5 +29,7 @@ public enum PushType : byte
     SyncOrganizationCollectionSettingChanged = 19,
 
     Notification = 20,
-    NotificationStatus = 21
+    NotificationStatus = 21,
+
+    PendingSecurityTasks = 22
 }
diff --git a/src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.html.hbs b/src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.html.hbs
new file mode 100644
index 0000000000..930d39eeee
--- /dev/null
+++ b/src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.html.hbs
@@ -0,0 +1,61 @@
+{{#>FullUpdatedHtmlLayout}}
+<table border="0" cellpadding="0" cellspacing="0" width="100%"
+  style="background-color: #175DDC;padding-top:25px;padding-bottom:15px;">
+  <tr>
+    <td align="center" valign="top" width="70%" class="templateColumnContainer">
+      <table border="0" cellpadding="0" cellspacing="0" width="100%"
+        style="padding-left:30px; padding-right: 5px; padding-top: 20px;">
+        <tr>
+          <td
+            style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 24px; color: #ffffff; line-height: 32px; font-weight: 500; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+            {{OrgName}} has identified {{TaskCount}} critical login{{#if TaskCountPlural}}s{{/if}} that require{{#unless
+            TaskCountPlural}}s{{/unless}} a
+            password change
+          </td>
+        </tr>
+      </table>
+    </td>
+    <td align="right" valign="bottom" class="templateColumnContainer" style="padding-right: 15px;">
+      <img width="140" height="140" align="right" valign="bottom"
+        style="width: 140px; height:140px; font-size: 0; vertical-align: bottom; text-align: right;" alt=''
+        src='https://assets.bitwarden.com/email/v1/business-warning.png' />
+    </td>
+  </tr>
+</table>
+
+{{>@partial-block}}
+
+<table width="100%" style="display:table; background-color: #FBFBFB; vertical-align: middle; padding:30px" border="0"
+  cellpadding="0" cellspacing="0" valign="middle">
+  <tr>
+    <td width="70%" class="footer-text" style="padding-right: 20px;">
+      <table align="left" border="0" cellpadding="0" cellspacing="0">
+        <tr>
+          <td
+            style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 400; font-size: 16px; line-height: 24px;">
+            <p
+              style="margin: 0; padding: 0; margin-bottom: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 600; font-size: 20px; line-height: 28px;">
+              We’re here for you!</p>
+            If you have any questions, search the Bitwarden <a
+              style="text-decoration: none; color: #175DDC; font-weight: 600;"
+              href="https://bitwarden.com/help/">Help</a> site or <a
+              style="text-decoration: none; color: #175DDC; font-weight: 600;"
+              href="https://bitwarden.com/contact/">contact us</a>.
+          </td>
+        </tr>
+      </table>
+    </td>
+    <td width="30%">
+      <table align="right" valign="bottom" class="footer-image" border="0" cellpadding="0" cellspacing="0"
+        style="padding-left: 40px;">
+        <tr>
+          <td>
+            <img width="94" height="77" src="https://assets.bitwarden.com/email/v1/chat.png"
+              style="width: 94px; height: 77px;" alt="" />
+          </td>
+        </tr>
+      </table>
+    </td>
+  </tr>
+</table>
+{{/FullUpdatedHtmlLayout}}
diff --git a/src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.text.hbs b/src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.text.hbs
new file mode 100644
index 0000000000..f9befac46c
--- /dev/null
+++ b/src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.text.hbs
@@ -0,0 +1,12 @@
+{{#>FullTextLayout}}
+{{OrgName}} has identified {{TaskCount}} critical login{{#if TaskCountPlural}}s{{/if}} that require{{#unless
+TaskCountPlural}}s{{/unless}} a
+password change
+
+{{>@partial-block}}
+
+We’re here for you!
+If you have any questions, search the Bitwarden Help site or contact us.
+- https://bitwarden.com/help/
+- https://bitwarden.com/contact/
+{{/FullTextLayout}}
diff --git a/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.html.hbs b/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.html.hbs
new file mode 100644
index 0000000000..039806f44b
--- /dev/null
+++ b/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.html.hbs
@@ -0,0 +1,28 @@
+{{#>SecurityTasksHtmlLayout}}
+<table width="100%" border="0" style="display: block; padding: 30px;" align="center" cellpadding="0" cellspacing="0">
+  <tr>
+    <td
+      style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 400; font-size: 16px; line-height: 24px;">
+      Keep you and your organization's data safe by changing passwords that are weak, reused, or have been exposed in a
+      data breach.
+    </td>
+  </tr>
+  <tr>
+    <td
+      style="padding-top: 24px; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 400; font-size: 16px; line-height: 24px;">
+      Launch the Bitwarden extension to review your at-risk passwords.
+    </td>
+  </tr>
+</table>
+<table width="100%" border="0" cellpadding="0" cellspacing="0"
+  style="display: table; width:100%; padding-bottom: 35px; text-align: center;" align="center">
+  <tr>
+    <td display="display: table-cell">
+      <a href="{{ReviewPasswordsUrl}}" clicktracking=off target="_blank"
+        style="display: inline-block; color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; border-radius: 999px; background-color: #175DDC; border-color: #175DDC; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+        Review at-risk passwords
+      </a>
+    </td>
+  </tr>
+</table>
+{{/SecurityTasksHtmlLayout}}
diff --git a/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.text.hbs b/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.text.hbs
new file mode 100644
index 0000000000..ba8650ad10
--- /dev/null
+++ b/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.text.hbs
@@ -0,0 +1,8 @@
+{{#>SecurityTasksHtmlLayout}}
+Keep you and your organization's data safe by changing passwords that are weak, reused, or have been exposed in a data
+breach.
+
+Launch the Bitwarden extension to review your at-risk passwords.
+
+Review at-risk passwords ({{{ReviewPasswordsUrl}}})
+{{/SecurityTasksHtmlLayout}}
diff --git a/src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs b/src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs
new file mode 100644
index 0000000000..7f93ac2439
--- /dev/null
+++ b/src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs
@@ -0,0 +1,12 @@
+namespace Bit.Core.Models.Mail;
+
+public class SecurityTaskNotificationViewModel : BaseMailModel
+{
+    public string OrgName { get; set; }
+
+    public int TaskCount { get; set; }
+
+    public bool TaskCountPlural => TaskCount != 1;
+
+    public string ReviewPasswordsUrl => $"{WebVaultUrl}/browser-extension-prompt";
+}
diff --git a/src/Core/NotificationCenter/Commands/CreateNotificationCommand.cs b/src/Core/NotificationCenter/Commands/CreateNotificationCommand.cs
index 3fddafcdc7..e6eec3f4a8 100644
--- a/src/Core/NotificationCenter/Commands/CreateNotificationCommand.cs
+++ b/src/Core/NotificationCenter/Commands/CreateNotificationCommand.cs
@@ -28,7 +28,7 @@ public class CreateNotificationCommand : ICreateNotificationCommand
         _pushNotificationService = pushNotificationService;
     }
 
-    public async Task<Notification> CreateAsync(Notification notification)
+    public async Task<Notification> CreateAsync(Notification notification, bool sendPush = true)
     {
         notification.CreationDate = notification.RevisionDate = DateTime.UtcNow;
 
@@ -37,7 +37,10 @@ public class CreateNotificationCommand : ICreateNotificationCommand
 
         var newNotification = await _notificationRepository.CreateAsync(notification);
 
-        await _pushNotificationService.PushNotificationAsync(newNotification);
+        if (sendPush)
+        {
+            await _pushNotificationService.PushNotificationAsync(newNotification);
+        }
 
         return newNotification;
     }
diff --git a/src/Core/NotificationCenter/Commands/Interfaces/ICreateNotificationCommand.cs b/src/Core/NotificationCenter/Commands/Interfaces/ICreateNotificationCommand.cs
index a3b4d894e6..cacd69c8ad 100644
--- a/src/Core/NotificationCenter/Commands/Interfaces/ICreateNotificationCommand.cs
+++ b/src/Core/NotificationCenter/Commands/Interfaces/ICreateNotificationCommand.cs
@@ -5,5 +5,5 @@ namespace Bit.Core.NotificationCenter.Commands.Interfaces;
 
 public interface ICreateNotificationCommand
 {
-    Task<Notification> CreateAsync(Notification notification);
+    Task<Notification> CreateAsync(Notification notification, bool sendPush = true);
 }
diff --git a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
index 6bc5b0db6b..a28b21f465 100644
--- a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
+++ b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
@@ -329,6 +329,11 @@ public class NotificationHubPushNotificationService : IPushNotificationService
             GetContextIdentifier(excludeCurrentContext), clientType: clientType);
     }
 
+    public async Task PushPendingSecurityTasksAsync(Guid userId)
+    {
+        await PushUserAsync(userId, PushType.PendingSecurityTasks);
+    }
+
     public async Task SendPayloadToInstallationAsync(string installationId, PushType type, object payload,
         string? identifier, string? deviceId = null, ClientType? clientType = null)
     {
diff --git a/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs b/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
index f88c0641c5..e61dd15f0d 100644
--- a/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
@@ -219,6 +219,11 @@ public class AzureQueuePushNotificationService : IPushNotificationService
         await SendMessageAsync(PushType.NotificationStatus, message, true);
     }
 
+    public async Task PushPendingSecurityTasksAsync(Guid userId)
+    {
+        await PushUserAsync(userId, PushType.PendingSecurityTasks);
+    }
+
     private async Task PushSendAsync(Send send, PushType type)
     {
         if (send.UserId.HasValue)
diff --git a/src/Core/Platform/Push/Services/IPushNotificationService.cs b/src/Core/Platform/Push/Services/IPushNotificationService.cs
index d0f18cd8ac..60f3c35089 100644
--- a/src/Core/Platform/Push/Services/IPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/IPushNotificationService.cs
@@ -38,4 +38,5 @@ public interface IPushNotificationService
         string? deviceId = null, ClientType? clientType = null);
     Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string? identifier,
         string? deviceId = null, ClientType? clientType = null);
+    Task PushPendingSecurityTasksAsync(Guid userId);
 }
diff --git a/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs b/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
index 1f88f5dcc6..490b690a3b 100644
--- a/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
@@ -179,6 +179,12 @@ public class MultiServicePushNotificationService : IPushNotificationService
         return Task.FromResult(0);
     }
 
+    public Task PushPendingSecurityTasksAsync(Guid userId)
+    {
+        PushToServices((s) => s.PushPendingSecurityTasksAsync(userId));
+        return Task.CompletedTask;
+    }
+
     private void PushToServices(Func<IPushNotificationService, Task> pushFunc)
     {
         if (!_services.Any())
diff --git a/src/Core/Platform/Push/Services/NoopPushNotificationService.cs b/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
index e005f9d7af..6e7278cf94 100644
--- a/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
@@ -121,4 +121,9 @@ public class NoopPushNotificationService : IPushNotificationService
     {
         return Task.FromResult(0);
     }
+
+    public Task PushPendingSecurityTasksAsync(Guid userId)
+    {
+        return Task.FromResult(0);
+    }
 }
diff --git a/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs b/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
index 2833c43985..53a0de9a27 100644
--- a/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
@@ -232,6 +232,11 @@ public class NotificationsApiPushNotificationService : BaseIdentityClientService
         await SendMessageAsync(PushType.NotificationStatus, message, true);
     }
 
+    public async Task PushPendingSecurityTasksAsync(Guid userId)
+    {
+        await PushUserAsync(userId, PushType.PendingSecurityTasks);
+    }
+
     private async Task PushSendAsync(Send send, PushType type)
     {
         if (send.UserId.HasValue)
diff --git a/src/Core/Platform/Push/Services/RelayPushNotificationService.cs b/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
index d111efa2a8..53f5835322 100644
--- a/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
@@ -300,6 +300,11 @@ public class RelayPushNotificationService : BaseIdentityClientService, IPushNoti
             false
         );
 
+    public async Task PushPendingSecurityTasksAsync(Guid userId)
+    {
+        await PushUserAsync(userId, PushType.PendingSecurityTasks);
+    }
+
     private async Task SendPayloadToInstallationAsync(PushType type, object payload, bool excludeCurrentContext,
         ClientType? clientType = null)
     {
diff --git a/src/Core/Services/IMailService.cs b/src/Core/Services/IMailService.cs
index 3492ada838..b0b884eb3e 100644
--- a/src/Core/Services/IMailService.cs
+++ b/src/Core/Services/IMailService.cs
@@ -5,6 +5,7 @@ using Bit.Core.Billing.Enums;
 using Bit.Core.Entities;
 using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Models.Mail;
+using Bit.Core.Vault.Models.Data;
 
 namespace Bit.Core.Services;
 
@@ -98,5 +99,5 @@ public interface IMailService
         string organizationName);
     Task SendClaimedDomainUserEmailAsync(ManagedUserDomainClaimedEmails emailList);
     Task SendDeviceApprovalRequestedNotificationEmailAsync(IEnumerable<string> adminEmails, Guid organizationId, string email, string userName);
+    Task SendBulkSecurityTaskNotificationsAsync(string orgName, IEnumerable<UserSecurityTasksCount> securityTaskNotificaitons);
 }
-
diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs
index 44be3bfdf4..c598a9d432 100644
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@@ -15,6 +15,7 @@ using Bit.Core.Models.Mail.Provider;
 using Bit.Core.SecretsManager.Models.Mail;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
+using Bit.Core.Vault.Models.Data;
 using HandlebarsDotNet;
 
 namespace Bit.Core.Services;
@@ -654,6 +655,10 @@ public class HandlebarsMailService : IMailService
         Handlebars.RegisterTemplate("TitleContactUsHtmlLayout", titleContactUsHtmlLayoutSource);
         var titleContactUsTextLayoutSource = await ReadSourceAsync("Layouts.TitleContactUs.text");
         Handlebars.RegisterTemplate("TitleContactUsTextLayout", titleContactUsTextLayoutSource);
+        var securityTasksHtmlLayoutSource = await ReadSourceAsync("Layouts.SecurityTasks.html");
+        Handlebars.RegisterTemplate("SecurityTasksHtmlLayout", securityTasksHtmlLayoutSource);
+        var securityTasksTextLayoutSource = await ReadSourceAsync("Layouts.SecurityTasks.text");
+        Handlebars.RegisterTemplate("SecurityTasksTextLayout", securityTasksTextLayoutSource);
 
         Handlebars.RegisterHelper("date", (writer, context, parameters) =>
         {
@@ -1196,9 +1201,26 @@ public class HandlebarsMailService : IMailService
         await _mailDeliveryService.SendEmailAsync(message);
     }
 
+    public async Task SendBulkSecurityTaskNotificationsAsync(string orgName, IEnumerable<UserSecurityTasksCount> securityTaskNotificaitons)
+    {
+        MailQueueMessage CreateMessage(UserSecurityTasksCount notification)
+        {
+            var message = CreateDefaultMessage($"{orgName} has identified {notification.TaskCount} at-risk password{(notification.TaskCount.Equals(1) ? "" : "s")}", notification.Email);
+            var model = new SecurityTaskNotificationViewModel
+            {
+                OrgName = orgName,
+                TaskCount = notification.TaskCount,
+                WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
+            };
+            message.Category = "SecurityTasksNotification";
+            return new MailQueueMessage(message, "SecurityTasksNotification", model);
+        }
+        var messageModels = securityTaskNotificaitons.Select(CreateMessage);
+        await EnqueueMailAsync(messageModels.ToList());
+    }
+
     private static string GetUserIdentifier(string email, string userName)
     {
         return string.IsNullOrEmpty(userName) ? email : CoreHelpers.SanitizeForEmail(userName, false);
     }
 }
-
diff --git a/src/Core/Services/NoopImplementations/NoopMailService.cs b/src/Core/Services/NoopImplementations/NoopMailService.cs
index 9984f8ee90..5fba545903 100644
--- a/src/Core/Services/NoopImplementations/NoopMailService.cs
+++ b/src/Core/Services/NoopImplementations/NoopMailService.cs
@@ -5,6 +5,7 @@ using Bit.Core.Billing.Enums;
 using Bit.Core.Entities;
 using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Models.Mail;
+using Bit.Core.Vault.Models.Data;
 
 namespace Bit.Core.Services;
 
@@ -322,5 +323,9 @@ public class NoopMailService : IMailService
     {
         return Task.FromResult(0);
     }
-}
 
+    public Task SendBulkSecurityTaskNotificationsAsync(string orgName, IEnumerable<UserSecurityTasksCount> securityTaskNotificaitons)
+    {
+        return Task.FromResult(0);
+    }
+}
diff --git a/src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs b/src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs
new file mode 100644
index 0000000000..58b5f65e0f
--- /dev/null
+++ b/src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs
@@ -0,0 +1,82 @@
+using Bit.Core.Enums;
+using Bit.Core.NotificationCenter.Commands.Interfaces;
+using Bit.Core.NotificationCenter.Entities;
+using Bit.Core.NotificationCenter.Enums;
+using Bit.Core.Platform.Push;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Vault.Commands.Interfaces;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Queries;
+
+public class CreateManyTaskNotificationsCommand : ICreateManyTaskNotificationsCommand
+{
+    private readonly IGetSecurityTasksNotificationDetailsQuery _getSecurityTasksNotificationDetailsQuery;
+    private readonly IOrganizationRepository _organizationRepository;
+    private readonly IMailService _mailService;
+    private readonly ICreateNotificationCommand _createNotificationCommand;
+    private readonly IPushNotificationService _pushNotificationService;
+
+    public CreateManyTaskNotificationsCommand(
+        IGetSecurityTasksNotificationDetailsQuery getSecurityTasksNotificationDetailsQuery,
+        IOrganizationRepository organizationRepository,
+        IMailService mailService,
+        ICreateNotificationCommand createNotificationCommand,
+        IPushNotificationService pushNotificationService)
+    {
+        _getSecurityTasksNotificationDetailsQuery = getSecurityTasksNotificationDetailsQuery;
+        _organizationRepository = organizationRepository;
+        _mailService = mailService;
+        _createNotificationCommand = createNotificationCommand;
+        _pushNotificationService = pushNotificationService;
+    }
+
+    public async Task CreateAsync(Guid orgId, IEnumerable<SecurityTask> securityTasks)
+    {
+        var securityTaskCiphers = await _getSecurityTasksNotificationDetailsQuery.GetNotificationDetailsByManyIds(orgId, securityTasks);
+
+        // Get the number of tasks for each user
+        var userTaskCount = securityTaskCiphers.GroupBy(x => x.UserId).Select(x => new UserSecurityTasksCount
+        {
+            UserId = x.Key,
+            Email = x.First().Email,
+            TaskCount = x.Count()
+        }).ToList();
+
+        var organization = await _organizationRepository.GetByIdAsync(orgId);
+
+        await _mailService.SendBulkSecurityTaskNotificationsAsync(organization.Name, userTaskCount);
+
+        // Break securityTaskCiphers into separate lists by user Id
+        var securityTaskCiphersByUser = securityTaskCiphers.GroupBy(x => x.UserId)
+                                   .ToDictionary(g => g.Key, g => g.ToList());
+
+        foreach (var userId in securityTaskCiphersByUser.Keys)
+        {
+            // Get the security tasks by the user Id
+            var userSecurityTaskCiphers = securityTaskCiphersByUser[userId];
+
+            // Process each user's security task ciphers
+            for (int i = 0; i < userSecurityTaskCiphers.Count; i++)
+            {
+                var userSecurityTaskCipher = userSecurityTaskCiphers[i];
+
+                // Create a notification for the user with the associated task
+                var notification = new Notification
+                {
+                    UserId = userSecurityTaskCipher.UserId,
+                    OrganizationId = orgId,
+                    Priority = Priority.Informational,
+                    ClientType = ClientType.Browser,
+                    TaskId = userSecurityTaskCipher.TaskId
+                };
+
+                await _createNotificationCommand.CreateAsync(notification, false);
+            }
+
+            // Notify the user that they have pending security tasks
+            await _pushNotificationService.PushPendingSecurityTasksAsync(userId);
+        }
+    }
+}
diff --git a/src/Core/Vault/Commands/Interfaces/ICreateManyTaskNotificationsCommand.cs b/src/Core/Vault/Commands/Interfaces/ICreateManyTaskNotificationsCommand.cs
new file mode 100644
index 0000000000..465d9c6fee
--- /dev/null
+++ b/src/Core/Vault/Commands/Interfaces/ICreateManyTaskNotificationsCommand.cs
@@ -0,0 +1,13 @@
+using Bit.Core.Vault.Entities;
+
+namespace Bit.Core.Vault.Commands.Interfaces;
+
+public interface ICreateManyTaskNotificationsCommand
+{
+    /// <summary>
+    /// Creates email and push notifications for the given security tasks.
+    /// </summary>
+    /// <param name="organizationId">The organization Id </param>
+    /// <param name="securityTasks">All applicable security tasks</param>
+    Task CreateAsync(Guid organizationId, IEnumerable<SecurityTask> securityTasks);
+}
diff --git a/src/Core/Vault/Models/Data/UserCipherForTask.cs b/src/Core/Vault/Models/Data/UserCipherForTask.cs
new file mode 100644
index 0000000000..3ddaa141b1
--- /dev/null
+++ b/src/Core/Vault/Models/Data/UserCipherForTask.cs
@@ -0,0 +1,23 @@
+namespace Bit.Core.Vault.Models.Data;
+
+/// <summary>
+/// Minimal data model that represents a User and the associated cipher for a security task.
+/// Only to be used for query responses. For full data model, <see cref="UserSecurityTaskCipher"/>.
+/// </summary>
+public class UserCipherForTask
+{
+    /// <summary>
+    /// The user's Id.
+    /// </summary>
+    public Guid UserId { get; set; }
+
+    /// <summary>
+    /// The user's email.
+    /// </summary>
+    public string Email { get; set; }
+
+    /// <summary>
+    /// The cipher Id of the security task.
+    /// </summary>
+    public Guid CipherId { get; set; }
+}
diff --git a/src/Core/Vault/Models/Data/UserSecurityTaskCipher.cs b/src/Core/Vault/Models/Data/UserSecurityTaskCipher.cs
new file mode 100644
index 0000000000..20e59ec4f7
--- /dev/null
+++ b/src/Core/Vault/Models/Data/UserSecurityTaskCipher.cs
@@ -0,0 +1,27 @@
+namespace Bit.Core.Vault.Models.Data;
+
+/// <summary>
+/// Data model that represents a User and the associated cipher for a security task.
+/// </summary>
+public class UserSecurityTaskCipher
+{
+    /// <summary>
+    /// The user's Id.
+    /// </summary>
+    public Guid UserId { get; set; }
+
+    /// <summary>
+    /// The user's email.
+    /// </summary>
+    public string Email { get; set; }
+
+    /// <summary>
+    /// The cipher Id of the security task.
+    /// </summary>
+    public Guid CipherId { get; set; }
+
+    /// <summary>
+    /// The Id of the security task.
+    /// </summary>
+    public Guid TaskId { get; set; }
+}
diff --git a/src/Core/Vault/Models/Data/UserSecurityTasksCount.cs b/src/Core/Vault/Models/Data/UserSecurityTasksCount.cs
new file mode 100644
index 0000000000..c8d2707db6
--- /dev/null
+++ b/src/Core/Vault/Models/Data/UserSecurityTasksCount.cs
@@ -0,0 +1,22 @@
+namespace Bit.Core.Vault.Models.Data;
+
+/// <summary>
+/// Data model that represents a User and the amount of actionable security tasks.
+/// </summary>
+public class UserSecurityTasksCount
+{
+    /// <summary>
+    /// The user's Id.
+    /// </summary>
+    public Guid UserId { get; set; }
+
+    /// <summary>
+    /// The user's email.
+    /// </summary>
+    public string Email { get; set; }
+
+    /// <summary>
+    /// The number of actionable security tasks for the respective users.
+    /// </summary>
+    public int TaskCount { get; set; }
+}
diff --git a/src/Core/Vault/Queries/GetSecurityTasksNotificationDetailsQuery.cs b/src/Core/Vault/Queries/GetSecurityTasksNotificationDetailsQuery.cs
new file mode 100644
index 0000000000..00104f1919
--- /dev/null
+++ b/src/Core/Vault/Queries/GetSecurityTasksNotificationDetailsQuery.cs
@@ -0,0 +1,33 @@
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Repositories;
+
+namespace Bit.Core.Vault.Queries;
+
+public class GetSecurityTasksNotificationDetailsQuery : IGetSecurityTasksNotificationDetailsQuery
+{
+    private readonly ICurrentContext _currentContext;
+    private readonly ICipherRepository _cipherRepository;
+
+    public GetSecurityTasksNotificationDetailsQuery(ICurrentContext currentContext, ICipherRepository cipherRepository)
+    {
+        _currentContext = currentContext;
+        _cipherRepository = cipherRepository;
+    }
+
+    public async Task<ICollection<UserSecurityTaskCipher>> GetNotificationDetailsByManyIds(Guid organizationId, IEnumerable<SecurityTask> tasks)
+    {
+        var org = _currentContext.GetOrganization(organizationId);
+
+        if (org == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var userSecurityTaskCiphers = await _cipherRepository.GetUserSecurityTasksByCipherIdsAsync(organizationId, tasks);
+
+        return userSecurityTaskCiphers;
+    }
+}
diff --git a/src/Core/Vault/Queries/IGetSecurityTasksNotificationDetailsQuery.cs b/src/Core/Vault/Queries/IGetSecurityTasksNotificationDetailsQuery.cs
new file mode 100644
index 0000000000..df81765817
--- /dev/null
+++ b/src/Core/Vault/Queries/IGetSecurityTasksNotificationDetailsQuery.cs
@@ -0,0 +1,16 @@
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Models.Data;
+
+namespace Bit.Core.Vault.Queries;
+
+public interface IGetSecurityTasksNotificationDetailsQuery
+{
+    /// <summary>
+    /// Retrieves all users within the given organization that are applicable to the given security tasks.
+    ///
+    /// <param name="organizationId"></param>
+    /// <param name="tasks"></param>
+    /// <returns>A dictionary of UserIds and the corresponding amount of security tasks applicable to them.</returns>
+    /// </summary>
+    public Task<ICollection<UserSecurityTaskCipher>> GetNotificationDetailsByManyIds(Guid organizationId, IEnumerable<SecurityTask> tasks);
+}
diff --git a/src/Core/Vault/Repositories/ICipherRepository.cs b/src/Core/Vault/Repositories/ICipherRepository.cs
index 2950cb99c2..b094b42044 100644
--- a/src/Core/Vault/Repositories/ICipherRepository.cs
+++ b/src/Core/Vault/Repositories/ICipherRepository.cs
@@ -4,6 +4,7 @@ using Bit.Core.Repositories;
 using Bit.Core.Vault.Entities;
 using Bit.Core.Vault.Models.Data;
 
+
 namespace Bit.Core.Vault.Repositories;
 
 public interface ICipherRepository : IRepository<Cipher, Guid>
@@ -49,6 +50,13 @@ public interface ICipherRepository : IRepository<Cipher, Guid>
     Task<ICollection<OrganizationCipherPermission>> GetCipherPermissionsForOrganizationAsync(Guid organizationId,
         Guid userId);
 
+    /// <summary>
+    /// Returns the users and the cipher ids for security tawsks that are applicable to them.
+    ///
+    /// Security tasks are actionable when a user has manage access to the associated cipher.
+    /// </summary>
+    Task<ICollection<UserSecurityTaskCipher>> GetUserSecurityTasksByCipherIdsAsync(Guid organizationId, IEnumerable<SecurityTask> tasks);
+
     /// <summary>
     /// Updates encrypted data for ciphers during a key rotation
     /// </summary>
diff --git a/src/Core/Vault/VaultServiceCollectionExtensions.cs b/src/Core/Vault/VaultServiceCollectionExtensions.cs
index fcb9259135..1f361cb613 100644
--- a/src/Core/Vault/VaultServiceCollectionExtensions.cs
+++ b/src/Core/Vault/VaultServiceCollectionExtensions.cs
@@ -21,6 +21,8 @@ public static class VaultServiceCollectionExtensions
         services.AddScoped<IMarkTaskAsCompleteCommand, MarkTaskAsCompletedCommand>();
         services.AddScoped<IGetCipherPermissionsForUserQuery, GetCipherPermissionsForUserQuery>();
         services.AddScoped<IGetTasksForOrganizationQuery, GetTasksForOrganizationQuery>();
+        services.AddScoped<IGetSecurityTasksNotificationDetailsQuery, GetSecurityTasksNotificationDetailsQuery>();
+        services.AddScoped<ICreateManyTaskNotificationsCommand, CreateManyTaskNotificationsCommand>();
         services.AddScoped<ICreateManyTasksCommand, CreateManyTasksCommand>();
     }
 }
diff --git a/src/Infrastructure.Dapper/Vault/Repositories/CipherRepository.cs b/src/Infrastructure.Dapper/Vault/Repositories/CipherRepository.cs
index b8304fbbb0..b85f1991f7 100644
--- a/src/Infrastructure.Dapper/Vault/Repositories/CipherRepository.cs
+++ b/src/Infrastructure.Dapper/Vault/Repositories/CipherRepository.cs
@@ -323,6 +323,28 @@ public class CipherRepository : Repository<Cipher, Guid>, ICipherRepository
         }
     }
 
+    public async Task<ICollection<UserSecurityTaskCipher>> GetUserSecurityTasksByCipherIdsAsync(
+        Guid organizationId, IEnumerable<SecurityTask> tasks)
+    {
+        var cipherIds = tasks.Where(t => t.CipherId.HasValue).Select(t => t.CipherId.Value).Distinct().ToList();
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+
+            var results = await connection.QueryAsync<UserCipherForTask>(
+                $"[{Schema}].[UserSecurityTasks_GetManyByCipherIds]",
+                new { OrganizationId = organizationId, CipherIds = cipherIds.ToGuidIdArrayTVP() },
+                commandType: CommandType.StoredProcedure);
+
+            return results.Select(r => new UserSecurityTaskCipher
+            {
+                UserId = r.UserId,
+                Email = r.Email,
+                CipherId = r.CipherId,
+                TaskId = tasks.First(t => t.CipherId == r.CipherId).Id
+            }).ToList();
+        }
+    }
+
     /// <inheritdoc />
     public UpdateEncryptedDataForKeyRotation UpdateForKeyRotation(
         Guid userId, IEnumerable<Cipher> ciphers)
diff --git a/src/Infrastructure.EntityFramework/Vault/Repositories/CipherRepository.cs b/src/Infrastructure.EntityFramework/Vault/Repositories/CipherRepository.cs
index 9c91609b1b..e4930cb795 100644
--- a/src/Infrastructure.EntityFramework/Vault/Repositories/CipherRepository.cs
+++ b/src/Infrastructure.EntityFramework/Vault/Repositories/CipherRepository.cs
@@ -348,6 +348,51 @@ public class CipherRepository : Repository<Core.Vault.Entities.Cipher, Cipher, G
         }
     }
 
+    public async Task<ICollection<UserSecurityTaskCipher>> GetUserSecurityTasksByCipherIdsAsync(Guid organizationId, IEnumerable<Core.Vault.Entities.SecurityTask> tasks)
+    {
+        using (var scope = ServiceScopeFactory.CreateScope())
+        {
+            var cipherIds = tasks.Where(t => t.CipherId.HasValue).Select(t => t.CipherId.Value);
+            var dbContext = GetDatabaseContext(scope);
+            var query = new UserSecurityTasksByCipherIdsQuery(organizationId, cipherIds).Run(dbContext);
+
+            ICollection<UserSecurityTaskCipher> userTaskCiphers;
+
+            // SQLite does not support the GROUP BY clause
+            if (dbContext.Database.IsSqlite())
+            {
+                userTaskCiphers = (await query.ToListAsync())
+                    .GroupBy(c => new { c.UserId, c.Email, c.CipherId })
+                    .Select(g => new UserSecurityTaskCipher
+                    {
+                        UserId = g.Key.UserId,
+                        Email = g.Key.Email,
+                        CipherId = g.Key.CipherId,
+                    }).ToList();
+            }
+            else
+            {
+                var groupByQuery = from p in query
+                                   group p by new { p.UserId, p.Email, p.CipherId }
+                    into g
+                                   select new UserSecurityTaskCipher
+                                   {
+                                       UserId = g.Key.UserId,
+                                       CipherId = g.Key.CipherId,
+                                       Email = g.Key.Email,
+                                   };
+                userTaskCiphers = await groupByQuery.ToListAsync();
+            }
+
+            foreach (var userTaskCipher in userTaskCiphers)
+            {
+                userTaskCipher.TaskId = tasks.First(t => t.CipherId == userTaskCipher.CipherId).Id;
+            }
+
+            return userTaskCiphers;
+        }
+    }
+
     public async Task<CipherDetails> GetByIdAsync(Guid id, Guid userId)
     {
         using (var scope = ServiceScopeFactory.CreateScope())
diff --git a/src/Infrastructure.EntityFramework/Vault/Repositories/Queries/UserSecurityTasksByCipherIdsQuery.cs b/src/Infrastructure.EntityFramework/Vault/Repositories/Queries/UserSecurityTasksByCipherIdsQuery.cs
new file mode 100644
index 0000000000..c36c0d87c4
--- /dev/null
+++ b/src/Infrastructure.EntityFramework/Vault/Repositories/Queries/UserSecurityTasksByCipherIdsQuery.cs
@@ -0,0 +1,71 @@
+using Bit.Core.Vault.Models.Data;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Bit.Infrastructure.EntityFramework.Repositories.Queries;
+
+namespace Bit.Infrastructure.EntityFramework.Vault.Repositories.Queries;
+
+public class UserSecurityTasksByCipherIdsQuery : IQuery<UserCipherForTask>
+{
+    private readonly Guid _organizationId;
+    private readonly IEnumerable<Guid> _cipherIds;
+
+    public UserSecurityTasksByCipherIdsQuery(Guid organizationId, IEnumerable<Guid> cipherIds)
+    {
+        _organizationId = organizationId;
+        _cipherIds = cipherIds;
+    }
+
+    public IQueryable<UserCipherForTask> Run(DatabaseContext dbContext)
+    {
+        var baseCiphers =
+            from c in dbContext.Ciphers
+            where _cipherIds.Contains(c.Id)
+            join o in dbContext.Organizations
+                on c.OrganizationId equals o.Id
+            where o.Id == _organizationId && o.Enabled
+            select c;
+
+        var userPermissions =
+            from c in baseCiphers
+            join cc in dbContext.CollectionCiphers
+                on c.Id equals cc.CipherId
+            join cu in dbContext.CollectionUsers
+                on cc.CollectionId equals cu.CollectionId
+            join ou in dbContext.OrganizationUsers
+                on cu.OrganizationUserId equals ou.Id
+            where ou.OrganizationId == _organizationId
+                && cu.Manage == true
+            select new { ou.UserId, c.Id };
+
+        var groupPermissions =
+            from c in baseCiphers
+            join cc in dbContext.CollectionCiphers
+                on c.Id equals cc.CipherId
+            join cg in dbContext.CollectionGroups
+                on cc.CollectionId equals cg.CollectionId
+            join gu in dbContext.GroupUsers
+                on cg.GroupId equals gu.GroupId
+            join ou in dbContext.OrganizationUsers
+                on gu.OrganizationUserId equals ou.Id
+            where ou.OrganizationId == _organizationId
+                && cg.Manage == true
+                && !userPermissions.Any(up => up.Id == c.Id && up.UserId == ou.UserId)
+            select new { ou.UserId, c.Id };
+
+        return userPermissions.Union(groupPermissions)
+            .Join(
+                dbContext.Users,
+                p => p.UserId,
+                u => u.Id,
+                (p, u) => new { p.UserId, p.Id, u.Email }
+            )
+            .GroupBy(x => new { x.UserId, x.Email, x.Id })
+            .Select(g => new UserCipherForTask
+            {
+                UserId = (Guid)g.Key.UserId,
+                Email = g.Key.Email,
+                CipherId = g.Key.Id
+            })
+            .OrderByDescending(x => x.Email);
+    }
+}
diff --git a/src/Sql/Vault/dbo/Stored Procedures/Cipher/UserSecurityTasks_GetManyByCipherIds.sql b/src/Sql/Vault/dbo/Stored Procedures/Cipher/UserSecurityTasks_GetManyByCipherIds.sql
new file mode 100644
index 0000000000..be39ee9eb6
--- /dev/null
+++ b/src/Sql/Vault/dbo/Stored Procedures/Cipher/UserSecurityTasks_GetManyByCipherIds.sql	
@@ -0,0 +1,67 @@
+CREATE PROCEDURE [dbo].[UserSecurityTasks_GetManyByCipherIds]
+    @OrganizationId UNIQUEIDENTIFIER,
+    @CipherIds AS [dbo].[GuidIdArray] READONLY
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    ;WITH BaseCiphers AS (
+        SELECT C.[Id], C.[OrganizationId]
+        FROM [dbo].[Cipher] C
+        INNER JOIN @CipherIds CI ON C.[Id] = CI.[Id]
+        INNER JOIN [dbo].[Organization] O ON
+            O.[Id] = C.[OrganizationId]
+            AND O.[Id] = @OrganizationId
+            AND O.[Enabled] = 1
+    ),
+    UserPermissions AS (
+        SELECT DISTINCT
+            CC.[CipherId],
+            OU.[UserId],
+            COALESCE(CU.[Manage], 0) as [Manage]
+        FROM [dbo].[CollectionCipher] CC
+        INNER JOIN [dbo].[CollectionUser] CU ON
+            CU.[CollectionId] = CC.[CollectionId]
+        INNER JOIN [dbo].[OrganizationUser] OU ON
+            CU.[OrganizationUserId] = OU.[Id]
+            AND OU.[OrganizationId] = @OrganizationId
+        WHERE COALESCE(CU.[Manage], 0) = 1
+    ),
+    GroupPermissions AS (
+        SELECT DISTINCT
+            CC.[CipherId],
+            OU.[UserId],
+            COALESCE(CG.[Manage], 0) as [Manage]
+        FROM [dbo].[CollectionCipher] CC
+        INNER JOIN [dbo].[CollectionGroup] CG ON
+            CG.[CollectionId] = CC.[CollectionId]
+        INNER JOIN [dbo].[GroupUser] GU ON
+            GU.[GroupId] = CG.[GroupId]
+        INNER JOIN [dbo].[OrganizationUser] OU ON
+            GU.[OrganizationUserId] = OU.[Id]
+            AND OU.[OrganizationId] = @OrganizationId
+        WHERE COALESCE(CG.[Manage], 0) = 1
+            AND NOT EXISTS (
+                SELECT 1
+                FROM UserPermissions UP
+                WHERE UP.[CipherId] = CC.[CipherId]
+                AND UP.[UserId] = OU.[UserId]
+            )
+    ),
+    CombinedPermissions AS (
+        SELECT CipherId, UserId, [Manage]
+        FROM UserPermissions
+        UNION
+        SELECT CipherId, UserId, [Manage]
+        FROM GroupPermissions
+    )
+    SELECT
+        P.[UserId],
+        U.[Email],
+        C.[Id] as CipherId
+    FROM BaseCiphers C
+    INNER JOIN CombinedPermissions P ON P.CipherId = C.[Id]
+    INNER JOIN [dbo].[User] U ON U.[Id] = P.[UserId]
+    WHERE P.[Manage] = 1
+    ORDER BY U.[Email], C.[Id]
+END
diff --git a/test/Core.Test/NotificationCenter/Commands/CreateNotificationCommandTest.cs b/test/Core.Test/NotificationCenter/Commands/CreateNotificationCommandTest.cs
index 3256f2f9cb..3c67cceb2e 100644
--- a/test/Core.Test/NotificationCenter/Commands/CreateNotificationCommandTest.cs
+++ b/test/Core.Test/NotificationCenter/Commands/CreateNotificationCommandTest.cs
@@ -69,4 +69,19 @@ public class CreateNotificationCommandTest
             .Received(0)
             .PushNotificationStatusAsync(Arg.Any<Notification>(), Arg.Any<NotificationStatus>());
     }
+
+    [Theory]
+    [BitAutoData]
+    public async Task CreateAsync_Authorized_NotificationPushSkipped(
+        SutProvider<CreateNotificationCommand> sutProvider,
+        Notification notification)
+    {
+        Setup(sutProvider, notification, true);
+
+        var newNotification = await sutProvider.Sut.CreateAsync(notification, false);
+
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(0)
+            .PushNotificationAsync(newNotification);
+    }
 }
diff --git a/test/Infrastructure.IntegrationTest/Vault/Repositories/CipherRepositoryTests.cs b/test/Infrastructure.IntegrationTest/Vault/Repositories/CipherRepositoryTests.cs
index b64a1ded76..6f02740cf5 100644
--- a/test/Infrastructure.IntegrationTest/Vault/Repositories/CipherRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/Vault/Repositories/CipherRepositoryTests.cs
@@ -704,4 +704,183 @@ public class CipherRepositoryTests
             Data = ""
         });
     }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetUserSecurityTasksByCipherIdsAsync_Works(
+        ICipherRepository cipherRepository,
+        IUserRepository userRepository,
+        ICollectionCipherRepository collectionCipherRepository,
+        ICollectionRepository collectionRepository,
+        IOrganizationRepository organizationRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IGroupRepository groupRepository
+        )
+    {
+        // Users
+        var user1 = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User 1",
+            Email = $"test+{Guid.NewGuid()}@email.com",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+        });
+
+        var user2 = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User 2",
+            Email = $"test+{Guid.NewGuid()}@email.com",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+        });
+
+        // Organization
+        var organization = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = "Test Organization",
+            BillingEmail = user1.Email,
+            Plan = "Test"
+        });
+
+        // Org Users
+        var orgUser1 = await organizationUserRepository.CreateAsync(new OrganizationUser
+        {
+            UserId = user1.Id,
+            OrganizationId = organization.Id,
+            Status = OrganizationUserStatusType.Confirmed,
+            Type = OrganizationUserType.Owner,
+        });
+
+        var orgUser2 = await organizationUserRepository.CreateAsync(new OrganizationUser
+        {
+            UserId = user2.Id,
+            OrganizationId = organization.Id,
+            Status = OrganizationUserStatusType.Confirmed,
+            Type = OrganizationUserType.User,
+        });
+
+        // A group that will be assigned Edit permissions to any collections
+        var editGroup = await groupRepository.CreateAsync(new Group
+        {
+            OrganizationId = organization.Id,
+            Name = "Edit Group",
+        });
+        await groupRepository.UpdateUsersAsync(editGroup.Id, new[] { orgUser1.Id });
+
+        // Add collections to Org
+        var manageCollection = await collectionRepository.CreateAsync(new Collection
+        {
+            Name = "Manage Collection",
+            OrganizationId = organization.Id
+        });
+
+        // Use a 2nd collection to differentiate between the two users
+        var manageCollection2 = await collectionRepository.CreateAsync(new Collection
+        {
+            Name = "Manage Collection 2",
+            OrganizationId = organization.Id
+        });
+        var viewOnlyCollection = await collectionRepository.CreateAsync(new Collection
+        {
+            Name = "View Only Collection",
+            OrganizationId = organization.Id
+        });
+
+        // Ciphers
+        var manageCipher1 = await cipherRepository.CreateAsync(new Cipher
+        {
+            Type = CipherType.Login,
+            OrganizationId = organization.Id,
+            Data = ""
+        });
+
+        var manageCipher2 = await cipherRepository.CreateAsync(new Cipher
+        {
+            Type = CipherType.Login,
+            OrganizationId = organization.Id,
+            Data = ""
+        });
+
+        var viewOnlyCipher = await cipherRepository.CreateAsync(new Cipher
+        {
+            Type = CipherType.Login,
+            OrganizationId = organization.Id,
+            Data = ""
+        });
+
+        await collectionCipherRepository.UpdateCollectionsForAdminAsync(manageCipher1.Id, organization.Id,
+            new List<Guid> { manageCollection.Id });
+
+        await collectionCipherRepository.UpdateCollectionsForAdminAsync(manageCipher2.Id, organization.Id,
+            new List<Guid> { manageCollection2.Id });
+
+        await collectionCipherRepository.UpdateCollectionsForAdminAsync(viewOnlyCipher.Id, organization.Id,
+            new List<Guid> { viewOnlyCollection.Id });
+
+        await collectionRepository.UpdateUsersAsync(manageCollection.Id, new List<CollectionAccessSelection>
+        {
+            new()
+            {
+                Id = orgUser1.Id,
+                HidePasswords = false,
+                ReadOnly = false,
+                Manage = true
+            },
+             new()
+            {
+                Id = orgUser2.Id,
+                HidePasswords = false,
+                ReadOnly = false,
+                Manage = true
+            }
+        });
+
+        // Only add second user to the second manage collection
+        await collectionRepository.UpdateUsersAsync(manageCollection2.Id, new List<CollectionAccessSelection>
+        {
+            new()
+            {
+                Id = orgUser2.Id,
+                HidePasswords = false,
+                ReadOnly = false,
+                Manage = true
+            },
+        });
+
+        await collectionRepository.UpdateUsersAsync(viewOnlyCollection.Id, new List<CollectionAccessSelection>
+        {
+            new()
+            {
+                Id = orgUser1.Id,
+                HidePasswords = false,
+                ReadOnly = false,
+                Manage = false
+            }
+        });
+
+        var securityTasks = new List<SecurityTask>
+        {
+            new SecurityTask { CipherId = manageCipher1.Id, Id = Guid.NewGuid() },
+            new SecurityTask { CipherId = manageCipher2.Id, Id = Guid.NewGuid() },
+            new SecurityTask { CipherId = viewOnlyCipher.Id, Id = Guid.NewGuid() }
+        };
+
+        var userSecurityTaskCiphers = await cipherRepository.GetUserSecurityTasksByCipherIdsAsync(organization.Id, securityTasks);
+
+        Assert.NotEmpty(userSecurityTaskCiphers);
+        Assert.Equal(3, userSecurityTaskCiphers.Count);
+
+        var user1TaskCiphers = userSecurityTaskCiphers.Where(t => t.UserId == user1.Id);
+        Assert.Single(user1TaskCiphers);
+        Assert.Equal(user1.Email, user1TaskCiphers.First().Email);
+        Assert.Equal(user1.Id, user1TaskCiphers.First().UserId);
+        Assert.Equal(manageCipher1.Id, user1TaskCiphers.First().CipherId);
+
+        var user2TaskCiphers = userSecurityTaskCiphers.Where(t => t.UserId == user2.Id);
+        Assert.NotNull(user2TaskCiphers);
+        Assert.Equal(2, user2TaskCiphers.Count());
+        Assert.Equal(user2.Email, user2TaskCiphers.Last().Email);
+        Assert.Equal(user2.Id, user2TaskCiphers.Last().UserId);
+        Assert.Contains(user2TaskCiphers, t => t.CipherId == manageCipher1.Id && t.TaskId == securityTasks[0].Id);
+        Assert.Contains(user2TaskCiphers, t => t.CipherId == manageCipher2.Id && t.TaskId == securityTasks[1].Id);
+    }
 }
diff --git a/util/Migrator/DbScripts/2025-02-11_00_UserSecurityTasks_GetManyByCipherIds.sql b/util/Migrator/DbScripts/2025-02-11_00_UserSecurityTasks_GetManyByCipherIds.sql
new file mode 100644
index 0000000000..6d16f77161
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-02-11_00_UserSecurityTasks_GetManyByCipherIds.sql
@@ -0,0 +1,68 @@
+CREATE OR ALTER PROCEDURE [dbo].[UserSecurityTasks_GetManyByCipherIds]
+    @OrganizationId UNIQUEIDENTIFIER,
+    @CipherIds AS [dbo].[GuidIdArray] READONLY
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    ;WITH BaseCiphers AS (
+        SELECT C.[Id], C.[OrganizationId]
+        FROM [dbo].[Cipher] C
+        INNER JOIN @CipherIds CI ON C.[Id] = CI.[Id]
+        INNER JOIN [dbo].[Organization] O ON
+            O.[Id] = C.[OrganizationId]
+            AND O.[Id] = @OrganizationId
+            AND O.[Enabled] = 1
+    ),
+    UserPermissions AS (
+        SELECT DISTINCT
+            CC.[CipherId],
+            OU.[UserId],
+            COALESCE(CU.[Manage], 0) as [Manage]
+        FROM [dbo].[CollectionCipher] CC
+        INNER JOIN [dbo].[CollectionUser] CU ON
+            CU.[CollectionId] = CC.[CollectionId]
+        INNER JOIN [dbo].[OrganizationUser] OU ON
+            CU.[OrganizationUserId] = OU.[Id]
+            AND OU.[OrganizationId] = @OrganizationId
+        WHERE COALESCE(CU.[Manage], 0) = 1
+    ),
+    GroupPermissions AS (
+        SELECT DISTINCT
+            CC.[CipherId],
+            OU.[UserId],
+            COALESCE(CG.[Manage], 0) as [Manage]
+        FROM [dbo].[CollectionCipher] CC
+        INNER JOIN [dbo].[CollectionGroup] CG ON
+            CG.[CollectionId] = CC.[CollectionId]
+        INNER JOIN [dbo].[GroupUser] GU ON
+            GU.[GroupId] = CG.[GroupId]
+        INNER JOIN [dbo].[OrganizationUser] OU ON
+            GU.[OrganizationUserId] = OU.[Id]
+            AND OU.[OrganizationId] = @OrganizationId
+        WHERE COALESCE(CG.[Manage], 0) = 1
+            AND NOT EXISTS (
+                SELECT 1
+                FROM UserPermissions UP
+                WHERE UP.[CipherId] = CC.[CipherId]
+                AND UP.[UserId] = OU.[UserId]
+            )
+    ),
+    CombinedPermissions AS (
+        SELECT CipherId, UserId, [Manage]
+        FROM UserPermissions
+        UNION
+        SELECT CipherId, UserId, [Manage]
+        FROM GroupPermissions
+    )
+    SELECT
+        P.[UserId],
+        U.[Email],
+        C.[Id] as CipherId
+    FROM BaseCiphers C
+    INNER JOIN CombinedPermissions P ON P.CipherId = C.[Id]
+    INNER JOIN [dbo].[User] U ON U.[Id] = P.[UserId]
+    WHERE P.[Manage] = 1
+    ORDER BY U.[Email], C.[Id]
+END
+GO

From 4c5bf495f31f42036d492b088535b28590037aa1 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 27 Feb 2025 09:54:28 -0500
Subject: [PATCH 321/384] [deps] Auth: Update Duende.IdentityServer to 7.1.0
 (#5293)

* [deps] Auth: Update Duende.IdentityServer to 7.1.0

* fix(identity): fixing name space for Identity 7.1.0 update

* fix: formatting

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Ike Kottlowski <ikottlowski@bitwarden.com>
---
 bitwarden_license/src/Scim/Startup.cs                           | 2 +-
 .../src/Scim/Utilities/ApiKeyAuthenticationHandler.cs           | 2 +-
 bitwarden_license/src/Sso/Controllers/AccountController.cs      | 2 +-
 .../src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs    | 2 +-
 src/Api/Startup.cs                                              | 2 +-
 src/Core/Core.csproj                                            | 2 +-
 src/Core/Services/Implementations/LicensingService.cs           | 2 +-
 src/Core/Utilities/CoreHelpers.cs                               | 2 +-
 src/Events/Startup.cs                                           | 2 +-
 src/Identity/Controllers/SsoController.cs                       | 2 +-
 src/Identity/IdentityServer/ApiResources.cs                     | 2 +-
 src/Identity/IdentityServer/ClientStore.cs                      | 2 +-
 .../RequestValidators/CustomTokenRequestValidator.cs            | 2 +-
 src/Notifications/Startup.cs                                    | 2 +-
 src/Notifications/SubjectUserIdProvider.cs                      | 2 +-
 src/SharedWeb/Utilities/ServiceCollectionExtensions.cs          | 2 +-
 test/Core.Test/Utilities/CoreHelpersTests.cs                    | 2 +-
 .../Endpoints/IdentityServerSsoTests.cs                         | 2 +-
 .../Endpoints/IdentityServerTwoFactorTests.cs                   | 2 +-
 19 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/bitwarden_license/src/Scim/Startup.cs b/bitwarden_license/src/Scim/Startup.cs
index 3fac669eda..edbbf34aea 100644
--- a/bitwarden_license/src/Scim/Startup.cs
+++ b/bitwarden_license/src/Scim/Startup.cs
@@ -8,7 +8,7 @@ using Bit.Core.Utilities;
 using Bit.Scim.Context;
 using Bit.Scim.Utilities;
 using Bit.SharedWeb.Utilities;
-using IdentityModel;
+using Duende.IdentityModel;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Stripe;
 
diff --git a/bitwarden_license/src/Scim/Utilities/ApiKeyAuthenticationHandler.cs b/bitwarden_license/src/Scim/Utilities/ApiKeyAuthenticationHandler.cs
index 4e7e7ceb7a..6ebffb73cd 100644
--- a/bitwarden_license/src/Scim/Utilities/ApiKeyAuthenticationHandler.cs
+++ b/bitwarden_license/src/Scim/Utilities/ApiKeyAuthenticationHandler.cs
@@ -3,7 +3,7 @@ using System.Text.Encodings.Web;
 using Bit.Core.Enums;
 using Bit.Core.Repositories;
 using Bit.Scim.Context;
-using IdentityModel;
+using Duende.IdentityModel;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.Extensions.Options;
diff --git a/bitwarden_license/src/Sso/Controllers/AccountController.cs b/bitwarden_license/src/Sso/Controllers/AccountController.cs
index f41d2d3c65..ada6b20c29 100644
--- a/bitwarden_license/src/Sso/Controllers/AccountController.cs
+++ b/bitwarden_license/src/Sso/Controllers/AccountController.cs
@@ -19,10 +19,10 @@ using Bit.Core.Tokens;
 using Bit.Core.Utilities;
 using Bit.Sso.Models;
 using Bit.Sso.Utilities;
+using Duende.IdentityModel;
 using Duende.IdentityServer;
 using Duende.IdentityServer.Services;
 using Duende.IdentityServer.Stores;
-using IdentityModel;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
diff --git a/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs b/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
index 8bde8f84a1..804a323109 100644
--- a/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
+++ b/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
@@ -7,9 +7,9 @@ using Bit.Core.Settings;
 using Bit.Core.Utilities;
 using Bit.Sso.Models;
 using Bit.Sso.Utilities;
+using Duende.IdentityModel;
 using Duende.IdentityServer;
 using Duende.IdentityServer.Infrastructure;
-using IdentityModel;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.Extensions.Options;
diff --git a/src/Api/Startup.cs b/src/Api/Startup.cs
index a341257259..5849bfb634 100644
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@@ -5,7 +5,7 @@ using Bit.Core.Settings;
 using AspNetCoreRateLimit;
 using Stripe;
 using Bit.Core.Utilities;
-using IdentityModel;
+using Duende.IdentityModel;
 using System.Globalization;
 using Bit.Api.AdminConsole.Models.Request.Organizations;
 using Bit.Api.Auth.Models.Request;
diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index ff5e929f18..8a8de3d77d 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -52,7 +52,7 @@
     <PackageReference Include="Serilog.Extensions.Logging" Version="8.0.0" />
     <PackageReference Include="Serilog.Extensions.Logging.File" Version="3.0.0" />
     <PackageReference Include="Sentry.Serilog" Version="5.0.0" />
-    <PackageReference Include="Duende.IdentityServer" Version="7.0.8" />
+    <PackageReference Include="Duende.IdentityServer" Version="7.1.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
     <PackageReference Include="Serilog.Sinks.SyslogMessages" Version="4.0.0" />
     <PackageReference Include="AspNetCoreRateLimit" Version="5.0.0" />
diff --git a/src/Core/Services/Implementations/LicensingService.cs b/src/Core/Services/Implementations/LicensingService.cs
index dd603b4b63..8ecd337a16 100644
--- a/src/Core/Services/Implementations/LicensingService.cs
+++ b/src/Core/Services/Implementations/LicensingService.cs
@@ -12,7 +12,7 @@ using Bit.Core.Models.Business;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
-using IdentityModel;
+using Duende.IdentityModel;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
diff --git a/src/Core/Utilities/CoreHelpers.cs b/src/Core/Utilities/CoreHelpers.cs
index af985914c6..d7fe51cfb6 100644
--- a/src/Core/Utilities/CoreHelpers.cs
+++ b/src/Core/Utilities/CoreHelpers.cs
@@ -18,7 +18,7 @@ using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Identity;
 using Bit.Core.Settings;
-using IdentityModel;
+using Duende.IdentityModel;
 using Microsoft.AspNetCore.DataProtection;
 using MimeKit;
 
diff --git a/src/Events/Startup.cs b/src/Events/Startup.cs
index 57af285b03..a9be60ce8a 100644
--- a/src/Events/Startup.cs
+++ b/src/Events/Startup.cs
@@ -6,7 +6,7 @@ using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
 using Bit.SharedWeb.Utilities;
-using IdentityModel;
+using Duende.IdentityModel;
 
 namespace Bit.Events;
 
diff --git a/src/Identity/Controllers/SsoController.cs b/src/Identity/Controllers/SsoController.cs
index f3dc301a61..d377573c7e 100644
--- a/src/Identity/Controllers/SsoController.cs
+++ b/src/Identity/Controllers/SsoController.cs
@@ -5,9 +5,9 @@ using Bit.Core.Entities;
 using Bit.Core.Models.Api;
 using Bit.Core.Repositories;
 using Bit.Identity.Models;
+using Duende.IdentityModel;
 using Duende.IdentityServer;
 using Duende.IdentityServer.Services;
-using IdentityModel;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Localization;
 using Microsoft.AspNetCore.Mvc;
diff --git a/src/Identity/IdentityServer/ApiResources.cs b/src/Identity/IdentityServer/ApiResources.cs
index f969d67908..364cbf8619 100644
--- a/src/Identity/IdentityServer/ApiResources.cs
+++ b/src/Identity/IdentityServer/ApiResources.cs
@@ -1,7 +1,7 @@
 using Bit.Core.Identity;
 using Bit.Core.IdentityServer;
+using Duende.IdentityModel;
 using Duende.IdentityServer.Models;
-using IdentityModel;
 
 namespace Bit.Identity.IdentityServer;
 
diff --git a/src/Identity/IdentityServer/ClientStore.cs b/src/Identity/IdentityServer/ClientStore.cs
index c204e364ce..23942e6cd2 100644
--- a/src/Identity/IdentityServer/ClientStore.cs
+++ b/src/Identity/IdentityServer/ClientStore.cs
@@ -12,9 +12,9 @@ using Bit.Core.SecretsManager.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
+using Duende.IdentityModel;
 using Duende.IdentityServer.Models;
 using Duende.IdentityServer.Stores;
-using IdentityModel;
 
 namespace Bit.Identity.IdentityServer;
 
diff --git a/src/Identity/IdentityServer/RequestValidators/CustomTokenRequestValidator.cs b/src/Identity/IdentityServer/RequestValidators/CustomTokenRequestValidator.cs
index 597d5257e2..a7c6449ff6 100644
--- a/src/Identity/IdentityServer/RequestValidators/CustomTokenRequestValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/CustomTokenRequestValidator.cs
@@ -11,10 +11,10 @@ using Bit.Core.Platform.Installations;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
+using Duende.IdentityModel;
 using Duende.IdentityServer.Extensions;
 using Duende.IdentityServer.Validation;
 using HandlebarsDotNet;
-using IdentityModel;
 using Microsoft.AspNetCore.Identity;
 
 #nullable enable
diff --git a/src/Notifications/Startup.cs b/src/Notifications/Startup.cs
index 440808b78b..c939d0d2fd 100644
--- a/src/Notifications/Startup.cs
+++ b/src/Notifications/Startup.cs
@@ -3,7 +3,7 @@ using Bit.Core.IdentityServer;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
 using Bit.SharedWeb.Utilities;
-using IdentityModel;
+using Duende.IdentityModel;
 using Microsoft.AspNetCore.SignalR;
 using Microsoft.IdentityModel.Logging;
 
diff --git a/src/Notifications/SubjectUserIdProvider.cs b/src/Notifications/SubjectUserIdProvider.cs
index 261394d06c..6f8e15cc3c 100644
--- a/src/Notifications/SubjectUserIdProvider.cs
+++ b/src/Notifications/SubjectUserIdProvider.cs
@@ -1,4 +1,4 @@
-using IdentityModel;
+using Duende.IdentityModel;
 using Microsoft.AspNetCore.SignalR;
 
 namespace Bit.Notifications;
diff --git a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
index 85bd014c91..144ea1f036 100644
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@@ -50,7 +50,7 @@ using Bit.Core.Vault.Services;
 using Bit.Infrastructure.Dapper;
 using Bit.Infrastructure.EntityFramework;
 using DnsClient;
-using IdentityModel;
+using Duende.IdentityModel;
 using LaunchDarkly.Sdk.Server;
 using LaunchDarkly.Sdk.Server.Interfaces;
 using Microsoft.AspNetCore.Authentication.Cookies;
diff --git a/test/Core.Test/Utilities/CoreHelpersTests.cs b/test/Core.Test/Utilities/CoreHelpersTests.cs
index 264a55b6ee..d006df536b 100644
--- a/test/Core.Test/Utilities/CoreHelpersTests.cs
+++ b/test/Core.Test/Utilities/CoreHelpersTests.cs
@@ -9,7 +9,7 @@ using Bit.Core.Test.AutoFixture.UserFixtures;
 using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
-using IdentityModel;
+using Duende.IdentityModel;
 using Microsoft.AspNetCore.DataProtection;
 using Xunit;
 
diff --git a/test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs b/test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs
index 0189032c24..602d5cfe48 100644
--- a/test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs
+++ b/test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs
@@ -16,9 +16,9 @@ using Bit.Core.Utilities;
 using Bit.Identity.Models.Request.Accounts;
 using Bit.IntegrationTestCommon.Factories;
 using Bit.Test.Common.Helpers;
+using Duende.IdentityModel;
 using Duende.IdentityServer.Models;
 using Duende.IdentityServer.Stores;
-using IdentityModel;
 using Microsoft.EntityFrameworkCore;
 using NSubstitute;
 using Xunit;
diff --git a/test/Identity.IntegrationTest/Endpoints/IdentityServerTwoFactorTests.cs b/test/Identity.IntegrationTest/Endpoints/IdentityServerTwoFactorTests.cs
index 289f321512..6f0ef20295 100644
--- a/test/Identity.IntegrationTest/Endpoints/IdentityServerTwoFactorTests.cs
+++ b/test/Identity.IntegrationTest/Endpoints/IdentityServerTwoFactorTests.cs
@@ -15,9 +15,9 @@ using Bit.Identity.Models.Request.Accounts;
 using Bit.IntegrationTestCommon.Factories;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Bit.Test.Common.Helpers;
+using Duende.IdentityModel;
 using Duende.IdentityServer.Models;
 using Duende.IdentityServer.Stores;
-using IdentityModel;
 using LinqToDB;
 using NSubstitute;
 using Xunit;

From 546b5a08498c7d5bf2398f871c8efbb0430a2f18 Mon Sep 17 00:00:00 2001
From: Brandon Treston <btreston@bitwarden.com>
Date: Thu, 27 Feb 2025 10:21:01 -0500
Subject: [PATCH 322/384] [pm-17804] Fix deferred execution issue in EF
 CreateManyAsync (#5425)

* Add failing repository tests

* test

* clean up comments

---------

Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
---
 .../OrganizationUserRepository.cs             |  1 +
 .../OrganizationUserRepositoryTests.cs        | 70 +++++++++++++++++++
 2 files changed, 71 insertions(+)

diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
index ef6460df0e..0165360099 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
@@ -46,6 +46,7 @@ public class OrganizationUserRepository : Repository<Core.Entities.OrganizationU
 
     public async Task<ICollection<Guid>> CreateManyAsync(IEnumerable<Core.Entities.OrganizationUser> organizationUsers)
     {
+        organizationUsers = organizationUsers.ToList();
         if (!organizationUsers.Any())
         {
             return new List<Guid>();
diff --git a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs
index e82be49173..092ab95a14 100644
--- a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs
@@ -2,6 +2,7 @@
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Repositories;
+using Bit.Core.Utilities;
 using Xunit;
 
 namespace Bit.Infrastructure.IntegrationTest.AdminConsole.Repositories;
@@ -354,4 +355,73 @@ public class OrganizationUserRepositoryTests
         Assert.Single(responseModel);
         Assert.Equal(orgUser1.Id, responseModel.Single().Id);
     }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task CreateManyAsync_NoId_Works(IOrganizationRepository organizationRepository,
+        IUserRepository userRepository,
+        IOrganizationUserRepository organizationUserRepository)
+    {
+        // Arrange
+        var user1 = await userRepository.CreateTestUserAsync("user1");
+        var user2 = await userRepository.CreateTestUserAsync("user2");
+        var user3 = await userRepository.CreateTestUserAsync("user3");
+        List<User> users = [user1, user2, user3];
+
+        var org = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = $"test-{Guid.NewGuid()}",
+            BillingEmail = "billing@example.com", // TODO: EF does not enforce this being NOT NULL
+            Plan = "Test", // TODO: EF does not enforce this being NOT NULl
+        });
+
+        var orgUsers = users.Select(u => new OrganizationUser
+        {
+            OrganizationId = org.Id,
+            UserId = u.Id,
+            Status = OrganizationUserStatusType.Confirmed,
+            Type = OrganizationUserType.Owner
+        });
+
+        var createdOrgUserIds = await organizationUserRepository.CreateManyAsync(orgUsers);
+
+        var readOrgUsers = await organizationUserRepository.GetManyByOrganizationAsync(org.Id, null);
+        var readOrgUserIds = readOrgUsers.Select(ou => ou.Id);
+
+        Assert.Equal(createdOrgUserIds.ToHashSet(), readOrgUserIds.ToHashSet());
+    }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task CreateManyAsync_WithId_Works(IOrganizationRepository organizationRepository,
+        IUserRepository userRepository,
+        IOrganizationUserRepository organizationUserRepository)
+    {
+        // Arrange
+        var user1 = await userRepository.CreateTestUserAsync("user1");
+        var user2 = await userRepository.CreateTestUserAsync("user2");
+        var user3 = await userRepository.CreateTestUserAsync("user3");
+        List<User> users = [user1, user2, user3];
+
+        var org = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = $"test-{Guid.NewGuid()}",
+            BillingEmail = "billing@example.com", // TODO: EF does not enforce this being NOT NULL
+            Plan = "Test", // TODO: EF does not enforce this being NOT NULl
+        });
+
+        var orgUsers = users.Select(u => new OrganizationUser
+        {
+            Id = CoreHelpers.GenerateComb(),    // generate ID ahead of time
+            OrganizationId = org.Id,
+            UserId = u.Id,
+            Status = OrganizationUserStatusType.Confirmed,
+            Type = OrganizationUserType.Owner
+        });
+
+        var createdOrgUserIds = await organizationUserRepository.CreateManyAsync(orgUsers);
+
+        var readOrgUsers = await organizationUserRepository.GetManyByOrganizationAsync(org.Id, null);
+        var readOrgUserIds = readOrgUsers.Select(ou => ou.Id);
+
+        Assert.Equal(createdOrgUserIds.ToHashSet(), readOrgUserIds.ToHashSet());
+    }
 }

From 3533f82d0ff8da19b6b3587ae3fafea585c08c71 Mon Sep 17 00:00:00 2001
From: Graham Walker <ghwtx@icloud.com>
Date: Thu, 27 Feb 2025 09:53:26 -0600
Subject: [PATCH 323/384] Tools/import cipher controller tests (#5436)

* initial commit

* PM-17954 adding unit tests for ImportCiphersController.PostImport
---
 .../ImportCiphersControllerTests.cs           | 363 ++++++++++++++++++
 1 file changed, 363 insertions(+)
 create mode 100644 test/Api.Test/Tools/Controllers/ImportCiphersControllerTests.cs

diff --git a/test/Api.Test/Tools/Controllers/ImportCiphersControllerTests.cs b/test/Api.Test/Tools/Controllers/ImportCiphersControllerTests.cs
new file mode 100644
index 0000000000..c07f9791a3
--- /dev/null
+++ b/test/Api.Test/Tools/Controllers/ImportCiphersControllerTests.cs
@@ -0,0 +1,363 @@
+using System.Security.Claims;
+using AutoFixture;
+using Bit.Api.Models.Request;
+using Bit.Api.Tools.Controllers;
+using Bit.Api.Tools.Models.Request.Accounts;
+using Bit.Api.Tools.Models.Request.Organizations;
+using Bit.Api.Vault.AuthorizationHandlers.Collections;
+using Bit.Api.Vault.Models.Request;
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.Tools.ImportFeatures.Interfaces;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Models.Data;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Authorization;
+using NSubstitute;
+using Xunit;
+using GlobalSettings = Bit.Core.Settings.GlobalSettings;
+
+namespace Bit.Api.Test.Tools.Controllers;
+
+[ControllerCustomize(typeof(ImportCiphersController))]
+[SutProviderCustomize]
+public class ImportCiphersControllerTests
+{
+
+    /*************************
+     * PostImport - Individual
+     *************************/
+    [Theory, BitAutoData]
+    public async Task PostImportIndividual_ImportCiphersRequestModel_BadRequestException(SutProvider<ImportCiphersController> sutProvider, IFixture fixture)
+    {
+        // Arrange
+        sutProvider.GetDependency<Core.Settings.GlobalSettings>()
+            .SelfHosted = false;
+        var ciphers = fixture.CreateMany<CipherRequestModel>(7001).ToArray();
+        var model = new ImportCiphersRequestModel
+        {
+            Ciphers = ciphers,
+            FolderRelationships = null,
+            Folders = null
+        };
+
+        // Act
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.PostImport(model));
+
+        // Assert
+        Assert.Equal("You cannot import this much data at once.", exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task PostImportIndividual_ImportCiphersRequestModel_Success(User user,
+        IFixture fixture, SutProvider<ImportCiphersController> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<GlobalSettings>()
+            .SelfHosted = false;
+
+        sutProvider.GetDependency<Bit.Core.Services.IUserService>()
+            .GetProperUserId(Arg.Any<ClaimsPrincipal>())
+            .Returns(user.Id);
+
+        var request = fixture.Build<ImportCiphersRequestModel>()
+            .With(x => x.Ciphers, fixture.Build<CipherRequestModel>()
+                .With(c => c.OrganizationId, Guid.NewGuid().ToString())
+                .With(c => c.FolderId, Guid.NewGuid().ToString())
+                .CreateMany(1).ToArray())
+            .Create();
+
+        // Act
+        await sutProvider.Sut.PostImport(request);
+
+        // Assert
+        await sutProvider.GetDependency<IImportCiphersCommand>()
+            .Received()
+            .ImportIntoIndividualVaultAsync(
+            Arg.Any<List<Folder>>(),
+            Arg.Any<List<CipherDetails>>(),
+            Arg.Any<IEnumerable<KeyValuePair<int, int>>>()
+            );
+    }
+
+    /****************************
+     * PostImport - Organization
+     ****************************/
+
+    [Theory, BitAutoData]
+    public async Task PostImportOrganization_ImportOrganizationCiphersRequestModel_BadRequestException(SutProvider<ImportCiphersController> sutProvider, IFixture fixture)
+    {
+        // Arrange
+        var globalSettings = sutProvider.GetDependency<Core.Settings.GlobalSettings>();
+        globalSettings.SelfHosted = false;
+        globalSettings.ImportCiphersLimitation = new GlobalSettings.ImportCiphersLimitationSettings()
+        { // limits are set in appsettings.json, making values small for test to run faster.
+            CiphersLimit = 200,
+            CollectionsLimit = 400,
+            CollectionRelationshipsLimit = 20
+        };
+
+        var ciphers = fixture.CreateMany<CipherRequestModel>(201).ToArray();
+        var model = new ImportOrganizationCiphersRequestModel
+        {
+            Collections = null,
+            Ciphers = ciphers,
+            CollectionRelationships = null
+        };
+
+        // Act
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.PostImport(Arg.Any<string>(), model));
+
+        // Assert
+        Assert.Equal("You cannot import this much data at once.", exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task PostImportOrganization_ImportOrganizationCiphersRequestModel_Succeeds(
+        SutProvider<ImportCiphersController> sutProvider,
+        IFixture fixture,
+        User user)
+    {
+        // Arrange
+        var orgId = "AD89E6F8-4E84-4CFE-A978-256CC0DBF974";
+        var orgIdGuid = Guid.Parse(orgId);
+        var existingCollections = fixture.CreateMany<CollectionWithIdRequestModel>(2).ToArray();
+
+        sutProvider.GetDependency<GlobalSettings>().SelfHosted = false;
+
+        sutProvider.GetDependency<Bit.Core.Services.IUserService>()
+            .GetProperUserId(Arg.Any<ClaimsPrincipal>())
+            .Returns(user.Id);
+
+        var request = fixture.Build<ImportOrganizationCiphersRequestModel>()
+            .With(x => x.Ciphers, fixture.Build<CipherRequestModel>()
+                .With(c => c.OrganizationId, Guid.NewGuid().ToString())
+                .With(c => c.FolderId, Guid.NewGuid().ToString())
+                .CreateMany(1).ToArray())
+            .With(y => y.Collections, fixture.Build<CollectionWithIdRequestModel>()
+                .With(c => c.Id, orgIdGuid)
+                .CreateMany(1).ToArray())
+            .Create();
+
+        // AccessImportExport permission setup
+        sutProvider.GetDependency<ICurrentContext>()
+            .AccessImportExport(Arg.Any<Guid>())
+            .Returns(false);
+
+        // BulkCollectionOperations.ImportCiphers permission setup
+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(),
+                Arg.Any<IEnumerable<Collection>>(),
+                Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ImportCiphers)))
+            .Returns(AuthorizationResult.Success());
+
+        // BulkCollectionOperations.Create permission setup
+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(),
+                Arg.Any<IEnumerable<Collection>>(),
+                Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.Create)))
+            .Returns(AuthorizationResult.Success());
+
+        sutProvider.GetDependency<ICollectionRepository>()
+            .GetManyByOrganizationIdAsync(orgIdGuid)
+            .Returns(existingCollections.Select(c => new Collection { Id = orgIdGuid }).ToList());
+
+        // Act
+        await sutProvider.Sut.PostImport(orgId, request);
+
+        // Assert
+        await sutProvider.GetDependency<IImportCiphersCommand>()
+            .Received(1)
+            .ImportIntoOrganizationalVaultAsync(
+                Arg.Any<List<Collection>>(),
+                Arg.Any<List<CipherDetails>>(),
+                Arg.Any<IEnumerable<KeyValuePair<int, int>>>(),
+                Arg.Any<Guid>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task PostImportOrganization_WithAccessImportExport_Succeeds(
+    SutProvider<ImportCiphersController> sutProvider,
+    IFixture fixture,
+    User user)
+    {
+        // Arrange
+        var orgId = "AD89E6F8-4E84-4CFE-A978-256CC0DBF974";
+        var orgIdGuid = Guid.Parse(orgId);
+        var existingCollections = fixture.CreateMany<CollectionWithIdRequestModel>(2).ToArray();
+
+        sutProvider.GetDependency<GlobalSettings>().SelfHosted = false;
+
+        sutProvider.GetDependency<Bit.Core.Services.IUserService>()
+            .GetProperUserId(Arg.Any<ClaimsPrincipal>())
+            .Returns(user.Id);
+
+        var request = fixture.Build<ImportOrganizationCiphersRequestModel>()
+            .With(x => x.Ciphers, fixture.Build<CipherRequestModel>()
+                .With(c => c.OrganizationId, Guid.NewGuid().ToString())
+                .With(c => c.FolderId, Guid.NewGuid().ToString())
+                .CreateMany(1).ToArray())
+            .With(y => y.Collections, fixture.Build<CollectionWithIdRequestModel>()
+                .With(c => c.Id, orgIdGuid)
+                .CreateMany(1).ToArray())
+            .Create();
+
+        // AccessImportExport permission setup
+        sutProvider.GetDependency<ICurrentContext>()
+            .AccessImportExport(Arg.Any<Guid>())
+            .Returns(false);
+
+        // BulkCollectionOperations.ImportCiphers permission setup
+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(),
+                Arg.Any<IEnumerable<Collection>>(),
+                Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ImportCiphers)))
+            .Returns(AuthorizationResult.Success());
+
+        // BulkCollectionOperations.Create permission setup
+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(),
+                Arg.Any<IEnumerable<Collection>>(),
+                Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.Create)))
+            .Returns(AuthorizationResult.Success());
+
+        sutProvider.GetDependency<ICollectionRepository>()
+            .GetManyByOrganizationIdAsync(orgIdGuid)
+            .Returns(existingCollections.Select(c => new Collection { Id = orgIdGuid }).ToList());
+
+        // Act
+        await sutProvider.Sut.PostImport(orgId, request);
+
+        // Assert
+        await sutProvider.GetDependency<IImportCiphersCommand>()
+            .Received(1)
+            .ImportIntoOrganizationalVaultAsync(
+                Arg.Any<List<Collection>>(),
+                Arg.Any<List<CipherDetails>>(),
+                Arg.Any<IEnumerable<KeyValuePair<int, int>>>(),
+                Arg.Any<Guid>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task PostImportOrganization_WithExistingCollectionsAndWithoutImportCiphersPermissions_NotFoundException(
+        SutProvider<ImportCiphersController> sutProvider,
+        IFixture fixture,
+        User user)
+    {
+        // Arrange
+        var orgId = "AD89E6F8-4E84-4CFE-A978-256CC0DBF974";
+        var orgIdGuid = Guid.Parse(orgId);
+        var existingCollections = fixture.CreateMany<CollectionWithIdRequestModel>(2).ToArray();
+
+        sutProvider.GetDependency<GlobalSettings>().SelfHosted = false;
+
+        sutProvider.GetDependency<Bit.Core.Services.IUserService>()
+            .GetProperUserId(Arg.Any<ClaimsPrincipal>())
+            .Returns(user.Id);
+
+        var request = fixture.Build<ImportOrganizationCiphersRequestModel>()
+            .With(x => x.Ciphers, fixture.Build<CipherRequestModel>()
+                .With(c => c.OrganizationId, Guid.NewGuid().ToString())
+                .With(c => c.FolderId, Guid.NewGuid().ToString())
+                .CreateMany(1).ToArray())
+            .With(y => y.Collections, fixture.Build<CollectionWithIdRequestModel>()
+                .With(c => c.Id, orgIdGuid)
+                .CreateMany(1).ToArray())
+            .Create();
+
+        // AccessImportExport permission setup
+        sutProvider.GetDependency<ICurrentContext>()
+            .AccessImportExport(Arg.Any<Guid>())
+            .Returns(false);
+
+        // BulkCollectionOperations.ImportCiphers permission setup
+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(),
+                Arg.Any<IEnumerable<Collection>>(),
+                Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs =>
+                    reqs.Contains(BulkCollectionOperations.ImportCiphers)))
+            .Returns(AuthorizationResult.Failed());
+
+        // BulkCollectionOperations.Create permission setup
+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(),
+                Arg.Any<IEnumerable<Collection>>(),
+                Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs =>
+                    reqs.Contains(BulkCollectionOperations.Create)))
+            .Returns(AuthorizationResult.Success());
+
+        sutProvider.GetDependency<ICollectionRepository>()
+            .GetManyByOrganizationIdAsync(orgIdGuid)
+            .Returns(existingCollections.Select(c => new Collection { Id = orgIdGuid }).ToList());
+
+        // Act
+        var exception = await Assert.ThrowsAsync<Bit.Core.Exceptions.NotFoundException>(() =>
+            sutProvider.Sut.PostImport(orgId, request));
+
+        // Assert
+        Assert.IsType<Bit.Core.Exceptions.NotFoundException>(exception);
+    }
+
+    [Theory, BitAutoData]
+    public async Task PostImportOrganization_WithoutCreatePermissions_NotFoundException(
+        SutProvider<ImportCiphersController> sutProvider,
+        IFixture fixture,
+        User user)
+    {
+        // Arrange
+        var orgId = "AD89E6F8-4E84-4CFE-A978-256CC0DBF974";
+        var orgIdGuid = Guid.Parse(orgId);
+        var existingCollections = fixture.CreateMany<CollectionWithIdRequestModel>(2).ToArray();
+
+        sutProvider.GetDependency<GlobalSettings>().SelfHosted = false;
+
+        sutProvider.GetDependency<Bit.Core.Services.IUserService>()
+            .GetProperUserId(Arg.Any<ClaimsPrincipal>())
+            .Returns(user.Id);
+
+        var request = fixture.Build<ImportOrganizationCiphersRequestModel>()
+            .With(x => x.Ciphers, fixture.Build<CipherRequestModel>()
+                .With(c => c.OrganizationId, Guid.NewGuid().ToString())
+                .With(c => c.FolderId, Guid.NewGuid().ToString())
+                .CreateMany(1).ToArray())
+            .With(y => y.Collections, fixture.Build<CollectionWithIdRequestModel>()
+                .With(c => c.Id, orgIdGuid)
+                .CreateMany(1).ToArray())
+            .Create();
+
+        // AccessImportExport permission setup
+        sutProvider.GetDependency<ICurrentContext>()
+            .AccessImportExport(Arg.Any<Guid>())
+            .Returns(false);
+
+        // BulkCollectionOperations.ImportCiphers permission setup
+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(),
+                Arg.Any<IEnumerable<Collection>>(),
+                Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs =>
+                    reqs.Contains(BulkCollectionOperations.ImportCiphers)))
+            .Returns(AuthorizationResult.Success());
+
+        // BulkCollectionOperations.Create permission setup
+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(),
+                Arg.Any<IEnumerable<Collection>>(),
+                Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs =>
+                    reqs.Contains(BulkCollectionOperations.Create)))
+            .Returns(AuthorizationResult.Failed());
+
+        sutProvider.GetDependency<ICollectionRepository>()
+            .GetManyByOrganizationIdAsync(orgIdGuid)
+            .Returns(existingCollections.Select(c => new Collection { Id = orgIdGuid }).ToList());
+
+        // Act
+        var exception = await Assert.ThrowsAsync<Bit.Core.Exceptions.NotFoundException>(() =>
+            sutProvider.Sut.PostImport(orgId, request));
+
+        // Assert
+        Assert.IsType<Bit.Core.Exceptions.NotFoundException>(exception);
+    }
+}

From 8354929ff16b51643f2bcfd9b9c2842c9aa3f286 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin <kspearrin@users.noreply.github.com>
Date: Thu, 27 Feb 2025 11:01:40 -0500
Subject: [PATCH 324/384] [PM-18608] Don't require new device verification on
 newly created accounts (#5440)

* Limit new device verification to aged accounts

* set user creation date context for test

* formatting
---
 .../RequestValidators/DeviceValidator.cs      |  7 +++++
 .../IdentityServer/DeviceValidatorTests.cs    | 29 +++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs b/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
index 17d16f5949..3ddc28c0e1 100644
--- a/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
@@ -120,6 +120,13 @@ public class DeviceValidator(
             return DeviceValidationResultType.Success;
         }
 
+        // User is newly registered, so don't require new device verification
+        var createdSpan = DateTime.UtcNow - user.CreationDate;
+        if (createdSpan < TimeSpan.FromHours(24))
+        {
+            return DeviceValidationResultType.Success;
+        }
+
         // CS exception flow
         // Check cache for user information
         var cacheKey = string.Format(AuthConstants.NewDeviceVerificationExceptionCacheKeyFormat, user.Id.ToString());
diff --git a/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs b/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
index fddcf2005d..b71dd6c230 100644
--- a/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
+++ b/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
@@ -447,6 +447,31 @@ public class DeviceValidatorTests
         Assert.NotNull(context.Device);
     }
 
+    [Theory, BitAutoData]
+    public async void HandleNewDeviceVerificationAsync_NewlyCreated_ReturnsSuccess(
+        CustomValidatorRequestContext context,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        ArrangeForHandleNewDeviceVerificationTest(context, request);
+        _featureService.IsEnabled(FeatureFlagKeys.NewDeviceVerification).Returns(true);
+        _globalSettings.EnableNewDeviceVerification = true;
+        _distributedCache.GetAsync(Arg.Any<string>()).Returns(null as byte[]);
+        context.User.CreationDate = DateTime.UtcNow - TimeSpan.FromHours(23);
+
+        // Act
+        var result = await _sut.ValidateRequestDeviceAsync(request, context);
+
+        // Assert
+        await _userService.Received(0).SendOTPAsync(context.User);
+        await _deviceService.Received(1).SaveAsync(Arg.Any<Device>());
+
+        Assert.True(result);
+        Assert.False(context.CustomResponse.ContainsKey("ErrorModel"));
+        Assert.Equal(context.User.Id, context.Device.UserId);
+        Assert.NotNull(context.Device);
+    }
+
     [Theory, BitAutoData]
     public async void HandleNewDeviceVerificationAsync_UserHasCacheValue_ReturnsSuccess(
         CustomValidatorRequestContext context,
@@ -633,5 +658,9 @@ public class DeviceValidatorTests
         request.GrantType = "password";
         context.TwoFactorRequired = false;
         context.SsoRequired = false;
+        if (context.User != null)
+        {
+            context.User.CreationDate = DateTime.UtcNow - TimeSpan.FromDays(365);
+        }
     }
 }

From 326ecebba1756001fd7522f645f7795fea2c7c12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Garc=C3=ADa?=
 <dani-garcia@users.noreply.github.com>
Date: Thu, 27 Feb 2025 17:43:07 +0100
Subject: [PATCH 325/384] Fix SDK bindings generation (#5450)

---
 src/Api/Utilities/ServiceCollectionExtensions.cs              | 2 --
 .../Requests/Accounts/PreviewIndividualInvoiceRequestModel.cs | 4 ++--
 .../Organizations/PreviewOrganizationInvoiceRequestModel.cs   | 4 ++--
 3 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/src/Api/Utilities/ServiceCollectionExtensions.cs b/src/Api/Utilities/ServiceCollectionExtensions.cs
index be106786e8..feeac03e54 100644
--- a/src/Api/Utilities/ServiceCollectionExtensions.cs
+++ b/src/Api/Utilities/ServiceCollectionExtensions.cs
@@ -36,8 +36,6 @@ public static class ServiceCollectionExtensions
                 }
             });
 
-            config.CustomSchemaIds(type => type.FullName);
-
             config.SwaggerDoc("internal", new OpenApiInfo { Title = "Bitwarden Internal API", Version = "latest" });
 
             config.AddSecurityDefinition("oauth2-client-credentials", new OpenApiSecurityScheme
diff --git a/src/Core/Billing/Models/Api/Requests/Accounts/PreviewIndividualInvoiceRequestModel.cs b/src/Core/Billing/Models/Api/Requests/Accounts/PreviewIndividualInvoiceRequestModel.cs
index 6dfb9894d5..8597cea09b 100644
--- a/src/Core/Billing/Models/Api/Requests/Accounts/PreviewIndividualInvoiceRequestModel.cs
+++ b/src/Core/Billing/Models/Api/Requests/Accounts/PreviewIndividualInvoiceRequestModel.cs
@@ -5,13 +5,13 @@ namespace Bit.Core.Billing.Models.Api.Requests.Accounts;
 public class PreviewIndividualInvoiceRequestBody
 {
     [Required]
-    public PasswordManagerRequestModel PasswordManager { get; set; }
+    public IndividualPasswordManagerRequestModel PasswordManager { get; set; }
 
     [Required]
     public TaxInformationRequestModel TaxInformation { get; set; }
 }
 
-public class PasswordManagerRequestModel
+public class IndividualPasswordManagerRequestModel
 {
     [Range(0, int.MaxValue)]
     public int AdditionalStorage { get; set; }
diff --git a/src/Core/Billing/Models/Api/Requests/Organizations/PreviewOrganizationInvoiceRequestModel.cs b/src/Core/Billing/Models/Api/Requests/Organizations/PreviewOrganizationInvoiceRequestModel.cs
index 18d9c352d7..466c32f42d 100644
--- a/src/Core/Billing/Models/Api/Requests/Organizations/PreviewOrganizationInvoiceRequestModel.cs
+++ b/src/Core/Billing/Models/Api/Requests/Organizations/PreviewOrganizationInvoiceRequestModel.cs
@@ -8,7 +8,7 @@ public class PreviewOrganizationInvoiceRequestBody
     public Guid OrganizationId { get; set; }
 
     [Required]
-    public PasswordManagerRequestModel PasswordManager { get; set; }
+    public OrganizationPasswordManagerRequestModel PasswordManager { get; set; }
 
     public SecretsManagerRequestModel SecretsManager { get; set; }
 
@@ -16,7 +16,7 @@ public class PreviewOrganizationInvoiceRequestBody
     public TaxInformationRequestModel TaxInformation { get; set; }
 }
 
-public class PasswordManagerRequestModel
+public class OrganizationPasswordManagerRequestModel
 {
     public PlanType Plan { get; set; }
 

From 63f1c3cee3a4ee4232e90a82ad6460e0171e1d5c Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Thu, 27 Feb 2025 16:30:25 -0500
Subject: [PATCH 326/384] [PM-18086] Add CanRestore and CanDelete authorization
 methods. (#5407)

---
 .../Permissions/NormalCipherPermissions.cs    |  38 +++++
 .../NormalCipherPermissionTests.cs            | 150 ++++++++++++++++++
 2 files changed, 188 insertions(+)
 create mode 100644 src/Core/Vault/Authorization/Permissions/NormalCipherPermissions.cs
 create mode 100644 test/Core.Test/Vault/Authorization/Permissions/NormalCipherPermissionTests.cs

diff --git a/src/Core/Vault/Authorization/Permissions/NormalCipherPermissions.cs b/src/Core/Vault/Authorization/Permissions/NormalCipherPermissions.cs
new file mode 100644
index 0000000000..fbd553d772
--- /dev/null
+++ b/src/Core/Vault/Authorization/Permissions/NormalCipherPermissions.cs
@@ -0,0 +1,38 @@
+#nullable enable
+using Bit.Core.Entities;
+using Bit.Core.Models.Data.Organizations;
+using Bit.Core.Vault.Models.Data;
+
+namespace Bit.Core.Vault.Authorization.Permissions;
+
+public class NormalCipherPermissions
+{
+    public static bool CanDelete(User user, CipherDetails cipherDetails, OrganizationAbility? organizationAbility)
+    {
+        if (cipherDetails.OrganizationId == null && cipherDetails.UserId == null)
+        {
+            throw new Exception("Cipher needs to belong to a user or an organization.");
+        }
+
+        if (user.Id == cipherDetails.UserId)
+        {
+            return true;
+        }
+
+        if (organizationAbility?.Id != cipherDetails.OrganizationId)
+        {
+            throw new Exception("Cipher does not belong to the input organization.");
+        }
+
+        if (organizationAbility is { LimitItemDeletion: true })
+        {
+            return cipherDetails.Manage;
+        }
+        return cipherDetails.Manage || cipherDetails.Edit;
+    }
+
+    public static bool CanRestore(User user, CipherDetails cipherDetails, OrganizationAbility? organizationAbility)
+    {
+        return CanDelete(user, cipherDetails, organizationAbility);
+    }
+}
diff --git a/test/Core.Test/Vault/Authorization/Permissions/NormalCipherPermissionTests.cs b/test/Core.Test/Vault/Authorization/Permissions/NormalCipherPermissionTests.cs
new file mode 100644
index 0000000000..9d18adc3a6
--- /dev/null
+++ b/test/Core.Test/Vault/Authorization/Permissions/NormalCipherPermissionTests.cs
@@ -0,0 +1,150 @@
+using Bit.Core.Entities;
+using Bit.Core.Models.Data.Organizations;
+using Bit.Core.Vault.Authorization.Permissions;
+using Bit.Core.Vault.Models.Data;
+using Xunit;
+
+namespace Bit.Core.Test.Vault.Authorization.Permissions;
+
+public class NormalCipherPermissionTests
+{
+    [Theory]
+    [InlineData(true, true, true, true)]
+    [InlineData(true, false, false, false)]
+    [InlineData(false, true, false, true)]
+    [InlineData(false, false, true, true)]
+    [InlineData(false, false, false, false)]
+    public void CanRestore_WhenCipherIsOwnedByOrganization(
+        bool limitItemDeletion, bool manage, bool edit, bool expectedResult)
+    {
+        // Arrange
+        var user = new User { Id = Guid.Empty };
+        var organizationId = Guid.NewGuid();
+        var cipherDetails = new CipherDetails { Manage = manage, Edit = edit, UserId = null, OrganizationId = organizationId };
+        var organizationAbility = new OrganizationAbility { Id = organizationId, LimitItemDeletion = limitItemDeletion };
+
+        // Act
+        var result = NormalCipherPermissions.CanRestore(user, cipherDetails, organizationAbility);
+
+        // Assert
+        Assert.Equal(result, expectedResult);
+    }
+
+    [Fact]
+    public void CanRestore_WhenCipherIsOwnedByUser()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var user = new User { Id = userId };
+        var cipherDetails = new CipherDetails { UserId = userId };
+        var organizationAbility = new OrganizationAbility { };
+
+        // Act
+        var result = NormalCipherPermissions.CanRestore(user, cipherDetails, organizationAbility);
+
+        // Assert
+        Assert.True(result);
+    }
+
+    [Fact]
+    public void CanRestore_WhenCipherHasNoOwner_ShouldThrowException()
+    {
+        // Arrange
+        var user = new User { Id = Guid.NewGuid() };
+        var cipherDetails = new CipherDetails { UserId = null };
+
+
+        // Act
+        // Assert
+        Assert.Throws<Exception>(() => NormalCipherPermissions.CanRestore(user, cipherDetails, null));
+    }
+
+    public static List<object[]> TestCases =>
+    [
+        new object[] { new OrganizationAbility { Id = Guid.Empty } },
+        new object[] { null },
+    ];
+
+    [Theory]
+    [MemberData(nameof(TestCases))]
+    public void CanRestore_WhenCipherDoesNotBelongToInputOrganization_ShouldThrowException(OrganizationAbility? organizationAbility)
+    {
+        // Arrange
+        var user = new User { Id = Guid.NewGuid() };
+        var cipherDetails = new CipherDetails { UserId = null, OrganizationId = Guid.NewGuid() };
+
+        // Act
+        var exception = Assert.Throws<Exception>(() => NormalCipherPermissions.CanDelete(user, cipherDetails, organizationAbility));
+
+        // Assert
+        Assert.Equal("Cipher does not belong to the input organization.", exception.Message);
+    }
+
+    [Theory]
+    [InlineData(true, true, true, true)]
+    [InlineData(true, false, false, false)]
+    [InlineData(false, true, false, true)]
+    [InlineData(false, false, true, true)]
+    [InlineData(false, false, false, false)]
+    public void CanDelete_WhenCipherIsOwnedByOrganization(
+        bool limitItemDeletion, bool manage, bool edit, bool expectedResult)
+    {
+        // Arrange
+        var user = new User { Id = Guid.Empty };
+        var organizationId = Guid.NewGuid();
+        var cipherDetails = new CipherDetails { Manage = manage, Edit = edit, UserId = null, OrganizationId = organizationId };
+        var organizationAbility = new OrganizationAbility { Id = organizationId, LimitItemDeletion = limitItemDeletion };
+
+        // Act
+        var result = NormalCipherPermissions.CanRestore(user, cipherDetails, organizationAbility);
+
+        // Assert
+        Assert.Equal(result, expectedResult);
+    }
+
+    [Fact]
+    public void CanDelete_WhenCipherIsOwnedByUser()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var user = new User { Id = userId };
+        var cipherDetails = new CipherDetails { UserId = userId };
+        var organizationAbility = new OrganizationAbility { };
+
+        // Act
+        var result = NormalCipherPermissions.CanDelete(user, cipherDetails, organizationAbility);
+
+        // Assert
+        Assert.True(result);
+    }
+
+    [Fact]
+    public void CanDelete_WhenCipherHasNoOwner_ShouldThrowException()
+    {
+        // Arrange
+        var user = new User { Id = Guid.NewGuid() };
+        var cipherDetails = new CipherDetails { UserId = null };
+
+
+        // Act
+        var exception = Assert.Throws<Exception>(() => NormalCipherPermissions.CanDelete(user, cipherDetails, null));
+
+        // Assert
+        Assert.Equal("Cipher needs to belong to a user or an organization.", exception.Message);
+    }
+
+    [Theory]
+    [MemberData(nameof(TestCases))]
+    public void CanDelete_WhenCipherDoesNotBelongToInputOrganization_ShouldThrowException(OrganizationAbility? organizationAbility)
+    {
+        // Arrange
+        var user = new User { Id = Guid.NewGuid() };
+        var cipherDetails = new CipherDetails { UserId = null, OrganizationId = Guid.NewGuid() };
+
+        // Act
+        var exception = Assert.Throws<Exception>(() => NormalCipherPermissions.CanDelete(user, cipherDetails, organizationAbility));
+
+        // Assert
+        Assert.Equal("Cipher does not belong to the input organization.", exception.Message);
+    }
+}

From 0d89409abd7adde0d26158a44f2fd2394c43b4eb Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Fri, 28 Feb 2025 09:21:30 -0600
Subject: [PATCH 327/384] [PM-18076] - Fix compiler warnings (#5451)

* fixed warnings in UpdateOrganizationUserCommand.cs

* Removed null dereference and multiple enumeration warning.

* Removed unused param. Imported type for xml docs

* imported missing type.

* Added nullable block around method.
---
 .../UpdateOrganizationUserCommand.cs            | 17 +++++++++--------
 .../CloudOrganizationSignUpCommand.cs           |  6 ++----
 .../Interfaces/IOrganizationDeleteCommand.cs    |  1 +
 .../IOrganizationInitiateDeleteCommand.cs       |  1 +
 .../TwoFactorAuthenticationPolicyValidator.cs   | 11 +++++++++--
 .../Repositories/OrganizationUserRepository.cs  |  2 ++
 6 files changed, 24 insertions(+), 14 deletions(-)

diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommand.cs
index 657cc6c54d..4aaecef29f 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommand.cs
@@ -63,10 +63,10 @@ public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
         List<CollectionAccessSelection>? collectionAccess, IEnumerable<Guid>? groupAccess)
     {
         // Avoid multiple enumeration
-        collectionAccess = collectionAccess?.ToList();
+        var collectionAccessList = collectionAccess?.ToList() ?? [];
         groupAccess = groupAccess?.ToList();
 
-        if (organizationUser.Id.Equals(default(Guid)))
+        if (organizationUser.Id.Equals(Guid.Empty))
         {
             throw new BadRequestException("Invite the user first.");
         }
@@ -93,9 +93,9 @@ public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
             }
         }
 
-        if (collectionAccess?.Any() == true)
+        if (collectionAccessList.Count != 0)
         {
-            await ValidateCollectionAccessAsync(originalOrganizationUser, collectionAccess.ToList());
+            await ValidateCollectionAccessAsync(originalOrganizationUser, collectionAccessList);
         }
 
         if (groupAccess?.Any() == true)
@@ -111,14 +111,15 @@ public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
         await _organizationService.ValidateOrganizationCustomPermissionsEnabledAsync(organizationUser.OrganizationId, organizationUser.Type);
 
         if (organizationUser.Type != OrganizationUserType.Owner &&
-            !await _hasConfirmedOwnersExceptQuery.HasConfirmedOwnersExceptAsync(organizationUser.OrganizationId, new[] { organizationUser.Id }))
+            !await _hasConfirmedOwnersExceptQuery.HasConfirmedOwnersExceptAsync(organizationUser.OrganizationId,
+                [organizationUser.Id]))
         {
             throw new BadRequestException("Organization must have at least one confirmed owner.");
         }
 
-        if (collectionAccess?.Count > 0)
+        if (collectionAccessList?.Count > 0)
         {
-            var invalidAssociations = collectionAccess.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
+            var invalidAssociations = collectionAccessList.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
             if (invalidAssociations.Any())
             {
                 throw new BadRequestException("The Manage property is mutually exclusive and cannot be true while the ReadOnly or HidePasswords properties are also true.");
@@ -140,7 +141,7 @@ public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
             }
         }
 
-        await _organizationUserRepository.ReplaceAsync(organizationUser, collectionAccess);
+        await _organizationUserRepository.ReplaceAsync(organizationUser, collectionAccessList);
 
         if (groupAccess != null)
         {
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Organizations/CloudOrganizationSignUpCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/Organizations/CloudOrganizationSignUpCommand.cs
index 57cfd1e60f..60e090de2a 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Organizations/CloudOrganizationSignUpCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Organizations/CloudOrganizationSignUpCommand.cs
@@ -24,8 +24,7 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
 
 public record SignUpOrganizationResponse(
     Organization Organization,
-    OrganizationUser OrganizationUser,
-    Collection DefaultCollection);
+    OrganizationUser OrganizationUser);
 
 public interface ICloudOrganizationSignUpCommand
 {
@@ -34,7 +33,6 @@ public interface ICloudOrganizationSignUpCommand
 
 public class CloudOrganizationSignUpCommand(
     IOrganizationUserRepository organizationUserRepository,
-    IFeatureService featureService,
     IOrganizationBillingService organizationBillingService,
     IPaymentService paymentService,
     IPolicyService policyService,
@@ -144,7 +142,7 @@ public class CloudOrganizationSignUpCommand(
                 // TODO: add reference events for SmSeats and Service Accounts - see AC-1481
             });
 
-        return new SignUpOrganizationResponse(returnValue.organization, returnValue.organizationUser, returnValue.defaultCollection);
+        return new SignUpOrganizationResponse(returnValue.organization, returnValue.organizationUser);
     }
 
     public void ValidatePasswordManagerPlan(Plan plan, OrganizationUpgrade upgrade)
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationDeleteCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationDeleteCommand.cs
index fc4de42bed..8153a10958 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationDeleteCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationDeleteCommand.cs
@@ -1,4 +1,5 @@
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Exceptions;
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
 
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationInitiateDeleteCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationInitiateDeleteCommand.cs
index a8d211f245..867d41e7db 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationInitiateDeleteCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Organizations/Interfaces/IOrganizationInitiateDeleteCommand.cs
@@ -1,4 +1,5 @@
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Exceptions;
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
 
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs
index 04984b17be..c757a65913 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs
@@ -73,6 +73,11 @@ public class TwoFactorAuthenticationPolicyValidator : IPolicyValidator
     {
         var organization = await _organizationRepository.GetByIdAsync(organizationId);
 
+        if (organization is null)
+        {
+            return;
+        }
+
         var currentActiveRevocableOrganizationUsers =
             (await _organizationUserRepository.GetManyDetailsByOrganizationAsync(organizationId))
             .Where(ou => ou.Status != OrganizationUserStatusType.Invited &&
@@ -90,9 +95,11 @@ public class TwoFactorAuthenticationPolicyValidator : IPolicyValidator
         var revocableUsersWithTwoFactorStatus =
             await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(currentActiveRevocableOrganizationUsers);
 
-        var nonCompliantUsers = revocableUsersWithTwoFactorStatus.Where(x => !x.twoFactorIsEnabled);
+        var nonCompliantUsers = revocableUsersWithTwoFactorStatus
+            .Where(x => !x.twoFactorIsEnabled)
+            .ToArray();
 
-        if (!nonCompliantUsers.Any())
+        if (nonCompliantUsers.Length == 0)
         {
             return;
         }
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
index 0165360099..28e2f1a9e4 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
@@ -249,6 +249,7 @@ public class OrganizationUserRepository : Repository<Core.Entities.OrganizationU
         }
     }
 
+#nullable enable
     public async Task<(OrganizationUserUserDetails? OrganizationUser, ICollection<CollectionAccessSelection> Collections)> GetDetailsByIdWithCollectionsAsync(Guid id)
     {
         var organizationUserUserDetails = await GetDetailsByIdAsync(id);
@@ -269,6 +270,7 @@ public class OrganizationUserRepository : Repository<Core.Entities.OrganizationU
             return (organizationUserUserDetails, collections);
         }
     }
+#nullable disable
 
     public async Task<OrganizationUserOrganizationDetails> GetDetailsByUserAsync(Guid userId, Guid organizationId, OrganizationUserStatusType? status = null)
     {

From cb68ef711a3273680f2e21f58f1f586d1ed1e4b0 Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Tue, 4 Mar 2025 08:21:02 -0600
Subject: [PATCH 328/384] Added optional param to exclude orgs from cipher
 list. (#5455)

---
 src/Admin/Controllers/UsersController.cs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/Admin/Controllers/UsersController.cs b/src/Admin/Controllers/UsersController.cs
index 38e863aae7..cebb7d4b1e 100644
--- a/src/Admin/Controllers/UsersController.cs
+++ b/src/Admin/Controllers/UsersController.cs
@@ -102,12 +102,13 @@ public class UsersController : Controller
             return RedirectToAction("Index");
         }
 
-        var ciphers = await _cipherRepository.GetManyByUserIdAsync(id);
+        var ciphers = await _cipherRepository.GetManyByUserIdAsync(id, withOrganizations: false);
         var billingInfo = await _paymentService.GetBillingAsync(user);
         var billingHistoryInfo = await _paymentService.GetBillingHistoryAsync(user);
         var isTwoFactorEnabled = await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(user);
         var verifiedDomain = await AccountDeprovisioningEnabled(user.Id);
         var deviceVerificationRequired = await _userService.ActiveNewDeviceVerificationException(user.Id);
+
         return View(new UserEditModel(user, isTwoFactorEnabled, ciphers, billingInfo, billingHistoryInfo, _globalSettings, verifiedDomain, deviceVerificationRequired));
     }
 

From 356ae1063a1d49467f45afd8830bbd1d4c659afb Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Tue, 4 Mar 2025 13:52:07 -0600
Subject: [PATCH 329/384] Fixed last dereference. (#5457)

---
 .../OrganizationUsers/UpdateOrganizationUserCommand.cs          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommand.cs
index 4aaecef29f..bad7b14b87 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommand.cs
@@ -117,7 +117,7 @@ public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
             throw new BadRequestException("Organization must have at least one confirmed owner.");
         }
 
-        if (collectionAccessList?.Count > 0)
+        if (collectionAccessList.Count > 0)
         {
             var invalidAssociations = collectionAccessList.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
             if (invalidAssociations.Any())

From a9739c2b9488db8aaa1c8f77b67fb40fdf2dedf1 Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Wed, 5 Mar 2025 04:57:09 +0000
Subject: [PATCH 330/384] Bumped version to 2025.3.0

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 4b56322adb..a994b2196e 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.2.1</Version>
+    <Version>2025.3.0</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

From 1efc105028d45a31b2e342fa9c7815594411be94 Mon Sep 17 00:00:00 2001
From: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Date: Wed, 5 Mar 2025 08:31:43 -0500
Subject: [PATCH 331/384] fix(New Device Verification): [PM-18906] Removed
 flagging from BW Portal

---
 src/Admin/Views/Users/Edit.cshtml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/Admin/Views/Users/Edit.cshtml b/src/Admin/Views/Users/Edit.cshtml
index 8169b72b3c..dd80889110 100644
--- a/src/Admin/Views/Users/Edit.cshtml
+++ b/src/Admin/Views/Users/Edit.cshtml
@@ -9,8 +9,7 @@
 
     var canViewUserInformation = AccessControlService.UserHasPermission(Permission.User_UserInformation_View);
     var canViewNewDeviceException = AccessControlService.UserHasPermission(Permission.User_NewDeviceException_Edit) &&
-                                    GlobalSettings.EnableNewDeviceVerification &&
-                                    FeatureService.IsEnabled(Bit.Core.FeatureFlagKeys.NewDeviceVerification);
+                                    GlobalSettings.EnableNewDeviceVerification;
     var canViewBillingInformation = AccessControlService.UserHasPermission(Permission.User_BillingInformation_View);
     var canViewGeneral = AccessControlService.UserHasPermission(Permission.User_GeneralDetails_View);
     var canViewPremium = AccessControlService.UserHasPermission(Permission.User_Premium_View);

From 3c0f72340311d810f07dba8531106df9e4f0bcb8 Mon Sep 17 00:00:00 2001
From: Brandon Treston <btreston@bitwarden.com>
Date: Wed, 5 Mar 2025 09:42:39 -0500
Subject: [PATCH 332/384] remove feature flag (#5462)

---
 src/Core/Constants.cs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 82ceb817e3..d5e815b4e7 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -102,7 +102,6 @@ public static class AuthenticationSchemes
 public static class FeatureFlagKeys
 {
     /* Admin Console Team */
-    public const string ProviderClientVaultPrivacyBanner = "ac-2833-provider-client-vault-privacy-banner";
     public const string AccountDeprovisioning = "pm-10308-account-deprovisioning";
     public const string VerifiedSsoDomainEndpoint = "pm-12337-refactor-sso-details-endpoint";
     public const string DeviceApprovalRequestAdminNotifications = "pm-15637-device-approval-request-admin-notifications";

From 267f306c850ce3c993e396de6fd7b7a2d71c8743 Mon Sep 17 00:00:00 2001
From: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Date: Wed, 5 Mar 2025 09:55:12 -0500
Subject: [PATCH 333/384] Updated server version to 2025.2.2 (#5466)

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index a994b2196e..131de6320a 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.3.0</Version>
+    <Version>2025.2.2</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

From 10756ca35e9c5ae0da34374e91d24ce4986fb883 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Wed, 5 Mar 2025 16:22:16 +0100
Subject: [PATCH 334/384] [PM-5872] Credit load intermittently fails (#5424)

---
 src/Billing/Constants/BitPayInvoiceStatus.cs    |  7 +++++++
 src/Billing/Constants/BitPayNotificationCode.cs |  6 ++++++
 src/Billing/Controllers/BitPayController.cs     | 11 ++++++-----
 3 files changed, 19 insertions(+), 5 deletions(-)
 create mode 100644 src/Billing/Constants/BitPayInvoiceStatus.cs
 create mode 100644 src/Billing/Constants/BitPayNotificationCode.cs

diff --git a/src/Billing/Constants/BitPayInvoiceStatus.cs b/src/Billing/Constants/BitPayInvoiceStatus.cs
new file mode 100644
index 0000000000..b9c1e5834d
--- /dev/null
+++ b/src/Billing/Constants/BitPayInvoiceStatus.cs
@@ -0,0 +1,7 @@
+namespace Bit.Billing.Constants;
+
+public static class BitPayInvoiceStatus
+{
+    public const string Confirmed = "confirmed";
+    public const string Complete = "complete";
+}
diff --git a/src/Billing/Constants/BitPayNotificationCode.cs b/src/Billing/Constants/BitPayNotificationCode.cs
new file mode 100644
index 0000000000..f1ace14b81
--- /dev/null
+++ b/src/Billing/Constants/BitPayNotificationCode.cs
@@ -0,0 +1,6 @@
+namespace Bit.Billing.Constants;
+
+public static class BitPayNotificationCode
+{
+    public const string InvoiceConfirmed = "invoice_confirmed";
+}
diff --git a/src/Billing/Controllers/BitPayController.cs b/src/Billing/Controllers/BitPayController.cs
index 3747631bd0..a8d1742fcb 100644
--- a/src/Billing/Controllers/BitPayController.cs
+++ b/src/Billing/Controllers/BitPayController.cs
@@ -1,4 +1,5 @@
 using System.Globalization;
+using Bit.Billing.Constants;
 using Bit.Billing.Models;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Services;
@@ -65,7 +66,7 @@ public class BitPayController : Controller
             return new BadRequestResult();
         }
 
-        if (model.Event.Name != "invoice_confirmed")
+        if (model.Event.Name != BitPayNotificationCode.InvoiceConfirmed)
         {
             // Only processing confirmed invoice events for now.
             return new OkResult();
@@ -75,20 +76,20 @@ public class BitPayController : Controller
         if (invoice == null)
         {
             // Request forged...?
-            _logger.LogWarning("Invoice not found. #" + model.Data.Id);
+            _logger.LogWarning("Invoice not found. #{InvoiceId}", model.Data.Id);
             return new BadRequestResult();
         }
 
-        if (invoice.Status != "confirmed" && invoice.Status != "completed")
+        if (invoice.Status != BitPayInvoiceStatus.Confirmed && invoice.Status != BitPayInvoiceStatus.Complete)
         {
-            _logger.LogWarning("Invoice status of '" + invoice.Status + "' is not acceptable. #" + invoice.Id);
+            _logger.LogWarning("Invoice status of '{InvoiceStatus}' is not acceptable. #{InvoiceId}", invoice.Status, invoice.Id);
             return new BadRequestResult();
         }
 
         if (invoice.Currency != "USD")
         {
             // Only process USD payments
-            _logger.LogWarning("Non USD payment received. #" + invoice.Id);
+            _logger.LogWarning("Non USD payment received. #{InvoiceId}", invoice.Id);
             return new OkResult();
         }
 

From fa9099127007db4552a39a954afeec444d9a4835 Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Wed, 5 Mar 2025 14:59:15 -0500
Subject: [PATCH 335/384] [PM-12601] Add discount to MSP during creation in
 Admin Portal (#5391)

* Add Provider DiscountId to database and Stripe customer

* Fix tests

* Add missing EF migrations

* Run dotnet format
---
 .../Billing/ProviderBillingService.cs         |   33 +-
 .../Billing/ProviderBillingServiceTests.cs    |   12 -
 .../Models/CreateMspProviderModel.cs          |    6 +-
 .../Views/Providers/CreateMsp.cshtml          |   14 +
 .../Entities/Provider/Provider.cs             |    1 +
 src/Core/Billing/Constants/StripeConstants.cs |    9 +-
 .../Implementations/ProviderMigrator.cs       |    2 +-
 .../Billing/Models/Sales/OrganizationSale.cs  |    3 +-
 .../dbo/Stored Procedures/Provider_Create.sql |    9 +-
 .../dbo/Stored Procedures/Provider_Update.sql |    6 +-
 src/Sql/dbo/Tables/Provider.sql               |    1 +
 ...-02-11_00_AddColumn_ProviderDiscountId.sql |  171 +
 ...7_AddColumn_ProviderDiscountId.Designer.cs | 3013 ++++++++++++++++
 ...0213140357_AddColumn_ProviderDiscountId.cs |   28 +
 .../DatabaseContextModelSnapshot.cs           |    3 +
 ...6_AddColumn_ProviderDiscountId.Designer.cs | 3019 +++++++++++++++++
 ...0213140406_AddColumn_ProviderDiscountId.cs |   27 +
 .../DatabaseContextModelSnapshot.cs           |    3 +
 ...1_AddColumn_ProviderDiscountId.Designer.cs | 3002 ++++++++++++++++
 ...0213140401_AddColumn_ProviderDiscountId.cs |   27 +
 .../DatabaseContextModelSnapshot.cs           |    3 +
 21 files changed, 9356 insertions(+), 36 deletions(-)
 create mode 100644 util/Migrator/DbScripts/2025-02-11_00_AddColumn_ProviderDiscountId.sql
 create mode 100644 util/MySqlMigrations/Migrations/20250213140357_AddColumn_ProviderDiscountId.Designer.cs
 create mode 100644 util/MySqlMigrations/Migrations/20250213140357_AddColumn_ProviderDiscountId.cs
 create mode 100644 util/PostgresMigrations/Migrations/20250213140406_AddColumn_ProviderDiscountId.Designer.cs
 create mode 100644 util/PostgresMigrations/Migrations/20250213140406_AddColumn_ProviderDiscountId.cs
 create mode 100644 util/SqliteMigrations/Migrations/20250213140401_AddColumn_ProviderDiscountId.Designer.cs
 create mode 100644 util/SqliteMigrations/Migrations/20250213140401_AddColumn_ProviderDiscountId.cs

diff --git a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
index b637cf37ef..294a926022 100644
--- a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
+++ b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
@@ -475,20 +475,17 @@ public class ProviderBillingService(
         Provider provider,
         TaxInfo taxInfo)
     {
-        ArgumentNullException.ThrowIfNull(provider);
-        ArgumentNullException.ThrowIfNull(taxInfo);
-
-        if (string.IsNullOrEmpty(taxInfo.BillingAddressCountry) ||
-            string.IsNullOrEmpty(taxInfo.BillingAddressPostalCode))
+        if (taxInfo is not
+            {
+                BillingAddressCountry: not null and not "",
+                BillingAddressPostalCode: not null and not ""
+            })
         {
             logger.LogError("Cannot create customer for provider ({ProviderID}) without both a country and postal code", provider.Id);
-
             throw new BillingException();
         }
 
-        var providerDisplayName = provider.DisplayName();
-
-        var customerCreateOptions = new CustomerCreateOptions
+        var options = new CustomerCreateOptions
         {
             Address = new AddressOptions
             {
@@ -508,9 +505,9 @@ public class ProviderBillingService(
                     new CustomerInvoiceSettingsCustomFieldOptions
                     {
                         Name = provider.SubscriberType(),
-                        Value = providerDisplayName?.Length <= 30
-                            ? providerDisplayName
-                            : providerDisplayName?[..30]
+                        Value = provider.DisplayName()?.Length <= 30
+                            ? provider.DisplayName()
+                            : provider.DisplayName()?[..30]
                     }
                 ]
             },
@@ -522,7 +519,8 @@ public class ProviderBillingService(
 
         if (!string.IsNullOrEmpty(taxInfo.TaxIdNumber))
         {
-            var taxIdType = taxService.GetStripeTaxCode(taxInfo.BillingAddressCountry,
+            var taxIdType = taxService.GetStripeTaxCode(
+                taxInfo.BillingAddressCountry,
                 taxInfo.TaxIdNumber);
 
             if (taxIdType == null)
@@ -533,15 +531,20 @@ public class ProviderBillingService(
                 throw new BadRequestException("billingTaxIdTypeInferenceError");
             }
 
-            customerCreateOptions.TaxIdData =
+            options.TaxIdData =
             [
                 new CustomerTaxIdDataOptions { Type = taxIdType, Value = taxInfo.TaxIdNumber }
             ];
         }
 
+        if (!string.IsNullOrEmpty(provider.DiscountId))
+        {
+            options.Coupon = provider.DiscountId;
+        }
+
         try
         {
-            return await stripeAdapter.CustomerCreateAsync(customerCreateOptions);
+            return await stripeAdapter.CustomerCreateAsync(options);
         }
         catch (StripeException stripeException) when (stripeException.StripeError?.Code == StripeConstants.ErrorCodes.TaxIdInvalid)
         {
diff --git a/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderBillingServiceTests.cs b/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderBillingServiceTests.cs
index 2fbd09a213..c1da732d60 100644
--- a/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderBillingServiceTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderBillingServiceTests.cs
@@ -731,18 +731,6 @@ public class ProviderBillingServiceTests
 
     #region SetupCustomer
 
-    [Theory, BitAutoData]
-    public async Task SetupCustomer_NullProvider_ThrowsArgumentNullException(
-        SutProvider<ProviderBillingService> sutProvider,
-        TaxInfo taxInfo) =>
-        await Assert.ThrowsAsync<ArgumentNullException>(() => sutProvider.Sut.SetupCustomer(null, taxInfo));
-
-    [Theory, BitAutoData]
-    public async Task SetupCustomer_NullTaxInfo_ThrowsArgumentNullException(
-        SutProvider<ProviderBillingService> sutProvider,
-        Provider provider) =>
-        await Assert.ThrowsAsync<ArgumentNullException>(() => sutProvider.Sut.SetupCustomer(provider, null));
-
     [Theory, BitAutoData]
     public async Task SetupCustomer_MissingCountry_ContactSupport(
         SutProvider<ProviderBillingService> sutProvider,
diff --git a/src/Admin/AdminConsole/Models/CreateMspProviderModel.cs b/src/Admin/AdminConsole/Models/CreateMspProviderModel.cs
index f48cf21767..4ada2d4a5f 100644
--- a/src/Admin/AdminConsole/Models/CreateMspProviderModel.cs
+++ b/src/Admin/AdminConsole/Models/CreateMspProviderModel.cs
@@ -10,6 +10,9 @@ public class CreateMspProviderModel : IValidatableObject
     [Display(Name = "Owner Email")]
     public string OwnerEmail { get; set; }
 
+    [Display(Name = "Subscription Discount")]
+    public string DiscountId { get; set; }
+
     [Display(Name = "Teams (Monthly) Seat Minimum")]
     public int TeamsMonthlySeatMinimum { get; set; }
 
@@ -20,7 +23,8 @@ public class CreateMspProviderModel : IValidatableObject
     {
         return new Provider
         {
-            Type = ProviderType.Msp
+            Type = ProviderType.Msp,
+            DiscountId = DiscountId
         };
     }
 
diff --git a/src/Admin/AdminConsole/Views/Providers/CreateMsp.cshtml b/src/Admin/AdminConsole/Views/Providers/CreateMsp.cshtml
index 38ae542355..fffe21d5fe 100644
--- a/src/Admin/AdminConsole/Views/Providers/CreateMsp.cshtml
+++ b/src/Admin/AdminConsole/Views/Providers/CreateMsp.cshtml
@@ -1,3 +1,4 @@
+@using Bit.Core.Billing.Constants
 @model CreateMspProviderModel
 
 @{
@@ -12,6 +13,19 @@
             <label asp-for="OwnerEmail" class="form-label"></label>
             <input type="text" class="form-control" asp-for="OwnerEmail">
         </div>
+        <div class="mb-3">
+            @{
+                var selectList = new List<SelectListItem>
+                {
+                    new ("No discount", string.Empty, true),
+                    new ("20% - Open", StripeConstants.CouponIDs.MSPDiscounts.Open),
+                    new ("35% - Silver", StripeConstants.CouponIDs.MSPDiscounts.Silver),
+                    new ("50% - Gold", StripeConstants.CouponIDs.MSPDiscounts.Gold)
+                };
+            }
+            <label asp-for="DiscountId" class="form-label"></label>
+            <select class="form-select" asp-for="DiscountId" asp-items="selectList"></select>
+        </div>
         <div class="row">
             <div class="col-sm">
                 <div class="mb-3">
diff --git a/src/Core/AdminConsole/Entities/Provider/Provider.cs b/src/Core/AdminConsole/Entities/Provider/Provider.cs
index 266e3498ff..3872ed22e4 100644
--- a/src/Core/AdminConsole/Entities/Provider/Provider.cs
+++ b/src/Core/AdminConsole/Entities/Provider/Provider.cs
@@ -35,6 +35,7 @@ public class Provider : ITableObject<Guid>, ISubscriber
     public GatewayType? Gateway { get; set; }
     public string? GatewayCustomerId { get; set; }
     public string? GatewaySubscriptionId { get; set; }
+    public string? DiscountId { get; set; }
 
     public string? BillingEmailAddress() => BillingEmail?.ToLowerInvariant().Trim();
 
diff --git a/src/Core/Billing/Constants/StripeConstants.cs b/src/Core/Billing/Constants/StripeConstants.cs
index 0a5faae947..080416e2bb 100644
--- a/src/Core/Billing/Constants/StripeConstants.cs
+++ b/src/Core/Billing/Constants/StripeConstants.cs
@@ -18,8 +18,15 @@ public static class StripeConstants
 
     public static class CouponIDs
     {
-        public const string MSPDiscount35 = "msp-discount-35";
+        public const string LegacyMSPDiscount = "msp-discount-35";
         public const string SecretsManagerStandalone = "sm-standalone";
+
+        public static class MSPDiscounts
+        {
+            public const string Open = "msp-open-discount";
+            public const string Silver = "msp-silver-discount";
+            public const string Gold = "msp-gold-discount";
+        }
     }
 
     public static class ErrorCodes
diff --git a/src/Core/Billing/Migration/Services/Implementations/ProviderMigrator.cs b/src/Core/Billing/Migration/Services/Implementations/ProviderMigrator.cs
index ea490d0d66..b5c4383556 100644
--- a/src/Core/Billing/Migration/Services/Implementations/ProviderMigrator.cs
+++ b/src/Core/Billing/Migration/Services/Implementations/ProviderMigrator.cs
@@ -254,7 +254,7 @@ public class ProviderMigrator(
 
             await stripeAdapter.CustomerUpdateAsync(customer.Id, new CustomerUpdateOptions
             {
-                Coupon = StripeConstants.CouponIDs.MSPDiscount35
+                Coupon = StripeConstants.CouponIDs.LegacyMSPDiscount
             });
 
             provider.GatewayCustomerId = customer.Id;
diff --git a/src/Core/Billing/Models/Sales/OrganizationSale.cs b/src/Core/Billing/Models/Sales/OrganizationSale.cs
index f0ad7894e6..0602cf1dd9 100644
--- a/src/Core/Billing/Models/Sales/OrganizationSale.cs
+++ b/src/Core/Billing/Models/Sales/OrganizationSale.cs
@@ -46,7 +46,8 @@ public class OrganizationSale
         var customerSetup = new CustomerSetup
         {
             Coupon = signup.IsFromProvider
-            ? StripeConstants.CouponIDs.MSPDiscount35
+            // TODO: Remove when last of the legacy providers has been migrated.
+            ? StripeConstants.CouponIDs.LegacyMSPDiscount
             : signup.IsFromSecretsManagerTrial
                 ? StripeConstants.CouponIDs.SecretsManagerStandalone
                 : null
diff --git a/src/Sql/dbo/Stored Procedures/Provider_Create.sql b/src/Sql/dbo/Stored Procedures/Provider_Create.sql
index 63baa1789c..da1f3ad9a7 100644
--- a/src/Sql/dbo/Stored Procedures/Provider_Create.sql	
+++ b/src/Sql/dbo/Stored Procedures/Provider_Create.sql	
@@ -17,7 +17,8 @@
     @RevisionDate DATETIME2(7),
     @Gateway TINYINT = 0,
     @GatewayCustomerId VARCHAR(50) = NULL,
-    @GatewaySubscriptionId VARCHAR(50) = NULL
+    @GatewaySubscriptionId VARCHAR(50) = NULL,
+    @DiscountId VARCHAR(50) = NULL
 AS
 BEGIN
     SET NOCOUNT ON
@@ -42,7 +43,8 @@ BEGIN
         [RevisionDate],
         [Gateway],
         [GatewayCustomerId],
-        [GatewaySubscriptionId]
+        [GatewaySubscriptionId],
+        [DiscountId]
     )
     VALUES
     (
@@ -64,6 +66,7 @@ BEGIN
         @RevisionDate,
         @Gateway,
         @GatewayCustomerId,
-        @GatewaySubscriptionId
+        @GatewaySubscriptionId,
+        @DiscountId
     )
 END
diff --git a/src/Sql/dbo/Stored Procedures/Provider_Update.sql b/src/Sql/dbo/Stored Procedures/Provider_Update.sql
index 39bdd2d613..639f40a2ac 100644
--- a/src/Sql/dbo/Stored Procedures/Provider_Update.sql	
+++ b/src/Sql/dbo/Stored Procedures/Provider_Update.sql	
@@ -17,7 +17,8 @@
     @RevisionDate DATETIME2(7),
     @Gateway TINYINT = 0,
     @GatewayCustomerId VARCHAR(50) = NULL,
-    @GatewaySubscriptionId VARCHAR(50) = NULL
+    @GatewaySubscriptionId VARCHAR(50) = NULL,
+    @DiscountId VARCHAR(50) = NULL
 AS
 BEGIN
     SET NOCOUNT ON
@@ -42,7 +43,8 @@ BEGIN
         [RevisionDate] = @RevisionDate,
         [Gateway] = @Gateway,
         [GatewayCustomerId] = @GatewayCustomerId,
-        [GatewaySubscriptionId] = @GatewaySubscriptionId
+        [GatewaySubscriptionId] = @GatewaySubscriptionId,
+        [DiscountId] = @DiscountId
     WHERE
         [Id] = @Id
 END
diff --git a/src/Sql/dbo/Tables/Provider.sql b/src/Sql/dbo/Tables/Provider.sql
index fa64c01ec0..4b14730eb4 100644
--- a/src/Sql/dbo/Tables/Provider.sql
+++ b/src/Sql/dbo/Tables/Provider.sql
@@ -18,5 +18,6 @@
     [Gateway]               TINYINT          NULL,
     [GatewayCustomerId]     VARCHAR (50)     NULL,
     [GatewaySubscriptionId] VARCHAR (50)     NULL,
+    [DiscountId]            VARCHAR (50)     NULL,
     CONSTRAINT [PK_Provider] PRIMARY KEY CLUSTERED ([Id] ASC)
 );
diff --git a/util/Migrator/DbScripts/2025-02-11_00_AddColumn_ProviderDiscountId.sql b/util/Migrator/DbScripts/2025-02-11_00_AddColumn_ProviderDiscountId.sql
new file mode 100644
index 0000000000..02add59069
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-02-11_00_AddColumn_ProviderDiscountId.sql
@@ -0,0 +1,171 @@
+-- Add 'DiscountId' column to 'Provider' table.
+IF COL_LENGTH('[dbo].[Provider]', 'DiscountId') IS NULL
+    BEGIN
+        ALTER TABLE
+            [dbo].[Provider]
+            ADD
+                [DiscountId] VARCHAR(50) NULL;
+    END
+GO
+
+-- Recreate 'ProviderView' so that it includes the 'DiscountId' column.
+CREATE OR ALTER VIEW [dbo].[ProviderView]
+AS
+SELECT
+    *
+FROM
+    [dbo].[Provider]
+GO
+
+-- Alter 'Provider_Create' SPROC to add 'DiscountId' column.
+CREATE OR ALTER PROCEDURE [dbo].[Provider_Create]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @Name NVARCHAR(50),
+    @BusinessName NVARCHAR(50),
+    @BusinessAddress1 NVARCHAR(50),
+    @BusinessAddress2 NVARCHAR(50),
+    @BusinessAddress3 NVARCHAR(50),
+    @BusinessCountry VARCHAR(2),
+    @BusinessTaxNumber NVARCHAR(30),
+    @BillingEmail NVARCHAR(256),
+    @BillingPhone NVARCHAR(50) = NULL,
+    @Status TINYINT,
+    @Type TINYINT = 0,
+    @UseEvents BIT,
+    @Enabled BIT,
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7),
+    @Gateway TINYINT = 0,
+    @GatewayCustomerId VARCHAR(50) = NULL,
+    @GatewaySubscriptionId VARCHAR(50) = NULL,
+    @DiscountId VARCHAR(50) = NULL
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    INSERT INTO [dbo].[Provider]
+    (
+        [Id],
+        [Name],
+        [BusinessName],
+        [BusinessAddress1],
+        [BusinessAddress2],
+        [BusinessAddress3],
+        [BusinessCountry],
+        [BusinessTaxNumber],
+        [BillingEmail],
+        [BillingPhone],
+        [Status],
+        [Type],
+        [UseEvents],
+        [Enabled],
+        [CreationDate],
+        [RevisionDate],
+        [Gateway],
+        [GatewayCustomerId],
+        [GatewaySubscriptionId],
+        [DiscountId]
+    )
+    VALUES
+        (
+         @Id,
+         @Name,
+         @BusinessName,
+         @BusinessAddress1,
+         @BusinessAddress2,
+         @BusinessAddress3,
+         @BusinessCountry,
+         @BusinessTaxNumber,
+         @BillingEmail,
+         @BillingPhone,
+         @Status,
+         @Type,
+         @UseEvents,
+         @Enabled,
+         @CreationDate,
+         @RevisionDate,
+         @Gateway,
+         @GatewayCustomerId,
+         @GatewaySubscriptionId,
+         @DiscountId
+        )
+END
+GO
+
+-- Alter 'Provider_Update' SPROC to add 'DiscountId' column.
+CREATE OR ALTER PROCEDURE [dbo].[Provider_Update]
+    @Id UNIQUEIDENTIFIER,
+    @Name NVARCHAR(50),
+    @BusinessName NVARCHAR(50),
+    @BusinessAddress1 NVARCHAR(50),
+    @BusinessAddress2 NVARCHAR(50),
+    @BusinessAddress3 NVARCHAR(50),
+    @BusinessCountry VARCHAR(2),
+    @BusinessTaxNumber NVARCHAR(30),
+    @BillingEmail NVARCHAR(256),
+    @BillingPhone NVARCHAR(50) = NULL,
+    @Status TINYINT,
+    @Type TINYINT = 0,
+    @UseEvents BIT,
+    @Enabled BIT,
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7),
+    @Gateway TINYINT = 0,
+    @GatewayCustomerId VARCHAR(50) = NULL,
+    @GatewaySubscriptionId VARCHAR(50) = NULL,
+    @DiscountId VARCHAR(50) = NULL
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    UPDATE
+        [dbo].[Provider]
+    SET
+        [Name] = @Name,
+        [BusinessName] = @BusinessName,
+        [BusinessAddress1] = @BusinessAddress1,
+        [BusinessAddress2] = @BusinessAddress2,
+        [BusinessAddress3] = @BusinessAddress3,
+        [BusinessCountry] = @BusinessCountry,
+        [BusinessTaxNumber] = @BusinessTaxNumber,
+        [BillingEmail] = @BillingEmail,
+        [BillingPhone] = @BillingPhone,
+        [Status] = @Status,
+        [Type] = @Type,
+        [UseEvents] = @UseEvents,
+        [Enabled] = @Enabled,
+        [CreationDate] = @CreationDate,
+        [RevisionDate] = @RevisionDate,
+        [Gateway] = @Gateway,
+        [GatewayCustomerId] = @GatewayCustomerId,
+        [GatewaySubscriptionId] = @GatewaySubscriptionId,
+        [DiscountId] = @DiscountId
+    WHERE
+        [Id] = @Id
+END
+GO
+
+-- Refresh modules for SPROCs reliant on 'Provider' table/view.
+IF OBJECT_ID('[dbo].[Provider_ReadAbilities]') IS NOT NULL
+    BEGIN
+        EXECUTE sp_refreshsqlmodule N'[dbo].[Provider_ReadAbilities]';
+    END
+GO
+
+IF OBJECT_ID('[dbo].[Provider_ReadById]') IS NOT NULL
+    BEGIN
+        EXECUTE sp_refreshsqlmodule N'[dbo].[Provider_ReadById]';
+    END
+GO
+
+IF OBJECT_ID('[dbo].[Provider_ReadByOrganizationId]') IS NOT NULL
+    BEGIN
+        EXECUTE sp_refreshsqlmodule N'[dbo].[Provider_ReadByOrganizationId]';
+    END
+GO
+
+IF OBJECT_ID('[dbo].[Provider_Search]') IS NOT NULL
+    BEGIN
+        EXECUTE sp_refreshsqlmodule N'[dbo].[Provider_Search]';
+    END
+GO
diff --git a/util/MySqlMigrations/Migrations/20250213140357_AddColumn_ProviderDiscountId.Designer.cs b/util/MySqlMigrations/Migrations/20250213140357_AddColumn_ProviderDiscountId.Designer.cs
new file mode 100644
index 0000000000..947483d796
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20250213140357_AddColumn_ProviderDiscountId.Designer.cs
@@ -0,0 +1,3013 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Metadata;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20250213140357_AddColumn_ProviderDiscountId")]
+    partial class AddColumn_ProviderDiscountId
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 64);
+
+            MySqlModelBuilderExtensions.AutoIncrementColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("LimitItemDeletion")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("DiscountId")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("varchar(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("int");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("varchar(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("varchar(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("longblob");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("varchar(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("varchar(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("int");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("varchar(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Body")
+                        .HasMaxLength(3000)
+                        .HasColumnType("varchar(3000)");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid?>("TaskId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("TaskId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("varchar(150)");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("varchar(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("varchar(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", "Task")
+                        .WithMany()
+                        .HasForeignKey("TaskId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Task");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/20250213140357_AddColumn_ProviderDiscountId.cs b/util/MySqlMigrations/Migrations/20250213140357_AddColumn_ProviderDiscountId.cs
new file mode 100644
index 0000000000..53eb2350e8
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20250213140357_AddColumn_ProviderDiscountId.cs
@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddColumn_ProviderDiscountId : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<string>(
+            name: "DiscountId",
+            table: "Provider",
+            type: "longtext",
+            nullable: true)
+            .Annotation("MySql:CharSet", "utf8mb4");
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "DiscountId",
+            table: "Provider");
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
index 73ed8e0c6b..bd04151035 100644
--- a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -284,6 +284,9 @@ namespace Bit.MySqlMigrations.Migrations
                     b.Property<DateTime>("CreationDate")
                         .HasColumnType("datetime(6)");
 
+                    b.Property<string>("DiscountId")
+                        .HasColumnType("longtext");
+
                     b.Property<bool>("Enabled")
                         .HasColumnType("tinyint(1)");
 
diff --git a/util/PostgresMigrations/Migrations/20250213140406_AddColumn_ProviderDiscountId.Designer.cs b/util/PostgresMigrations/Migrations/20250213140406_AddColumn_ProviderDiscountId.Designer.cs
new file mode 100644
index 0000000000..79533f72ae
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20250213140406_AddColumn_ProviderDiscountId.Designer.cs
@@ -0,0 +1,3019 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20250213140406_AddColumn_ProviderDiscountId")]
+    partial class AddColumn_ProviderDiscountId
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("Npgsql:CollationDefinition:postgresIndetermanisticCollation", "en-u-ks-primary,en-u-ks-primary,icu,False")
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("LimitItemDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled");
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("Id", "Enabled"), new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("DiscountId")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("character varying(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("OrganizationId", "ExternalId"), new[] { "UserId" });
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("character varying(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("numeric");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("character varying(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("character varying(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("numeric");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("numeric");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("boolean");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("numeric");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("character varying(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Body")
+                        .HasMaxLength(3000)
+                        .HasColumnType("character varying(3000)");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("TaskId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("TaskId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("character varying(150)");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("character varying(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", "Task")
+                        .WithMany()
+                        .HasForeignKey("TaskId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Task");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/20250213140406_AddColumn_ProviderDiscountId.cs b/util/PostgresMigrations/Migrations/20250213140406_AddColumn_ProviderDiscountId.cs
new file mode 100644
index 0000000000..282f6f0fb8
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20250213140406_AddColumn_ProviderDiscountId.cs
@@ -0,0 +1,27 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddColumn_ProviderDiscountId : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<string>(
+            name: "DiscountId",
+            table: "Provider",
+            type: "text",
+            nullable: true);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "DiscountId",
+            table: "Provider");
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
index a6017652bf..b507984ad1 100644
--- a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -287,6 +287,9 @@ namespace Bit.PostgresMigrations.Migrations
                     b.Property<DateTime>("CreationDate")
                         .HasColumnType("timestamp with time zone");
 
+                    b.Property<string>("DiscountId")
+                        .HasColumnType("text");
+
                     b.Property<bool>("Enabled")
                         .HasColumnType("boolean");
 
diff --git a/util/SqliteMigrations/Migrations/20250213140401_AddColumn_ProviderDiscountId.Designer.cs b/util/SqliteMigrations/Migrations/20250213140401_AddColumn_ProviderDiscountId.Designer.cs
new file mode 100644
index 0000000000..387e0a7f30
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20250213140401_AddColumn_ProviderDiscountId.Designer.cs
@@ -0,0 +1,3002 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20250213140401_AddColumn_ProviderDiscountId")]
+    partial class AddColumn_ProviderDiscountId
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder.HasAnnotation("ProductVersion", "8.0.8");
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("LimitItemDeletion")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("DiscountId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("BLOB");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Body")
+                        .HasMaxLength(3000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("TaskId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("TaskId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", "Task")
+                        .WithMany()
+                        .HasForeignKey("TaskId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Task");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/20250213140401_AddColumn_ProviderDiscountId.cs b/util/SqliteMigrations/Migrations/20250213140401_AddColumn_ProviderDiscountId.cs
new file mode 100644
index 0000000000..3081e35ac4
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20250213140401_AddColumn_ProviderDiscountId.cs
@@ -0,0 +1,27 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddColumn_ProviderDiscountId : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<string>(
+            name: "DiscountId",
+            table: "Provider",
+            type: "TEXT",
+            nullable: true);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "DiscountId",
+            table: "Provider");
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
index 185caf3074..158a02cd43 100644
--- a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -279,6 +279,9 @@ namespace Bit.SqliteMigrations.Migrations
                     b.Property<DateTime>("CreationDate")
                         .HasColumnType("TEXT");
 
+                    b.Property<string>("DiscountId")
+                        .HasColumnType("TEXT");
+
                     b.Property<bool>("Enabled")
                         .HasColumnType("INTEGER");
 

From 88ffde930fd8ff608030dcd2148885c5a35458a9 Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Wed, 5 Mar 2025 15:29:51 -0500
Subject: [PATCH 336/384] Check to see if cancellation comment is populated
 before disablement checks (#5468)

---
 .../Implementations/SubscriptionDeletedHandler.cs     | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/Billing/Services/Implementations/SubscriptionDeletedHandler.cs b/src/Billing/Services/Implementations/SubscriptionDeletedHandler.cs
index 8155928453..465da86c3f 100644
--- a/src/Billing/Services/Implementations/SubscriptionDeletedHandler.cs
+++ b/src/Billing/Services/Implementations/SubscriptionDeletedHandler.cs
@@ -41,10 +41,15 @@ public class SubscriptionDeletedHandler : ISubscriptionDeletedHandler
             return;
         }
 
-        if (organizationId.HasValue &&
-            subscription.CancellationDetails.Comment != providerMigrationCancellationComment &&
-            !subscription.CancellationDetails.Comment.Contains(addedToProviderCancellationComment))
+        if (organizationId.HasValue)
         {
+            if (!string.IsNullOrEmpty(subscription.CancellationDetails?.Comment) &&
+                (subscription.CancellationDetails.Comment == providerMigrationCancellationComment ||
+                 subscription.CancellationDetails.Comment.Contains(addedToProviderCancellationComment)))
+            {
+                return;
+            }
+
             await _organizationDisableCommand.DisableAsync(organizationId.Value, subscription.CurrentPeriodEnd);
         }
         else if (userId.HasValue)

From ac1d5b1a6959cc3c8476de1dd4110a58d6fa0bea Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Wed, 5 Mar 2025 23:05:04 +0000
Subject: [PATCH 337/384] Bumped version to 2025.2.3

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 131de6320a..403bf843d1 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.2.2</Version>
+    <Version>2025.2.3</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

From 7281dd9b58a53c9f151a99bd9a035fcb105ceba3 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Thu, 6 Mar 2025 13:19:18 +0100
Subject: [PATCH 338/384] [PM-18163] Remove feature flag
 'AC-1795_updated-subscription-status-section' (#5411)

---
 src/Core/Constants.cs                               |  1 -
 .../Implementations/StripePaymentService.cs         | 13 +++++--------
 2 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index d5e815b4e7..672188ce1f 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -119,7 +119,6 @@ public static class FeatureFlagKeys
     public const string UseTreeWalkerApiForPageDetailsCollection = "use-tree-walker-api-for-page-details-collection";
     public const string DuoRedirect = "duo-redirect";
     public const string AC2101UpdateTrialInitiationEmail = "AC-2101-update-trial-initiation-email";
-    public const string AC1795_UpdatedSubscriptionStatusSection = "AC-1795_updated-subscription-status-section";
     public const string EmailVerification = "email-verification";
     public const string EmailVerificationDisableTimingDelays = "email-verification-disable-timing-delays";
     public const string ExtensionRefresh = "extension-refresh";
diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
index 1a8fe2085d..bfa94cf5ba 100644
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -1609,15 +1609,12 @@ public class StripePaymentService : IPaymentService
         {
             subscriptionInfo.Subscription = new SubscriptionInfo.BillingSubscription(sub);
 
-            if (_featureService.IsEnabled(FeatureFlagKeys.AC1795_UpdatedSubscriptionStatusSection))
-            {
-                var (suspensionDate, unpaidPeriodEndDate) = await GetSuspensionDateAsync(sub);
+            var (suspensionDate, unpaidPeriodEndDate) = await GetSuspensionDateAsync(sub);
 
-                if (suspensionDate.HasValue && unpaidPeriodEndDate.HasValue)
-                {
-                    subscriptionInfo.Subscription.SuspensionDate = suspensionDate;
-                    subscriptionInfo.Subscription.UnpaidPeriodEndDate = unpaidPeriodEndDate;
-                }
+            if (suspensionDate.HasValue && unpaidPeriodEndDate.HasValue)
+            {
+                subscriptionInfo.Subscription.SuspensionDate = suspensionDate;
+                subscriptionInfo.Subscription.UnpaidPeriodEndDate = unpaidPeriodEndDate;
             }
         }
 

From c82908f40b7d67fbf9c736df0aa1578076128dbc Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Thu, 6 Mar 2025 11:16:58 -0500
Subject: [PATCH 339/384] [PM-15621] Add functionality to map command results
 to HTTP responses. (#5467)

---
 src/Api/Utilities/CommandResultExtensions.cs  |  31 +++++
 src/Core/Models/Commands/BadRequestFailure.cs |  23 ++++
 src/Core/Models/Commands/CommandResult.cs     |  40 ++++++-
 .../Models/Commands/NoRecordFoundFailure.cs   |  24 ++++
 .../Utilities/CommandResultExtensionTests.cs  | 107 ++++++++++++++++++
 5 files changed, 224 insertions(+), 1 deletion(-)
 create mode 100644 src/Api/Utilities/CommandResultExtensions.cs
 create mode 100644 src/Core/Models/Commands/BadRequestFailure.cs
 create mode 100644 src/Core/Models/Commands/NoRecordFoundFailure.cs
 create mode 100644 test/Api.Test/Utilities/CommandResultExtensionTests.cs

diff --git a/src/Api/Utilities/CommandResultExtensions.cs b/src/Api/Utilities/CommandResultExtensions.cs
new file mode 100644
index 0000000000..39104db7ff
--- /dev/null
+++ b/src/Api/Utilities/CommandResultExtensions.cs
@@ -0,0 +1,31 @@
+using Bit.Core.Models.Commands;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.Utilities;
+
+public static class CommandResultExtensions
+{
+    public static IActionResult MapToActionResult<T>(this CommandResult<T> commandResult)
+    {
+        return commandResult switch
+        {
+            NoRecordFoundFailure<T> failure => new ObjectResult(failure.ErrorMessages) { StatusCode = StatusCodes.Status404NotFound },
+            BadRequestFailure<T> failure => new ObjectResult(failure.ErrorMessages) { StatusCode = StatusCodes.Status400BadRequest },
+            Failure<T> failure => new ObjectResult(failure.ErrorMessages) { StatusCode = StatusCodes.Status400BadRequest },
+            Success<T> success => new ObjectResult(success.Data) { StatusCode = StatusCodes.Status200OK },
+            _ => throw new InvalidOperationException($"Unhandled commandResult type: {commandResult.GetType().Name}")
+        };
+    }
+
+    public static IActionResult MapToActionResult(this CommandResult commandResult)
+    {
+        return commandResult switch
+        {
+            NoRecordFoundFailure failure => new ObjectResult(failure.ErrorMessages) { StatusCode = StatusCodes.Status404NotFound },
+            BadRequestFailure failure => new ObjectResult(failure.ErrorMessages) { StatusCode = StatusCodes.Status400BadRequest },
+            Failure failure => new ObjectResult(failure.ErrorMessages) { StatusCode = StatusCodes.Status400BadRequest },
+            Success => new ObjectResult(new { }) { StatusCode = StatusCodes.Status200OK },
+            _ => throw new InvalidOperationException($"Unhandled commandResult type: {commandResult.GetType().Name}")
+        };
+    }
+}
diff --git a/src/Core/Models/Commands/BadRequestFailure.cs b/src/Core/Models/Commands/BadRequestFailure.cs
new file mode 100644
index 0000000000..bd2753d4e4
--- /dev/null
+++ b/src/Core/Models/Commands/BadRequestFailure.cs
@@ -0,0 +1,23 @@
+namespace Bit.Core.Models.Commands;
+
+public class BadRequestFailure<T> : Failure<T>
+{
+    public BadRequestFailure(IEnumerable<string> errorMessage) : base(errorMessage)
+    {
+    }
+
+    public BadRequestFailure(string errorMessage) : base(errorMessage)
+    {
+    }
+}
+
+public class BadRequestFailure : Failure
+{
+    public BadRequestFailure(IEnumerable<string> errorMessage) : base(errorMessage)
+    {
+    }
+
+    public BadRequestFailure(string errorMessage) : base(errorMessage)
+    {
+    }
+}
diff --git a/src/Core/Models/Commands/CommandResult.cs b/src/Core/Models/Commands/CommandResult.cs
index 9e5d91e09c..ae14b7d2f9 100644
--- a/src/Core/Models/Commands/CommandResult.cs
+++ b/src/Core/Models/Commands/CommandResult.cs
@@ -1,4 +1,6 @@
-namespace Bit.Core.Models.Commands;
+#nullable enable
+
+namespace Bit.Core.Models.Commands;
 
 public class CommandResult(IEnumerable<string> errors)
 {
@@ -10,3 +12,39 @@ public class CommandResult(IEnumerable<string> errors)
 
     public CommandResult() : this(Array.Empty<string>()) { }
 }
+
+public class Failure : CommandResult
+{
+    protected Failure(IEnumerable<string> errorMessages) : base(errorMessages)
+    {
+
+    }
+    public Failure(string errorMessage) : base(errorMessage)
+    {
+
+    }
+}
+
+public class Success : CommandResult
+{
+}
+
+public abstract class CommandResult<T>
+{
+
+}
+
+public class Success<T>(T data) : CommandResult<T>
+{
+    public T? Data { get; init; } = data;
+}
+
+public class Failure<T>(IEnumerable<string> errorMessage) : CommandResult<T>
+{
+    public IEnumerable<string> ErrorMessages { get; init; } = errorMessage;
+
+    public Failure(string errorMessage) : this(new[] { errorMessage })
+    {
+    }
+}
+
diff --git a/src/Core/Models/Commands/NoRecordFoundFailure.cs b/src/Core/Models/Commands/NoRecordFoundFailure.cs
new file mode 100644
index 0000000000..a8a322b928
--- /dev/null
+++ b/src/Core/Models/Commands/NoRecordFoundFailure.cs
@@ -0,0 +1,24 @@
+namespace Bit.Core.Models.Commands;
+
+public class NoRecordFoundFailure<T> : Failure<T>
+{
+    public NoRecordFoundFailure(IEnumerable<string> errorMessage) : base(errorMessage)
+    {
+    }
+
+    public NoRecordFoundFailure(string errorMessage) : base(errorMessage)
+    {
+    }
+}
+
+public class NoRecordFoundFailure : Failure
+{
+    public NoRecordFoundFailure(IEnumerable<string> errorMessage) : base(errorMessage)
+    {
+    }
+
+    public NoRecordFoundFailure(string errorMessage) : base(errorMessage)
+    {
+    }
+}
+
diff --git a/test/Api.Test/Utilities/CommandResultExtensionTests.cs b/test/Api.Test/Utilities/CommandResultExtensionTests.cs
new file mode 100644
index 0000000000..dafae10b5b
--- /dev/null
+++ b/test/Api.Test/Utilities/CommandResultExtensionTests.cs
@@ -0,0 +1,107 @@
+using Bit.Api.Utilities;
+using Bit.Core.Models.Commands;
+using Bit.Core.Vault.Entities;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Xunit;
+
+namespace Bit.Api.Test.Utilities;
+
+public class CommandResultExtensionTests
+{
+    public static IEnumerable<object[]> WithGenericTypeTestCases()
+    {
+        yield return new object[]
+        {
+            new NoRecordFoundFailure<Cipher>(new[] { "Error 1", "Error 2" }),
+            new ObjectResult(new[] { "Error 1", "Error 2" }) { StatusCode = StatusCodes.Status404NotFound }
+        };
+        yield return new object[]
+        {
+            new BadRequestFailure<Cipher>("Error 3"),
+            new ObjectResult(new[] { "Error 3" }) { StatusCode = StatusCodes.Status400BadRequest }
+        };
+        yield return new object[]
+        {
+            new Failure<Cipher>("Error 4"),
+            new ObjectResult(new[] { "Error 4" }) { StatusCode = StatusCodes.Status400BadRequest }
+        };
+        var cipher = new Cipher() { Id = Guid.NewGuid() };
+
+        yield return new object[]
+        {
+            new Success<Cipher>(cipher),
+            new ObjectResult(cipher) { StatusCode = StatusCodes.Status200OK }
+        };
+    }
+
+
+    [Theory]
+    [MemberData(nameof(WithGenericTypeTestCases))]
+    public void MapToActionResult_WithGenericType_ShouldMapToHttpResponse(CommandResult<Cipher> input, ObjectResult expected)
+    {
+        var result = input.MapToActionResult();
+
+        Assert.Equivalent(expected, result);
+    }
+
+
+    [Fact]
+    public void MapToActionResult_WithGenericType_ShouldThrowExceptionForUnhandledCommandResult()
+    {
+        var result = new NotImplementedCommandResult();
+
+        Assert.Throws<InvalidOperationException>(() => result.MapToActionResult());
+    }
+
+    public static IEnumerable<object[]> TestCases()
+    {
+        yield return new object[]
+        {
+            new NoRecordFoundFailure(new[] { "Error 1", "Error 2" }),
+            new ObjectResult(new[] { "Error 1", "Error 2" }) { StatusCode = StatusCodes.Status404NotFound }
+        };
+        yield return new object[]
+        {
+            new BadRequestFailure("Error 3"),
+            new ObjectResult(new[] { "Error 3" }) { StatusCode = StatusCodes.Status400BadRequest }
+        };
+        yield return new object[]
+        {
+            new Failure("Error 4"),
+            new ObjectResult(new[] { "Error 4" }) { StatusCode = StatusCodes.Status400BadRequest }
+        };
+        yield return new object[]
+        {
+            new Success(),
+            new ObjectResult(new { }) { StatusCode = StatusCodes.Status200OK }
+        };
+    }
+
+    [Theory]
+    [MemberData(nameof(TestCases))]
+    public void MapToActionResult_ShouldMapToHttpResponse(CommandResult input, ObjectResult expected)
+    {
+        var result = input.MapToActionResult();
+
+        Assert.Equivalent(expected, result);
+    }
+
+    [Fact]
+    public void MapToActionResult_ShouldThrowExceptionForUnhandledCommandResult()
+    {
+        var result = new NotImplementedCommandResult<Cipher>();
+
+        Assert.Throws<InvalidOperationException>(() => result.MapToActionResult());
+    }
+}
+
+public class NotImplementedCommandResult<T> : CommandResult<T>
+{
+
+}
+
+public class NotImplementedCommandResult : CommandResult
+{
+
+}

From cb1c12794ff17220ee8b63081773a94f461977e8 Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Thu, 6 Mar 2025 13:44:10 -0500
Subject: [PATCH 340/384] Derive item add on status from price metadata (#5389)

---
 src/Core/Models/Business/SubscriptionInfo.cs |  7 +++++--
 src/Core/Utilities/StaticStore.cs            | 17 -----------------
 2 files changed, 5 insertions(+), 19 deletions(-)

diff --git a/src/Core/Models/Business/SubscriptionInfo.cs b/src/Core/Models/Business/SubscriptionInfo.cs
index c9c3b31c7f..78a995fb94 100644
--- a/src/Core/Models/Business/SubscriptionInfo.cs
+++ b/src/Core/Models/Business/SubscriptionInfo.cs
@@ -73,8 +73,11 @@ public class SubscriptionInfo
                     Name = item.Plan.Nickname;
                     Amount = item.Plan.Amount.GetValueOrDefault() / 100M;
                     Interval = item.Plan.Interval;
-                    AddonSubscriptionItem =
-                        Utilities.StaticStore.IsAddonSubscriptionItem(item.Plan.Id);
+
+                    if (item.Metadata != null)
+                    {
+                        AddonSubscriptionItem = item.Metadata.TryGetValue("isAddOn", out var value) && bool.Parse(value);
+                    }
                 }
 
                 Quantity = (int)item.Quantity;
diff --git a/src/Core/Utilities/StaticStore.cs b/src/Core/Utilities/StaticStore.cs
index 24e9ccd7bd..1cae361e29 100644
--- a/src/Core/Utilities/StaticStore.cs
+++ b/src/Core/Utilities/StaticStore.cs
@@ -158,21 +158,4 @@ public static class StaticStore
 
     public static SponsoredPlan GetSponsoredPlan(PlanSponsorshipType planSponsorshipType) =>
         SponsoredPlans.FirstOrDefault(p => p.PlanSponsorshipType == planSponsorshipType);
-
-    /// <summary>
-    /// Determines if the stripe plan id is an addon item by checking if the provided stripe plan id
-    /// matches either the <see cref="Plan.PasswordManagerPlanFeatures.StripeStoragePlanId"/> or <see cref="Plan.SecretsManagerPlanFeatures.StripeServiceAccountPlanId"/>
-    /// in any <see cref="Plans"/>.
-    /// </summary>
-    /// <param name="stripePlanId"></param>
-    /// <returns>
-    /// True if the stripePlanId is a addon product, false otherwise
-    /// </returns>
-    public static bool IsAddonSubscriptionItem(string stripePlanId)
-    {
-        // TODO: PRICING -> https://bitwarden.atlassian.net/browse/PM-16844
-        return Plans.Any(p =>
-                p.PasswordManager.StripeStoragePlanId == stripePlanId ||
-                (p.SecretsManager?.StripeServiceAccountPlanId == stripePlanId));
-    }
 }

From 8628206fa90287e1c169c928e5ecad8b14b2210d Mon Sep 17 00:00:00 2001
From: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
Date: Thu, 6 Mar 2025 22:13:02 +0100
Subject: [PATCH 341/384] ArgumentNullException: Value cannot be null in POST
 /push/register (#5472)

---
 .../Push/Controllers/PushController.cs        |  5 +--
 .../Push/Controllers/PushControllerTests.cs   | 32 +++++++++++++------
 2 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/src/Api/Platform/Push/Controllers/PushController.cs b/src/Api/Platform/Push/Controllers/PushController.cs
index 28641a86cf..2a1f2b987d 100644
--- a/src/Api/Platform/Push/Controllers/PushController.cs
+++ b/src/Api/Platform/Push/Controllers/PushController.cs
@@ -43,8 +43,9 @@ public class PushController : Controller
     public async Task RegisterAsync([FromBody] PushRegistrationRequestModel model)
     {
         CheckUsage();
-        await _pushRegistrationService.CreateOrUpdateRegistrationAsync(new PushRegistrationData(model.PushToken), Prefix(model.DeviceId),
-            Prefix(model.UserId), Prefix(model.Identifier), model.Type, model.OrganizationIds.Select(Prefix), model.InstallationId);
+        await _pushRegistrationService.CreateOrUpdateRegistrationAsync(new PushRegistrationData(model.PushToken),
+            Prefix(model.DeviceId), Prefix(model.UserId), Prefix(model.Identifier), model.Type,
+            model.OrganizationIds?.Select(Prefix) ?? [], model.InstallationId);
     }
 
     [HttpPost("delete")]
diff --git a/test/Api.Test/Platform/Push/Controllers/PushControllerTests.cs b/test/Api.Test/Platform/Push/Controllers/PushControllerTests.cs
index 399913a0c4..6df09c17dc 100644
--- a/test/Api.Test/Platform/Push/Controllers/PushControllerTests.cs
+++ b/test/Api.Test/Platform/Push/Controllers/PushControllerTests.cs
@@ -243,20 +243,22 @@ public class PushControllerTests
                 PushToken = "test-push-token",
                 UserId = userId.ToString(),
                 Type = DeviceType.Android,
-                Identifier = identifier.ToString()
+                Identifier = identifier.ToString(),
             }));
 
         Assert.Equal("Not correctly configured for push relays.", exception.Message);
 
         await sutProvider.GetDependency<IPushRegistrationService>().Received(0)
-            .CreateOrUpdateRegistrationAsync(Arg.Any<PushRegistrationData>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(),
-                Arg.Any<DeviceType>(), Arg.Any<IEnumerable<string>>(), Arg.Any<Guid>());
+            .CreateOrUpdateRegistrationAsync(Arg.Any<PushRegistrationData>(), Arg.Any<string>(), Arg.Any<string>(),
+                Arg.Any<string>(), Arg.Any<DeviceType>(), Arg.Any<IEnumerable<string>>(), Arg.Any<Guid>());
     }
 
     [Theory]
-    [BitAutoData]
-    public async Task? RegisterAsync_ValidModel_CreatedOrUpdatedRegistration(SutProvider<PushController> sutProvider,
-        Guid installationId, Guid userId, Guid identifier, Guid deviceId, Guid organizationId)
+    [BitAutoData(false)]
+    [BitAutoData(true)]
+    public async Task RegisterAsync_ValidModel_CreatedOrUpdatedRegistration(bool haveOrganizationId,
+        SutProvider<PushController> sutProvider, Guid installationId, Guid userId, Guid identifier, Guid deviceId,
+        Guid organizationId)
     {
         sutProvider.GetDependency<IGlobalSettings>().SelfHosted = false;
         sutProvider.GetDependency<ICurrentContext>().InstallationId.Returns(installationId);
@@ -273,19 +275,29 @@ public class PushControllerTests
             UserId = userId.ToString(),
             Type = DeviceType.Android,
             Identifier = identifier.ToString(),
-            OrganizationIds = [organizationId.ToString()],
+            OrganizationIds = haveOrganizationId ? [organizationId.ToString()] : null,
             InstallationId = installationId
         };
 
         await sutProvider.Sut.RegisterAsync(model);
 
         await sutProvider.GetDependency<IPushRegistrationService>().Received(1)
-            .CreateOrUpdateRegistrationAsync(Arg.Is<PushRegistrationData>(data => data == new PushRegistrationData(model.PushToken)), expectedDeviceId, expectedUserId,
+            .CreateOrUpdateRegistrationAsync(
+                Arg.Is<PushRegistrationData>(data => data == new PushRegistrationData(model.PushToken)),
+                expectedDeviceId, expectedUserId,
                 expectedIdentifier, DeviceType.Android, Arg.Do<IEnumerable<string>>(organizationIds =>
                 {
+                    Assert.NotNull(organizationIds);
                     var organizationIdsList = organizationIds.ToList();
-                    Assert.Contains(expectedOrganizationId, organizationIdsList);
-                    Assert.Single(organizationIdsList);
+                    if (haveOrganizationId)
+                    {
+                        Assert.Contains(expectedOrganizationId, organizationIdsList);
+                        Assert.Single(organizationIdsList);
+                    }
+                    else
+                    {
+                        Assert.Empty(organizationIdsList);
+                    }
                 }), installationId);
     }
 }

From bea0d0d76f0057796f279e34516953b168a668b2 Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Thu, 6 Mar 2025 21:51:25 +0000
Subject: [PATCH 342/384] Bumped version to 2025.2.4

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 403bf843d1..03594371e9 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.2.3</Version>
+    <Version>2025.2.4</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

From 6cb97d9bf9c02d4036a549bd140030f9206f8b5a Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Thu, 6 Mar 2025 20:32:21 -0600
Subject: [PATCH 343/384] [PM-18972] - Fix query for Org By User Domain (#5474)

* Changed query to avoid table scan. Added index to speed up query as well.
---
 .../Repositories/OrganizationRepository.cs    | 34 +++++++++++++------
 ...anization_ReadByClaimedUserEmailDomain.sql | 21 ++++++++----
 src/Sql/dbo/Tables/OrganizationDomain.sql     |  5 +++
 ..._ReadByClaimedUserEmailDomain_AndIndex.sql | 31 +++++++++++++++++
 4 files changed, 73 insertions(+), 18 deletions(-)
 create mode 100644 util/Migrator/DbScripts/2025-03-06_00_ReadByClaimedUserEmailDomain_AndIndex.sql

diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
index ea4e1334c6..6fc42b699d 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
@@ -290,21 +290,33 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
 
     public async Task<ICollection<Core.AdminConsole.Entities.Organization>> GetByVerifiedUserEmailDomainAsync(Guid userId)
     {
-        using (var scope = ServiceScopeFactory.CreateScope())
-        {
-            var dbContext = GetDatabaseContext(scope);
+        using var scope = ServiceScopeFactory.CreateScope();
 
-            var query = from u in dbContext.Users
-                        join ou in dbContext.OrganizationUsers on u.Id equals ou.UserId
-                        join o in dbContext.Organizations on ou.OrganizationId equals o.Id
-                        join od in dbContext.OrganizationDomains on ou.OrganizationId equals od.OrganizationId
+        var dbContext = GetDatabaseContext(scope);
+
+        var userQuery = from u in dbContext.Users
                         where u.Id == userId
-                              && od.VerifiedDate != null
-                              && u.Email.ToLower().EndsWith("@" + od.DomainName.ToLower())
-                        select o;
+                        select u;
 
-            return await query.ToArrayAsync();
+        var user = await userQuery.FirstOrDefaultAsync();
+
+        if (user is null)
+        {
+            return new List<Core.AdminConsole.Entities.Organization>();
         }
+
+        var userWithDomain = new { UserId = user.Id, EmailDomain = user.Email.Split('@').Last() };
+
+        var query = from o in dbContext.Organizations
+                    join ou in dbContext.OrganizationUsers on o.Id equals ou.OrganizationId
+                    join od in dbContext.OrganizationDomains on ou.OrganizationId equals od.OrganizationId
+                    where ou.UserId == userWithDomain.UserId &&
+                          od.DomainName == userWithDomain.EmailDomain &&
+                          od.VerifiedDate != null &&
+                          o.Enabled == true
+                    select o;
+
+        return await query.ToArrayAsync();
     }
 
     public async Task<ICollection<Core.AdminConsole.Entities.Organization>> GetAddableToProviderByUserIdAsync(
diff --git a/src/Sql/dbo/Stored Procedures/Organization_ReadByClaimedUserEmailDomain.sql b/src/Sql/dbo/Stored Procedures/Organization_ReadByClaimedUserEmailDomain.sql
index 39cf5d384c..583f548c8b 100644
--- a/src/Sql/dbo/Stored Procedures/Organization_ReadByClaimedUserEmailDomain.sql	
+++ b/src/Sql/dbo/Stored Procedures/Organization_ReadByClaimedUserEmailDomain.sql	
@@ -4,12 +4,19 @@ AS
 BEGIN
     SET NOCOUNT ON;
 
+    WITH CTE_User AS (
+        SELECT
+            U.*,
+            SUBSTRING(U.Email, CHARINDEX('@', U.Email) + 1, LEN(U.Email)) AS EmailDomain
+        FROM dbo.[UserView] U
+        WHERE U.[Id] = @UserId
+    )
     SELECT O.*
-    FROM [dbo].[UserView] U
-    INNER JOIN [dbo].[OrganizationUserView] OU ON U.[Id] = OU.[UserId]
-    INNER JOIN [dbo].[OrganizationView] O ON OU.[OrganizationId] = O.[Id]
-    INNER JOIN [dbo].[OrganizationDomainView] OD ON OU.[OrganizationId] = OD.[OrganizationId]
-    WHERE U.[Id] = @UserId
-        AND OD.[VerifiedDate] IS NOT NULL
-        AND U.[Email] LIKE '%@' + OD.[DomainName];
+    FROM CTE_User CU
+             INNER JOIN dbo.[OrganizationUserView] OU ON CU.[Id] = OU.[UserId]
+             INNER JOIN dbo.[OrganizationView] O ON OU.[OrganizationId] = O.[Id]
+             INNER JOIN dbo.[OrganizationDomainView] OD ON OU.[OrganizationId] = OD.[OrganizationId]
+    WHERE OD.[VerifiedDate] IS NOT NULL
+      AND CU.EmailDomain = OD.[DomainName]
+      AND O.[Enabled] = 1
 END
diff --git a/src/Sql/dbo/Tables/OrganizationDomain.sql b/src/Sql/dbo/Tables/OrganizationDomain.sql
index 09e4997d74..615dcc1557 100644
--- a/src/Sql/dbo/Tables/OrganizationDomain.sql
+++ b/src/Sql/dbo/Tables/OrganizationDomain.sql
@@ -22,3 +22,8 @@ CREATE NONCLUSTERED INDEX [IX_OrganizationDomain_VerifiedDate]
     ON [dbo].[OrganizationDomain] ([VerifiedDate])
     INCLUDE ([OrganizationId],[DomainName]);
 GO
+
+CREATE NONCLUSTERED INDEX [IX_OrganizationDomain_DomainNameVerifiedDateOrganizationId]
+    ON [dbo].[OrganizationDomain] ([DomainName],[VerifiedDate])
+    INCLUDE ([OrganizationId])
+GO
diff --git a/util/Migrator/DbScripts/2025-03-06_00_ReadByClaimedUserEmailDomain_AndIndex.sql b/util/Migrator/DbScripts/2025-03-06_00_ReadByClaimedUserEmailDomain_AndIndex.sql
new file mode 100644
index 0000000000..a28b869c4e
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-03-06_00_ReadByClaimedUserEmailDomain_AndIndex.sql
@@ -0,0 +1,31 @@
+CREATE OR ALTER PROCEDURE [dbo].[Organization_ReadByClaimedUserEmailDomain]
+    @UserId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON;
+
+    WITH CTE_User AS (
+        SELECT
+            U.*,
+            SUBSTRING(U.Email, CHARINDEX('@', U.Email) + 1, LEN(U.Email)) AS EmailDomain
+        FROM dbo.[UserView] U
+        WHERE U.[Id] = @UserId
+    )
+    SELECT O.*
+    FROM CTE_User CU
+             INNER JOIN dbo.[OrganizationUserView] OU ON CU.[Id] = OU.[UserId]
+             INNER JOIN dbo.[OrganizationView] O ON OU.[OrganizationId] = O.[Id]
+             INNER JOIN dbo.[OrganizationDomainView] OD ON OU.[OrganizationId] = OD.[OrganizationId]
+    WHERE OD.[VerifiedDate] IS NOT NULL
+      AND CU.EmailDomain = OD.[DomainName]
+      AND O.[Enabled] = 1
+END
+GO
+
+IF NOT EXISTS(SELECT name FROM sys.indexes WHERE name = 'IX_OrganizationDomain_DomainNameVerifiedDateOrganizationId')
+    BEGIN
+        CREATE NONCLUSTERED INDEX [IX_OrganizationDomain_DomainNameVerifiedDateOrganizationId]
+            ON [dbo].[OrganizationDomain] ([DomainName],[VerifiedDate])
+            INCLUDE ([OrganizationId])
+    END
+GO

From c589f9a330575831b075f93c30223cdb799e28d9 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Fri, 7 Mar 2025 09:52:04 +0100
Subject: [PATCH 344/384] [BEEEP] [PM-18518] Cleanup StripePaymentService
 (#5435)

---
 .../Billing/Extensions/CustomerExtensions.cs  |   5 +
 .../Extensions/SubscriberExtensions.cs        |  26 +
 src/Core/Services/IPaymentService.cs          |  12 -
 .../Implementations/StripePaymentService.cs   | 737 +---------------
 .../Extensions/SubscriberExtensionsTests.cs   |  23 +
 .../Services/StripePaymentServiceTests.cs     | 828 ------------------
 6 files changed, 58 insertions(+), 1573 deletions(-)
 create mode 100644 src/Core/Billing/Extensions/SubscriberExtensions.cs
 create mode 100644 test/Core.Test/Extensions/SubscriberExtensionsTests.cs
 delete mode 100644 test/Core.Test/Services/StripePaymentServiceTests.cs

diff --git a/src/Core/Billing/Extensions/CustomerExtensions.cs b/src/Core/Billing/Extensions/CustomerExtensions.cs
index 1847abb0ad..1ab595342e 100644
--- a/src/Core/Billing/Extensions/CustomerExtensions.cs
+++ b/src/Core/Billing/Extensions/CustomerExtensions.cs
@@ -22,4 +22,9 @@ public static class CustomerExtensions
     /// <returns></returns>
     public static bool HasTaxLocationVerified(this Customer customer) =>
         customer?.Tax?.AutomaticTax == StripeConstants.AutomaticTaxStatus.Supported;
+
+    public static decimal GetBillingBalance(this Customer customer)
+    {
+        return customer != null ? customer.Balance / 100M : default;
+    }
 }
diff --git a/src/Core/Billing/Extensions/SubscriberExtensions.cs b/src/Core/Billing/Extensions/SubscriberExtensions.cs
new file mode 100644
index 0000000000..e322ed7317
--- /dev/null
+++ b/src/Core/Billing/Extensions/SubscriberExtensions.cs
@@ -0,0 +1,26 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.Billing.Extensions;
+
+public static class SubscriberExtensions
+{
+    /// <summary>
+    /// We are taking only first 30 characters of the SubscriberName because stripe provide for 30 characters  for
+    /// custom_fields,see the link: https://stripe.com/docs/api/invoices/create
+    /// </summary>
+    /// <param name="subscriber"></param>
+    /// <returns></returns>
+    public static string GetFormattedInvoiceName(this ISubscriber subscriber)
+    {
+        var subscriberName = subscriber.SubscriberName();
+
+        if (string.IsNullOrWhiteSpace(subscriberName))
+        {
+            return string.Empty;
+        }
+
+        return subscriberName.Length <= 30
+            ? subscriberName
+            : subscriberName[..30];
+    }
+}
diff --git a/src/Core/Services/IPaymentService.cs b/src/Core/Services/IPaymentService.cs
index 5bd2bede33..e3495c0e65 100644
--- a/src/Core/Services/IPaymentService.cs
+++ b/src/Core/Services/IPaymentService.cs
@@ -14,18 +14,8 @@ namespace Bit.Core.Services;
 public interface IPaymentService
 {
     Task CancelAndRecoverChargesAsync(ISubscriber subscriber);
-    Task<string> PurchaseOrganizationAsync(Organization org, PaymentMethodType paymentMethodType,
-        string paymentToken, Plan plan, short additionalStorageGb, int additionalSeats,
-        bool premiumAccessAddon, TaxInfo taxInfo, bool provider = false, int additionalSmSeats = 0,
-        int additionalServiceAccount = 0, bool signupIsFromSecretsManagerTrial = false);
-    Task<string> PurchaseOrganizationNoPaymentMethod(Organization org, Plan plan, int additionalSeats,
-        bool premiumAccessAddon, int additionalSmSeats = 0, int additionalServiceAccount = 0,
-        bool signupIsFromSecretsManagerTrial = false);
     Task SponsorOrganizationAsync(Organization org, OrganizationSponsorship sponsorship);
     Task RemoveOrganizationSponsorshipAsync(Organization org, OrganizationSponsorship sponsorship);
-    Task<string> UpgradeFreeOrganizationAsync(Organization org, Plan plan, OrganizationUpgrade upgrade);
-    Task<string> PurchasePremiumAsync(User user, PaymentMethodType paymentMethodType, string paymentToken,
-        short additionalStorageGb, TaxInfo taxInfo);
     Task<string> AdjustSubscription(
         Organization organization,
         Plan updatedPlan,
@@ -56,9 +46,7 @@ public interface IPaymentService
     Task SaveTaxInfoAsync(ISubscriber subscriber, TaxInfo taxInfo);
     Task<string> AddSecretsManagerToSubscription(Organization org, Plan plan, int additionalSmSeats,
         int additionalServiceAccount);
-    Task<bool> RisksSubscriptionFailure(Organization organization);
     Task<bool> HasSecretsManagerStandalone(Organization organization);
-    Task<(DateTime?, DateTime?)> GetSuspensionDateAsync(Stripe.Subscription subscription);
     Task<PreviewInvoiceResponseModel> PreviewInvoiceAsync(PreviewIndividualInvoiceRequestBody parameters, string gatewayCustomerId, string gatewaySubscriptionId);
     Task<PreviewInvoiceResponseModel> PreviewInvoiceAsync(PreviewOrganizationInvoiceRequestBody parameters, string gatewayCustomerId, string gatewaySubscriptionId);
 
diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
index bfa94cf5ba..ca377407f4 100644
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -25,9 +25,6 @@ namespace Bit.Core.Services;
 
 public class StripePaymentService : IPaymentService
 {
-    private const string PremiumPlanId = "premium-annually";
-    private const string StoragePlanId = "storage-gb-annually";
-    private const string ProviderDiscountId = "msp-discount-35";
     private const string SecretsManagerStandaloneDiscountId = "sm-standalone";
 
     private readonly ITransactionRepository _transactionRepository;
@@ -62,240 +59,6 @@ public class StripePaymentService : IPaymentService
         _pricingClient = pricingClient;
     }
 
-    public async Task<string> PurchaseOrganizationAsync(Organization org, PaymentMethodType paymentMethodType,
-        string paymentToken, StaticStore.Plan plan, short additionalStorageGb,
-        int additionalSeats, bool premiumAccessAddon, TaxInfo taxInfo, bool provider = false,
-        int additionalSmSeats = 0, int additionalServiceAccount = 0, bool signupIsFromSecretsManagerTrial = false)
-    {
-        Braintree.Customer braintreeCustomer = null;
-        string stipeCustomerSourceToken = null;
-        string stipeCustomerPaymentMethodId = null;
-        var stripeCustomerMetadata = new Dictionary<string, string>
-        {
-            { "region", _globalSettings.BaseServiceUri.CloudRegion }
-        };
-        var stripePaymentMethod = paymentMethodType == PaymentMethodType.Card ||
-                                  paymentMethodType == PaymentMethodType.BankAccount;
-
-        if (stripePaymentMethod && !string.IsNullOrWhiteSpace(paymentToken))
-        {
-            if (paymentToken.StartsWith("pm_"))
-            {
-                stipeCustomerPaymentMethodId = paymentToken;
-            }
-            else
-            {
-                stipeCustomerSourceToken = paymentToken;
-            }
-        }
-        else if (paymentMethodType == PaymentMethodType.PayPal)
-        {
-            var randomSuffix = Utilities.CoreHelpers.RandomString(3, upper: false, numeric: false);
-            var customerResult = await _btGateway.Customer.CreateAsync(new Braintree.CustomerRequest
-            {
-                PaymentMethodNonce = paymentToken,
-                Email = org.BillingEmail,
-                Id = org.BraintreeCustomerIdPrefix() + org.Id.ToString("N").ToLower() + randomSuffix,
-                CustomFields = new Dictionary<string, string>
-                {
-                    [org.BraintreeIdField()] = org.Id.ToString(),
-                    [org.BraintreeCloudRegionField()] = _globalSettings.BaseServiceUri.CloudRegion
-                }
-            });
-
-            if (!customerResult.IsSuccess() || customerResult.Target.PaymentMethods.Length == 0)
-            {
-                throw new GatewayException("Failed to create PayPal customer record.");
-            }
-
-            braintreeCustomer = customerResult.Target;
-            stripeCustomerMetadata.Add("btCustomerId", braintreeCustomer.Id);
-        }
-        else
-        {
-            throw new GatewayException("Payment method is not supported at this time.");
-        }
-
-        var subCreateOptions = new OrganizationPurchaseSubscriptionOptions(org, plan, taxInfo, additionalSeats, additionalStorageGb, premiumAccessAddon
-        , additionalSmSeats, additionalServiceAccount);
-
-        Customer customer = null;
-        Subscription subscription;
-        try
-        {
-            if (!string.IsNullOrWhiteSpace(taxInfo.TaxIdNumber))
-            {
-                taxInfo.TaxIdType = _taxService.GetStripeTaxCode(taxInfo.BillingAddressCountry,
-                    taxInfo.TaxIdNumber);
-
-                if (taxInfo.TaxIdType == null)
-                {
-                    _logger.LogWarning("Could not infer tax ID type in country '{Country}' with tax ID '{TaxID}'.",
-                        taxInfo.BillingAddressCountry,
-                        taxInfo.TaxIdNumber);
-                    throw new BadRequestException("billingTaxIdTypeInferenceError");
-                }
-            }
-
-            var customerCreateOptions = new CustomerCreateOptions
-            {
-                Description = org.DisplayBusinessName(),
-                Email = org.BillingEmail,
-                Source = stipeCustomerSourceToken,
-                PaymentMethod = stipeCustomerPaymentMethodId,
-                Metadata = stripeCustomerMetadata,
-                InvoiceSettings = new CustomerInvoiceSettingsOptions
-                {
-                    DefaultPaymentMethod = stipeCustomerPaymentMethodId,
-                    CustomFields =
-                    [
-                        new CustomerInvoiceSettingsCustomFieldOptions
-                        {
-                            Name = org.SubscriberType(),
-                            Value = GetFirstThirtyCharacters(org.SubscriberName()),
-                        }
-                    ],
-                },
-                Coupon = signupIsFromSecretsManagerTrial
-                    ? SecretsManagerStandaloneDiscountId
-                    : provider
-                        ? ProviderDiscountId
-                        : null,
-                Address = new AddressOptions
-                {
-                    Country = taxInfo?.BillingAddressCountry,
-                    PostalCode = taxInfo?.BillingAddressPostalCode,
-                    // Line1 is required in Stripe's API, suggestion in Docs is to use Business Name instead.
-                    Line1 = taxInfo?.BillingAddressLine1 ?? string.Empty,
-                    Line2 = taxInfo?.BillingAddressLine2,
-                    City = taxInfo?.BillingAddressCity,
-                    State = taxInfo?.BillingAddressState,
-                },
-                TaxIdData = !string.IsNullOrWhiteSpace(taxInfo.TaxIdNumber)
-                    ? [new CustomerTaxIdDataOptions { Type = taxInfo.TaxIdType, Value = taxInfo.TaxIdNumber }]
-                    : null
-            };
-
-            customerCreateOptions.AddExpand("tax");
-
-            customer = await _stripeAdapter.CustomerCreateAsync(customerCreateOptions);
-            subCreateOptions.AddExpand("latest_invoice.payment_intent");
-            subCreateOptions.Customer = customer.Id;
-            subCreateOptions.EnableAutomaticTax(customer);
-
-            subscription = await _stripeAdapter.SubscriptionCreateAsync(subCreateOptions);
-            if (subscription.Status == "incomplete" && subscription.LatestInvoice?.PaymentIntent != null)
-            {
-                if (subscription.LatestInvoice.PaymentIntent.Status == "requires_payment_method")
-                {
-                    await _stripeAdapter.SubscriptionCancelAsync(subscription.Id, new SubscriptionCancelOptions());
-                    throw new GatewayException("Payment method was declined.");
-                }
-            }
-        }
-        catch (Exception ex)
-        {
-            _logger.LogError(ex, "Error creating customer, walking back operation.");
-            if (customer != null)
-            {
-                await _stripeAdapter.CustomerDeleteAsync(customer.Id);
-            }
-            if (braintreeCustomer != null)
-            {
-                await _btGateway.Customer.DeleteAsync(braintreeCustomer.Id);
-            }
-            throw;
-        }
-
-        org.Gateway = GatewayType.Stripe;
-        org.GatewayCustomerId = customer.Id;
-        org.GatewaySubscriptionId = subscription.Id;
-
-        if (subscription.Status == "incomplete" &&
-            subscription.LatestInvoice?.PaymentIntent?.Status == "requires_action")
-        {
-            org.Enabled = false;
-            return subscription.LatestInvoice.PaymentIntent.ClientSecret;
-        }
-        else
-        {
-            org.Enabled = true;
-            org.ExpirationDate = subscription.CurrentPeriodEnd;
-            return null;
-        }
-    }
-
-    public async Task<string> PurchaseOrganizationNoPaymentMethod(Organization org, StaticStore.Plan plan, int additionalSeats, bool premiumAccessAddon,
-        int additionalSmSeats = 0, int additionalServiceAccount = 0, bool signupIsFromSecretsManagerTrial = false)
-    {
-
-        var stripeCustomerMetadata = new Dictionary<string, string>
-        {
-            { "region", _globalSettings.BaseServiceUri.CloudRegion }
-        };
-        var subCreateOptions = new OrganizationPurchaseSubscriptionOptions(org, plan, new TaxInfo(), additionalSeats, 0, premiumAccessAddon
-        , additionalSmSeats, additionalServiceAccount);
-
-        Customer customer = null;
-        Subscription subscription;
-        try
-        {
-            var customerCreateOptions = new CustomerCreateOptions
-            {
-                Description = org.DisplayBusinessName(),
-                Email = org.BillingEmail,
-                Metadata = stripeCustomerMetadata,
-                InvoiceSettings = new CustomerInvoiceSettingsOptions
-                {
-                    CustomFields =
-                    [
-                        new CustomerInvoiceSettingsCustomFieldOptions
-                        {
-                            Name = org.SubscriberType(),
-                            Value = GetFirstThirtyCharacters(org.SubscriberName()),
-                        }
-                    ],
-                },
-                Coupon = signupIsFromSecretsManagerTrial
-                    ? SecretsManagerStandaloneDiscountId
-                    : null,
-                TaxIdData = null,
-            };
-
-            customer = await _stripeAdapter.CustomerCreateAsync(customerCreateOptions);
-            subCreateOptions.AddExpand("latest_invoice.payment_intent");
-            subCreateOptions.Customer = customer.Id;
-
-            subscription = await _stripeAdapter.SubscriptionCreateAsync(subCreateOptions);
-        }
-        catch (Exception ex)
-        {
-            _logger.LogError(ex, "Error creating customer, walking back operation.");
-            if (customer != null)
-            {
-                await _stripeAdapter.CustomerDeleteAsync(customer.Id);
-            }
-
-            throw;
-        }
-
-        org.Gateway = GatewayType.Stripe;
-        org.GatewayCustomerId = customer.Id;
-        org.GatewaySubscriptionId = subscription.Id;
-
-        if (subscription.Status == "incomplete" &&
-            subscription.LatestInvoice?.PaymentIntent?.Status == "requires_action")
-        {
-            org.Enabled = false;
-            return subscription.LatestInvoice.PaymentIntent.ClientSecret;
-        }
-
-        org.Enabled = true;
-        org.ExpirationDate = subscription.CurrentPeriodEnd;
-        return null;
-
-    }
-
     private async Task ChangeOrganizationSponsorship(
         Organization org,
         OrganizationSponsorship sponsorship,
@@ -324,458 +87,6 @@ public class StripePaymentService : IPaymentService
     public Task RemoveOrganizationSponsorshipAsync(Organization org, OrganizationSponsorship sponsorship) =>
         ChangeOrganizationSponsorship(org, sponsorship, false);
 
-    public async Task<string> UpgradeFreeOrganizationAsync(Organization org, StaticStore.Plan plan,
-        OrganizationUpgrade upgrade)
-    {
-        if (!string.IsNullOrWhiteSpace(org.GatewaySubscriptionId))
-        {
-            throw new BadRequestException("Organization already has a subscription.");
-        }
-
-        var customerOptions = new CustomerGetOptions();
-        customerOptions.AddExpand("default_source");
-        customerOptions.AddExpand("invoice_settings.default_payment_method");
-        customerOptions.AddExpand("tax");
-        var customer = await _stripeAdapter.CustomerGetAsync(org.GatewayCustomerId, customerOptions);
-        if (customer == null)
-        {
-            throw new GatewayException("Could not find customer payment profile.");
-        }
-
-        if (!string.IsNullOrEmpty(upgrade.TaxInfo?.BillingAddressCountry) &&
-            !string.IsNullOrEmpty(upgrade.TaxInfo?.BillingAddressPostalCode))
-        {
-            var addressOptions = new AddressOptions
-            {
-                Country = upgrade.TaxInfo.BillingAddressCountry,
-                PostalCode = upgrade.TaxInfo.BillingAddressPostalCode,
-                // Line1 is required in Stripe's API, suggestion in Docs is to use Business Name instead.
-                Line1 = upgrade.TaxInfo.BillingAddressLine1 ?? string.Empty,
-                Line2 = upgrade.TaxInfo.BillingAddressLine2,
-                City = upgrade.TaxInfo.BillingAddressCity,
-                State = upgrade.TaxInfo.BillingAddressState,
-            };
-            var customerUpdateOptions = new CustomerUpdateOptions { Address = addressOptions };
-            customerUpdateOptions.AddExpand("default_source");
-            customerUpdateOptions.AddExpand("invoice_settings.default_payment_method");
-            customerUpdateOptions.AddExpand("tax");
-            customer = await _stripeAdapter.CustomerUpdateAsync(org.GatewayCustomerId, customerUpdateOptions);
-        }
-
-        var subCreateOptions = new OrganizationUpgradeSubscriptionOptions(customer.Id, org, plan, upgrade);
-
-        subCreateOptions.EnableAutomaticTax(customer);
-
-        var (stripePaymentMethod, paymentMethodType) = IdentifyPaymentMethod(customer, subCreateOptions);
-
-        var subscription = await ChargeForNewSubscriptionAsync(org, customer, false,
-            stripePaymentMethod, paymentMethodType, subCreateOptions, null);
-        org.GatewaySubscriptionId = subscription.Id;
-
-        if (subscription.Status == "incomplete" &&
-            subscription.LatestInvoice?.PaymentIntent?.Status == "requires_action")
-        {
-            org.Enabled = false;
-            return subscription.LatestInvoice.PaymentIntent.ClientSecret;
-        }
-        else
-        {
-            org.Enabled = true;
-            org.ExpirationDate = subscription.CurrentPeriodEnd;
-            return null;
-        }
-    }
-
-    private (bool stripePaymentMethod, PaymentMethodType PaymentMethodType) IdentifyPaymentMethod(
-            Customer customer, SubscriptionCreateOptions subCreateOptions)
-    {
-        var stripePaymentMethod = false;
-        var paymentMethodType = PaymentMethodType.Credit;
-        var hasBtCustomerId = customer.Metadata.ContainsKey("btCustomerId");
-        if (hasBtCustomerId)
-        {
-            paymentMethodType = PaymentMethodType.PayPal;
-        }
-        else
-        {
-            if (customer.InvoiceSettings?.DefaultPaymentMethod?.Type == "card")
-            {
-                paymentMethodType = PaymentMethodType.Card;
-                stripePaymentMethod = true;
-            }
-            else if (customer.DefaultSource != null)
-            {
-                if (customer.DefaultSource is Card || customer.DefaultSource is SourceCard)
-                {
-                    paymentMethodType = PaymentMethodType.Card;
-                    stripePaymentMethod = true;
-                }
-                else if (customer.DefaultSource is BankAccount || customer.DefaultSource is SourceAchDebit)
-                {
-                    paymentMethodType = PaymentMethodType.BankAccount;
-                    stripePaymentMethod = true;
-                }
-            }
-            else
-            {
-                var paymentMethod = GetLatestCardPaymentMethod(customer.Id);
-                if (paymentMethod != null)
-                {
-                    paymentMethodType = PaymentMethodType.Card;
-                    stripePaymentMethod = true;
-                    subCreateOptions.DefaultPaymentMethod = paymentMethod.Id;
-                }
-            }
-        }
-        return (stripePaymentMethod, paymentMethodType);
-    }
-
-    public async Task<string> PurchasePremiumAsync(User user, PaymentMethodType paymentMethodType,
-        string paymentToken, short additionalStorageGb, TaxInfo taxInfo)
-    {
-        if (paymentMethodType != PaymentMethodType.Credit && string.IsNullOrWhiteSpace(paymentToken))
-        {
-            throw new BadRequestException("Payment token is required.");
-        }
-        if (paymentMethodType == PaymentMethodType.Credit &&
-            (user.Gateway != GatewayType.Stripe || string.IsNullOrWhiteSpace(user.GatewayCustomerId)))
-        {
-            throw new BadRequestException("Your account does not have any credit available.");
-        }
-        if (paymentMethodType is PaymentMethodType.BankAccount)
-        {
-            throw new GatewayException("Payment method is not supported at this time.");
-        }
-
-        var createdStripeCustomer = false;
-        Customer customer = null;
-        Braintree.Customer braintreeCustomer = null;
-        var stripePaymentMethod = paymentMethodType is PaymentMethodType.Card or PaymentMethodType.BankAccount
-            or PaymentMethodType.Credit;
-
-        string stipeCustomerPaymentMethodId = null;
-        string stipeCustomerSourceToken = null;
-        if (stripePaymentMethod && !string.IsNullOrWhiteSpace(paymentToken))
-        {
-            if (paymentToken.StartsWith("pm_"))
-            {
-                stipeCustomerPaymentMethodId = paymentToken;
-            }
-            else
-            {
-                stipeCustomerSourceToken = paymentToken;
-            }
-        }
-
-        if (user.Gateway == GatewayType.Stripe && !string.IsNullOrWhiteSpace(user.GatewayCustomerId))
-        {
-            if (!string.IsNullOrWhiteSpace(paymentToken))
-            {
-                await UpdatePaymentMethodAsync(user, paymentMethodType, paymentToken, taxInfo);
-            }
-
-            try
-            {
-                var customerGetOptions = new CustomerGetOptions();
-                customerGetOptions.AddExpand("tax");
-                customer = await _stripeAdapter.CustomerGetAsync(user.GatewayCustomerId, customerGetOptions);
-            }
-            catch
-            {
-                _logger.LogWarning(
-                    "Attempted to get existing customer from Stripe, but customer ID was not found. Attempting to recreate customer...");
-            }
-        }
-
-        if (customer == null && !string.IsNullOrWhiteSpace(paymentToken))
-        {
-            var stripeCustomerMetadata = new Dictionary<string, string>
-            {
-                { "region", _globalSettings.BaseServiceUri.CloudRegion }
-            };
-            if (paymentMethodType == PaymentMethodType.PayPal)
-            {
-                var randomSuffix = Utilities.CoreHelpers.RandomString(3, upper: false, numeric: false);
-                var customerResult = await _btGateway.Customer.CreateAsync(new Braintree.CustomerRequest
-                {
-                    PaymentMethodNonce = paymentToken,
-                    Email = user.Email,
-                    Id = user.BraintreeCustomerIdPrefix() + user.Id.ToString("N").ToLower() + randomSuffix,
-                    CustomFields = new Dictionary<string, string>
-                    {
-                        [user.BraintreeIdField()] = user.Id.ToString(),
-                        [user.BraintreeCloudRegionField()] = _globalSettings.BaseServiceUri.CloudRegion
-                    }
-                });
-
-                if (!customerResult.IsSuccess() || customerResult.Target.PaymentMethods.Length == 0)
-                {
-                    throw new GatewayException("Failed to create PayPal customer record.");
-                }
-
-                braintreeCustomer = customerResult.Target;
-                stripeCustomerMetadata.Add("btCustomerId", braintreeCustomer.Id);
-            }
-            else if (!stripePaymentMethod)
-            {
-                throw new GatewayException("Payment method is not supported at this time.");
-            }
-
-            var customerCreateOptions = new CustomerCreateOptions
-            {
-                Description = user.Name,
-                Email = user.Email,
-                Metadata = stripeCustomerMetadata,
-                PaymentMethod = stipeCustomerPaymentMethodId,
-                Source = stipeCustomerSourceToken,
-                InvoiceSettings = new CustomerInvoiceSettingsOptions
-                {
-                    DefaultPaymentMethod = stipeCustomerPaymentMethodId,
-                    CustomFields =
-                    [
-                        new CustomerInvoiceSettingsCustomFieldOptions()
-                        {
-                            Name = user.SubscriberType(),
-                            Value = GetFirstThirtyCharacters(user.SubscriberName()),
-                        }
-
-                    ]
-                },
-                Address = new AddressOptions
-                {
-                    Line1 = string.Empty,
-                    Country = taxInfo.BillingAddressCountry,
-                    PostalCode = taxInfo.BillingAddressPostalCode,
-                },
-            };
-            customerCreateOptions.AddExpand("tax");
-            customer = await _stripeAdapter.CustomerCreateAsync(customerCreateOptions);
-            createdStripeCustomer = true;
-        }
-
-        if (customer == null)
-        {
-            throw new GatewayException("Could not set up customer payment profile.");
-        }
-
-        var subCreateOptions = new SubscriptionCreateOptions
-        {
-            Customer = customer.Id,
-            Items = [],
-            Metadata = new Dictionary<string, string>
-            {
-                [user.GatewayIdField()] = user.Id.ToString()
-            }
-        };
-
-        subCreateOptions.Items.Add(new SubscriptionItemOptions
-        {
-            Plan = PremiumPlanId,
-            Quantity = 1
-        });
-
-        if (additionalStorageGb > 0)
-        {
-            subCreateOptions.Items.Add(new SubscriptionItemOptions
-            {
-                Plan = StoragePlanId,
-                Quantity = additionalStorageGb
-            });
-        }
-
-        subCreateOptions.EnableAutomaticTax(customer);
-
-        var subscription = await ChargeForNewSubscriptionAsync(user, customer, createdStripeCustomer,
-            stripePaymentMethod, paymentMethodType, subCreateOptions, braintreeCustomer);
-
-        user.Gateway = GatewayType.Stripe;
-        user.GatewayCustomerId = customer.Id;
-        user.GatewaySubscriptionId = subscription.Id;
-
-        if (subscription.Status == "incomplete" &&
-            subscription.LatestInvoice?.PaymentIntent?.Status == "requires_action")
-        {
-            return subscription.LatestInvoice.PaymentIntent.ClientSecret;
-        }
-
-        user.Premium = true;
-        user.PremiumExpirationDate = subscription.CurrentPeriodEnd;
-        return null;
-    }
-
-    private async Task<Subscription> ChargeForNewSubscriptionAsync(ISubscriber subscriber, Customer customer,
-        bool createdStripeCustomer, bool stripePaymentMethod, PaymentMethodType paymentMethodType,
-        SubscriptionCreateOptions subCreateOptions, Braintree.Customer braintreeCustomer)
-    {
-        var addedCreditToStripeCustomer = false;
-        Braintree.Transaction braintreeTransaction = null;
-
-        var subInvoiceMetadata = new Dictionary<string, string>();
-        Subscription subscription = null;
-        try
-        {
-            if (!stripePaymentMethod)
-            {
-                var previewInvoice = await _stripeAdapter.InvoiceUpcomingAsync(new UpcomingInvoiceOptions
-                {
-                    Customer = customer.Id,
-                    SubscriptionItems = ToInvoiceSubscriptionItemOptions(subCreateOptions.Items)
-                });
-
-                if (customer.HasTaxLocationVerified())
-                {
-                    previewInvoice.AutomaticTax = new InvoiceAutomaticTax { Enabled = true };
-                }
-
-                if (previewInvoice.AmountDue > 0)
-                {
-                    var braintreeCustomerId = customer.Metadata != null &&
-                        customer.Metadata.ContainsKey("btCustomerId") ? customer.Metadata["btCustomerId"] : null;
-                    if (!string.IsNullOrWhiteSpace(braintreeCustomerId))
-                    {
-                        var btInvoiceAmount = (previewInvoice.AmountDue / 100M);
-                        var transactionResult = await _btGateway.Transaction.SaleAsync(
-                            new Braintree.TransactionRequest
-                            {
-                                Amount = btInvoiceAmount,
-                                CustomerId = braintreeCustomerId,
-                                Options = new Braintree.TransactionOptionsRequest
-                                {
-                                    SubmitForSettlement = true,
-                                    PayPal = new Braintree.TransactionOptionsPayPalRequest
-                                    {
-                                        CustomField = $"{subscriber.BraintreeIdField()}:{subscriber.Id},{subscriber.BraintreeCloudRegionField()}:{_globalSettings.BaseServiceUri.CloudRegion}"
-                                    }
-                                },
-                                CustomFields = new Dictionary<string, string>
-                                {
-                                    [subscriber.BraintreeIdField()] = subscriber.Id.ToString(),
-                                    [subscriber.BraintreeCloudRegionField()] = _globalSettings.BaseServiceUri.CloudRegion
-                                }
-                            });
-
-                        if (!transactionResult.IsSuccess())
-                        {
-                            throw new GatewayException("Failed to charge PayPal customer.");
-                        }
-
-                        braintreeTransaction = transactionResult.Target;
-                        subInvoiceMetadata.Add("btTransactionId", braintreeTransaction.Id);
-                        subInvoiceMetadata.Add("btPayPalTransactionId",
-                            braintreeTransaction.PayPalDetails.AuthorizationId);
-                    }
-                    else
-                    {
-                        throw new GatewayException("No payment was able to be collected.");
-                    }
-
-                    await _stripeAdapter.CustomerUpdateAsync(customer.Id, new CustomerUpdateOptions
-                    {
-                        Balance = customer.Balance - previewInvoice.AmountDue
-                    });
-                    addedCreditToStripeCustomer = true;
-                }
-            }
-            else if (paymentMethodType == PaymentMethodType.Credit)
-            {
-                var upcomingInvoiceOptions = new UpcomingInvoiceOptions
-                {
-                    Customer = customer.Id,
-                    SubscriptionItems = ToInvoiceSubscriptionItemOptions(subCreateOptions.Items),
-                    SubscriptionDefaultTaxRates = subCreateOptions.DefaultTaxRates,
-                };
-
-                upcomingInvoiceOptions.EnableAutomaticTax(customer, null);
-
-                var previewInvoice = await _stripeAdapter.InvoiceUpcomingAsync(upcomingInvoiceOptions);
-
-                if (previewInvoice.AmountDue > 0)
-                {
-                    throw new GatewayException("Your account does not have enough credit available.");
-                }
-            }
-
-            subCreateOptions.OffSession = true;
-            subCreateOptions.AddExpand("latest_invoice.payment_intent");
-
-            subscription = await _stripeAdapter.SubscriptionCreateAsync(subCreateOptions);
-            if (subscription.Status == "incomplete" && subscription.LatestInvoice?.PaymentIntent != null)
-            {
-                if (subscription.LatestInvoice.PaymentIntent.Status == "requires_payment_method")
-                {
-                    await _stripeAdapter.SubscriptionCancelAsync(subscription.Id, new SubscriptionCancelOptions());
-                    throw new GatewayException("Payment method was declined.");
-                }
-            }
-
-            if (!stripePaymentMethod && subInvoiceMetadata.Any())
-            {
-                var invoices = await _stripeAdapter.InvoiceListAsync(new StripeInvoiceListOptions
-                {
-                    Subscription = subscription.Id
-                });
-
-                var invoice = invoices?.FirstOrDefault();
-                if (invoice == null)
-                {
-                    throw new GatewayException("Invoice not found.");
-                }
-
-                await _stripeAdapter.InvoiceUpdateAsync(invoice.Id, new InvoiceUpdateOptions
-                {
-                    Metadata = subInvoiceMetadata
-                });
-            }
-
-            return subscription;
-        }
-        catch (Exception e)
-        {
-            if (customer != null)
-            {
-                if (createdStripeCustomer)
-                {
-                    await _stripeAdapter.CustomerDeleteAsync(customer.Id);
-                }
-                else if (addedCreditToStripeCustomer || customer.Balance < 0)
-                {
-                    await _stripeAdapter.CustomerUpdateAsync(customer.Id, new CustomerUpdateOptions
-                    {
-                        Balance = customer.Balance
-                    });
-                }
-            }
-            if (braintreeTransaction != null)
-            {
-                await _btGateway.Transaction.RefundAsync(braintreeTransaction.Id);
-            }
-            if (braintreeCustomer != null)
-            {
-                await _btGateway.Customer.DeleteAsync(braintreeCustomer.Id);
-            }
-
-            if (e is StripeException strEx &&
-                (strEx.StripeError?.Message?.Contains("cannot be used because it is not verified") ?? false))
-            {
-                throw new GatewayException("Bank account is not yet verified.");
-            }
-
-            throw;
-        }
-    }
-
-    private List<InvoiceSubscriptionItemOptions> ToInvoiceSubscriptionItemOptions(
-        List<SubscriptionItemOptions> subItemOptions)
-    {
-        return subItemOptions.Select(si => new InvoiceSubscriptionItemOptions
-        {
-            Plan = si.Plan,
-            Price = si.Price,
-            Quantity = si.Quantity,
-            Id = si.Id
-        }).ToList();
-    }
-
     private async Task<string> FinalizeSubscriptionChangeAsync(ISubscriber subscriber,
         SubscriptionUpdate subscriptionUpdate, bool invoiceNow = false)
     {
@@ -1400,7 +711,7 @@ public class StripePaymentService : IPaymentService
                             new CustomerInvoiceSettingsCustomFieldOptions()
                             {
                                 Name = subscriber.SubscriberType(),
-                                Value = GetFirstThirtyCharacters(subscriber.SubscriberName()),
+                                Value = subscriber.GetFormattedInvoiceName()
                             }
 
                         ]
@@ -1492,7 +803,7 @@ public class StripePaymentService : IPaymentService
                             new CustomerInvoiceSettingsCustomFieldOptions()
                             {
                                 Name = subscriber.SubscriberType(),
-                                Value = GetFirstThirtyCharacters(subscriber.SubscriberName())
+                                Value = subscriber.GetFormattedInvoiceName()
                             }
                         ]
                     },
@@ -1560,7 +871,7 @@ public class StripePaymentService : IPaymentService
         var customer = await GetCustomerAsync(subscriber.GatewayCustomerId, GetCustomerPaymentOptions());
         var billingInfo = new BillingInfo
         {
-            Balance = GetBillingBalance(customer),
+            Balance = customer.GetBillingBalance(),
             PaymentSource = await GetBillingPaymentSourceAsync(customer)
         };
 
@@ -1768,27 +1079,6 @@ public class StripePaymentService : IPaymentService
             new SecretsManagerSubscribeUpdate(org, plan, additionalSmSeats, additionalServiceAccount),
             true);
 
-    public async Task<bool> RisksSubscriptionFailure(Organization organization)
-    {
-        var subscriptionInfo = await GetSubscriptionAsync(organization);
-
-        if (subscriptionInfo.Subscription is not
-            {
-                Status: "active" or "trialing" or "past_due",
-                CollectionMethod: "charge_automatically"
-            }
-            || subscriptionInfo.UpcomingInvoice == null)
-        {
-            return false;
-        }
-
-        var customer = await GetCustomerAsync(organization.GatewayCustomerId, GetCustomerPaymentOptions());
-
-        var paymentSource = await GetBillingPaymentSourceAsync(customer);
-
-        return paymentSource == null;
-    }
-
     public async Task<bool> HasSecretsManagerStandalone(Organization organization)
     {
         if (string.IsNullOrEmpty(organization.GatewayCustomerId))
@@ -1801,7 +1091,7 @@ public class StripePaymentService : IPaymentService
         return customer?.Discount?.Coupon?.Id == SecretsManagerStandaloneDiscountId;
     }
 
-    public async Task<(DateTime?, DateTime?)> GetSuspensionDateAsync(Subscription subscription)
+    private async Task<(DateTime?, DateTime?)> GetSuspensionDateAsync(Subscription subscription)
     {
         if (subscription.Status is not "past_due" && subscription.Status is not "unpaid")
         {
@@ -2117,11 +1407,6 @@ public class StripePaymentService : IPaymentService
         return cardPaymentMethods.OrderByDescending(m => m.Created).FirstOrDefault();
     }
 
-    private decimal GetBillingBalance(Customer customer)
-    {
-        return customer != null ? customer.Balance / 100M : default;
-    }
-
     private async Task<BillingInfo.BillingSource> GetBillingPaymentSourceAsync(Customer customer)
     {
         if (customer == null)
@@ -2252,18 +1537,4 @@ public class StripePaymentService : IPaymentService
             throw new GatewayException("Failed to retrieve current invoices", exception);
         }
     }
-
-    // We are taking only first 30 characters of the SubscriberName because stripe provide
-    // for 30 characters  for custom_fields,see the link: https://stripe.com/docs/api/invoices/create
-    private static string GetFirstThirtyCharacters(string subscriberName)
-    {
-        if (string.IsNullOrWhiteSpace(subscriberName))
-        {
-            return string.Empty;
-        }
-
-        return subscriberName.Length <= 30
-            ? subscriberName
-            : subscriberName[..30];
-    }
 }
diff --git a/test/Core.Test/Extensions/SubscriberExtensionsTests.cs b/test/Core.Test/Extensions/SubscriberExtensionsTests.cs
new file mode 100644
index 0000000000..e0b4cfd9f2
--- /dev/null
+++ b/test/Core.Test/Extensions/SubscriberExtensionsTests.cs
@@ -0,0 +1,23 @@
+using Bit.Core.AdminConsole.Entities.Provider;
+using Bit.Core.Billing.Extensions;
+using Xunit;
+
+namespace Bit.Core.Test.Extensions;
+
+public class SubscriberExtensionsTests
+{
+    [Theory]
+    [InlineData("Alexandria Villanueva Gonzalez Pablo", "Alexandria Villanueva Gonzalez")]
+    [InlineData("John Snow", "John Snow")]
+    public void GetFormattedInvoiceName_Returns_FirstThirtyCaractersOfName(string name, string expected)
+    {
+        // arrange
+        var provider = new Provider { Name = name };
+
+        // act
+        var actual = provider.GetFormattedInvoiceName();
+
+        // assert
+        Assert.Equal(expected, actual);
+    }
+}
diff --git a/test/Core.Test/Services/StripePaymentServiceTests.cs b/test/Core.Test/Services/StripePaymentServiceTests.cs
deleted file mode 100644
index 11a19656e1..0000000000
--- a/test/Core.Test/Services/StripePaymentServiceTests.cs
+++ /dev/null
@@ -1,828 +0,0 @@
-using Bit.Core.AdminConsole.Entities;
-using Bit.Core.Billing.Enums;
-using Bit.Core.Billing.Services;
-using Bit.Core.Enums;
-using Bit.Core.Exceptions;
-using Bit.Core.Models.Business;
-using Bit.Core.Services;
-using Bit.Core.Settings;
-using Bit.Core.Utilities;
-using Bit.Test.Common.AutoFixture;
-using Bit.Test.Common.AutoFixture.Attributes;
-using Braintree;
-using NSubstitute;
-using Xunit;
-using Customer = Braintree.Customer;
-using PaymentMethod = Braintree.PaymentMethod;
-using PaymentMethodType = Bit.Core.Enums.PaymentMethodType;
-
-namespace Bit.Core.Test.Services;
-
-[SutProviderCustomize]
-public class StripePaymentServiceTests
-{
-    [Theory]
-    [BitAutoData(PaymentMethodType.BitPay)]
-    [BitAutoData(PaymentMethodType.BitPay)]
-    [BitAutoData(PaymentMethodType.Credit)]
-    [BitAutoData(PaymentMethodType.WireTransfer)]
-    [BitAutoData(PaymentMethodType.Check)]
-    public async Task PurchaseOrganizationAsync_Invalid(PaymentMethodType paymentMethodType, SutProvider<StripePaymentService> sutProvider)
-    {
-        var exception = await Assert.ThrowsAsync<GatewayException>(
-            () => sutProvider.Sut.PurchaseOrganizationAsync(null, paymentMethodType, null, null, 0, 0, false, null, false, -1, -1));
-
-        Assert.Equal("Payment method is not supported at this time.", exception.Message);
-    }
-
-    [Theory, BitAutoData]
-    public async Task PurchaseOrganizationAsync_Stripe_ProviderOrg_Coupon_Add(SutProvider<StripePaymentService> sutProvider, Organization organization, string paymentToken, TaxInfo taxInfo, bool provider = true)
-    {
-        var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
-
-        sutProvider
-            .GetDependency<ITaxService>()
-            .GetStripeTaxCode(Arg.Is<string>(p => p == taxInfo.BillingAddressCountry), Arg.Is<string>(p => p == taxInfo.TaxIdNumber))
-            .Returns(taxInfo.TaxIdType);
-
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter.CustomerCreateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
-        {
-            Id = "C-1",
-        });
-        stripeAdapter.SubscriptionCreateAsync(default).ReturnsForAnyArgs(new Stripe.Subscription
-        {
-            Id = "S-1",
-            CurrentPeriodEnd = DateTime.Today.AddDays(10),
-        });
-        sutProvider.GetDependency<IGlobalSettings>()
-            .BaseServiceUri.CloudRegion
-            .Returns("US");
-
-        var result = await sutProvider.Sut.PurchaseOrganizationAsync(organization, PaymentMethodType.Card, paymentToken, plan, 0, 0, false, taxInfo, provider);
-
-        Assert.Null(result);
-        Assert.Equal(GatewayType.Stripe, organization.Gateway);
-        Assert.Equal("C-1", organization.GatewayCustomerId);
-        Assert.Equal("S-1", organization.GatewaySubscriptionId);
-        Assert.True(organization.Enabled);
-        Assert.Equal(DateTime.Today.AddDays(10), organization.ExpirationDate);
-
-        await stripeAdapter.Received().CustomerCreateAsync(Arg.Is<Stripe.CustomerCreateOptions>(c =>
-            c.Description == organization.BusinessName &&
-            c.Email == organization.BillingEmail &&
-            c.Source == paymentToken &&
-            c.PaymentMethod == null &&
-            c.Coupon == "msp-discount-35" &&
-            c.Metadata.Count == 1 &&
-            c.Metadata["region"] == "US" &&
-            c.InvoiceSettings.DefaultPaymentMethod == null &&
-            c.Address.Country == taxInfo.BillingAddressCountry &&
-            c.Address.PostalCode == taxInfo.BillingAddressPostalCode &&
-            c.Address.Line1 == taxInfo.BillingAddressLine1 &&
-            c.Address.Line2 == taxInfo.BillingAddressLine2 &&
-            c.Address.City == taxInfo.BillingAddressCity &&
-            c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
-            c.TaxIdData.First().Type == taxInfo.TaxIdType
-        ));
-
-        await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>
-            s.Customer == "C-1" &&
-            s.Expand[0] == "latest_invoice.payment_intent" &&
-            s.Metadata[organization.GatewayIdField()] == organization.Id.ToString() &&
-            s.Items.Count == 0
-        ));
-    }
-
-    [Theory, BitAutoData]
-    public async Task PurchaseOrganizationAsync_SM_Stripe_ProviderOrg_Coupon_Add(SutProvider<StripePaymentService> sutProvider, Organization organization,
-        string paymentToken, TaxInfo taxInfo, bool provider = true)
-    {
-        var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
-        organization.UseSecretsManager = true;
-
-        sutProvider
-            .GetDependency<ITaxService>()
-            .GetStripeTaxCode(Arg.Is<string>(p => p == taxInfo.BillingAddressCountry), Arg.Is<string>(p => p == taxInfo.TaxIdNumber))
-            .Returns(taxInfo.TaxIdType);
-
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter.CustomerCreateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
-        {
-            Id = "C-1",
-        });
-        stripeAdapter.SubscriptionCreateAsync(default).ReturnsForAnyArgs(new Stripe.Subscription
-        {
-            Id = "S-1",
-            CurrentPeriodEnd = DateTime.Today.AddDays(10),
-
-        });
-        sutProvider.GetDependency<IGlobalSettings>()
-            .BaseServiceUri.CloudRegion
-            .Returns("US");
-
-        var result = await sutProvider.Sut.PurchaseOrganizationAsync(organization, PaymentMethodType.Card, paymentToken, plan, 1, 1,
-            false, taxInfo, provider, 1, 1);
-
-        Assert.Null(result);
-        Assert.Equal(GatewayType.Stripe, organization.Gateway);
-        Assert.Equal("C-1", organization.GatewayCustomerId);
-        Assert.Equal("S-1", organization.GatewaySubscriptionId);
-        Assert.True(organization.Enabled);
-        Assert.Equal(DateTime.Today.AddDays(10), organization.ExpirationDate);
-
-        await stripeAdapter.Received().CustomerCreateAsync(Arg.Is<Stripe.CustomerCreateOptions>(c =>
-            c.Description == organization.BusinessName &&
-            c.Email == organization.BillingEmail &&
-            c.Source == paymentToken &&
-            c.PaymentMethod == null &&
-            c.Coupon == "msp-discount-35" &&
-            c.Metadata.Count == 1 &&
-            c.Metadata["region"] == "US" &&
-            c.InvoiceSettings.DefaultPaymentMethod == null &&
-            c.Address.Country == taxInfo.BillingAddressCountry &&
-            c.Address.PostalCode == taxInfo.BillingAddressPostalCode &&
-            c.Address.Line1 == taxInfo.BillingAddressLine1 &&
-            c.Address.Line2 == taxInfo.BillingAddressLine2 &&
-            c.Address.City == taxInfo.BillingAddressCity &&
-            c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
-            c.TaxIdData.First().Type == taxInfo.TaxIdType
-        ));
-
-        await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>
-            s.Customer == "C-1" &&
-            s.Expand[0] == "latest_invoice.payment_intent" &&
-            s.Metadata[organization.GatewayIdField()] == organization.Id.ToString() &&
-            s.Items.Count == 4
-        ));
-    }
-
-    [Theory, BitAutoData]
-    public async Task PurchaseOrganizationAsync_Stripe(SutProvider<StripePaymentService> sutProvider, Organization organization, string paymentToken, TaxInfo taxInfo)
-    {
-        var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
-        organization.UseSecretsManager = true;
-
-        sutProvider
-            .GetDependency<ITaxService>()
-            .GetStripeTaxCode(Arg.Is<string>(p => p == taxInfo.BillingAddressCountry), Arg.Is<string>(p => p == taxInfo.TaxIdNumber))
-            .Returns(taxInfo.TaxIdType);
-
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter.CustomerCreateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
-        {
-            Id = "C-1",
-        });
-        stripeAdapter.SubscriptionCreateAsync(default).ReturnsForAnyArgs(new Stripe.Subscription
-        {
-            Id = "S-1",
-            CurrentPeriodEnd = DateTime.Today.AddDays(10),
-        });
-        sutProvider.GetDependency<IGlobalSettings>()
-            .BaseServiceUri.CloudRegion
-            .Returns("US");
-
-        var result = await sutProvider.Sut.PurchaseOrganizationAsync(organization, PaymentMethodType.Card, paymentToken, plan, 0, 0
-            , false, taxInfo, false, 8, 10);
-
-        Assert.Null(result);
-        Assert.Equal(GatewayType.Stripe, organization.Gateway);
-        Assert.Equal("C-1", organization.GatewayCustomerId);
-        Assert.Equal("S-1", organization.GatewaySubscriptionId);
-        Assert.True(organization.Enabled);
-        Assert.Equal(DateTime.Today.AddDays(10), organization.ExpirationDate);
-        await stripeAdapter.Received().CustomerCreateAsync(Arg.Is<Stripe.CustomerCreateOptions>(c =>
-            c.Description == organization.BusinessName &&
-            c.Email == organization.BillingEmail &&
-            c.Source == paymentToken &&
-            c.PaymentMethod == null &&
-            c.Metadata.Count == 1 &&
-            c.Metadata["region"] == "US" &&
-            c.InvoiceSettings.DefaultPaymentMethod == null &&
-            c.InvoiceSettings.CustomFields != null &&
-            c.InvoiceSettings.CustomFields[0].Name == "Organization" &&
-            c.InvoiceSettings.CustomFields[0].Value == organization.SubscriberName().Substring(0, 30) &&
-            c.Address.Country == taxInfo.BillingAddressCountry &&
-            c.Address.PostalCode == taxInfo.BillingAddressPostalCode &&
-            c.Address.Line1 == taxInfo.BillingAddressLine1 &&
-            c.Address.Line2 == taxInfo.BillingAddressLine2 &&
-            c.Address.City == taxInfo.BillingAddressCity &&
-            c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
-            c.TaxIdData.First().Type == taxInfo.TaxIdType
-        ));
-
-        await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>
-            s.Customer == "C-1" &&
-            s.Expand[0] == "latest_invoice.payment_intent" &&
-            s.Metadata[organization.GatewayIdField()] == organization.Id.ToString() &&
-            s.Items.Count == 2
-        ));
-    }
-
-    [Theory, BitAutoData]
-    public async Task PurchaseOrganizationAsync_Stripe_PM(SutProvider<StripePaymentService> sutProvider, Organization organization, string paymentToken, TaxInfo taxInfo)
-    {
-        var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
-        paymentToken = "pm_" + paymentToken;
-
-        sutProvider
-            .GetDependency<ITaxService>()
-            .GetStripeTaxCode(Arg.Is<string>(p => p == taxInfo.BillingAddressCountry), Arg.Is<string>(p => p == taxInfo.TaxIdNumber))
-            .Returns(taxInfo.TaxIdType);
-
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter.CustomerCreateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
-        {
-            Id = "C-1",
-        });
-        stripeAdapter.SubscriptionCreateAsync(default).ReturnsForAnyArgs(new Stripe.Subscription
-        {
-            Id = "S-1",
-            CurrentPeriodEnd = DateTime.Today.AddDays(10),
-        });
-        sutProvider.GetDependency<IGlobalSettings>()
-            .BaseServiceUri.CloudRegion
-            .Returns("US");
-
-        var result = await sutProvider.Sut.PurchaseOrganizationAsync(organization, PaymentMethodType.Card, paymentToken, plan, 0, 0, false, taxInfo);
-
-        Assert.Null(result);
-        Assert.Equal(GatewayType.Stripe, organization.Gateway);
-        Assert.Equal("C-1", organization.GatewayCustomerId);
-        Assert.Equal("S-1", organization.GatewaySubscriptionId);
-        Assert.True(organization.Enabled);
-        Assert.Equal(DateTime.Today.AddDays(10), organization.ExpirationDate);
-
-        await stripeAdapter.Received().CustomerCreateAsync(Arg.Is<Stripe.CustomerCreateOptions>(c =>
-            c.Description == organization.BusinessName &&
-            c.Email == organization.BillingEmail &&
-            c.Source == null &&
-            c.PaymentMethod == paymentToken &&
-            c.Metadata.Count == 1 &&
-            c.Metadata["region"] == "US" &&
-            c.InvoiceSettings.DefaultPaymentMethod == paymentToken &&
-            c.InvoiceSettings.CustomFields != null &&
-            c.InvoiceSettings.CustomFields[0].Name == "Organization" &&
-            c.InvoiceSettings.CustomFields[0].Value == organization.SubscriberName().Substring(0, 30) &&
-            c.Address.Country == taxInfo.BillingAddressCountry &&
-            c.Address.PostalCode == taxInfo.BillingAddressPostalCode &&
-            c.Address.Line1 == taxInfo.BillingAddressLine1 &&
-            c.Address.Line2 == taxInfo.BillingAddressLine2 &&
-            c.Address.City == taxInfo.BillingAddressCity &&
-            c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
-            c.TaxIdData.First().Type == taxInfo.TaxIdType
-        ));
-
-        await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>
-            s.Customer == "C-1" &&
-            s.Expand[0] == "latest_invoice.payment_intent" &&
-            s.Metadata[organization.GatewayIdField()] == organization.Id.ToString() &&
-            s.Items.Count == 0
-        ));
-    }
-
-    [Theory, BitAutoData]
-    public async Task PurchaseOrganizationAsync_Stripe_Declined(SutProvider<StripePaymentService> sutProvider, Organization organization, string paymentToken, TaxInfo taxInfo)
-    {
-        var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
-        paymentToken = "pm_" + paymentToken;
-
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter.CustomerCreateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
-        {
-            Id = "C-1",
-        });
-        stripeAdapter.SubscriptionCreateAsync(default).ReturnsForAnyArgs(new Stripe.Subscription
-        {
-            Id = "S-1",
-            CurrentPeriodEnd = DateTime.Today.AddDays(10),
-            Status = "incomplete",
-            LatestInvoice = new Stripe.Invoice
-            {
-                PaymentIntent = new Stripe.PaymentIntent
-                {
-                    Status = "requires_payment_method",
-                },
-            },
-        });
-
-        var exception = await Assert.ThrowsAsync<GatewayException>(
-            () => sutProvider.Sut.PurchaseOrganizationAsync(organization, PaymentMethodType.Card, paymentToken, plan, 0, 0, false, taxInfo));
-
-        Assert.Equal("Payment method was declined.", exception.Message);
-
-        await stripeAdapter.Received(1).CustomerDeleteAsync("C-1");
-    }
-
-    [Theory, BitAutoData]
-    public async Task PurchaseOrganizationAsync_SM_Stripe_Declined(SutProvider<StripePaymentService> sutProvider, Organization organization, string paymentToken, TaxInfo taxInfo)
-    {
-        var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
-        paymentToken = "pm_" + paymentToken;
-
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter.CustomerCreateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
-        {
-            Id = "C-1",
-        });
-        stripeAdapter.SubscriptionCreateAsync(default).ReturnsForAnyArgs(new Stripe.Subscription
-        {
-            Id = "S-1",
-            CurrentPeriodEnd = DateTime.Today.AddDays(10),
-            Status = "incomplete",
-            LatestInvoice = new Stripe.Invoice
-            {
-                PaymentIntent = new Stripe.PaymentIntent
-                {
-                    Status = "requires_payment_method",
-                },
-            },
-        });
-
-        var exception = await Assert.ThrowsAsync<GatewayException>(
-            () => sutProvider.Sut.PurchaseOrganizationAsync(organization, PaymentMethodType.Card, paymentToken, plan,
-                1, 12, false, taxInfo, false, 10, 10));
-
-        Assert.Equal("Payment method was declined.", exception.Message);
-
-        await stripeAdapter.Received(1).CustomerDeleteAsync("C-1");
-    }
-
-    [Theory, BitAutoData]
-    public async Task PurchaseOrganizationAsync_Stripe_RequiresAction(SutProvider<StripePaymentService> sutProvider, Organization organization, string paymentToken, TaxInfo taxInfo)
-    {
-        var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
-
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter.CustomerCreateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
-        {
-            Id = "C-1",
-        });
-        stripeAdapter.SubscriptionCreateAsync(default).ReturnsForAnyArgs(new Stripe.Subscription
-        {
-            Id = "S-1",
-            CurrentPeriodEnd = DateTime.Today.AddDays(10),
-            Status = "incomplete",
-            LatestInvoice = new Stripe.Invoice
-            {
-                PaymentIntent = new Stripe.PaymentIntent
-                {
-                    Status = "requires_action",
-                    ClientSecret = "clientSecret",
-                },
-            },
-        });
-
-        var result = await sutProvider.Sut.PurchaseOrganizationAsync(organization, PaymentMethodType.Card, paymentToken, plan, 0, 0, false, taxInfo);
-
-        Assert.Equal("clientSecret", result);
-        Assert.False(organization.Enabled);
-    }
-
-    [Theory, BitAutoData]
-    public async Task PurchaseOrganizationAsync_SM_Stripe_RequiresAction(SutProvider<StripePaymentService> sutProvider, Organization organization, string paymentToken, TaxInfo taxInfo)
-    {
-        var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
-
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter.CustomerCreateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
-        {
-            Id = "C-1",
-        });
-        stripeAdapter.SubscriptionCreateAsync(default).ReturnsForAnyArgs(new Stripe.Subscription
-        {
-            Id = "S-1",
-            CurrentPeriodEnd = DateTime.Today.AddDays(10),
-            Status = "incomplete",
-            LatestInvoice = new Stripe.Invoice
-            {
-                PaymentIntent = new Stripe.PaymentIntent
-                {
-                    Status = "requires_action",
-                    ClientSecret = "clientSecret",
-                },
-            },
-        });
-
-        var result = await sutProvider.Sut.PurchaseOrganizationAsync(organization, PaymentMethodType.Card, paymentToken, plan,
-            10, 10, false, taxInfo, false, 10, 10);
-
-        Assert.Equal("clientSecret", result);
-        Assert.False(organization.Enabled);
-    }
-
-    [Theory, BitAutoData]
-    public async Task PurchaseOrganizationAsync_Paypal(SutProvider<StripePaymentService> sutProvider, Organization organization, string paymentToken, TaxInfo taxInfo)
-    {
-        var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
-
-        sutProvider
-            .GetDependency<ITaxService>()
-            .GetStripeTaxCode(Arg.Is<string>(p => p == taxInfo.BillingAddressCountry), Arg.Is<string>(p => p == taxInfo.TaxIdNumber))
-            .Returns(taxInfo.TaxIdType);
-
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter.CustomerCreateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
-        {
-            Id = "C-1",
-        });
-        stripeAdapter.SubscriptionCreateAsync(default).ReturnsForAnyArgs(new Stripe.Subscription
-        {
-            Id = "S-1",
-            CurrentPeriodEnd = DateTime.Today.AddDays(10),
-        });
-
-        sutProvider.GetDependency<IGlobalSettings>()
-            .BaseServiceUri.CloudRegion
-            .Returns("US");
-
-        var customer = Substitute.For<Customer>();
-        customer.Id.ReturnsForAnyArgs("Braintree-Id");
-        customer.PaymentMethods.ReturnsForAnyArgs(new[] { Substitute.For<PaymentMethod>() });
-        var customerResult = Substitute.For<Result<Customer>>();
-        customerResult.IsSuccess().Returns(true);
-        customerResult.Target.ReturnsForAnyArgs(customer);
-
-        var braintreeGateway = sutProvider.GetDependency<IBraintreeGateway>();
-        braintreeGateway.Customer.CreateAsync(default).ReturnsForAnyArgs(customerResult);
-
-        var result = await sutProvider.Sut.PurchaseOrganizationAsync(organization, PaymentMethodType.PayPal, paymentToken, plan, 0, 0, false, taxInfo);
-
-        Assert.Null(result);
-        Assert.Equal(GatewayType.Stripe, organization.Gateway);
-        Assert.Equal("C-1", organization.GatewayCustomerId);
-        Assert.Equal("S-1", organization.GatewaySubscriptionId);
-        Assert.True(organization.Enabled);
-        Assert.Equal(DateTime.Today.AddDays(10), organization.ExpirationDate);
-
-        await stripeAdapter.Received().CustomerCreateAsync(Arg.Is<Stripe.CustomerCreateOptions>(c =>
-            c.Description == organization.BusinessName &&
-            c.Email == organization.BillingEmail &&
-            c.PaymentMethod == null &&
-            c.Metadata.Count == 2 &&
-            c.Metadata["btCustomerId"] == "Braintree-Id" &&
-            c.Metadata["region"] == "US" &&
-            c.InvoiceSettings.DefaultPaymentMethod == null &&
-            c.Address.Country == taxInfo.BillingAddressCountry &&
-            c.Address.PostalCode == taxInfo.BillingAddressPostalCode &&
-            c.Address.Line1 == taxInfo.BillingAddressLine1 &&
-            c.Address.Line2 == taxInfo.BillingAddressLine2 &&
-            c.Address.City == taxInfo.BillingAddressCity &&
-            c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
-            c.TaxIdData.First().Type == taxInfo.TaxIdType
-        ));
-
-        await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>
-            s.Customer == "C-1" &&
-            s.Expand[0] == "latest_invoice.payment_intent" &&
-            s.Metadata[organization.GatewayIdField()] == organization.Id.ToString() &&
-            s.Items.Count == 0
-        ));
-    }
-
-    [Theory, BitAutoData]
-    public async Task PurchaseOrganizationAsync_SM_Paypal(SutProvider<StripePaymentService> sutProvider, Organization organization, string paymentToken, TaxInfo taxInfo)
-    {
-        var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
-        organization.UseSecretsManager = true;
-
-        sutProvider
-            .GetDependency<ITaxService>()
-            .GetStripeTaxCode(Arg.Is<string>(p => p == taxInfo.BillingAddressCountry), Arg.Is<string>(p => p == taxInfo.TaxIdNumber))
-            .Returns(taxInfo.TaxIdType);
-
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter.CustomerCreateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
-        {
-            Id = "C-1",
-        });
-        stripeAdapter.SubscriptionCreateAsync(default).ReturnsForAnyArgs(new Stripe.Subscription
-        {
-            Id = "S-1",
-            CurrentPeriodEnd = DateTime.Today.AddDays(10),
-        });
-
-        var customer = Substitute.For<Customer>();
-        customer.Id.ReturnsForAnyArgs("Braintree-Id");
-        customer.PaymentMethods.ReturnsForAnyArgs(new[] { Substitute.For<PaymentMethod>() });
-        var customerResult = Substitute.For<Result<Customer>>();
-        customerResult.IsSuccess().Returns(true);
-        customerResult.Target.ReturnsForAnyArgs(customer);
-
-        var braintreeGateway = sutProvider.GetDependency<IBraintreeGateway>();
-        braintreeGateway.Customer.CreateAsync(default).ReturnsForAnyArgs(customerResult);
-
-        sutProvider.GetDependency<IGlobalSettings>()
-            .BaseServiceUri.CloudRegion
-            .Returns("US");
-
-        var additionalStorage = (short)2;
-        var additionalSeats = 10;
-        var additionalSmSeats = 5;
-        var additionalServiceAccounts = 20;
-        var result = await sutProvider.Sut.PurchaseOrganizationAsync(organization, PaymentMethodType.PayPal, paymentToken, plan,
-            additionalStorage, additionalSeats, false, taxInfo, false, additionalSmSeats, additionalServiceAccounts);
-
-        Assert.Null(result);
-        Assert.Equal(GatewayType.Stripe, organization.Gateway);
-        Assert.Equal("C-1", organization.GatewayCustomerId);
-        Assert.Equal("S-1", organization.GatewaySubscriptionId);
-        Assert.True(organization.Enabled);
-        Assert.Equal(DateTime.Today.AddDays(10), organization.ExpirationDate);
-
-        await stripeAdapter.Received().CustomerCreateAsync(Arg.Is<Stripe.CustomerCreateOptions>(c =>
-            c.Description == organization.BusinessName &&
-            c.Email == organization.BillingEmail &&
-            c.PaymentMethod == null &&
-            c.Metadata.Count == 2 &&
-            c.Metadata["region"] == "US" &&
-            c.Metadata["btCustomerId"] == "Braintree-Id" &&
-            c.InvoiceSettings.DefaultPaymentMethod == null &&
-            c.Address.Country == taxInfo.BillingAddressCountry &&
-            c.Address.PostalCode == taxInfo.BillingAddressPostalCode &&
-            c.Address.Line1 == taxInfo.BillingAddressLine1 &&
-            c.Address.Line2 == taxInfo.BillingAddressLine2 &&
-            c.Address.City == taxInfo.BillingAddressCity &&
-            c.Address.State == taxInfo.BillingAddressState &&
-            c.TaxIdData.First().Value == taxInfo.TaxIdNumber &&
-            c.TaxIdData.First().Type == taxInfo.TaxIdType
-        ));
-
-        await stripeAdapter.Received().SubscriptionCreateAsync(Arg.Is<Stripe.SubscriptionCreateOptions>(s =>
-            s.Customer == "C-1" &&
-            s.Expand[0] == "latest_invoice.payment_intent" &&
-            s.Metadata[organization.GatewayIdField()] == organization.Id.ToString() &&
-            s.Items.Count == 4 &&
-            s.Items.Count(i => i.Plan == plan.PasswordManager.StripeSeatPlanId && i.Quantity == additionalSeats) == 1 &&
-            s.Items.Count(i => i.Plan == plan.PasswordManager.StripeStoragePlanId && i.Quantity == additionalStorage) == 1 &&
-            s.Items.Count(i => i.Plan == plan.SecretsManager.StripeSeatPlanId && i.Quantity == additionalSmSeats) == 1 &&
-            s.Items.Count(i => i.Plan == plan.SecretsManager.StripeServiceAccountPlanId && i.Quantity == additionalServiceAccounts) == 1
-        ));
-    }
-
-    [Theory, BitAutoData]
-    public async Task PurchaseOrganizationAsync_Paypal_FailedCreate(SutProvider<StripePaymentService> sutProvider, Organization organization, string paymentToken, TaxInfo taxInfo)
-    {
-        var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
-
-        var customerResult = Substitute.For<Result<Customer>>();
-        customerResult.IsSuccess().Returns(false);
-
-        var braintreeGateway = sutProvider.GetDependency<IBraintreeGateway>();
-        braintreeGateway.Customer.CreateAsync(default).ReturnsForAnyArgs(customerResult);
-
-        var exception = await Assert.ThrowsAsync<GatewayException>(
-            () => sutProvider.Sut.PurchaseOrganizationAsync(organization, PaymentMethodType.PayPal, paymentToken, plan, 0, 0, false, taxInfo));
-
-        Assert.Equal("Failed to create PayPal customer record.", exception.Message);
-    }
-
-    [Theory, BitAutoData]
-    public async Task PurchaseOrganizationAsync_SM_Paypal_FailedCreate(SutProvider<StripePaymentService> sutProvider, Organization organization, string paymentToken, TaxInfo taxInfo)
-    {
-        var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
-
-        var customerResult = Substitute.For<Result<Customer>>();
-        customerResult.IsSuccess().Returns(false);
-
-        var braintreeGateway = sutProvider.GetDependency<IBraintreeGateway>();
-        braintreeGateway.Customer.CreateAsync(default).ReturnsForAnyArgs(customerResult);
-
-        var exception = await Assert.ThrowsAsync<GatewayException>(
-            () => sutProvider.Sut.PurchaseOrganizationAsync(organization, PaymentMethodType.PayPal, paymentToken, plan,
-                1, 1, false, taxInfo, false, 8, 8));
-
-        Assert.Equal("Failed to create PayPal customer record.", exception.Message);
-    }
-
-    [Theory, BitAutoData]
-    public async Task PurchaseOrganizationAsync_PayPal_Declined(SutProvider<StripePaymentService> sutProvider, Organization organization, string paymentToken, TaxInfo taxInfo)
-    {
-        var plans = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
-        paymentToken = "pm_" + paymentToken;
-
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter.CustomerCreateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
-        {
-            Id = "C-1",
-        });
-        stripeAdapter.SubscriptionCreateAsync(default).ReturnsForAnyArgs(new Stripe.Subscription
-        {
-            Id = "S-1",
-            CurrentPeriodEnd = DateTime.Today.AddDays(10),
-            Status = "incomplete",
-            LatestInvoice = new Stripe.Invoice
-            {
-                PaymentIntent = new Stripe.PaymentIntent
-                {
-                    Status = "requires_payment_method",
-                },
-            },
-        });
-
-        var customer = Substitute.For<Customer>();
-        customer.Id.ReturnsForAnyArgs("Braintree-Id");
-        customer.PaymentMethods.ReturnsForAnyArgs(new[] { Substitute.For<PaymentMethod>() });
-        var customerResult = Substitute.For<Result<Customer>>();
-        customerResult.IsSuccess().Returns(true);
-        customerResult.Target.ReturnsForAnyArgs(customer);
-
-        var braintreeGateway = sutProvider.GetDependency<IBraintreeGateway>();
-        braintreeGateway.Customer.CreateAsync(default).ReturnsForAnyArgs(customerResult);
-
-        var exception = await Assert.ThrowsAsync<GatewayException>(
-            () => sutProvider.Sut.PurchaseOrganizationAsync(organization, PaymentMethodType.PayPal, paymentToken, plans, 0, 0, false, taxInfo));
-
-        Assert.Equal("Payment method was declined.", exception.Message);
-
-        await stripeAdapter.Received(1).CustomerDeleteAsync("C-1");
-        await braintreeGateway.Customer.Received(1).DeleteAsync("Braintree-Id");
-    }
-
-    [Theory]
-    [BitAutoData("ES", "A5372895732985327895237")]
-    public async Task PurchaseOrganizationAsync_ThrowsBadRequestException_WhenTaxIdInvalid(string country, string taxId, SutProvider<StripePaymentService> sutProvider, Organization organization, string paymentToken, TaxInfo taxInfo)
-    {
-        taxInfo.BillingAddressCountry = country;
-        taxInfo.TaxIdNumber = taxId;
-        taxInfo.TaxIdType = null;
-
-        var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
-        organization.UseSecretsManager = true;
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter.CustomerCreateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
-        {
-            Id = "C-1",
-        });
-        stripeAdapter.SubscriptionCreateAsync(default).ReturnsForAnyArgs(new Stripe.Subscription
-        {
-            Id = "S-1",
-            CurrentPeriodEnd = DateTime.Today.AddDays(10),
-        });
-        sutProvider.GetDependency<IGlobalSettings>()
-            .BaseServiceUri.CloudRegion
-            .Returns("US");
-        sutProvider
-            .GetDependency<ITaxService>()
-            .GetStripeTaxCode(Arg.Is<string>(p => p == country), Arg.Is<string>(p => p == taxId))
-            .Returns((string)null);
-
-        var actual = await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.PurchaseOrganizationAsync(organization, PaymentMethodType.Card, paymentToken, plan, 0, 0, false, taxInfo, false, 8, 10));
-
-        Assert.Equal("billingTaxIdTypeInferenceError", actual.Message);
-
-        await stripeAdapter.Received(0).CustomerCreateAsync(Arg.Any<Stripe.CustomerCreateOptions>());
-        await stripeAdapter.Received(0).SubscriptionCreateAsync(Arg.Any<Stripe.SubscriptionCreateOptions>());
-    }
-
-
-    [Theory, BitAutoData]
-    public async Task UpgradeFreeOrganizationAsync_Success(SutProvider<StripePaymentService> sutProvider,
-        Organization organization, TaxInfo taxInfo)
-    {
-        organization.GatewaySubscriptionId = null;
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter.CustomerGetAsync(default).ReturnsForAnyArgs(new Stripe.Customer
-        {
-            Id = "C-1",
-            Metadata = new Dictionary<string, string>
-            {
-                { "btCustomerId", "B-123" },
-            }
-        });
-        stripeAdapter.CustomerUpdateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
-        {
-            Id = "C-1",
-            Metadata = new Dictionary<string, string>
-            {
-                { "btCustomerId", "B-123" },
-            }
-        });
-        stripeAdapter.InvoiceUpcomingAsync(default).ReturnsForAnyArgs(new Stripe.Invoice
-        {
-            PaymentIntent = new Stripe.PaymentIntent { Status = "requires_payment_method", },
-            AmountDue = 0
-        });
-        stripeAdapter.SubscriptionCreateAsync(default).ReturnsForAnyArgs(new Stripe.Subscription { });
-
-        var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
-
-        var upgrade = new OrganizationUpgrade()
-        {
-            AdditionalStorageGb = 0,
-            AdditionalSeats = 0,
-            PremiumAccessAddon = false,
-            TaxInfo = taxInfo,
-            AdditionalSmSeats = 0,
-            AdditionalServiceAccounts = 0
-        };
-        var result = await sutProvider.Sut.UpgradeFreeOrganizationAsync(organization, plan, upgrade);
-
-        Assert.Null(result);
-    }
-
-    [Theory, BitAutoData]
-    public async Task UpgradeFreeOrganizationAsync_SM_Success(SutProvider<StripePaymentService> sutProvider,
-        Organization organization, TaxInfo taxInfo)
-    {
-        organization.GatewaySubscriptionId = null;
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter.CustomerGetAsync(default).ReturnsForAnyArgs(new Stripe.Customer
-        {
-            Id = "C-1",
-            Metadata = new Dictionary<string, string>
-            {
-                { "btCustomerId", "B-123" },
-            }
-        });
-        stripeAdapter.CustomerUpdateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
-        {
-            Id = "C-1",
-            Metadata = new Dictionary<string, string>
-            {
-                { "btCustomerId", "B-123" },
-            }
-        });
-        stripeAdapter.InvoiceUpcomingAsync(default).ReturnsForAnyArgs(new Stripe.Invoice
-        {
-            PaymentIntent = new Stripe.PaymentIntent { Status = "requires_payment_method", },
-            AmountDue = 0
-        });
-        stripeAdapter.SubscriptionCreateAsync(default).ReturnsForAnyArgs(new Stripe.Subscription { });
-
-        var upgrade = new OrganizationUpgrade()
-        {
-            AdditionalStorageGb = 1,
-            AdditionalSeats = 10,
-            PremiumAccessAddon = false,
-            TaxInfo = taxInfo,
-            AdditionalSmSeats = 5,
-            AdditionalServiceAccounts = 50
-        };
-
-        var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
-        var result = await sutProvider.Sut.UpgradeFreeOrganizationAsync(organization, plan, upgrade);
-
-        Assert.Null(result);
-    }
-
-    [Theory, BitAutoData]
-    public async Task UpgradeFreeOrganizationAsync_WhenCustomerHasNoAddress_UpdatesCustomerAddressWithTaxInfo(
-        SutProvider<StripePaymentService> sutProvider,
-        Organization organization,
-        TaxInfo taxInfo)
-    {
-        organization.GatewaySubscriptionId = null;
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        var featureService = sutProvider.GetDependency<IFeatureService>();
-        stripeAdapter.CustomerGetAsync(default).ReturnsForAnyArgs(new Stripe.Customer
-        {
-            Id = "C-1",
-            Metadata = new Dictionary<string, string>
-            {
-                { "btCustomerId", "B-123" },
-            }
-        });
-        stripeAdapter.CustomerUpdateAsync(default).ReturnsForAnyArgs(new Stripe.Customer
-        {
-            Id = "C-1",
-            Metadata = new Dictionary<string, string>
-            {
-                { "btCustomerId", "B-123" },
-            }
-        });
-        stripeAdapter.InvoiceUpcomingAsync(default).ReturnsForAnyArgs(new Stripe.Invoice
-        {
-            PaymentIntent = new Stripe.PaymentIntent { Status = "requires_payment_method", },
-            AmountDue = 0
-        });
-        stripeAdapter.SubscriptionCreateAsync(default).ReturnsForAnyArgs(new Stripe.Subscription { });
-
-        var upgrade = new OrganizationUpgrade()
-        {
-            AdditionalStorageGb = 1,
-            AdditionalSeats = 10,
-            PremiumAccessAddon = false,
-            TaxInfo = taxInfo,
-            AdditionalSmSeats = 5,
-            AdditionalServiceAccounts = 50
-        };
-
-        var plan = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
-        _ = await sutProvider.Sut.UpgradeFreeOrganizationAsync(organization, plan, upgrade);
-
-        await stripeAdapter.Received()
-            .CustomerUpdateAsync(organization.GatewayCustomerId, Arg.Is<Stripe.CustomerUpdateOptions>(c =>
-                c.Address.Country == taxInfo.BillingAddressCountry &&
-                c.Address.PostalCode == taxInfo.BillingAddressPostalCode &&
-                c.Address.Line1 == taxInfo.BillingAddressLine1 &&
-                c.Address.Line2 == taxInfo.BillingAddressLine2 &&
-                c.Address.City == taxInfo.BillingAddressCity &&
-                c.Address.State == taxInfo.BillingAddressState));
-    }
-}

From 34358acf61035d250ebcdde4fc8cf9324f902659 Mon Sep 17 00:00:00 2001
From: Daniel James Smith <2670567+djsmith85@users.noreply.github.com>
Date: Fri, 7 Mar 2025 15:09:54 +0100
Subject: [PATCH 345/384] Fix user context on importing into individual vaults
 (#5465)

Pass in the current userId instead of trying to infer it from the folders or ciphers passed into the ImportCiphersCommand

Kudos go to @MJebran who pointed this out on https://github.com/bitwarden/server/pull/4896

Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
---
 .../Tools/Controllers/ImportCiphersController.cs   |  2 +-
 .../Tools/ImportFeatures/ImportCiphersCommand.cs   | 14 +++++---------
 .../Interfaces/IImportCiphersCommand.cs            |  2 +-
 .../Controllers/ImportCiphersControllerTests.cs    |  3 ++-
 .../ImportCiphersAsyncCommandTests.cs              |  4 ++--
 5 files changed, 11 insertions(+), 14 deletions(-)

diff --git a/src/Api/Tools/Controllers/ImportCiphersController.cs b/src/Api/Tools/Controllers/ImportCiphersController.cs
index d6104de354..62c55aceb8 100644
--- a/src/Api/Tools/Controllers/ImportCiphersController.cs
+++ b/src/Api/Tools/Controllers/ImportCiphersController.cs
@@ -56,7 +56,7 @@ public class ImportCiphersController : Controller
         var userId = _userService.GetProperUserId(User).Value;
         var folders = model.Folders.Select(f => f.ToFolder(userId)).ToList();
         var ciphers = model.Ciphers.Select(c => c.ToCipherDetails(userId, false)).ToList();
-        await _importCiphersCommand.ImportIntoIndividualVaultAsync(folders, ciphers, model.FolderRelationships);
+        await _importCiphersCommand.ImportIntoIndividualVaultAsync(folders, ciphers, model.FolderRelationships, userId);
     }
 
     [HttpPost("import-organization")]
diff --git a/src/Core/Tools/ImportFeatures/ImportCiphersCommand.cs b/src/Core/Tools/ImportFeatures/ImportCiphersCommand.cs
index 646121db52..59d3e5be34 100644
--- a/src/Core/Tools/ImportFeatures/ImportCiphersCommand.cs
+++ b/src/Core/Tools/ImportFeatures/ImportCiphersCommand.cs
@@ -54,12 +54,11 @@ public class ImportCiphersCommand : IImportCiphersCommand
     public async Task ImportIntoIndividualVaultAsync(
         List<Folder> folders,
         List<CipherDetails> ciphers,
-        IEnumerable<KeyValuePair<int, int>> folderRelationships)
+        IEnumerable<KeyValuePair<int, int>> folderRelationships,
+        Guid importingUserId)
     {
-        var userId = folders.FirstOrDefault()?.UserId ?? ciphers.FirstOrDefault()?.UserId;
-
         // Make sure the user can save new ciphers to their personal vault
-        var anyPersonalOwnershipPolicies = await _policyService.AnyPoliciesApplicableToUserAsync(userId.Value, PolicyType.PersonalOwnership);
+        var anyPersonalOwnershipPolicies = await _policyService.AnyPoliciesApplicableToUserAsync(importingUserId, PolicyType.PersonalOwnership);
         if (anyPersonalOwnershipPolicies)
         {
             throw new BadRequestException("You cannot import items into your personal vault because you are " +
@@ -76,7 +75,7 @@ public class ImportCiphersCommand : IImportCiphersCommand
             }
         }
 
-        var userfoldersIds = (await _folderRepository.GetManyByUserIdAsync(userId ?? Guid.Empty)).Select(f => f.Id).ToList();
+        var userfoldersIds = (await _folderRepository.GetManyByUserIdAsync(importingUserId)).Select(f => f.Id).ToList();
 
         //Assign id to the ones that don't exist in DB
         //Need to keep the list order to create the relationships
@@ -109,10 +108,7 @@ public class ImportCiphersCommand : IImportCiphersCommand
         await _cipherRepository.CreateAsync(ciphers, newFolders);
 
         // push
-        if (userId.HasValue)
-        {
-            await _pushService.PushSyncVaultAsync(userId.Value);
-        }
+        await _pushService.PushSyncVaultAsync(importingUserId);
     }
 
     public async Task ImportIntoOrganizationalVaultAsync(
diff --git a/src/Core/Tools/ImportFeatures/Interfaces/IImportCiphersCommand.cs b/src/Core/Tools/ImportFeatures/Interfaces/IImportCiphersCommand.cs
index 378024d3a0..732b2f43a8 100644
--- a/src/Core/Tools/ImportFeatures/Interfaces/IImportCiphersCommand.cs
+++ b/src/Core/Tools/ImportFeatures/Interfaces/IImportCiphersCommand.cs
@@ -7,7 +7,7 @@ namespace Bit.Core.Tools.ImportFeatures.Interfaces;
 public interface IImportCiphersCommand
 {
     Task ImportIntoIndividualVaultAsync(List<Folder> folders, List<CipherDetails> ciphers,
-        IEnumerable<KeyValuePair<int, int>> folderRelationships);
+        IEnumerable<KeyValuePair<int, int>> folderRelationships, Guid importingUserId);
 
     Task ImportIntoOrganizationalVaultAsync(List<Collection> collections, List<CipherDetails> ciphers,
         IEnumerable<KeyValuePair<int, int>> collectionRelationships, Guid importingUserId);
diff --git a/test/Api.Test/Tools/Controllers/ImportCiphersControllerTests.cs b/test/Api.Test/Tools/Controllers/ImportCiphersControllerTests.cs
index c07f9791a3..76055a6b64 100644
--- a/test/Api.Test/Tools/Controllers/ImportCiphersControllerTests.cs
+++ b/test/Api.Test/Tools/Controllers/ImportCiphersControllerTests.cs
@@ -79,7 +79,8 @@ public class ImportCiphersControllerTests
             .ImportIntoIndividualVaultAsync(
             Arg.Any<List<Folder>>(),
             Arg.Any<List<CipherDetails>>(),
-            Arg.Any<IEnumerable<KeyValuePair<int, int>>>()
+            Arg.Any<IEnumerable<KeyValuePair<int, int>>>(),
+            user.Id
             );
     }
 
diff --git a/test/Core.Test/Tools/ImportFeatures/ImportCiphersAsyncCommandTests.cs b/test/Core.Test/Tools/ImportFeatures/ImportCiphersAsyncCommandTests.cs
index 1e97856281..5e7a30d814 100644
--- a/test/Core.Test/Tools/ImportFeatures/ImportCiphersAsyncCommandTests.cs
+++ b/test/Core.Test/Tools/ImportFeatures/ImportCiphersAsyncCommandTests.cs
@@ -44,7 +44,7 @@ public class ImportCiphersAsyncCommandTests
         var folderRelationships = new List<KeyValuePair<int, int>>();
 
         // Act
-        await sutProvider.Sut.ImportIntoIndividualVaultAsync(folders, ciphers, folderRelationships);
+        await sutProvider.Sut.ImportIntoIndividualVaultAsync(folders, ciphers, folderRelationships, importingUserId);
 
         // Assert
         await sutProvider.GetDependency<ICipherRepository>().Received(1).CreateAsync(ciphers, Arg.Any<List<Folder>>());
@@ -68,7 +68,7 @@ public class ImportCiphersAsyncCommandTests
         var folderRelationships = new List<KeyValuePair<int, int>>();
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
-            sutProvider.Sut.ImportIntoIndividualVaultAsync(folders, ciphers, folderRelationships));
+            sutProvider.Sut.ImportIntoIndividualVaultAsync(folders, ciphers, folderRelationships, userId));
 
         Assert.Equal("You cannot import items into your personal vault because you are a member of an organization which forbids it.", exception.Message);
     }

From bd7a0a8ed854afbc366de5ed328bec1137759bbb Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Sun, 9 Mar 2025 16:56:04 -0400
Subject: [PATCH 346/384] Codespaces improvements (#4969)

* Skip one_time_setup in GH Codespaces

* Make .env File Optional

* Wrap Path in Single Quotes

* Comment out .env File

* Add Modify Database Task

* Work on modify_database.ps1

* Add space

* Remove compose version

* Do changes in community as well

* Do required: false

* Reverse check

* Remove printenv

* Skip DB changes

* Remove docker outside of docker feature

* Remove newlines
---
 .devcontainer/bitwarden_common/docker-compose.yml      | 5 ++---
 .devcontainer/community_dev/postCreateCommand.sh       | 8 +++++++-
 .devcontainer/internal_dev/docker-compose.override.yml | 2 --
 .devcontainer/internal_dev/postCreateCommand.sh        | 8 +++++++-
 4 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/.devcontainer/bitwarden_common/docker-compose.yml b/.devcontainer/bitwarden_common/docker-compose.yml
index 52f0901c70..2f3a62877e 100644
--- a/.devcontainer/bitwarden_common/docker-compose.yml
+++ b/.devcontainer/bitwarden_common/docker-compose.yml
@@ -1,5 +1,3 @@
-version: '3'
-
 services:
   bitwarden_server:
     image: mcr.microsoft.com/devcontainers/dotnet:8.0
@@ -13,7 +11,8 @@ services:
     platform: linux/amd64
     restart: unless-stopped
     env_file:
-      ../../dev/.env
+      - path: ../../dev/.env
+        required: false
     environment:
       ACCEPT_EULA: "Y"
       MSSQL_PID: Developer
diff --git a/.devcontainer/community_dev/postCreateCommand.sh b/.devcontainer/community_dev/postCreateCommand.sh
index 832f510f3f..8f1813ed78 100755
--- a/.devcontainer/community_dev/postCreateCommand.sh
+++ b/.devcontainer/community_dev/postCreateCommand.sh
@@ -51,4 +51,10 @@ Proceed? [y/N] " response
 }
 
 # main
-one_time_setup
+if [[ -z "${CODESPACES}" ]]; then
+  one_time_setup
+else
+  # Ignore interactive elements when running in codespaces since they are not supported there
+  # TODO Write codespaces specific instructions and link here
+  echo "Running in codespaces, follow instructions here: https://contributing.bitwarden.com/getting-started/server/guide/ to continue the setup"
+fi
diff --git a/.devcontainer/internal_dev/docker-compose.override.yml b/.devcontainer/internal_dev/docker-compose.override.yml
index 9aaee9ee62..acf7b0b66e 100644
--- a/.devcontainer/internal_dev/docker-compose.override.yml
+++ b/.devcontainer/internal_dev/docker-compose.override.yml
@@ -1,5 +1,3 @@
-version: '3'
-
 services:
   bitwarden_storage:
     image: mcr.microsoft.com/azure-storage/azurite:latest
diff --git a/.devcontainer/internal_dev/postCreateCommand.sh b/.devcontainer/internal_dev/postCreateCommand.sh
index 668b776447..071ffc0b29 100755
--- a/.devcontainer/internal_dev/postCreateCommand.sh
+++ b/.devcontainer/internal_dev/postCreateCommand.sh
@@ -89,4 +89,10 @@ install_stripe_cli() {
 }
 
 # main
-one_time_setup
+if [[ -z "${CODESPACES}" ]]; then
+  one_time_setup
+else
+  # Ignore interactive elements when running in codespaces since they are not supported there
+  # TODO Write codespaces specific instructions and link here
+  echo "Running in codespaces, follow instructions here: https://contributing.bitwarden.com/getting-started/server/guide/ to continue the setup"
+fi
\ No newline at end of file

From f26f14165ca9067c67c0f66a5acbbfbe596f1cad Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Mon, 10 Mar 2025 10:28:50 +0000
Subject: [PATCH 347/384] Bumped version to 2025.3.0

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 03594371e9..a994b2196e 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.2.4</Version>
+    <Version>2025.3.0</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

From 88e91734f10989d25c959e2ee812399d42fb6b0c Mon Sep 17 00:00:00 2001
From: cyprain-okeke <108260115+cyprain-okeke@users.noreply.github.com>
Date: Mon, 10 Mar 2025 11:46:44 +0100
Subject: [PATCH 348/384] [PM-17594]Remove feature flag self-host license
 refactor (#5372)

* Remove the feature flag

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

* Resolve the failing test

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>

---------

Signed-off-by: Cy Okeke <cokeke@bitwarden.com>
Co-authored-by: Conner Turnbull <133619638+cturnbull-bitwarden@users.noreply.github.com>
---
 src/Core/Constants.cs                                        | 1 -
 .../Cloud/CloudGetOrganizationLicenseQuery.cs                | 5 +----
 src/Core/Services/Implementations/UserService.cs             | 5 +----
 .../CloudGetOrganizationLicenseQueryTests.cs                 | 4 +---
 4 files changed, 3 insertions(+), 12 deletions(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 672188ce1f..b1cbc8d519 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -155,7 +155,6 @@ public static class FeatureFlagKeys
     public const string MacOsNativeCredentialSync = "macos-native-credential-sync";
     public const string PM9111ExtensionPersistAddEditForm = "pm-9111-extension-persist-add-edit-form";
     public const string InlineMenuTotp = "inline-menu-totp";
-    public const string SelfHostLicenseRefactor = "pm-11516-self-host-license-refactor";
     public const string PrivateKeyRegeneration = "pm-12241-private-key-regeneration";
     public const string AppReviewPrompt = "app-review-prompt";
     public const string ResellerManagedOrgAlert = "PM-15814-alert-owners-of-reseller-managed-orgs";
diff --git a/src/Core/OrganizationFeatures/OrganizationLicenses/Cloud/CloudGetOrganizationLicenseQuery.cs b/src/Core/OrganizationFeatures/OrganizationLicenses/Cloud/CloudGetOrganizationLicenseQuery.cs
index 0c3bfe16cf..44edde1495 100644
--- a/src/Core/OrganizationFeatures/OrganizationLicenses/Cloud/CloudGetOrganizationLicenseQuery.cs
+++ b/src/Core/OrganizationFeatures/OrganizationLicenses/Cloud/CloudGetOrganizationLicenseQuery.cs
@@ -42,10 +42,7 @@ public class CloudGetOrganizationLicenseQuery : ICloudGetOrganizationLicenseQuer
 
         var subscriptionInfo = await GetSubscriptionAsync(organization);
         var license = new OrganizationLicense(organization, subscriptionInfo, installationId, _licensingService, version);
-        if (_featureService.IsEnabled(FeatureFlagKeys.SelfHostLicenseRefactor))
-        {
-            license.Token = await _licensingService.CreateOrganizationTokenAsync(organization, installationId, subscriptionInfo);
-        }
+        license.Token = await _licensingService.CreateOrganizationTokenAsync(organization, installationId, subscriptionInfo);
 
         return license;
     }
diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index e419b832a7..5076c8282e 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -1218,10 +1218,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
             ? new UserLicense(user, _licenseService)
             : new UserLicense(user, subscriptionInfo, _licenseService);
 
-        if (_featureService.IsEnabled(FeatureFlagKeys.SelfHostLicenseRefactor))
-        {
-            userLicense.Token = await _licenseService.CreateUserTokenAsync(user, subscriptionInfo);
-        }
+        userLicense.Token = await _licenseService.CreateUserTokenAsync(user, subscriptionInfo);
 
         return userLicense;
     }
diff --git a/test/Core.Test/OrganizationFeatures/OrganizationLicenses/CloudGetOrganizationLicenseQueryTests.cs b/test/Core.Test/OrganizationFeatures/OrganizationLicenses/CloudGetOrganizationLicenseQueryTests.cs
index 650d33f64c..cc8ab956ca 100644
--- a/test/Core.Test/OrganizationFeatures/OrganizationLicenses/CloudGetOrganizationLicenseQueryTests.cs
+++ b/test/Core.Test/OrganizationFeatures/OrganizationLicenses/CloudGetOrganizationLicenseQueryTests.cs
@@ -56,7 +56,6 @@ public class CloudGetOrganizationLicenseQueryTests
         sutProvider.GetDependency<IInstallationRepository>().GetByIdAsync(installationId).Returns(installation);
         sutProvider.GetDependency<IPaymentService>().GetSubscriptionAsync(organization).Returns(subInfo);
         sutProvider.GetDependency<ILicensingService>().SignLicense(Arg.Any<ILicense>()).Returns(licenseSignature);
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.SelfHostLicenseRefactor).Returns(false);
 
         var result = await sutProvider.Sut.GetLicenseAsync(organization, installationId);
 
@@ -64,7 +63,7 @@ public class CloudGetOrganizationLicenseQueryTests
         Assert.Equal(organization.Id, result.Id);
         Assert.Equal(installationId, result.InstallationId);
         Assert.Equal(licenseSignature, result.SignatureBytes);
-        Assert.Null(result.Token);
+        Assert.Equal(string.Empty, result.Token);
     }
 
     [Theory]
@@ -77,7 +76,6 @@ public class CloudGetOrganizationLicenseQueryTests
         sutProvider.GetDependency<IInstallationRepository>().GetByIdAsync(installationId).Returns(installation);
         sutProvider.GetDependency<IPaymentService>().GetSubscriptionAsync(organization).Returns(subInfo);
         sutProvider.GetDependency<ILicensingService>().SignLicense(Arg.Any<ILicense>()).Returns(licenseSignature);
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.SelfHostLicenseRefactor).Returns(true);
         sutProvider.GetDependency<ILicensingService>()
             .CreateOrganizationTokenAsync(organization, installationId, subInfo)
             .Returns(token);

From 6e7c5b172ceb5ddad51126ab4ce5b1cd1c7e7da9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Mon, 10 Mar 2025 15:27:30 +0000
Subject: [PATCH 349/384] [PM-18087] Add cipher permissions to response models
 (#5418)

* Add Manage permission to UserCipherDetails and CipherDetails_ReadByIdUserId

* Add Manage property to CipherDetails and UserCipherDetailsQuery

* Add integration test for CipherRepository Manage permission rules

* Update CipherDetails_ReadWithoutOrganizationsByUserId to include Manage permission

* Refactor UserCipherDetailsQuery to include detailed permission and organization properties

* Refactor CipherRepositoryTests to improve test organization and readability

- Split large test method into smaller, focused methods
- Added helper methods for creating test data and performing assertions
- Improved test coverage for cipher permissions in different scenarios
- Maintained existing test logic while enhancing code structure

* Refactor CipherRepositoryTests to consolidate cipher permission tests

- Removed redundant helper methods for permission assertions
- Simplified test methods for GetCipherPermissionsForOrganizationAsync, GetManyByUserIdAsync, and GetByIdAsync
- Maintained existing test coverage for cipher manage permissions
- Improved code readability and reduced code duplication

* Add integration test for CipherRepository group collection manage permissions

- Added new test method GetCipherPermissionsForOrganizationAsync_ManageProperty_RespectsCollectionGroupRules
- Implemented helper method CreateCipherInOrganizationCollectionWithGroup to support group-based collection permission testing
- Verified manage permissions are correctly applied based on group collection access settings

* Add @Manage parameter to Cipher stored procedures

- Updated CipherDetails_Create, CipherDetails_CreateWithCollections, and CipherDetails_Update stored procedures
- Added @Manage parameter with comment "-- not used"
- Included new stored procedure implementations in migration script
- Consistent with previous work on adding Manage property to cipher details

* Update UserCipherDetails functions to reorder Manage and ViewPassword columns

* [PM-18086] Add CanRestore and CanDelete authorization methods.

* [PM-18086] Address code review feedback.

* [PM-18086] Add missing part.

* [PM-18087] Add CipherPermissionsResponseModel for cipher permissions

* Add GetManyOrganizationAbilityAsync method to application cache service

* Add organization ability context to cipher response models

This change introduces organization ability context to various cipher response models across multiple controllers. The modifications include:

- Updating CipherResponseModel to include permissions based on user and organization ability
- Modifying CiphersController methods to fetch and pass organization abilities
- Updating SyncController to include organization abilities in sync response
- Adding organization ability context to EmergencyAccessController response generation

* Remove organization ability context from EmergencyAccessController

This change simplifies the EmergencyAccessController by removing unnecessary organization ability fetching and passing. Since emergency access only retrieves personal ciphers, the organization ability context is no longer needed in the response generation.

* Remove unused IApplicationCacheService from EmergencyAccessController

* Refactor EmergencyAccessViewResponseModel constructor

Remove unnecessary JsonConstructor attribute and simplify constructor initialization for EmergencyAccessViewResponseModel

* Refactor organization ability retrieval in CiphersController

Extract methods to simplify organization ability fetching for ciphers, reducing code duplication and improving readability. Added two private helper methods:
- GetOrganizationAbilityAsync: Retrieves organization ability for a single cipher
- GetManyOrganizationAbilitiesAsync: Retrieves organization abilities for multiple ciphers

* Update CiphersControllerTests to use GetUserByPrincipalAsync

Modify test methods to:
- Replace GetProperUserId with GetUserByPrincipalAsync
- Use User object instead of separate userId
- Update mocking to return User object
- Ensure user ID is correctly set in test scenarios

* Refactor CipherPermissionsResponseModel to use constructor-based initialization

* Refactor CipherPermissionsResponseModel to use record type and init-only properties

* [PM-18086] Undo files

* [PM-18086] Undo files

* Refactor organization abilities retrieval in cipher-related controllers and models

- Update CiphersController to use GetOrganizationAbilitiesAsync instead of individual methods
- Modify CipherResponseModel and CipherDetailsResponseModel to accept organization abilities dictionary
- Update CipherPermissionsResponseModel to handle organization abilities lookup
- Remove deprecated organization ability retrieval methods
- Simplify sync and emergency access response model handling of organization abilities

* Remove GetManyOrganizationAbilityAsync method

- Delete unused method from IApplicationCacheService interface
- Remove corresponding implementation in InMemoryApplicationCacheService
- Continues cleanup of organization ability retrieval methods

* Update CiphersControllerTests to include organization abilities retrieval

- Add organization abilities retrieval in test setup for PutCollections_vNext method
- Ensure consistent mocking of IApplicationCacheService in test scenarios

* Update error message for missing organization ability

---------

Co-authored-by: Jimmy Vo <huynhmaivo82@gmail.com>
---
 .../Controllers/EmergencyAccessController.cs  |   2 +-
 .../Response/EmergencyAccessResponseModel.cs  |  10 +-
 .../Vault/Controllers/CiphersController.cs    | 174 ++++++++++++------
 src/Api/Vault/Controllers/SyncController.cs   |   9 +-
 .../CipherPermissionsResponseModel.cs         |  27 +++
 .../Models/Response/CipherResponseModel.cs    |  35 +++-
 .../Models/Response/SyncResponseModel.cs      |  10 +-
 .../Controllers/CiphersControllerTests.cs     |  18 +-
 8 files changed, 206 insertions(+), 79 deletions(-)
 create mode 100644 src/Api/Vault/Models/Response/CipherPermissionsResponseModel.cs

diff --git a/src/Api/Auth/Controllers/EmergencyAccessController.cs b/src/Api/Auth/Controllers/EmergencyAccessController.cs
index 9f8ea3df01..5d1f47de73 100644
--- a/src/Api/Auth/Controllers/EmergencyAccessController.cs
+++ b/src/Api/Auth/Controllers/EmergencyAccessController.cs
@@ -167,7 +167,7 @@ public class EmergencyAccessController : Controller
     {
         var user = await _userService.GetUserByPrincipalAsync(User);
         var viewResult = await _emergencyAccessService.ViewAsync(id, user);
-        return new EmergencyAccessViewResponseModel(_globalSettings, viewResult.EmergencyAccess, viewResult.Ciphers);
+        return new EmergencyAccessViewResponseModel(_globalSettings, viewResult.EmergencyAccess, viewResult.Ciphers, user);
     }
 
     [HttpGet("{id}/{cipherId}/attachment/{attachmentId}")]
diff --git a/src/Api/Auth/Models/Response/EmergencyAccessResponseModel.cs b/src/Api/Auth/Models/Response/EmergencyAccessResponseModel.cs
index a72f3cf03f..2fb9a67199 100644
--- a/src/Api/Auth/Models/Response/EmergencyAccessResponseModel.cs
+++ b/src/Api/Auth/Models/Response/EmergencyAccessResponseModel.cs
@@ -116,11 +116,17 @@ public class EmergencyAccessViewResponseModel : ResponseModel
     public EmergencyAccessViewResponseModel(
         IGlobalSettings globalSettings,
         EmergencyAccess emergencyAccess,
-        IEnumerable<CipherDetails> ciphers)
+        IEnumerable<CipherDetails> ciphers,
+        User user)
         : base("emergencyAccessView")
     {
         KeyEncrypted = emergencyAccess.KeyEncrypted;
-        Ciphers = ciphers.Select(c => new CipherResponseModel(c, globalSettings));
+        Ciphers = ciphers.Select(cipher =>
+            new CipherResponseModel(
+                cipher,
+                user,
+                organizationAbilities: null, // Emergency access only retrieves personal ciphers so organizationAbilities is not needed
+                globalSettings));
     }
 
     public string KeyEncrypted { get; set; }
diff --git a/src/Api/Vault/Controllers/CiphersController.cs b/src/Api/Vault/Controllers/CiphersController.cs
index 5a7d427963..62f07005ee 100644
--- a/src/Api/Vault/Controllers/CiphersController.cs
+++ b/src/Api/Vault/Controllers/CiphersController.cs
@@ -79,14 +79,16 @@ public class CiphersController : Controller
     [HttpGet("{id}")]
     public async Task<CipherResponseModel> Get(Guid id)
     {
-        var userId = _userService.GetProperUserId(User).Value;
-        var cipher = await GetByIdAsync(id, userId);
+        var user = await _userService.GetUserByPrincipalAsync(User);
+        var cipher = await GetByIdAsync(id, user.Id);
         if (cipher == null)
         {
             throw new NotFoundException();
         }
 
-        return new CipherResponseModel(cipher, _globalSettings);
+        var organizationAbilities = await _applicationCacheService.GetOrganizationAbilitiesAsync();
+
+        return new CipherResponseModel(cipher, user, organizationAbilities, _globalSettings);
     }
 
     [HttpGet("{id}/admin")]
@@ -109,32 +111,37 @@ public class CiphersController : Controller
     [HttpGet("{id}/details")]
     public async Task<CipherDetailsResponseModel> GetDetails(Guid id)
     {
-        var userId = _userService.GetProperUserId(User).Value;
-        var cipher = await GetByIdAsync(id, userId);
+        var user = await _userService.GetUserByPrincipalAsync(User);
+        var cipher = await GetByIdAsync(id, user.Id);
         if (cipher == null)
         {
             throw new NotFoundException();
         }
 
-        var collectionCiphers = await _collectionCipherRepository.GetManyByUserIdCipherIdAsync(userId, id);
-        return new CipherDetailsResponseModel(cipher, _globalSettings, collectionCiphers);
+        var organizationAbilities = await _applicationCacheService.GetOrganizationAbilitiesAsync();
+        var collectionCiphers = await _collectionCipherRepository.GetManyByUserIdCipherIdAsync(user.Id, id);
+        return new CipherDetailsResponseModel(cipher, user, organizationAbilities, _globalSettings, collectionCiphers);
     }
 
     [HttpGet("")]
     public async Task<ListResponseModel<CipherDetailsResponseModel>> Get()
     {
-        var userId = _userService.GetProperUserId(User).Value;
+        var user = await _userService.GetUserByPrincipalAsync(User);
         var hasOrgs = _currentContext.Organizations?.Any() ?? false;
         // TODO: Use hasOrgs proper for cipher listing here?
-        var ciphers = await _cipherRepository.GetManyByUserIdAsync(userId, withOrganizations: true || hasOrgs);
+        var ciphers = await _cipherRepository.GetManyByUserIdAsync(user.Id, withOrganizations: true || hasOrgs);
         Dictionary<Guid, IGrouping<Guid, CollectionCipher>> collectionCiphersGroupDict = null;
         if (hasOrgs)
         {
-            var collectionCiphers = await _collectionCipherRepository.GetManyByUserIdAsync(userId);
+            var collectionCiphers = await _collectionCipherRepository.GetManyByUserIdAsync(user.Id);
             collectionCiphersGroupDict = collectionCiphers.GroupBy(c => c.CipherId).ToDictionary(s => s.Key);
         }
-
-        var responses = ciphers.Select(c => new CipherDetailsResponseModel(c, _globalSettings,
+        var organizationAbilities = await _applicationCacheService.GetOrganizationAbilitiesAsync();
+        var responses = ciphers.Select(cipher => new CipherDetailsResponseModel(
+            cipher,
+            user,
+            organizationAbilities,
+            _globalSettings,
             collectionCiphersGroupDict)).ToList();
         return new ListResponseModel<CipherDetailsResponseModel>(responses);
     }
@@ -142,30 +149,38 @@ public class CiphersController : Controller
     [HttpPost("")]
     public async Task<CipherResponseModel> Post([FromBody] CipherRequestModel model)
     {
-        var userId = _userService.GetProperUserId(User).Value;
-        var cipher = model.ToCipherDetails(userId);
+        var user = await _userService.GetUserByPrincipalAsync(User);
+        var cipher = model.ToCipherDetails(user.Id);
         if (cipher.OrganizationId.HasValue && !await _currentContext.OrganizationUser(cipher.OrganizationId.Value))
         {
             throw new NotFoundException();
         }
 
-        await _cipherService.SaveDetailsAsync(cipher, userId, model.LastKnownRevisionDate, null, cipher.OrganizationId.HasValue);
-        var response = new CipherResponseModel(cipher, _globalSettings);
+        await _cipherService.SaveDetailsAsync(cipher, user.Id, model.LastKnownRevisionDate, null, cipher.OrganizationId.HasValue);
+        var response = new CipherResponseModel(
+            cipher,
+            user,
+            await _applicationCacheService.GetOrganizationAbilitiesAsync(),
+            _globalSettings);
         return response;
     }
 
     [HttpPost("create")]
     public async Task<CipherResponseModel> PostCreate([FromBody] CipherCreateRequestModel model)
     {
-        var userId = _userService.GetProperUserId(User).Value;
-        var cipher = model.Cipher.ToCipherDetails(userId);
+        var user = await _userService.GetUserByPrincipalAsync(User);
+        var cipher = model.Cipher.ToCipherDetails(user.Id);
         if (cipher.OrganizationId.HasValue && !await _currentContext.OrganizationUser(cipher.OrganizationId.Value))
         {
             throw new NotFoundException();
         }
 
-        await _cipherService.SaveDetailsAsync(cipher, userId, model.Cipher.LastKnownRevisionDate, model.CollectionIds, cipher.OrganizationId.HasValue);
-        var response = new CipherResponseModel(cipher, _globalSettings);
+        await _cipherService.SaveDetailsAsync(cipher, user.Id, model.Cipher.LastKnownRevisionDate, model.CollectionIds, cipher.OrganizationId.HasValue);
+        var response = new CipherResponseModel(
+            cipher,
+            user,
+            await _applicationCacheService.GetOrganizationAbilitiesAsync(),
+            _globalSettings);
         return response;
     }
 
@@ -191,8 +206,8 @@ public class CiphersController : Controller
     [HttpPost("{id}")]
     public async Task<CipherResponseModel> Put(Guid id, [FromBody] CipherRequestModel model)
     {
-        var userId = _userService.GetProperUserId(User).Value;
-        var cipher = await GetByIdAsync(id, userId);
+        var user = await _userService.GetUserByPrincipalAsync(User);
+        var cipher = await GetByIdAsync(id, user.Id);
         if (cipher == null)
         {
             throw new NotFoundException();
@@ -200,7 +215,7 @@ public class CiphersController : Controller
 
         ValidateClientVersionForFido2CredentialSupport(cipher);
 
-        var collectionIds = (await _collectionCipherRepository.GetManyByUserIdCipherIdAsync(userId, id)).Select(c => c.CollectionId).ToList();
+        var collectionIds = (await _collectionCipherRepository.GetManyByUserIdCipherIdAsync(user.Id, id)).Select(c => c.CollectionId).ToList();
         var modelOrgId = string.IsNullOrWhiteSpace(model.OrganizationId) ?
             (Guid?)null : new Guid(model.OrganizationId);
         if (cipher.OrganizationId != modelOrgId)
@@ -209,9 +224,13 @@ public class CiphersController : Controller
                 "then try again.");
         }
 
-        await _cipherService.SaveDetailsAsync(model.ToCipherDetails(cipher), userId, model.LastKnownRevisionDate, collectionIds);
+        await _cipherService.SaveDetailsAsync(model.ToCipherDetails(cipher), user.Id, model.LastKnownRevisionDate, collectionIds);
 
-        var response = new CipherResponseModel(cipher, _globalSettings);
+        var response = new CipherResponseModel(
+            cipher,
+            user,
+            await _applicationCacheService.GetOrganizationAbilitiesAsync(),
+            _globalSettings);
         return response;
     }
 
@@ -278,7 +297,14 @@ public class CiphersController : Controller
             }));
         }
 
-        var responses = ciphers.Select(c => new CipherDetailsResponseModel(c, _globalSettings));
+        var user = await _userService.GetUserByPrincipalAsync(User);
+        var organizationAbilities = await _applicationCacheService.GetOrganizationAbilitiesAsync();
+        var responses = ciphers.Select(cipher =>
+            new CipherDetailsResponseModel(
+                cipher,
+                user,
+                organizationAbilities,
+                _globalSettings));
 
         return new ListResponseModel<CipherDetailsResponseModel>(responses);
     }
@@ -572,12 +598,16 @@ public class CiphersController : Controller
     [HttpPost("{id}/partial")]
     public async Task<CipherResponseModel> PutPartial(Guid id, [FromBody] CipherPartialRequestModel model)
     {
-        var userId = _userService.GetProperUserId(User).Value;
+        var user = await _userService.GetUserByPrincipalAsync(User);
         var folderId = string.IsNullOrWhiteSpace(model.FolderId) ? null : (Guid?)new Guid(model.FolderId);
-        await _cipherRepository.UpdatePartialAsync(id, userId, folderId, model.Favorite);
+        await _cipherRepository.UpdatePartialAsync(id, user.Id, folderId, model.Favorite);
 
-        var cipher = await GetByIdAsync(id, userId);
-        var response = new CipherResponseModel(cipher, _globalSettings);
+        var cipher = await GetByIdAsync(id, user.Id);
+        var response = new CipherResponseModel(
+            cipher,
+            user,
+            await _applicationCacheService.GetOrganizationAbilitiesAsync(),
+            _globalSettings);
         return response;
     }
 
@@ -585,9 +615,9 @@ public class CiphersController : Controller
     [HttpPost("{id}/share")]
     public async Task<CipherResponseModel> PutShare(Guid id, [FromBody] CipherShareRequestModel model)
     {
-        var userId = _userService.GetProperUserId(User).Value;
+        var user = await _userService.GetUserByPrincipalAsync(User);
         var cipher = await _cipherRepository.GetByIdAsync(id);
-        if (cipher == null || cipher.UserId != userId ||
+        if (cipher == null || cipher.UserId != user.Id ||
             !await _currentContext.OrganizationUser(new Guid(model.Cipher.OrganizationId)))
         {
             throw new NotFoundException();
@@ -597,10 +627,14 @@ public class CiphersController : Controller
 
         var original = cipher.Clone();
         await _cipherService.ShareAsync(original, model.Cipher.ToCipher(cipher), new Guid(model.Cipher.OrganizationId),
-            model.CollectionIds.Select(c => new Guid(c)), userId, model.Cipher.LastKnownRevisionDate);
+            model.CollectionIds.Select(c => new Guid(c)), user.Id, model.Cipher.LastKnownRevisionDate);
 
-        var sharedCipher = await GetByIdAsync(id, userId);
-        var response = new CipherResponseModel(sharedCipher, _globalSettings);
+        var sharedCipher = await GetByIdAsync(id, user.Id);
+        var response = new CipherResponseModel(
+            sharedCipher,
+            user,
+            await _applicationCacheService.GetOrganizationAbilitiesAsync(),
+            _globalSettings);
         return response;
     }
 
@@ -608,8 +642,8 @@ public class CiphersController : Controller
     [HttpPost("{id}/collections")]
     public async Task<CipherDetailsResponseModel> PutCollections(Guid id, [FromBody] CipherCollectionsRequestModel model)
     {
-        var userId = _userService.GetProperUserId(User).Value;
-        var cipher = await GetByIdAsync(id, userId);
+        var user = await _userService.GetUserByPrincipalAsync(User);
+        var cipher = await GetByIdAsync(id, user.Id);
         if (cipher == null || !cipher.OrganizationId.HasValue ||
             !await _currentContext.OrganizationUser(cipher.OrganizationId.Value))
         {
@@ -617,20 +651,25 @@ public class CiphersController : Controller
         }
 
         await _cipherService.SaveCollectionsAsync(cipher,
-            model.CollectionIds.Select(c => new Guid(c)), userId, false);
+            model.CollectionIds.Select(c => new Guid(c)), user.Id, false);
 
-        var updatedCipher = await GetByIdAsync(id, userId);
-        var collectionCiphers = await _collectionCipherRepository.GetManyByUserIdCipherIdAsync(userId, id);
+        var updatedCipher = await GetByIdAsync(id, user.Id);
+        var collectionCiphers = await _collectionCipherRepository.GetManyByUserIdCipherIdAsync(user.Id, id);
 
-        return new CipherDetailsResponseModel(updatedCipher, _globalSettings, collectionCiphers);
+        return new CipherDetailsResponseModel(
+            updatedCipher,
+            user,
+            await _applicationCacheService.GetOrganizationAbilitiesAsync(),
+            _globalSettings,
+            collectionCiphers);
     }
 
     [HttpPut("{id}/collections_v2")]
     [HttpPost("{id}/collections_v2")]
     public async Task<OptionalCipherDetailsResponseModel> PutCollections_vNext(Guid id, [FromBody] CipherCollectionsRequestModel model)
     {
-        var userId = _userService.GetProperUserId(User).Value;
-        var cipher = await GetByIdAsync(id, userId);
+        var user = await _userService.GetUserByPrincipalAsync(User);
+        var cipher = await GetByIdAsync(id, user.Id);
         if (cipher == null || !cipher.OrganizationId.HasValue ||
             !await _currentContext.OrganizationUser(cipher.OrganizationId.Value) || !cipher.ViewPassword)
         {
@@ -638,10 +677,10 @@ public class CiphersController : Controller
         }
 
         await _cipherService.SaveCollectionsAsync(cipher,
-            model.CollectionIds.Select(c => new Guid(c)), userId, false);
+            model.CollectionIds.Select(c => new Guid(c)), user.Id, false);
 
-        var updatedCipher = await GetByIdAsync(id, userId);
-        var collectionCiphers = await _collectionCipherRepository.GetManyByUserIdCipherIdAsync(userId, id);
+        var updatedCipher = await GetByIdAsync(id, user.Id);
+        var collectionCiphers = await _collectionCipherRepository.GetManyByUserIdCipherIdAsync(user.Id, id);
         // If a user removes the last Can Manage access of a cipher, the "updatedCipher" will return null
         // We will be returning an "Unavailable" property so the client knows the user can no longer access this
         var response = new OptionalCipherDetailsResponseModel()
@@ -649,7 +688,12 @@ public class CiphersController : Controller
             Unavailable = updatedCipher is null,
             Cipher = updatedCipher is null
                 ? null
-                : new CipherDetailsResponseModel(updatedCipher, _globalSettings, collectionCiphers)
+                : new CipherDetailsResponseModel(
+                    updatedCipher,
+                    user,
+                    await _applicationCacheService.GetOrganizationAbilitiesAsync(),
+                    _globalSettings,
+                    collectionCiphers)
         };
         return response;
     }
@@ -839,15 +883,19 @@ public class CiphersController : Controller
     [HttpPut("{id}/restore")]
     public async Task<CipherResponseModel> PutRestore(Guid id)
     {
-        var userId = _userService.GetProperUserId(User).Value;
-        var cipher = await GetByIdAsync(id, userId);
+        var user = await _userService.GetUserByPrincipalAsync(User);
+        var cipher = await GetByIdAsync(id, user.Id);
         if (cipher == null)
         {
             throw new NotFoundException();
         }
 
-        await _cipherService.RestoreAsync(cipher, userId);
-        return new CipherResponseModel(cipher, _globalSettings);
+        await _cipherService.RestoreAsync(cipher, user.Id);
+        return new CipherResponseModel(
+            cipher,
+            user,
+            await _applicationCacheService.GetOrganizationAbilitiesAsync(),
+            _globalSettings);
     }
 
     [HttpPut("{id}/restore-admin")]
@@ -996,10 +1044,10 @@ public class CiphersController : Controller
     [HttpPost("{id}/attachment/v2")]
     public async Task<AttachmentUploadDataResponseModel> PostAttachment(Guid id, [FromBody] AttachmentRequestModel request)
     {
-        var userId = _userService.GetProperUserId(User).Value;
+        var user = await _userService.GetUserByPrincipalAsync(User);
         var cipher = request.AdminRequest ?
             await _cipherRepository.GetOrganizationDetailsByIdAsync(id) :
-            await GetByIdAsync(id, userId);
+            await GetByIdAsync(id, user.Id);
 
         if (cipher == null || (request.AdminRequest && (!cipher.OrganizationId.HasValue ||
             !await CanEditCipherAsAdminAsync(cipher.OrganizationId.Value, new[] { cipher.Id }))))
@@ -1013,13 +1061,17 @@ public class CiphersController : Controller
         }
 
         var (attachmentId, uploadUrl) = await _cipherService.CreateAttachmentForDelayedUploadAsync(cipher,
-            request.Key, request.FileName, request.FileSize, request.AdminRequest, userId);
+            request.Key, request.FileName, request.FileSize, request.AdminRequest, user.Id);
         return new AttachmentUploadDataResponseModel
         {
             AttachmentId = attachmentId,
             Url = uploadUrl,
             FileUploadType = _attachmentStorageService.FileUploadType,
-            CipherResponse = request.AdminRequest ? null : new CipherResponseModel((CipherDetails)cipher, _globalSettings),
+            CipherResponse = request.AdminRequest ? null : new CipherResponseModel(
+                (CipherDetails)cipher,
+                user,
+                await _applicationCacheService.GetOrganizationAbilitiesAsync(),
+                _globalSettings),
             CipherMiniResponse = request.AdminRequest ? new CipherMiniResponseModel(cipher, _globalSettings, cipher.OrganizationUseTotp) : null,
         };
     }
@@ -1077,8 +1129,8 @@ public class CiphersController : Controller
     {
         ValidateAttachment();
 
-        var userId = _userService.GetProperUserId(User).Value;
-        var cipher = await GetByIdAsync(id, userId);
+        var user = await _userService.GetUserByPrincipalAsync(User);
+        var cipher = await GetByIdAsync(id, user.Id);
         if (cipher == null)
         {
             throw new NotFoundException();
@@ -1087,10 +1139,14 @@ public class CiphersController : Controller
         await Request.GetFileAsync(async (stream, fileName, key) =>
         {
             await _cipherService.CreateAttachmentAsync(cipher, stream, fileName, key,
-                    Request.ContentLength.GetValueOrDefault(0), userId);
+                    Request.ContentLength.GetValueOrDefault(0), user.Id);
         });
 
-        return new CipherResponseModel(cipher, _globalSettings);
+        return new CipherResponseModel(
+            cipher,
+            user,
+            await _applicationCacheService.GetOrganizationAbilitiesAsync(),
+            _globalSettings);
     }
 
     [HttpPost("{id}/attachment-admin")]
diff --git a/src/Api/Vault/Controllers/SyncController.cs b/src/Api/Vault/Controllers/SyncController.cs
index c08a5f86e0..1b8978fc65 100644
--- a/src/Api/Vault/Controllers/SyncController.cs
+++ b/src/Api/Vault/Controllers/SyncController.cs
@@ -36,6 +36,7 @@ public class SyncController : Controller
     private readonly ICurrentContext _currentContext;
     private readonly Version _sshKeyCipherMinimumVersion = new(Constants.SSHKeyCipherMinimumVersion);
     private readonly IFeatureService _featureService;
+    private readonly IApplicationCacheService _applicationCacheService;
 
     public SyncController(
         IUserService userService,
@@ -49,7 +50,8 @@ public class SyncController : Controller
         ISendRepository sendRepository,
         GlobalSettings globalSettings,
         ICurrentContext currentContext,
-        IFeatureService featureService)
+        IFeatureService featureService,
+        IApplicationCacheService applicationCacheService)
     {
         _userService = userService;
         _folderRepository = folderRepository;
@@ -63,6 +65,7 @@ public class SyncController : Controller
         _globalSettings = globalSettings;
         _currentContext = currentContext;
         _featureService = featureService;
+        _applicationCacheService = applicationCacheService;
     }
 
     [HttpGet("")]
@@ -104,7 +107,9 @@ public class SyncController : Controller
         var organizationManagingActiveUser = await _userService.GetOrganizationsManagingUserAsync(user.Id);
         var organizationIdsManagingActiveUser = organizationManagingActiveUser.Select(o => o.Id);
 
-        var response = new SyncResponseModel(_globalSettings, user, userTwoFactorEnabled, userHasPremiumFromOrganization,
+        var organizationAbilities = await _applicationCacheService.GetOrganizationAbilitiesAsync();
+
+        var response = new SyncResponseModel(_globalSettings, user, userTwoFactorEnabled, userHasPremiumFromOrganization, organizationAbilities,
             organizationIdsManagingActiveUser, organizationUserDetails, providerUserDetails, providerUserOrganizationDetails,
             folders, collections, ciphers, collectionCiphersGroupDict, excludeDomains, policies, sends);
         return response;
diff --git a/src/Api/Vault/Models/Response/CipherPermissionsResponseModel.cs b/src/Api/Vault/Models/Response/CipherPermissionsResponseModel.cs
new file mode 100644
index 0000000000..4f2f7e86b2
--- /dev/null
+++ b/src/Api/Vault/Models/Response/CipherPermissionsResponseModel.cs
@@ -0,0 +1,27 @@
+using Bit.Core.Entities;
+using Bit.Core.Models.Data.Organizations;
+using Bit.Core.Vault.Authorization.Permissions;
+using Bit.Core.Vault.Models.Data;
+
+namespace Bit.Api.Vault.Models.Response;
+
+public record CipherPermissionsResponseModel
+{
+    public bool Delete { get; init; }
+    public bool Restore { get; init; }
+
+    public CipherPermissionsResponseModel(
+        User user,
+        CipherDetails cipherDetails,
+        IDictionary<Guid, OrganizationAbility> organizationAbilities)
+    {
+        OrganizationAbility organizationAbility = null;
+        if (cipherDetails.OrganizationId.HasValue && !organizationAbilities.TryGetValue(cipherDetails.OrganizationId.Value, out organizationAbility))
+        {
+            throw new Exception("OrganizationAbility not found for organization cipher.");
+        }
+
+        Delete = NormalCipherPermissions.CanDelete(user, cipherDetails, organizationAbility);
+        Restore = NormalCipherPermissions.CanRestore(user, cipherDetails, organizationAbility);
+    }
+}
diff --git a/src/Api/Vault/Models/Response/CipherResponseModel.cs b/src/Api/Vault/Models/Response/CipherResponseModel.cs
index 207017227a..358da3e62a 100644
--- a/src/Api/Vault/Models/Response/CipherResponseModel.cs
+++ b/src/Api/Vault/Models/Response/CipherResponseModel.cs
@@ -1,6 +1,7 @@
 using System.Text.Json;
 using Bit.Core.Entities;
 using Bit.Core.Models.Api;
+using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Settings;
 using Bit.Core.Vault.Entities;
 using Bit.Core.Vault.Enums;
@@ -96,26 +97,37 @@ public class CipherMiniResponseModel : ResponseModel
 
 public class CipherResponseModel : CipherMiniResponseModel
 {
-    public CipherResponseModel(CipherDetails cipher, IGlobalSettings globalSettings, string obj = "cipher")
+    public CipherResponseModel(
+        CipherDetails cipher,
+        User user,
+        IDictionary<Guid, OrganizationAbility> organizationAbilities,
+        IGlobalSettings globalSettings,
+        string obj = "cipher")
         : base(cipher, globalSettings, cipher.OrganizationUseTotp, obj)
     {
         FolderId = cipher.FolderId;
         Favorite = cipher.Favorite;
         Edit = cipher.Edit;
         ViewPassword = cipher.ViewPassword;
+        Permissions = new CipherPermissionsResponseModel(user, cipher, organizationAbilities);
     }
 
     public Guid? FolderId { get; set; }
     public bool Favorite { get; set; }
     public bool Edit { get; set; }
     public bool ViewPassword { get; set; }
+    public CipherPermissionsResponseModel Permissions { get; set; }
 }
 
 public class CipherDetailsResponseModel : CipherResponseModel
 {
-    public CipherDetailsResponseModel(CipherDetails cipher, GlobalSettings globalSettings,
+    public CipherDetailsResponseModel(
+        CipherDetails cipher,
+        User user,
+        IDictionary<Guid, OrganizationAbility> organizationAbilities,
+        GlobalSettings globalSettings,
         IDictionary<Guid, IGrouping<Guid, CollectionCipher>> collectionCiphers, string obj = "cipherDetails")
-        : base(cipher, globalSettings, obj)
+        : base(cipher, user, organizationAbilities, globalSettings, obj)
     {
         if (collectionCiphers?.ContainsKey(cipher.Id) ?? false)
         {
@@ -127,15 +139,24 @@ public class CipherDetailsResponseModel : CipherResponseModel
         }
     }
 
-    public CipherDetailsResponseModel(CipherDetails cipher, GlobalSettings globalSettings,
+    public CipherDetailsResponseModel(
+        CipherDetails cipher,
+        User user,
+        IDictionary<Guid, OrganizationAbility> organizationAbilities,
+        GlobalSettings globalSettings,
         IEnumerable<CollectionCipher> collectionCiphers, string obj = "cipherDetails")
-        : base(cipher, globalSettings, obj)
+        : base(cipher, user, organizationAbilities, globalSettings, obj)
     {
         CollectionIds = collectionCiphers?.Select(c => c.CollectionId) ?? new List<Guid>();
     }
 
-    public CipherDetailsResponseModel(CipherDetailsWithCollections cipher, GlobalSettings globalSettings, string obj = "cipherDetails")
-        : base(cipher, globalSettings, obj)
+    public CipherDetailsResponseModel(
+        CipherDetailsWithCollections cipher,
+        User user,
+        IDictionary<Guid, OrganizationAbility> organizationAbilities,
+        GlobalSettings globalSettings,
+        string obj = "cipherDetails")
+        : base(cipher, user, organizationAbilities, globalSettings, obj)
     {
         CollectionIds = cipher.CollectionIds ?? new List<Guid>();
     }
diff --git a/src/Api/Vault/Models/Response/SyncResponseModel.cs b/src/Api/Vault/Models/Response/SyncResponseModel.cs
index a9b87ac31e..f1465264f2 100644
--- a/src/Api/Vault/Models/Response/SyncResponseModel.cs
+++ b/src/Api/Vault/Models/Response/SyncResponseModel.cs
@@ -6,6 +6,7 @@ using Bit.Core.AdminConsole.Models.Data.Provider;
 using Bit.Core.Entities;
 using Bit.Core.Models.Api;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Settings;
 using Bit.Core.Tools.Entities;
@@ -21,6 +22,7 @@ public class SyncResponseModel : ResponseModel
         User user,
         bool userTwoFactorEnabled,
         bool userHasPremiumFromOrganization,
+        IDictionary<Guid, OrganizationAbility> organizationAbilities,
         IEnumerable<Guid> organizationIdsManagingUser,
         IEnumerable<OrganizationUserOrganizationDetails> organizationUserDetails,
         IEnumerable<ProviderUserProviderDetails> providerUserDetails,
@@ -37,7 +39,13 @@ public class SyncResponseModel : ResponseModel
         Profile = new ProfileResponseModel(user, organizationUserDetails, providerUserDetails,
             providerUserOrganizationDetails, userTwoFactorEnabled, userHasPremiumFromOrganization, organizationIdsManagingUser);
         Folders = folders.Select(f => new FolderResponseModel(f));
-        Ciphers = ciphers.Select(c => new CipherDetailsResponseModel(c, globalSettings, collectionCiphersDict));
+        Ciphers = ciphers.Select(cipher =>
+            new CipherDetailsResponseModel(
+                cipher,
+                user,
+                organizationAbilities,
+                globalSettings,
+                collectionCiphersDict));
         Collections = collections?.Select(
             c => new CollectionDetailsResponseModel(c)) ?? new List<CollectionDetailsResponseModel>();
         Domains = excludeDomains ? null : new DomainsResponseModel(user, false);
diff --git a/test/Api.Test/Vault/Controllers/CiphersControllerTests.cs b/test/Api.Test/Vault/Controllers/CiphersControllerTests.cs
index 2afce14ac5..5c8de51062 100644
--- a/test/Api.Test/Vault/Controllers/CiphersControllerTests.cs
+++ b/test/Api.Test/Vault/Controllers/CiphersControllerTests.cs
@@ -27,17 +27,18 @@ namespace Bit.Api.Test.Controllers;
 public class CiphersControllerTests
 {
     [Theory, BitAutoData]
-    public async Task PutPartialShouldReturnCipherWithGivenFolderAndFavoriteValues(Guid userId, Guid folderId, SutProvider<CiphersController> sutProvider)
+    public async Task PutPartialShouldReturnCipherWithGivenFolderAndFavoriteValues(User user, Guid folderId, SutProvider<CiphersController> sutProvider)
     {
         var isFavorite = true;
         var cipherId = Guid.NewGuid();
 
         sutProvider.GetDependency<IUserService>()
-            .GetProperUserId(Arg.Any<ClaimsPrincipal>())
-            .Returns(userId);
+            .GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>())
+            .Returns(user);
 
         var cipherDetails = new CipherDetails
         {
+            UserId = user.Id,
             Favorite = isFavorite,
             FolderId = folderId,
             Type = Core.Vault.Enums.CipherType.SecureNote,
@@ -45,7 +46,7 @@ public class CiphersControllerTests
         };
 
         sutProvider.GetDependency<ICipherRepository>()
-            .GetByIdAsync(cipherId, userId)
+            .GetByIdAsync(cipherId, user.Id)
             .Returns(Task.FromResult(cipherDetails));
 
         var result = await sutProvider.Sut.PutPartial(cipherId, new CipherPartialRequestModel { Favorite = isFavorite, FolderId = folderId.ToString() });
@@ -55,12 +56,12 @@ public class CiphersControllerTests
     }
 
     [Theory, BitAutoData]
-    public async Task PutCollections_vNextShouldThrowExceptionWhenCipherIsNullOrNoOrgValue(Guid id, CipherCollectionsRequestModel model, Guid userId,
+    public async Task PutCollections_vNextShouldThrowExceptionWhenCipherIsNullOrNoOrgValue(Guid id, CipherCollectionsRequestModel model, User user,
         SutProvider<CiphersController> sutProvider)
     {
-        sutProvider.GetDependency<IUserService>().GetProperUserId(default).Returns(userId);
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(user);
         sutProvider.GetDependency<ICurrentContext>().OrganizationUser(Guid.NewGuid()).Returns(false);
-        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(id, userId).ReturnsNull();
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(id, user.Id).ReturnsNull();
 
         var requestAction = async () => await sutProvider.Sut.PutCollections_vNext(id, model);
 
@@ -75,6 +76,7 @@ public class CiphersControllerTests
         sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(id, userId).ReturnsForAnyArgs(cipherDetails);
 
         sutProvider.GetDependency<ICollectionCipherRepository>().GetManyByUserIdCipherIdAsync(userId, id).Returns((ICollection<CollectionCipher>)new List<CollectionCipher>());
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(new Dictionary<Guid, OrganizationAbility> { { cipherDetails.OrganizationId.Value, new OrganizationAbility() } });
         var cipherService = sutProvider.GetDependency<ICipherService>();
 
         await sutProvider.Sut.PutCollections_vNext(id, model);
@@ -90,6 +92,7 @@ public class CiphersControllerTests
         sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(id, userId).ReturnsForAnyArgs(cipherDetails);
 
         sutProvider.GetDependency<ICollectionCipherRepository>().GetManyByUserIdCipherIdAsync(userId, id).Returns((ICollection<CollectionCipher>)new List<CollectionCipher>());
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(new Dictionary<Guid, OrganizationAbility> { { cipherDetails.OrganizationId.Value, new OrganizationAbility() } });
 
         var result = await sutProvider.Sut.PutCollections_vNext(id, model);
 
@@ -115,6 +118,7 @@ public class CiphersControllerTests
     private void SetupUserAndOrgMocks(Guid id, Guid userId, SutProvider<CiphersController> sutProvider)
     {
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(new User { Id = userId });
         sutProvider.GetDependency<ICurrentContext>().OrganizationUser(default).ReturnsForAnyArgs(true);
         sutProvider.GetDependency<ICollectionCipherRepository>().GetManyByUserIdCipherIdAsync(userId, id).Returns(new List<CollectionCipher>());
     }

From 031e188e82f6f2e4278979479eb094b27b4fb431 Mon Sep 17 00:00:00 2001
From: Daniel James Smith <2670567+djsmith85@users.noreply.github.com>
Date: Mon, 10 Mar 2025 16:53:07 +0100
Subject: [PATCH 350/384] Remove extension-refresh feature flag (#5410)

Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
---
 src/Core/Constants.cs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index b1cbc8d519..6baa9227e1 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -121,7 +121,6 @@ public static class FeatureFlagKeys
     public const string AC2101UpdateTrialInitiationEmail = "AC-2101-update-trial-initiation-email";
     public const string EmailVerification = "email-verification";
     public const string EmailVerificationDisableTimingDelays = "email-verification-disable-timing-delays";
-    public const string ExtensionRefresh = "extension-refresh";
     public const string RestrictProviderAccess = "restrict-provider-access";
     public const string PM4154BulkEncryptionService = "PM-4154-bulk-encryption-service";
     public const string VaultBulkManagementAction = "vault-bulk-management-action";

From 913da4a629c156ef2634a99dd3324bed060abc46 Mon Sep 17 00:00:00 2001
From: Ike <137194738+ike-kottlowski@users.noreply.github.com>
Date: Mon, 10 Mar 2025 12:16:43 -0400
Subject: [PATCH 351/384] [PM-15015] Add Country Name to auth request from
 request headers (#5471)

* feat(pm-15015) :
  * Add `CountryName` column to AuthRequest Table in Database, and refreshing AuthRequestView
  * Modify database stored procedures and Entity Framework migrations for AuthRequest Repositories
  * Add property to `ICurrentContext` and response models.
---
 ...ingOrganizationAuthRequestResponseModel.cs |    2 +
 .../Response/AuthRequestResponseModel.cs      |    2 +
 src/Core/Auth/Entities/AuthRequest.cs         |    6 +
 .../Implementations/AuthRequestService.cs     |    8 +-
 src/Core/Context/CurrentContext.cs            |    7 +
 src/Core/Context/ICurrentContext.cs           |    1 +
 .../Stored Procedures/AuthRequest_Create.sql  |   43 +-
 .../Stored Procedures/AuthRequest_Update.sql  |   44 +-
 .../AuthRequest_UpdateMany.sql                |    4 +-
 src/Sql/Auth/dbo/Tables/AuthRequest.sql       |    2 +-
 .../2025-02-27_00_AlterAuthRequest.sql        |  168 +
 ...0250304221039_AlterAuthRequest.Designer.cs | 3014 ++++++++++++++++
 .../20250304221039_AlterAuthRequest.cs        |   29 +
 .../DatabaseContextModelSnapshot.cs           |    4 +
 ...04204625_AlterAuthRequestTable.Designer.cs | 3020 +++++++++++++++++
 .../20250304204625_AlterAuthRequestTable.cs   |   28 +
 .../DatabaseContextModelSnapshot.cs           |    4 +
 ...04204635_AlterAuthRequestTable.Designer.cs | 3003 ++++++++++++++++
 .../20250304204635_AlterAuthRequestTable.cs   |   28 +
 .../DatabaseContextModelSnapshot.cs           |    4 +
 20 files changed, 9372 insertions(+), 49 deletions(-)
 create mode 100644 util/Migrator/DbScripts/2025-02-27_00_AlterAuthRequest.sql
 create mode 100644 util/MySqlMigrations/Migrations/20250304221039_AlterAuthRequest.Designer.cs
 create mode 100644 util/MySqlMigrations/Migrations/20250304221039_AlterAuthRequest.cs
 create mode 100644 util/PostgresMigrations/Migrations/20250304204625_AlterAuthRequestTable.Designer.cs
 create mode 100644 util/PostgresMigrations/Migrations/20250304204625_AlterAuthRequestTable.cs
 create mode 100644 util/SqliteMigrations/Migrations/20250304204635_AlterAuthRequestTable.Designer.cs
 create mode 100644 util/SqliteMigrations/Migrations/20250304204635_AlterAuthRequestTable.cs

diff --git a/src/Api/AdminConsole/Models/Response/PendingOrganizationAuthRequestResponseModel.cs b/src/Api/AdminConsole/Models/Response/PendingOrganizationAuthRequestResponseModel.cs
index 1805bdb07e..3e242cba7b 100644
--- a/src/Api/AdminConsole/Models/Response/PendingOrganizationAuthRequestResponseModel.cs
+++ b/src/Api/AdminConsole/Models/Response/PendingOrganizationAuthRequestResponseModel.cs
@@ -23,6 +23,7 @@ public class PendingOrganizationAuthRequestResponseModel : ResponseModel
         RequestDeviceType = authRequest.RequestDeviceType.GetType().GetMember(authRequest.RequestDeviceType.ToString())
             .FirstOrDefault()?.GetCustomAttribute<DisplayAttribute>()?.GetName();
         RequestIpAddress = authRequest.RequestIpAddress;
+        RequestCountryName = authRequest.RequestCountryName;
         CreationDate = authRequest.CreationDate;
     }
 
@@ -34,5 +35,6 @@ public class PendingOrganizationAuthRequestResponseModel : ResponseModel
     public string RequestDeviceIdentifier { get; set; }
     public string RequestDeviceType { get; set; }
     public string RequestIpAddress { get; set; }
+    public string RequestCountryName { get; set; }
     public DateTime CreationDate { get; set; }
 }
diff --git a/src/Api/Auth/Models/Response/AuthRequestResponseModel.cs b/src/Api/Auth/Models/Response/AuthRequestResponseModel.cs
index 50f7f5a3e7..7a9734d844 100644
--- a/src/Api/Auth/Models/Response/AuthRequestResponseModel.cs
+++ b/src/Api/Auth/Models/Response/AuthRequestResponseModel.cs
@@ -23,6 +23,7 @@ public class AuthRequestResponseModel : ResponseModel
         RequestDeviceType = authRequest.RequestDeviceType.GetType().GetMember(authRequest.RequestDeviceType.ToString())
             .FirstOrDefault()?.GetCustomAttribute<DisplayAttribute>()?.GetName();
         RequestIpAddress = authRequest.RequestIpAddress;
+        RequestCountryName = authRequest.RequestCountryName;
         Key = authRequest.Key;
         MasterPasswordHash = authRequest.MasterPasswordHash;
         CreationDate = authRequest.CreationDate;
@@ -37,6 +38,7 @@ public class AuthRequestResponseModel : ResponseModel
     public DeviceType RequestDeviceTypeValue { get; set; }
     public string RequestDeviceType { get; set; }
     public string RequestIpAddress { get; set; }
+    public string RequestCountryName { get; set; }
     public string Key { get; set; }
     public string MasterPasswordHash { get; set; }
     public DateTime CreationDate { get; set; }
diff --git a/src/Core/Auth/Entities/AuthRequest.cs b/src/Core/Auth/Entities/AuthRequest.cs
index d1d337b8a1..088c24b88a 100644
--- a/src/Core/Auth/Entities/AuthRequest.cs
+++ b/src/Core/Auth/Entities/AuthRequest.cs
@@ -16,6 +16,12 @@ public class AuthRequest : ITableObject<Guid>
     public DeviceType RequestDeviceType { get; set; }
     [MaxLength(50)]
     public string RequestIpAddress { get; set; }
+    /// <summary>
+    /// This country name is populated through a header value fetched from the ISO-3166 country code.
+    /// It will always be the English short form of the country name. The length should never be over 200 characters.
+    /// </summary>
+    [MaxLength(200)]
+    public string RequestCountryName { get; set; }
     public Guid? ResponseDeviceId { get; set; }
     [MaxLength(25)]
     public string AccessCode { get; set; }
diff --git a/src/Core/Auth/Services/Implementations/AuthRequestService.cs b/src/Core/Auth/Services/Implementations/AuthRequestService.cs
index b70a690338..c10fa6ce92 100644
--- a/src/Core/Auth/Services/Implementations/AuthRequestService.cs
+++ b/src/Core/Auth/Services/Implementations/AuthRequestService.cs
@@ -164,6 +164,7 @@ public class AuthRequestService : IAuthRequestService
             RequestDeviceIdentifier = model.DeviceIdentifier,
             RequestDeviceType = _currentContext.DeviceType.Value,
             RequestIpAddress = _currentContext.IpAddress,
+            RequestCountryName = _currentContext.CountryName,
             AccessCode = model.AccessCode,
             PublicKey = model.PublicKey,
             UserId = user.Id,
@@ -176,12 +177,7 @@ public class AuthRequestService : IAuthRequestService
 
     public async Task<AuthRequest> UpdateAuthRequestAsync(Guid authRequestId, Guid currentUserId, AuthRequestUpdateRequestModel model)
     {
-        var authRequest = await _authRequestRepository.GetByIdAsync(authRequestId);
-
-        if (authRequest == null)
-        {
-            throw new NotFoundException();
-        }
+        var authRequest = await _authRequestRepository.GetByIdAsync(authRequestId) ?? throw new NotFoundException();
 
         // Once Approval/Disapproval has been set, this AuthRequest should not be updated again.
         if (authRequest.Approved is not null)
diff --git a/src/Core/Context/CurrentContext.cs b/src/Core/Context/CurrentContext.cs
index b4a250fe2b..cbd90055b0 100644
--- a/src/Core/Context/CurrentContext.cs
+++ b/src/Core/Context/CurrentContext.cs
@@ -30,6 +30,7 @@ public class CurrentContext : ICurrentContext
     public virtual string DeviceIdentifier { get; set; }
     public virtual DeviceType? DeviceType { get; set; }
     public virtual string IpAddress { get; set; }
+    public virtual string CountryName { get; set; }
     public virtual List<CurrentContextOrganization> Organizations { get; set; }
     public virtual List<CurrentContextProvider> Providers { get; set; }
     public virtual Guid? InstallationId { get; set; }
@@ -104,6 +105,12 @@ public class CurrentContext : ICurrentContext
         {
             ClientVersionIsPrerelease = clientVersionIsPrerelease == "1";
         }
+
+        if (httpContext.Request.Headers.TryGetValue("country-name", out var countryName))
+        {
+            CountryName = countryName;
+        }
+
     }
 
     public async virtual Task BuildAsync(ClaimsPrincipal user, GlobalSettings globalSettings)
diff --git a/src/Core/Context/ICurrentContext.cs b/src/Core/Context/ICurrentContext.cs
index 9361480229..42843ce6d7 100644
--- a/src/Core/Context/ICurrentContext.cs
+++ b/src/Core/Context/ICurrentContext.cs
@@ -20,6 +20,7 @@ public interface ICurrentContext
     string DeviceIdentifier { get; set; }
     DeviceType? DeviceType { get; set; }
     string IpAddress { get; set; }
+    string CountryName { get; set; }
     List<CurrentContextOrganization> Organizations { get; set; }
     Guid? InstallationId { get; set; }
     Guid? OrganizationId { get; set; }
diff --git a/src/Sql/Auth/dbo/Stored Procedures/AuthRequest_Create.sql b/src/Sql/Auth/dbo/Stored Procedures/AuthRequest_Create.sql
index 81490182f3..41d1698220 100644
--- a/src/Sql/Auth/dbo/Stored Procedures/AuthRequest_Create.sql	
+++ b/src/Sql/Auth/dbo/Stored Procedures/AuthRequest_Create.sql	
@@ -6,6 +6,7 @@
     @RequestDeviceIdentifier NVARCHAR(50),
     @RequestDeviceType TINYINT,
     @RequestIpAddress VARCHAR(50),
+    @RequestCountryName NVARCHAR(200),
     @ResponseDeviceId UNIQUEIDENTIFIER,
     @AccessCode VARCHAR(25),
     @PublicKey VARCHAR(MAX),
@@ -20,7 +21,7 @@ BEGIN
     SET NOCOUNT ON
 
     INSERT INTO [dbo].[AuthRequest]
-    (
+        (
         [Id],
         [UserId],
         [OrganizationId],
@@ -28,6 +29,7 @@ BEGIN
         [RequestDeviceIdentifier],
         [RequestDeviceType],
         [RequestIpAddress],
+        [RequestCountryName],
         [ResponseDeviceId],
         [AccessCode],
         [PublicKey],
@@ -37,24 +39,25 @@ BEGIN
         [CreationDate],
         [ResponseDate],
         [AuthenticationDate]
-    )
+        )
     VALUES
-    (
-        @Id,
-        @UserId,
-        @OrganizationId,
-        @Type,
-        @RequestDeviceIdentifier,
-        @RequestDeviceType,
-        @RequestIpAddress,
-        @ResponseDeviceId,
-        @AccessCode,
-        @PublicKey,
-        @Key,
-        @MasterPasswordHash,
-        @Approved,
-        @CreationDate,
-        @ResponseDate,
-        @AuthenticationDate
+        (
+            @Id,
+            @UserId,
+            @OrganizationId,
+            @Type,
+            @RequestDeviceIdentifier,
+            @RequestDeviceType,
+            @RequestIpAddress,
+            @RequestCountryName,
+            @ResponseDeviceId,
+            @AccessCode,
+            @PublicKey,
+            @Key,
+            @MasterPasswordHash,
+            @Approved,
+            @CreationDate,
+            @ResponseDate,
+            @AuthenticationDate
     )
-END
\ No newline at end of file
+END
diff --git a/src/Sql/Auth/dbo/Stored Procedures/AuthRequest_Update.sql b/src/Sql/Auth/dbo/Stored Procedures/AuthRequest_Update.sql
index 0af4109da4..dde8de1b44 100644
--- a/src/Sql/Auth/dbo/Stored Procedures/AuthRequest_Update.sql	
+++ b/src/Sql/Auth/dbo/Stored Procedures/AuthRequest_Update.sql	
@@ -2,10 +2,11 @@
     @Id UNIQUEIDENTIFIER OUTPUT,
     @UserId UNIQUEIDENTIFIER,
     @OrganizationId UNIQUEIDENTIFIER = NULL,
-    @Type SMALLINT, 
+    @Type SMALLINT,
     @RequestDeviceIdentifier NVARCHAR(50),
     @RequestDeviceType SMALLINT,
     @RequestIpAddress VARCHAR(50),
+    @RequestCountryName NVARCHAR(200),
     @ResponseDeviceId UNIQUEIDENTIFIER,
     @AccessCode VARCHAR(25),
     @PublicKey VARCHAR(MAX),
@@ -14,29 +15,30 @@
     @Approved BIT,
     @CreationDate DATETIME2 (7),
     @ResponseDate DATETIME2 (7),
-    @AuthenticationDate DATETIME2 (7)    
+    @AuthenticationDate DATETIME2 (7)
 AS
 BEGIN
     SET NOCOUNT ON
 
     UPDATE
-        [dbo].[AuthRequest]
-    SET
-        [UserId] = @UserId,
-        [Type] = @Type,
-        [OrganizationId] = @OrganizationId,
-        [RequestDeviceIdentifier] = @RequestDeviceIdentifier,
-        [RequestDeviceType] = @RequestDeviceType,
-        [RequestIpAddress] = @RequestIpAddress,
-        [ResponseDeviceId] = @ResponseDeviceId,
-        [AccessCode] = @AccessCode,
-        [PublicKey] = @PublicKey,
-        [Key] = @Key,
-        [MasterPasswordHash] = @MasterPasswordHash,
-        [Approved] = @Approved,
-        [CreationDate] = @CreationDate,
-        [ResponseDate] = @ResponseDate,
-        [AuthenticationDate] = @AuthenticationDate
-    WHERE
-        [Id] = @Id
+    [dbo].[AuthRequest]
+SET
+    [UserId] = @UserId,
+    [Type] = @Type,
+    [OrganizationId] = @OrganizationId,
+    [RequestDeviceIdentifier] = @RequestDeviceIdentifier,
+    [RequestDeviceType] = @RequestDeviceType,
+    [RequestIpAddress] = @RequestIpAddress,
+    [RequestCountryName] = @RequestCountryName,
+    [ResponseDeviceId] = @ResponseDeviceId,
+    [AccessCode] = @AccessCode,
+    [PublicKey] = @PublicKey,
+    [Key] = @Key,
+    [MasterPasswordHash] = @MasterPasswordHash,
+    [Approved] = @Approved,
+    [CreationDate] = @CreationDate,
+    [ResponseDate] = @ResponseDate,
+    [AuthenticationDate] = @AuthenticationDate
+WHERE
+    [Id] = @Id
 END
diff --git a/src/Sql/Auth/dbo/Stored Procedures/AuthRequest_UpdateMany.sql b/src/Sql/Auth/dbo/Stored Procedures/AuthRequest_UpdateMany.sql
index 227abbb3e1..c42ceba9f6 100644
--- a/src/Sql/Auth/dbo/Stored Procedures/AuthRequest_UpdateMany.sql	
+++ b/src/Sql/Auth/dbo/Stored Procedures/AuthRequest_UpdateMany.sql	
@@ -10,6 +10,7 @@ BEGIN
         [RequestDeviceIdentifier] = ARI.[RequestDeviceIdentifier],
         [RequestDeviceType] = ARI.[RequestDeviceType],
         [RequestIpAddress] = ARI.[RequestIpAddress],
+        [RequestCountryName] = ARI.[RequestCountryName],
         [ResponseDeviceId] = ARI.[ResponseDeviceId],
         [AccessCode] = ARI.[AccessCode],
         [PublicKey] = ARI.[PublicKey],
@@ -22,7 +23,7 @@ BEGIN
         [OrganizationId] = ARI.[OrganizationId]
     FROM
         [dbo].[AuthRequest] AR
-    INNER JOIN
+        INNER JOIN
         OPENJSON(@jsonData)
         WITH (
             Id UNIQUEIDENTIFIER '$.Id',
@@ -31,6 +32,7 @@ BEGIN
             RequestDeviceIdentifier NVARCHAR(50) '$.RequestDeviceIdentifier',
             RequestDeviceType SMALLINT '$.RequestDeviceType',
             RequestIpAddress VARCHAR(50) '$.RequestIpAddress',
+            RequestCountryName NVARCHAR(200) '$.RequestCountryName',
             ResponseDeviceId UNIQUEIDENTIFIER '$.ResponseDeviceId',
             AccessCode VARCHAR(25) '$.AccessCode',
             PublicKey VARCHAR(MAX) '$.PublicKey',
diff --git a/src/Sql/Auth/dbo/Tables/AuthRequest.sql b/src/Sql/Auth/dbo/Tables/AuthRequest.sql
index 4f2b3193fb..234f89c5ec 100644
--- a/src/Sql/Auth/dbo/Tables/AuthRequest.sql
+++ b/src/Sql/Auth/dbo/Tables/AuthRequest.sql
@@ -15,11 +15,11 @@
     [ResponseDate]              DATETIME2 (7)    NULL,
     [AuthenticationDate]        DATETIME2 (7)    NULL,
     [OrganizationId]            UNIQUEIDENTIFIER NULL,
+    [RequestCountryName]        NVARCHAR(200)     NULL,
     CONSTRAINT [PK_AuthRequest] PRIMARY KEY CLUSTERED ([Id] ASC),
     CONSTRAINT [FK_AuthRequest_User] FOREIGN KEY ([UserId]) REFERENCES [dbo].[User] ([Id]),
     CONSTRAINT [FK_AuthRequest_ResponseDevice] FOREIGN KEY ([ResponseDeviceId]) REFERENCES [dbo].[Device] ([Id]),
     CONSTRAINT [FK_AuthRequest_Organization] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization] ([Id])
 );
 
-
 GO
diff --git a/util/Migrator/DbScripts/2025-02-27_00_AlterAuthRequest.sql b/util/Migrator/DbScripts/2025-02-27_00_AlterAuthRequest.sql
new file mode 100644
index 0000000000..3d0732ed88
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-02-27_00_AlterAuthRequest.sql
@@ -0,0 +1,168 @@
+ALTER TABLE
+  [dbo].[AuthRequest]
+ADD
+  [RequestCountryName] NVARCHAR(200) NULL;
+GO
+
+EXECUTE sp_refreshview 'dbo.AuthRequestView'
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[AuthRequest_Create]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @UserId UNIQUEIDENTIFIER,
+    @OrganizationId UNIQUEIDENTIFIER = NULL,
+    @Type TINYINT,
+    @RequestDeviceIdentifier NVARCHAR(50),
+    @RequestDeviceType TINYINT,
+    @RequestIpAddress VARCHAR(50),
+    @RequestCountryName NVARCHAR(200),
+    @ResponseDeviceId UNIQUEIDENTIFIER,
+    @AccessCode VARCHAR(25),
+    @PublicKey VARCHAR(MAX),
+    @Key VARCHAR(MAX),
+    @MasterPasswordHash VARCHAR(MAX),
+    @Approved BIT,
+    @CreationDate DATETIME2(7),
+    @ResponseDate DATETIME2(7),
+    @AuthenticationDate DATETIME2(7)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    INSERT INTO [dbo].[AuthRequest]
+        (
+        [Id],
+        [UserId],
+        [OrganizationId],
+        [Type],
+        [RequestDeviceIdentifier],
+        [RequestDeviceType],
+        [RequestIpAddress],
+        [RequestCountryName],
+        [ResponseDeviceId],
+        [AccessCode],
+        [PublicKey],
+        [Key],
+        [MasterPasswordHash],
+        [Approved],
+        [CreationDate],
+        [ResponseDate],
+        [AuthenticationDate]
+        )
+    VALUES
+        (
+            @Id,
+            @UserId,
+            @OrganizationId,
+            @Type,
+            @RequestDeviceIdentifier,
+            @RequestDeviceType,
+            @RequestIpAddress,
+            @RequestCountryName,
+            @ResponseDeviceId,
+            @AccessCode,
+            @PublicKey,
+            @Key,
+            @MasterPasswordHash,
+            @Approved,
+            @CreationDate,
+            @ResponseDate,
+            @AuthenticationDate
+    )
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[AuthRequest_Update]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @UserId UNIQUEIDENTIFIER,
+    @OrganizationId UNIQUEIDENTIFIER = NULL,
+    @Type SMALLINT,
+    @RequestDeviceIdentifier NVARCHAR(50),
+    @RequestDeviceType SMALLINT,
+    @RequestIpAddress VARCHAR(50),
+    @RequestCountryName NVARCHAR(200),
+    @ResponseDeviceId UNIQUEIDENTIFIER,
+    @AccessCode VARCHAR(25),
+    @PublicKey VARCHAR(MAX),
+    @Key VARCHAR(MAX),
+    @MasterPasswordHash VARCHAR(MAX),
+    @Approved BIT,
+    @CreationDate DATETIME2 (7),
+    @ResponseDate DATETIME2 (7),
+    @AuthenticationDate DATETIME2 (7)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    UPDATE
+    [dbo].[AuthRequest]
+SET
+    [UserId] = @UserId,
+    [Type] = @Type,
+    [OrganizationId] = @OrganizationId,
+    [RequestDeviceIdentifier] = @RequestDeviceIdentifier,
+    [RequestDeviceType] = @RequestDeviceType,
+    [RequestIpAddress] = @RequestIpAddress,
+    [RequestCountryName] = @RequestCountryName,
+    [ResponseDeviceId] = @ResponseDeviceId,
+    [AccessCode] = @AccessCode,
+    [PublicKey] = @PublicKey,
+    [Key] = @Key,
+    [MasterPasswordHash] = @MasterPasswordHash,
+    [Approved] = @Approved,
+    [CreationDate] = @CreationDate,
+    [ResponseDate] = @ResponseDate,
+    [AuthenticationDate] = @AuthenticationDate
+WHERE
+    [Id] = @Id
+END
+GO
+
+CREATE OR ALTER PROCEDURE AuthRequest_UpdateMany
+    @jsonData NVARCHAR(MAX)
+AS
+BEGIN
+    UPDATE AR
+    SET
+        [Id] = ARI.[Id],
+        [UserId] = ARI.[UserId],
+        [Type] = ARI.[Type],
+        [RequestDeviceIdentifier] = ARI.[RequestDeviceIdentifier],
+        [RequestDeviceType] = ARI.[RequestDeviceType],
+        [RequestIpAddress] = ARI.[RequestIpAddress],
+        [RequestCountryName] = ARI.[RequestCountryName],
+        [ResponseDeviceId] = ARI.[ResponseDeviceId],
+        [AccessCode] = ARI.[AccessCode],
+        [PublicKey] = ARI.[PublicKey],
+        [Key] = ARI.[Key],
+        [MasterPasswordHash] = ARI.[MasterPasswordHash],
+        [Approved] = ARI.[Approved],
+        [CreationDate] = ARI.[CreationDate],
+        [ResponseDate] = ARI.[ResponseDate],
+        [AuthenticationDate] = ARI.[AuthenticationDate],
+        [OrganizationId] = ARI.[OrganizationId]
+    FROM
+        [dbo].[AuthRequest] AR
+        INNER JOIN
+        OPENJSON(@jsonData)
+        WITH (
+            Id UNIQUEIDENTIFIER '$.Id',
+            UserId UNIQUEIDENTIFIER '$.UserId',
+            Type SMALLINT '$.Type',
+            RequestDeviceIdentifier NVARCHAR(50) '$.RequestDeviceIdentifier',
+            RequestDeviceType SMALLINT '$.RequestDeviceType',
+            RequestIpAddress VARCHAR(50) '$.RequestIpAddress',
+            RequestCountryName NVARCHAR(200) '$.RequestCountryName',
+            ResponseDeviceId UNIQUEIDENTIFIER '$.ResponseDeviceId',
+            AccessCode VARCHAR(25) '$.AccessCode',
+            PublicKey VARCHAR(MAX) '$.PublicKey',
+            [Key] VARCHAR(MAX) '$.Key',
+            MasterPasswordHash VARCHAR(MAX) '$.MasterPasswordHash',
+            Approved BIT '$.Approved',
+            CreationDate DATETIME2 '$.CreationDate',
+            ResponseDate DATETIME2 '$.ResponseDate',
+            AuthenticationDate DATETIME2 '$.AuthenticationDate',
+            OrganizationId UNIQUEIDENTIFIER '$.OrganizationId'
+        ) ARI ON AR.Id = ARI.Id;
+END
+GO
\ No newline at end of file
diff --git a/util/MySqlMigrations/Migrations/20250304221039_AlterAuthRequest.Designer.cs b/util/MySqlMigrations/Migrations/20250304221039_AlterAuthRequest.Designer.cs
new file mode 100644
index 0000000000..771b7a372f
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20250304221039_AlterAuthRequest.Designer.cs
@@ -0,0 +1,3014 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Metadata;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20250304221039_AlterAuthRequest")]
+    partial class AlterAuthRequest
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 64);
+
+            MySqlModelBuilderExtensions.AutoIncrementColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("LimitItemDeletion")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("varchar(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("RequestCountryName")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("int");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("varchar(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("varchar(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("longblob");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("varchar(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("varchar(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("int");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("varchar(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Body")
+                        .HasMaxLength(3000)
+                        .HasColumnType("varchar(3000)");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid?>("TaskId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("TaskId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("varchar(150)");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("varchar(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("varchar(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", "Task")
+                        .WithMany()
+                        .HasForeignKey("TaskId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Task");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/20250304221039_AlterAuthRequest.cs b/util/MySqlMigrations/Migrations/20250304221039_AlterAuthRequest.cs
new file mode 100644
index 0000000000..ec6e89baad
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20250304221039_AlterAuthRequest.cs
@@ -0,0 +1,29 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AlterAuthRequest : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<string>(
+            name: "RequestCountryName",
+            table: "AuthRequest",
+            type: "varchar(200)",
+            maxLength: 200,
+            nullable: true)
+            .Annotation("MySql:CharSet", "utf8mb4");
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "RequestCountryName",
+            table: "AuthRequest");
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
index bd04151035..dfd5d4a983 100644
--- a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -407,6 +407,10 @@ namespace Bit.MySqlMigrations.Migrations
                     b.Property<DateTime?>("AuthenticationDate")
                         .HasColumnType("datetime(6)");
 
+                    b.Property<string>("RequestCountryName")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
                     b.Property<DateTime>("CreationDate")
                         .HasColumnType("datetime(6)");
 
diff --git a/util/PostgresMigrations/Migrations/20250304204625_AlterAuthRequestTable.Designer.cs b/util/PostgresMigrations/Migrations/20250304204625_AlterAuthRequestTable.Designer.cs
new file mode 100644
index 0000000000..a761482cfd
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20250304204625_AlterAuthRequestTable.Designer.cs
@@ -0,0 +1,3020 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20250304204625_AlterAuthRequestTable")]
+    partial class AlterAuthRequestTable
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("Npgsql:CollationDefinition:postgresIndetermanisticCollation", "en-u-ks-primary,en-u-ks-primary,icu,False")
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("LimitItemDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled");
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("Id", "Enabled"), new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("character varying(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("RequestCountryName")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("OrganizationId", "ExternalId"), new[] { "UserId" });
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("character varying(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("numeric");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("character varying(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("character varying(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("numeric");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("numeric");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("boolean");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("numeric");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("character varying(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Body")
+                        .HasMaxLength(3000)
+                        .HasColumnType("character varying(3000)");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("TaskId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("TaskId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("character varying(150)");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("character varying(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", "Task")
+                        .WithMany()
+                        .HasForeignKey("TaskId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Task");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/20250304204625_AlterAuthRequestTable.cs b/util/PostgresMigrations/Migrations/20250304204625_AlterAuthRequestTable.cs
new file mode 100644
index 0000000000..be5cfae89b
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20250304204625_AlterAuthRequestTable.cs
@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AlterAuthRequestTable : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<string>(
+            name: "RequestCountryName",
+            table: "AuthRequest",
+            type: "character varying(200)",
+            maxLength: 200,
+            nullable: true);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "RequestCountryName",
+            table: "AuthRequest");
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
index b507984ad1..a54bc6bddf 100644
--- a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -410,6 +410,10 @@ namespace Bit.PostgresMigrations.Migrations
                     b.Property<DateTime?>("AuthenticationDate")
                         .HasColumnType("timestamp with time zone");
 
+                    b.Property<string>("RequestCountryName")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
                     b.Property<DateTime>("CreationDate")
                         .HasColumnType("timestamp with time zone");
 
diff --git a/util/SqliteMigrations/Migrations/20250304204635_AlterAuthRequestTable.Designer.cs b/util/SqliteMigrations/Migrations/20250304204635_AlterAuthRequestTable.Designer.cs
new file mode 100644
index 0000000000..5708973630
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20250304204635_AlterAuthRequestTable.Designer.cs
@@ -0,0 +1,3003 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20250304204635_AlterAuthRequestTable")]
+    partial class AlterAuthRequestTable
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder.HasAnnotation("ProductVersion", "8.0.8");
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("LimitItemDeletion")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("RequestCountryName")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("BLOB");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Body")
+                        .HasMaxLength(3000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("TaskId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("TaskId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", "Task")
+                        .WithMany()
+                        .HasForeignKey("TaskId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Task");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/20250304204635_AlterAuthRequestTable.cs b/util/SqliteMigrations/Migrations/20250304204635_AlterAuthRequestTable.cs
new file mode 100644
index 0000000000..3f851d0176
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20250304204635_AlterAuthRequestTable.cs
@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AlterAuthRequestTable : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<string>(
+            name: "RequestCountryName",
+            table: "AuthRequest",
+            type: "TEXT",
+            maxLength: 200,
+            nullable: true);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "RequestCountryName",
+            table: "AuthRequest");
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
index 158a02cd43..824f2ffec5 100644
--- a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -402,6 +402,10 @@ namespace Bit.SqliteMigrations.Migrations
                     b.Property<DateTime?>("AuthenticationDate")
                         .HasColumnType("TEXT");
 
+                    b.Property<string>("RequestCountryName")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
                     b.Property<DateTime>("CreationDate")
                         .HasColumnType("TEXT");
 

From ac25ec45194dd62bab6956e005647c8fb3492562 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Mon, 10 Mar 2025 18:14:22 +0100
Subject: [PATCH 352/384] [PM-19002] Extract billing code from
 AccountsController (#5477)

---
 .../Auth/Controllers/AccountsController.cs    | 231 -----------------
 .../Billing/Controllers/AccountsController.cs | 237 ++++++++++++++++++
 .../Controllers/AccountsControllerTests.cs    |  19 --
 3 files changed, 237 insertions(+), 250 deletions(-)
 create mode 100644 src/Api/Billing/Controllers/AccountsController.cs

diff --git a/src/Api/Auth/Controllers/AccountsController.cs b/src/Api/Auth/Controllers/AccountsController.cs
index 176bc183b6..6c19049c49 100644
--- a/src/Api/Auth/Controllers/AccountsController.cs
+++ b/src/Api/Auth/Controllers/AccountsController.cs
@@ -4,11 +4,9 @@ using Bit.Api.Auth.Models.Request;
 using Bit.Api.Auth.Models.Request.Accounts;
 using Bit.Api.Auth.Models.Request.WebAuthn;
 using Bit.Api.KeyManagement.Validators;
-using Bit.Api.Models.Request;
 using Bit.Api.Models.Request.Accounts;
 using Bit.Api.Models.Response;
 using Bit.Api.Tools.Models.Request;
-using Bit.Api.Utilities;
 using Bit.Api.Vault.Models.Request;
 using Bit.Core;
 using Bit.Core.AdminConsole.Enums.Provider;
@@ -19,23 +17,15 @@ using Bit.Core.Auth.Models.Api.Request.Accounts;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.UserFeatures.TdeOffboardingPassword.Interfaces;
 using Bit.Core.Auth.UserFeatures.UserMasterPassword.Interfaces;
-using Bit.Core.Billing.Models;
-using Bit.Core.Billing.Services;
-using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.KeyManagement.Models.Data;
 using Bit.Core.KeyManagement.UserKey;
 using Bit.Core.Models.Api.Response;
-using Bit.Core.Models.Business;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
-using Bit.Core.Settings;
 using Bit.Core.Tools.Entities;
-using Bit.Core.Tools.Enums;
-using Bit.Core.Tools.Models.Business;
-using Bit.Core.Tools.Services;
 using Bit.Core.Utilities;
 using Bit.Core.Vault.Entities;
 using Microsoft.AspNetCore.Authorization;
@@ -47,20 +37,15 @@ namespace Bit.Api.Auth.Controllers;
 [Authorize("Application")]
 public class AccountsController : Controller
 {
-    private readonly GlobalSettings _globalSettings;
     private readonly IOrganizationService _organizationService;
     private readonly IOrganizationUserRepository _organizationUserRepository;
     private readonly IProviderUserRepository _providerUserRepository;
-    private readonly IPaymentService _paymentService;
     private readonly IUserService _userService;
     private readonly IPolicyService _policyService;
     private readonly ISetInitialMasterPasswordCommand _setInitialMasterPasswordCommand;
     private readonly ITdeOffboardingPasswordCommand _tdeOffboardingPasswordCommand;
     private readonly IRotateUserKeyCommand _rotateUserKeyCommand;
     private readonly IFeatureService _featureService;
-    private readonly ISubscriberService _subscriberService;
-    private readonly IReferenceEventService _referenceEventService;
-    private readonly ICurrentContext _currentContext;
 
     private readonly IRotationValidator<IEnumerable<CipherWithIdRequestModel>, IEnumerable<Cipher>> _cipherValidator;
     private readonly IRotationValidator<IEnumerable<FolderWithIdRequestModel>, IEnumerable<Folder>> _folderValidator;
@@ -75,20 +60,15 @@ public class AccountsController : Controller
 
 
     public AccountsController(
-        GlobalSettings globalSettings,
         IOrganizationService organizationService,
         IOrganizationUserRepository organizationUserRepository,
         IProviderUserRepository providerUserRepository,
-        IPaymentService paymentService,
         IUserService userService,
         IPolicyService policyService,
         ISetInitialMasterPasswordCommand setInitialMasterPasswordCommand,
         ITdeOffboardingPasswordCommand tdeOffboardingPasswordCommand,
         IRotateUserKeyCommand rotateUserKeyCommand,
         IFeatureService featureService,
-        ISubscriberService subscriberService,
-        IReferenceEventService referenceEventService,
-        ICurrentContext currentContext,
         IRotationValidator<IEnumerable<CipherWithIdRequestModel>, IEnumerable<Cipher>> cipherValidator,
         IRotationValidator<IEnumerable<FolderWithIdRequestModel>, IEnumerable<Folder>> folderValidator,
         IRotationValidator<IEnumerable<SendWithIdRequestModel>, IReadOnlyList<Send>> sendValidator,
@@ -99,20 +79,15 @@ public class AccountsController : Controller
         IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>> webAuthnKeyValidator
         )
     {
-        _globalSettings = globalSettings;
         _organizationService = organizationService;
         _organizationUserRepository = organizationUserRepository;
         _providerUserRepository = providerUserRepository;
-        _paymentService = paymentService;
         _userService = userService;
         _policyService = policyService;
         _setInitialMasterPasswordCommand = setInitialMasterPasswordCommand;
         _tdeOffboardingPasswordCommand = tdeOffboardingPasswordCommand;
         _rotateUserKeyCommand = rotateUserKeyCommand;
         _featureService = featureService;
-        _subscriberService = subscriberService;
-        _referenceEventService = referenceEventService;
-        _currentContext = currentContext;
         _cipherValidator = cipherValidator;
         _folderValidator = folderValidator;
         _sendValidator = sendValidator;
@@ -638,212 +613,6 @@ public class AccountsController : Controller
         throw new BadRequestException(ModelState);
     }
 
-    [HttpPost("premium")]
-    public async Task<PaymentResponseModel> PostPremium(PremiumRequestModel model)
-    {
-        var user = await _userService.GetUserByPrincipalAsync(User);
-        if (user == null)
-        {
-            throw new UnauthorizedAccessException();
-        }
-
-        var valid = model.Validate(_globalSettings);
-        UserLicense license = null;
-        if (valid && _globalSettings.SelfHosted)
-        {
-            license = await ApiHelpers.ReadJsonFileFromBody<UserLicense>(HttpContext, model.License);
-        }
-
-        if (!valid && !_globalSettings.SelfHosted && string.IsNullOrWhiteSpace(model.Country))
-        {
-            throw new BadRequestException("Country is required.");
-        }
-
-        if (!valid || (_globalSettings.SelfHosted && license == null))
-        {
-            throw new BadRequestException("Invalid license.");
-        }
-
-        var result = await _userService.SignUpPremiumAsync(user, model.PaymentToken,
-            model.PaymentMethodType.Value, model.AdditionalStorageGb.GetValueOrDefault(0), license,
-            new TaxInfo
-            {
-                BillingAddressCountry = model.Country,
-                BillingAddressPostalCode = model.PostalCode
-            });
-
-        var userTwoFactorEnabled = await _userService.TwoFactorIsEnabledAsync(user);
-        var userHasPremiumFromOrganization = await _userService.HasPremiumFromOrganization(user);
-        var organizationIdsManagingActiveUser = await GetOrganizationIdsManagingUserAsync(user.Id);
-
-        var profile = new ProfileResponseModel(user, null, null, null, userTwoFactorEnabled, userHasPremiumFromOrganization, organizationIdsManagingActiveUser);
-        return new PaymentResponseModel
-        {
-            UserProfile = profile,
-            PaymentIntentClientSecret = result.Item2,
-            Success = result.Item1
-        };
-    }
-
-    [HttpGet("subscription")]
-    public async Task<SubscriptionResponseModel> GetSubscription()
-    {
-        var user = await _userService.GetUserByPrincipalAsync(User);
-        if (user == null)
-        {
-            throw new UnauthorizedAccessException();
-        }
-
-        if (!_globalSettings.SelfHosted && user.Gateway != null)
-        {
-            var subscriptionInfo = await _paymentService.GetSubscriptionAsync(user);
-            var license = await _userService.GenerateLicenseAsync(user, subscriptionInfo);
-            return new SubscriptionResponseModel(user, subscriptionInfo, license);
-        }
-        else if (!_globalSettings.SelfHosted)
-        {
-            var license = await _userService.GenerateLicenseAsync(user);
-            return new SubscriptionResponseModel(user, license);
-        }
-        else
-        {
-            return new SubscriptionResponseModel(user);
-        }
-    }
-
-    [HttpPost("payment")]
-    [SelfHosted(NotSelfHostedOnly = true)]
-    public async Task PostPayment([FromBody] PaymentRequestModel model)
-    {
-        var user = await _userService.GetUserByPrincipalAsync(User);
-        if (user == null)
-        {
-            throw new UnauthorizedAccessException();
-        }
-
-        await _userService.ReplacePaymentMethodAsync(user, model.PaymentToken, model.PaymentMethodType.Value,
-            new TaxInfo
-            {
-                BillingAddressLine1 = model.Line1,
-                BillingAddressLine2 = model.Line2,
-                BillingAddressCity = model.City,
-                BillingAddressState = model.State,
-                BillingAddressCountry = model.Country,
-                BillingAddressPostalCode = model.PostalCode,
-                TaxIdNumber = model.TaxId
-            });
-    }
-
-    [HttpPost("storage")]
-    [SelfHosted(NotSelfHostedOnly = true)]
-    public async Task<PaymentResponseModel> PostStorage([FromBody] StorageRequestModel model)
-    {
-        var user = await _userService.GetUserByPrincipalAsync(User);
-        if (user == null)
-        {
-            throw new UnauthorizedAccessException();
-        }
-
-        var result = await _userService.AdjustStorageAsync(user, model.StorageGbAdjustment.Value);
-        return new PaymentResponseModel
-        {
-            Success = true,
-            PaymentIntentClientSecret = result
-        };
-    }
-
-    [HttpPost("license")]
-    [SelfHosted(SelfHostedOnly = true)]
-    public async Task PostLicense(LicenseRequestModel model)
-    {
-        var user = await _userService.GetUserByPrincipalAsync(User);
-        if (user == null)
-        {
-            throw new UnauthorizedAccessException();
-        }
-
-        var license = await ApiHelpers.ReadJsonFileFromBody<UserLicense>(HttpContext, model.License);
-        if (license == null)
-        {
-            throw new BadRequestException("Invalid license");
-        }
-
-        await _userService.UpdateLicenseAsync(user, license);
-    }
-
-    [HttpPost("cancel")]
-    public async Task PostCancel([FromBody] SubscriptionCancellationRequestModel request)
-    {
-        var user = await _userService.GetUserByPrincipalAsync(User);
-
-        if (user == null)
-        {
-            throw new UnauthorizedAccessException();
-        }
-
-        await _subscriberService.CancelSubscription(user,
-            new OffboardingSurveyResponse
-            {
-                UserId = user.Id,
-                Reason = request.Reason,
-                Feedback = request.Feedback
-            },
-            user.IsExpired());
-
-        await _referenceEventService.RaiseEventAsync(new ReferenceEvent(
-            ReferenceEventType.CancelSubscription,
-            user,
-            _currentContext)
-        {
-            EndOfPeriod = user.IsExpired()
-        });
-    }
-
-    [HttpPost("reinstate-premium")]
-    [SelfHosted(NotSelfHostedOnly = true)]
-    public async Task PostReinstate()
-    {
-        var user = await _userService.GetUserByPrincipalAsync(User);
-        if (user == null)
-        {
-            throw new UnauthorizedAccessException();
-        }
-
-        await _userService.ReinstatePremiumAsync(user);
-    }
-
-    [HttpGet("tax")]
-    [SelfHosted(NotSelfHostedOnly = true)]
-    public async Task<TaxInfoResponseModel> GetTaxInfo()
-    {
-        var user = await _userService.GetUserByPrincipalAsync(User);
-        if (user == null)
-        {
-            throw new UnauthorizedAccessException();
-        }
-
-        var taxInfo = await _paymentService.GetTaxInfoAsync(user);
-        return new TaxInfoResponseModel(taxInfo);
-    }
-
-    [HttpPut("tax")]
-    [SelfHosted(NotSelfHostedOnly = true)]
-    public async Task PutTaxInfo([FromBody] TaxInfoUpdateRequestModel model)
-    {
-        var user = await _userService.GetUserByPrincipalAsync(User);
-        if (user == null)
-        {
-            throw new UnauthorizedAccessException();
-        }
-
-        var taxInfo = new TaxInfo
-        {
-            BillingAddressPostalCode = model.PostalCode,
-            BillingAddressCountry = model.Country,
-        };
-        await _paymentService.SaveTaxInfoAsync(user, taxInfo);
-    }
-
     [HttpDelete("sso/{organizationId}")]
     public async Task DeleteSsoUser(string organizationId)
     {
diff --git a/src/Api/Billing/Controllers/AccountsController.cs b/src/Api/Billing/Controllers/AccountsController.cs
new file mode 100644
index 0000000000..9c5811b195
--- /dev/null
+++ b/src/Api/Billing/Controllers/AccountsController.cs
@@ -0,0 +1,237 @@
+#nullable enable
+using Bit.Api.Models.Request;
+using Bit.Api.Models.Request.Accounts;
+using Bit.Api.Models.Response;
+using Bit.Api.Utilities;
+using Bit.Core.Billing.Models;
+using Bit.Core.Billing.Services;
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Business;
+using Bit.Core.Services;
+using Bit.Core.Settings;
+using Bit.Core.Tools.Enums;
+using Bit.Core.Tools.Models.Business;
+using Bit.Core.Tools.Services;
+using Bit.Core.Utilities;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.Billing.Controllers;
+
+[Route("accounts")]
+[Authorize("Application")]
+public class AccountsController(
+    IUserService userService) : Controller
+{
+    [HttpPost("premium")]
+    public async Task<PaymentResponseModel> PostPremiumAsync(
+        PremiumRequestModel model,
+        [FromServices] GlobalSettings globalSettings)
+    {
+        var user = await userService.GetUserByPrincipalAsync(User);
+        if (user == null)
+        {
+            throw new UnauthorizedAccessException();
+        }
+
+        var valid = model.Validate(globalSettings);
+        UserLicense? license = null;
+        if (valid && globalSettings.SelfHosted)
+        {
+            license = await ApiHelpers.ReadJsonFileFromBody<UserLicense>(HttpContext, model.License);
+        }
+
+        if (!valid && !globalSettings.SelfHosted && string.IsNullOrWhiteSpace(model.Country))
+        {
+            throw new BadRequestException("Country is required.");
+        }
+
+        if (!valid || (globalSettings.SelfHosted && license == null))
+        {
+            throw new BadRequestException("Invalid license.");
+        }
+
+        var result = await userService.SignUpPremiumAsync(user, model.PaymentToken,
+            model.PaymentMethodType!.Value, model.AdditionalStorageGb.GetValueOrDefault(0), license,
+            new TaxInfo { BillingAddressCountry = model.Country, BillingAddressPostalCode = model.PostalCode });
+
+        var userTwoFactorEnabled = await userService.TwoFactorIsEnabledAsync(user);
+        var userHasPremiumFromOrganization = await userService.HasPremiumFromOrganization(user);
+        var organizationIdsManagingActiveUser = await GetOrganizationIdsManagingUserAsync(user.Id);
+
+        var profile = new ProfileResponseModel(user, null, null, null, userTwoFactorEnabled,
+            userHasPremiumFromOrganization, organizationIdsManagingActiveUser);
+        return new PaymentResponseModel
+        {
+            UserProfile = profile,
+            PaymentIntentClientSecret = result.Item2,
+            Success = result.Item1
+        };
+    }
+
+    [HttpGet("subscription")]
+    public async Task<SubscriptionResponseModel> GetSubscriptionAsync(
+        [FromServices] GlobalSettings globalSettings,
+        [FromServices] IPaymentService paymentService)
+    {
+        var user = await userService.GetUserByPrincipalAsync(User);
+        if (user == null)
+        {
+            throw new UnauthorizedAccessException();
+        }
+
+        if (!globalSettings.SelfHosted && user.Gateway != null)
+        {
+            var subscriptionInfo = await paymentService.GetSubscriptionAsync(user);
+            var license = await userService.GenerateLicenseAsync(user, subscriptionInfo);
+            return new SubscriptionResponseModel(user, subscriptionInfo, license);
+        }
+        else if (!globalSettings.SelfHosted)
+        {
+            var license = await userService.GenerateLicenseAsync(user);
+            return new SubscriptionResponseModel(user, license);
+        }
+        else
+        {
+            return new SubscriptionResponseModel(user);
+        }
+    }
+
+    [HttpPost("payment")]
+    [SelfHosted(NotSelfHostedOnly = true)]
+    public async Task PostPaymentAsync([FromBody] PaymentRequestModel model)
+    {
+        var user = await userService.GetUserByPrincipalAsync(User);
+        if (user == null)
+        {
+            throw new UnauthorizedAccessException();
+        }
+
+        await userService.ReplacePaymentMethodAsync(user, model.PaymentToken, model.PaymentMethodType!.Value,
+            new TaxInfo
+            {
+                BillingAddressLine1 = model.Line1,
+                BillingAddressLine2 = model.Line2,
+                BillingAddressCity = model.City,
+                BillingAddressState = model.State,
+                BillingAddressCountry = model.Country,
+                BillingAddressPostalCode = model.PostalCode,
+                TaxIdNumber = model.TaxId
+            });
+    }
+
+    [HttpPost("storage")]
+    [SelfHosted(NotSelfHostedOnly = true)]
+    public async Task<PaymentResponseModel> PostStorageAsync([FromBody] StorageRequestModel model)
+    {
+        var user = await userService.GetUserByPrincipalAsync(User);
+        if (user == null)
+        {
+            throw new UnauthorizedAccessException();
+        }
+
+        var result = await userService.AdjustStorageAsync(user, model.StorageGbAdjustment!.Value);
+        return new PaymentResponseModel { Success = true, PaymentIntentClientSecret = result };
+    }
+
+
+
+    [HttpPost("license")]
+    [SelfHosted(SelfHostedOnly = true)]
+    public async Task PostLicenseAsync(LicenseRequestModel model)
+    {
+        var user = await userService.GetUserByPrincipalAsync(User);
+        if (user == null)
+        {
+            throw new UnauthorizedAccessException();
+        }
+
+        var license = await ApiHelpers.ReadJsonFileFromBody<UserLicense>(HttpContext, model.License);
+        if (license == null)
+        {
+            throw new BadRequestException("Invalid license");
+        }
+
+        await userService.UpdateLicenseAsync(user, license);
+    }
+
+    [HttpPost("cancel")]
+    public async Task PostCancelAsync(
+        [FromBody] SubscriptionCancellationRequestModel request,
+        [FromServices] ICurrentContext currentContext,
+        [FromServices] IReferenceEventService referenceEventService,
+        [FromServices] ISubscriberService subscriberService)
+    {
+        var user = await userService.GetUserByPrincipalAsync(User);
+
+        if (user == null)
+        {
+            throw new UnauthorizedAccessException();
+        }
+
+        await subscriberService.CancelSubscription(user,
+            new OffboardingSurveyResponse { UserId = user.Id, Reason = request.Reason, Feedback = request.Feedback },
+            user.IsExpired());
+
+        await referenceEventService.RaiseEventAsync(new ReferenceEvent(
+            ReferenceEventType.CancelSubscription,
+            user,
+            currentContext)
+        { EndOfPeriod = user.IsExpired() });
+    }
+
+    [HttpPost("reinstate-premium")]
+    [SelfHosted(NotSelfHostedOnly = true)]
+    public async Task PostReinstateAsync()
+    {
+        var user = await userService.GetUserByPrincipalAsync(User);
+        if (user == null)
+        {
+            throw new UnauthorizedAccessException();
+        }
+
+        await userService.ReinstatePremiumAsync(user);
+    }
+
+    [HttpGet("tax")]
+    [SelfHosted(NotSelfHostedOnly = true)]
+    public async Task<TaxInfoResponseModel> GetTaxInfoAsync(
+        [FromServices] IPaymentService paymentService)
+    {
+        var user = await userService.GetUserByPrincipalAsync(User);
+        if (user == null)
+        {
+            throw new UnauthorizedAccessException();
+        }
+
+        var taxInfo = await paymentService.GetTaxInfoAsync(user);
+        return new TaxInfoResponseModel(taxInfo);
+    }
+
+    [HttpPut("tax")]
+    [SelfHosted(NotSelfHostedOnly = true)]
+    public async Task PutTaxInfoAsync(
+        [FromBody] TaxInfoUpdateRequestModel model,
+        [FromServices] IPaymentService paymentService)
+    {
+        var user = await userService.GetUserByPrincipalAsync(User);
+        if (user == null)
+        {
+            throw new UnauthorizedAccessException();
+        }
+
+        var taxInfo = new TaxInfo
+        {
+            BillingAddressPostalCode = model.PostalCode,
+            BillingAddressCountry = model.Country,
+        };
+        await paymentService.SaveTaxInfoAsync(user, taxInfo);
+    }
+
+    private async Task<IEnumerable<Guid>> GetOrganizationIdsManagingUserAsync(Guid userId)
+    {
+        var organizationManagingUser = await userService.GetOrganizationsManagingUserAsync(userId);
+        return organizationManagingUser.Select(o => o.Id);
+    }
+}
diff --git a/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs b/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
index 6a9862b3d6..15c7573aca 100644
--- a/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
+++ b/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
@@ -15,16 +15,12 @@ using Bit.Core.Auth.Models.Api.Request.Accounts;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.UserFeatures.TdeOffboardingPassword.Interfaces;
 using Bit.Core.Auth.UserFeatures.UserMasterPassword.Interfaces;
-using Bit.Core.Billing.Services;
-using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
 using Bit.Core.KeyManagement.UserKey;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
-using Bit.Core.Settings;
 using Bit.Core.Tools.Entities;
-using Bit.Core.Tools.Services;
 using Bit.Core.Vault.Entities;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Microsoft.AspNetCore.Identity;
@@ -37,10 +33,8 @@ public class AccountsControllerTests : IDisposable
 {
 
     private readonly AccountsController _sut;
-    private readonly GlobalSettings _globalSettings;
     private readonly IOrganizationService _organizationService;
     private readonly IOrganizationUserRepository _organizationUserRepository;
-    private readonly IPaymentService _paymentService;
     private readonly IUserService _userService;
     private readonly IProviderUserRepository _providerUserRepository;
     private readonly IPolicyService _policyService;
@@ -48,9 +42,6 @@ public class AccountsControllerTests : IDisposable
     private readonly IRotateUserKeyCommand _rotateUserKeyCommand;
     private readonly ITdeOffboardingPasswordCommand _tdeOffboardingPasswordCommand;
     private readonly IFeatureService _featureService;
-    private readonly ISubscriberService _subscriberService;
-    private readonly IReferenceEventService _referenceEventService;
-    private readonly ICurrentContext _currentContext;
 
     private readonly IRotationValidator<IEnumerable<CipherWithIdRequestModel>, IEnumerable<Cipher>> _cipherValidator;
     private readonly IRotationValidator<IEnumerable<FolderWithIdRequestModel>, IEnumerable<Folder>> _folderValidator;
@@ -70,16 +61,11 @@ public class AccountsControllerTests : IDisposable
         _organizationService = Substitute.For<IOrganizationService>();
         _organizationUserRepository = Substitute.For<IOrganizationUserRepository>();
         _providerUserRepository = Substitute.For<IProviderUserRepository>();
-        _paymentService = Substitute.For<IPaymentService>();
-        _globalSettings = new GlobalSettings();
         _policyService = Substitute.For<IPolicyService>();
         _setInitialMasterPasswordCommand = Substitute.For<ISetInitialMasterPasswordCommand>();
         _rotateUserKeyCommand = Substitute.For<IRotateUserKeyCommand>();
         _tdeOffboardingPasswordCommand = Substitute.For<ITdeOffboardingPasswordCommand>();
         _featureService = Substitute.For<IFeatureService>();
-        _subscriberService = Substitute.For<ISubscriberService>();
-        _referenceEventService = Substitute.For<IReferenceEventService>();
-        _currentContext = Substitute.For<ICurrentContext>();
         _cipherValidator =
             Substitute.For<IRotationValidator<IEnumerable<CipherWithIdRequestModel>, IEnumerable<Cipher>>>();
         _folderValidator =
@@ -93,20 +79,15 @@ public class AccountsControllerTests : IDisposable
                 IReadOnlyList<OrganizationUser>>>();
 
         _sut = new AccountsController(
-            _globalSettings,
             _organizationService,
             _organizationUserRepository,
             _providerUserRepository,
-            _paymentService,
             _userService,
             _policyService,
             _setInitialMasterPasswordCommand,
             _tdeOffboardingPasswordCommand,
             _rotateUserKeyCommand,
             _featureService,
-            _subscriberService,
-            _referenceEventService,
-            _currentContext,
             _cipherValidator,
             _folderValidator,
             _sendValidator,

From 8287d0a968946f3418184db9f300dbe8153e7d89 Mon Sep 17 00:00:00 2001
From: Matt Andreko <mandreko@bitwarden.com>
Date: Mon, 10 Mar 2025 15:57:56 -0400
Subject: [PATCH 353/384] Replace secret checking logic with branch detection
 logic (#5454)

---
 .github/workflows/test-database.yml | 20 +-------------------
 .github/workflows/test.yml          | 20 +-------------------
 2 files changed, 2 insertions(+), 38 deletions(-)

diff --git a/.github/workflows/test-database.yml b/.github/workflows/test-database.yml
index 81119414ff..0e10d15ad1 100644
--- a/.github/workflows/test-database.yml
+++ b/.github/workflows/test-database.yml
@@ -32,28 +32,10 @@ on:
       - "src/**/Entities/**/*.cs" # Database entity definitions
 
 jobs:
-  check-test-secrets:
-    name: Check for test secrets
-    runs-on: ubuntu-22.04
-    outputs:
-      available: ${{ steps.check-test-secrets.outputs.available }}
-    permissions:
-      contents: read
-
-    steps:
-      - name: Check
-        id: check-test-secrets
-        run: |
-          if [ "${{ secrets.CODECOV_TOKEN }}" != '' ]; then
-            echo "available=true" >> $GITHUB_OUTPUT;
-          else
-            echo "available=false" >> $GITHUB_OUTPUT;
-          fi
 
   test:
     name: Run tests
     runs-on: ubuntu-22.04
-    needs: check-test-secrets
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -167,7 +149,7 @@ jobs:
 
       - name: Report test results
         uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 # v1.9.1
-        if: ${{ needs.check-test-secrets.outputs.available == 'true' && !cancelled() }}
+        if: ${{ github.event.pull_request.head.repo.full_name == github.repository &&  && !cancelled() }}
         with:
           name: Test Results
           path: "**/*-test-results.trx"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 817547fc65..8d115b39cd 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -13,29 +13,11 @@ env:
   _AZ_REGISTRY: "bitwardenprod.azurecr.io"
 
 jobs:
-  check-test-secrets:
-    name: Check for test secrets
-    runs-on: ubuntu-22.04
-    outputs:
-      available: ${{ steps.check-test-secrets.outputs.available }}
-    permissions:
-      contents: read
-
-    steps:
-      - name: Check
-        id: check-test-secrets
-        run: |
-          if [ "${{ secrets.CODECOV_TOKEN }}" != '' ]; then
-            echo "available=true" >> $GITHUB_OUTPUT;
-          else
-            echo "available=false" >> $GITHUB_OUTPUT;
-          fi
 
   testing:
     name: Run tests
     if: ${{ startsWith(github.head_ref, 'version_bump_') == false }}
     runs-on: ubuntu-22.04
-    needs: check-test-secrets
     permissions:
       checks: write
       contents: read
@@ -69,7 +51,7 @@ jobs:
 
       - name: Report test results
         uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 # v1.9.1
-        if: ${{ needs.check-test-secrets.outputs.available == 'true' && !cancelled() }}
+        if: ${{ github.event.pull_request.head.repo.full_name == github.repository && !cancelled() }}
         with:
           name: Test Results
           path: "**/*-test-results.trx"

From 29dc69a77b7b1a781dc93cbbcd4bf5475184ddf1 Mon Sep 17 00:00:00 2001
From: Matt Andreko <mandreko@bitwarden.com>
Date: Mon, 10 Mar 2025 16:13:35 -0400
Subject: [PATCH 354/384] Remove extra && (#5484)

---
 .github/workflows/test-database.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/test-database.yml b/.github/workflows/test-database.yml
index 0e10d15ad1..a9c4737acc 100644
--- a/.github/workflows/test-database.yml
+++ b/.github/workflows/test-database.yml
@@ -149,7 +149,7 @@ jobs:
 
       - name: Report test results
         uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 # v1.9.1
-        if: ${{ github.event.pull_request.head.repo.full_name == github.repository &&  && !cancelled() }}
+        if: ${{ github.event.pull_request.head.repo.full_name == github.repository && !cancelled() }}
         with:
           name: Test Results
           path: "**/*-test-results.trx"

From 224ef1272e92add54e04d31687e57221c93d7473 Mon Sep 17 00:00:00 2001
From: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
Date: Tue, 11 Mar 2025 10:46:09 +1000
Subject: [PATCH 355/384] [PM-18876] Refine PolicyRequirements API (#5445)

* make the PolicyRequirements API more granular, e.g.
  replace factory methods with a factory interface
* update Send to use the new API
---
 .../Implementations/PolicyRequirementQuery.cs |  18 ++-
 .../BasePolicyRequirementFactory.cs           |  44 ++++++
 .../DisableSendPolicyRequirement.cs           |  27 ++++
 .../PolicyRequirements/IPolicyRequirement.cs  |  23 +--
 .../IPolicyRequirementFactory.cs              |  39 +++++
 .../PolicyRequirementHelpers.cs               |  36 +----
 .../SendOptionsPolicyRequirement.cs           |  34 +++++
 .../SendPolicyRequirement.cs                  |  54 -------
 .../PolicyServiceCollectionExtensions.cs      |  29 +---
 .../Services/Implementations/SendService.cs   |   8 +-
 .../Policies/PolicyRequirementFixtures.cs     |  23 +++
 .../Policies/PolicyRequirementQueryTests.cs   |  80 ++++++----
 .../BasePolicyRequirementFactoryTests.cs      |  90 ++++++++++++
 ...isableSendPolicyRequirementFactoryTests.cs |  32 ++++
 ...endOptionsPolicyRequirementFactoryTests.cs |  49 +++++++
 .../SendPolicyRequirementTests.cs             | 138 ------------------
 .../Tools/Services/SendServiceTests.cs        |  18 ++-
 17 files changed, 429 insertions(+), 313 deletions(-)
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/BasePolicyRequirementFactory.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/DisableSendPolicyRequirement.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/IPolicyRequirementFactory.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendOptionsPolicyRequirement.cs
 delete mode 100644 src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendPolicyRequirement.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirementFixtures.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/BasePolicyRequirementFactoryTests.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/DisableSendPolicyRequirementFactoryTests.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendOptionsPolicyRequirementFactoryTests.cs
 delete mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendPolicyRequirementTests.cs

diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/Implementations/PolicyRequirementQuery.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/Implementations/PolicyRequirementQuery.cs
index 585d2348ef..de4796d4b5 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/Implementations/PolicyRequirementQuery.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/Implementations/PolicyRequirementQuery.cs
@@ -8,21 +8,25 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.Implementations;
 
 public class PolicyRequirementQuery(
     IPolicyRepository policyRepository,
-    IEnumerable<RequirementFactory<IPolicyRequirement>> factories)
+    IEnumerable<IPolicyRequirementFactory<IPolicyRequirement>> factories)
     : IPolicyRequirementQuery
 {
     public async Task<T> GetAsync<T>(Guid userId) where T : IPolicyRequirement
     {
-        var factory = factories.OfType<RequirementFactory<T>>().SingleOrDefault();
+        var factory = factories.OfType<IPolicyRequirementFactory<T>>().SingleOrDefault();
         if (factory is null)
         {
-            throw new NotImplementedException("No Policy Requirement found for " + typeof(T));
+            throw new NotImplementedException("No Requirement Factory found for " + typeof(T));
         }
 
-        return factory(await GetPolicyDetails(userId));
+        var policyDetails = await GetPolicyDetails(userId);
+        var filteredPolicies = policyDetails
+            .Where(p => p.PolicyType == factory.PolicyType)
+            .Where(factory.Enforce);
+        var requirement = factory.Create(filteredPolicies);
+        return requirement;
     }
 
-    private Task<IEnumerable<PolicyDetails>> GetPolicyDetails(Guid userId) =>
-        policyRepository.GetPolicyDetailsByUserId(userId);
+    private Task<IEnumerable<PolicyDetails>> GetPolicyDetails(Guid userId)
+        => policyRepository.GetPolicyDetailsByUserId(userId);
 }
-
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/BasePolicyRequirementFactory.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/BasePolicyRequirementFactory.cs
new file mode 100644
index 0000000000..cebbe91904
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/BasePolicyRequirementFactory.cs
@@ -0,0 +1,44 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.Enums;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+/// <summary>
+/// A simple base implementation of <see cref="IPolicyRequirementFactory{T}"/> which will be suitable for most policies.
+/// It provides sensible defaults to help teams to implement their own Policy Requirements.
+/// </summary>
+/// <typeparam name="T"></typeparam>
+public abstract class BasePolicyRequirementFactory<T> : IPolicyRequirementFactory<T> where T : IPolicyRequirement
+{
+    /// <summary>
+    /// User roles that are exempt from policy enforcement.
+    /// Owners and Admins are exempt by default but this may be overridden.
+    /// </summary>
+    protected virtual IEnumerable<OrganizationUserType> ExemptRoles { get; } =
+        [OrganizationUserType.Owner, OrganizationUserType.Admin];
+
+    /// <summary>
+    /// User statuses that are exempt from policy enforcement.
+    /// Invited and Revoked users are exempt by default, which is appropriate in the majority of cases.
+    /// </summary>
+    protected virtual IEnumerable<OrganizationUserStatusType> ExemptStatuses { get; } =
+        [OrganizationUserStatusType.Invited, OrganizationUserStatusType.Revoked];
+
+    /// <summary>
+    /// Whether a Provider User for the organization is exempt from policy enforcement.
+    /// Provider Users are exempt by default, which is appropriate in the majority of cases.
+    /// </summary>
+    protected virtual bool ExemptProviders { get; } = true;
+
+    /// <inheritdoc />
+    public abstract PolicyType PolicyType { get; }
+
+    public bool Enforce(PolicyDetails policyDetails)
+        => !policyDetails.HasRole(ExemptRoles) &&
+            !policyDetails.HasStatus(ExemptStatuses) &&
+            (!policyDetails.IsProvider || !ExemptProviders);
+
+    /// <inheritdoc />
+    public abstract T Create(IEnumerable<PolicyDetails> policyDetails);
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/DisableSendPolicyRequirement.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/DisableSendPolicyRequirement.cs
new file mode 100644
index 0000000000..1cb7f4f619
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/DisableSendPolicyRequirement.cs
@@ -0,0 +1,27 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+/// <summary>
+/// Policy requirements for the Disable Send policy.
+/// </summary>
+public class DisableSendPolicyRequirement : IPolicyRequirement
+{
+    /// <summary>
+    /// Indicates whether Send is disabled for the user. If true, the user should not be able to create or edit Sends.
+    /// They may still delete existing Sends.
+    /// </summary>
+    public bool DisableSend { get; init; }
+}
+
+public class DisableSendPolicyRequirementFactory : BasePolicyRequirementFactory<DisableSendPolicyRequirement>
+{
+    public override PolicyType PolicyType => PolicyType.DisableSend;
+
+    public override DisableSendPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails)
+    {
+        var result = new DisableSendPolicyRequirement { DisableSend = policyDetails.Any() };
+        return result;
+    }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/IPolicyRequirement.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/IPolicyRequirement.cs
index 3f331b1130..dcb82b1ac0 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/IPolicyRequirement.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/IPolicyRequirement.cs
@@ -1,24 +1,11 @@
-#nullable enable
-
-using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums;
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 
 /// <summary>
-/// Represents the business requirements of how one or more enterprise policies will be enforced against a user.
-/// The implementation of this interface will depend on how the policies are enforced in the relevant domain.
+/// An object that represents how a <see cref="PolicyType"/> will be enforced against a user.
+/// This acts as a bridge between the <see cref="Policy"/> entity saved to the database and the domain that the policy
+/// affects. You may represent the impact of the policy in any way that makes sense for the domain.
 /// </summary>
 public interface IPolicyRequirement;
-
-/// <summary>
-/// A factory function that takes a sequence of <see cref="PolicyDetails"/> and transforms them into a single
-/// <see cref="IPolicyRequirement"/> for consumption by the relevant domain. This will receive *all* policy types
-/// that may be enforced against a user; when implementing this delegate, you must filter out irrelevant policy types
-/// as well as policies that should not be enforced against a user (e.g. due to the user's role or status).
-/// </summary>
-/// <remarks>
-/// See <see cref="PolicyRequirementHelpers"/> for extension methods to handle common requirements when implementing
-/// this delegate.
-/// </remarks>
-public delegate T RequirementFactory<out T>(IEnumerable<PolicyDetails> policyDetails)
-    where T : IPolicyRequirement;
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/IPolicyRequirementFactory.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/IPolicyRequirementFactory.cs
new file mode 100644
index 0000000000..e0b51a46a2
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/IPolicyRequirementFactory.cs
@@ -0,0 +1,39 @@
+#nullable enable
+
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+/// <summary>
+/// An interface that defines how to create a single <see cref="IPolicyRequirement"/> from a sequence of
+/// <see cref="PolicyDetails"/>.
+/// </summary>
+/// <typeparam name="T">The <see cref="IPolicyRequirement"/> that the factory produces.</typeparam>
+/// <remarks>
+/// See <see cref="BasePolicyRequirementFactory{T}"/> for a simple base implementation suitable for most policies.
+/// </remarks>
+public interface IPolicyRequirementFactory<out T> where T : IPolicyRequirement
+{
+    /// <summary>
+    /// The <see cref="PolicyType"/> that the requirement relates to.
+    /// </summary>
+    PolicyType PolicyType { get; }
+
+    /// <summary>
+    /// A predicate that determines whether a policy should be enforced against the user.
+    /// </summary>
+    /// <remarks>Use this to exempt users based on their role, status or other attributes.</remarks>
+    /// <param name="policyDetails">Policy details for the defined PolicyType.</param>
+    /// <returns>True if the policy should be enforced against the user, false otherwise.</returns>
+    bool Enforce(PolicyDetails policyDetails);
+
+    /// <summary>
+    /// A reducer method that creates a single <see cref="IPolicyRequirement"/> from a set of PolicyDetails.
+    /// </summary>
+    /// <param name="policyDetails">
+    /// PolicyDetails for the specified PolicyType, after they have been filtered by the Enforce predicate. That is,
+    /// this is the final interface to be called.
+    /// </param>
+    T Create(IEnumerable<PolicyDetails> policyDetails);
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PolicyRequirementHelpers.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PolicyRequirementHelpers.cs
index fc4cd91a3d..3497c18031 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PolicyRequirementHelpers.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PolicyRequirementHelpers.cs
@@ -1,5 +1,4 @@
-using Bit.Core.AdminConsole.Enums;
-using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.Enums;
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
@@ -7,35 +6,16 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements
 public static class PolicyRequirementHelpers
 {
     /// <summary>
-    /// Filters the PolicyDetails by PolicyType. This is generally required to only get the PolicyDetails that your
-    /// IPolicyRequirement relates to.
+    /// Returns true if the <see cref="PolicyDetails"/> is for one of the specified roles, false otherwise.
     /// </summary>
-    public static IEnumerable<PolicyDetails> GetPolicyType(
-        this IEnumerable<PolicyDetails> policyDetails,
-        PolicyType type)
-        => policyDetails.Where(x => x.PolicyType == type);
-
-    /// <summary>
-    /// Filters the PolicyDetails to remove the specified user roles. This can be used to exempt
-    /// owners and admins from policy enforcement.
-    /// </summary>
-    public static IEnumerable<PolicyDetails> ExemptRoles(
-        this IEnumerable<PolicyDetails> policyDetails,
+    public static bool HasRole(
+        this PolicyDetails policyDetails,
         IEnumerable<OrganizationUserType> roles)
-        => policyDetails.Where(x => !roles.Contains(x.OrganizationUserType));
+        => roles.Contains(policyDetails.OrganizationUserType);
 
     /// <summary>
-    /// Filters the PolicyDetails to remove organization users who are also provider users for the organization.
-    /// This can be used to exempt provider users from policy enforcement.
+    /// Returns true if the <see cref="PolicyDetails"/> relates to one of the specified statuses, false otherwise.
     /// </summary>
-    public static IEnumerable<PolicyDetails> ExemptProviders(this IEnumerable<PolicyDetails> policyDetails)
-        => policyDetails.Where(x => !x.IsProvider);
-
-    /// <summary>
-    /// Filters the PolicyDetails to remove the specified organization user statuses. For example, this can be used
-    /// to exempt users in the invited and revoked statuses from policy enforcement.
-    /// </summary>
-    public static IEnumerable<PolicyDetails> ExemptStatus(
-        this IEnumerable<PolicyDetails> policyDetails, IEnumerable<OrganizationUserStatusType> status)
-        => policyDetails.Where(x => !status.Contains(x.OrganizationUserStatus));
+    public static bool HasStatus(this PolicyDetails policyDetails, IEnumerable<OrganizationUserStatusType> status)
+        => status.Contains(policyDetails.OrganizationUserStatus);
 }
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendOptionsPolicyRequirement.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendOptionsPolicyRequirement.cs
new file mode 100644
index 0000000000..9ba11c11df
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendOptionsPolicyRequirement.cs
@@ -0,0 +1,34 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+/// <summary>
+/// Policy requirements for the Send Options policy.
+/// </summary>
+public class SendOptionsPolicyRequirement : IPolicyRequirement
+{
+    /// <summary>
+    /// Indicates whether the user is prohibited from hiding their email from the recipient of a Send.
+    /// </summary>
+    public bool DisableHideEmail { get; init; }
+}
+
+public class SendOptionsPolicyRequirementFactory : BasePolicyRequirementFactory<SendOptionsPolicyRequirement>
+{
+    public override PolicyType PolicyType => PolicyType.SendOptions;
+
+    public override SendOptionsPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails)
+    {
+        var result = policyDetails
+            .Select(p => p.GetDataModel<SendOptionsPolicyData>())
+            .Aggregate(
+                new SendOptionsPolicyRequirement(),
+                (result, data) => new SendOptionsPolicyRequirement
+                {
+                    DisableHideEmail = result.DisableHideEmail || data.DisableHideEmail
+                });
+
+        return result;
+    }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendPolicyRequirement.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendPolicyRequirement.cs
deleted file mode 100644
index c54cc98373..0000000000
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendPolicyRequirement.cs
+++ /dev/null
@@ -1,54 +0,0 @@
-using Bit.Core.AdminConsole.Enums;
-using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
-using Bit.Core.Enums;
-
-namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
-
-/// <summary>
-/// Policy requirements for the Disable Send and Send Options policies.
-/// </summary>
-public class SendPolicyRequirement : IPolicyRequirement
-{
-    /// <summary>
-    /// Indicates whether Send is disabled for the user. If true, the user should not be able to create or edit Sends.
-    /// They may still delete existing Sends.
-    /// </summary>
-    public bool DisableSend { get; init; }
-    /// <summary>
-    /// Indicates whether the user is prohibited from hiding their email from the recipient of a Send.
-    /// </summary>
-    public bool DisableHideEmail { get; init; }
-
-    /// <summary>
-    /// Create a new SendPolicyRequirement.
-    /// </summary>
-    /// <param name="policyDetails">All PolicyDetails relating to the user.</param>
-    /// <remarks>
-    /// This is a <see cref="RequirementFactory{T}"/> for the SendPolicyRequirement.
-    /// </remarks>
-    public static SendPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails)
-    {
-        var filteredPolicies = policyDetails
-            .ExemptRoles([OrganizationUserType.Owner, OrganizationUserType.Admin])
-            .ExemptStatus([OrganizationUserStatusType.Invited, OrganizationUserStatusType.Revoked])
-            .ExemptProviders()
-            .ToList();
-
-        var result = filteredPolicies
-            .GetPolicyType(PolicyType.SendOptions)
-            .Select(p => p.GetDataModel<SendOptionsPolicyData>())
-            .Aggregate(
-                new SendPolicyRequirement
-                {
-                    // Set Disable Send requirement in the initial seed
-                    DisableSend = filteredPolicies.GetPolicyType(PolicyType.DisableSend).Any()
-                },
-                (result, data) => new SendPolicyRequirement
-                {
-                    DisableSend = result.DisableSend,
-                    DisableHideEmail = result.DisableHideEmail || data.DisableHideEmail
-                });
-
-        return result;
-    }
-}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
index 7bc8a7b5a3..6c698f9ffc 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
@@ -31,32 +31,7 @@ public static class PolicyServiceCollectionExtensions
 
     private static void AddPolicyRequirements(this IServiceCollection services)
     {
-        // Register policy requirement factories here
-        services.AddPolicyRequirement(SendPolicyRequirement.Create);
+        services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, DisableSendPolicyRequirementFactory>();
+        services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, SendOptionsPolicyRequirementFactory>();
     }
-
-    /// <summary>
-    /// Used to register simple policy requirements where its factory method implements CreateRequirement.
-    /// This MUST be used rather than calling AddScoped directly, because it will ensure the factory method has
-    /// the correct type to be injected and then identified by <see cref="PolicyRequirementQuery"/> at runtime.
-    /// </summary>
-    /// <typeparam name="T">The specific PolicyRequirement being registered.</typeparam>
-    private static void AddPolicyRequirement<T>(this IServiceCollection serviceCollection, RequirementFactory<T> factory)
-        where T : class, IPolicyRequirement
-        => serviceCollection.AddPolicyRequirement(_ => factory);
-
-    /// <summary>
-    /// Used to register policy requirements where you need to access additional dependencies (usually to return a
-    /// curried factory method).
-    /// This MUST be used rather than calling AddScoped directly, because it will ensure the factory method has
-    /// the correct type to be injected and then identified by <see cref="PolicyRequirementQuery"/> at runtime.
-    /// </summary>
-    /// <typeparam name="T">
-    /// A callback that takes IServiceProvider and returns a RequirementFactory for
-    /// your policy requirement.
-    /// </typeparam>
-    private static void AddPolicyRequirement<T>(this IServiceCollection serviceCollection,
-        Func<IServiceProvider, RequirementFactory<T>> factory)
-        where T : class, IPolicyRequirement
-        => serviceCollection.AddScoped<RequirementFactory<IPolicyRequirement>>(factory);
 }
diff --git a/src/Core/Tools/Services/Implementations/SendService.cs b/src/Core/Tools/Services/Implementations/SendService.cs
index bddaa93bfc..e09787d7eb 100644
--- a/src/Core/Tools/Services/Implementations/SendService.cs
+++ b/src/Core/Tools/Services/Implementations/SendService.cs
@@ -326,14 +326,14 @@ public class SendService : ISendService
             return;
         }
 
-        var sendPolicyRequirement = await _policyRequirementQuery.GetAsync<SendPolicyRequirement>(userId.Value);
-
-        if (sendPolicyRequirement.DisableSend)
+        var disableSendRequirement = await _policyRequirementQuery.GetAsync<DisableSendPolicyRequirement>(userId.Value);
+        if (disableSendRequirement.DisableSend)
         {
             throw new BadRequestException("Due to an Enterprise Policy, you are only able to delete an existing Send.");
         }
 
-        if (sendPolicyRequirement.DisableHideEmail && send.HideEmail.GetValueOrDefault())
+        var sendOptionsRequirement = await _policyRequirementQuery.GetAsync<SendOptionsPolicyRequirement>(userId.Value);
+        if (sendOptionsRequirement.DisableHideEmail && send.HideEmail.GetValueOrDefault())
         {
             throw new BadRequestException("Due to an Enterprise Policy, you are not allowed to hide your email address from recipients when creating or editing a Send.");
         }
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirementFixtures.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirementFixtures.cs
new file mode 100644
index 0000000000..4838d1e3c4
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirementFixtures.cs
@@ -0,0 +1,23 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Policies;
+
+/// <summary>
+/// Intentionally simplified PolicyRequirement that just holds the input PolicyDetails for us to assert against.
+/// </summary>
+public class TestPolicyRequirement : IPolicyRequirement
+{
+    public IEnumerable<PolicyDetails> Policies { get; init; } = [];
+}
+
+public class TestPolicyRequirementFactory(Func<PolicyDetails, bool> enforce) : IPolicyRequirementFactory<TestPolicyRequirement>
+{
+    public PolicyType PolicyType => PolicyType.SingleOrg;
+
+    public bool Enforce(PolicyDetails policyDetails) => enforce(policyDetails);
+
+    public TestPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails)
+        => new() { Policies = policyDetails };
+}
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirementQueryTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirementQueryTests.cs
index 4c98353774..56b6740678 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirementQueryTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirementQueryTests.cs
@@ -1,6 +1,6 @@
-using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Implementations;
-using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
@@ -11,50 +11,72 @@ namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Policies;
 [SutProviderCustomize]
 public class PolicyRequirementQueryTests
 {
-    /// <summary>
-    /// Tests that the query correctly registers, retrieves and instantiates arbitrary IPolicyRequirements
-    /// according to their provided CreateRequirement delegate.
-    /// </summary>
     [Theory, BitAutoData]
-    public async Task GetAsync_Works(Guid userId, Guid organizationId)
+    public async Task GetAsync_IgnoresOtherPolicyTypes(Guid userId)
     {
+        var thisPolicy = new PolicyDetails { PolicyType = PolicyType.SingleOrg };
+        var otherPolicy = new PolicyDetails { PolicyType = PolicyType.RequireSso };
         var policyRepository = Substitute.For<IPolicyRepository>();
-        var factories = new List<RequirementFactory<IPolicyRequirement>>
-        {
-            // In prod this cast is handled when the CreateRequirement delegate is registered in DI
-            (RequirementFactory<TestPolicyRequirement>)TestPolicyRequirement.Create
-        };
+        policyRepository.GetPolicyDetailsByUserId(userId).Returns([otherPolicy, thisPolicy]);
 
-        var sut = new PolicyRequirementQuery(policyRepository, factories);
-        policyRepository.GetPolicyDetailsByUserId(userId).Returns([
-            new PolicyDetails
-            {
-                OrganizationId = organizationId
-            }
-        ]);
+        var factory = new TestPolicyRequirementFactory(_ => true);
+        var sut = new PolicyRequirementQuery(policyRepository, [factory]);
 
         var requirement = await sut.GetAsync<TestPolicyRequirement>(userId);
-        Assert.Equal(organizationId, requirement.OrganizationId);
+
+        Assert.Contains(thisPolicy, requirement.Policies);
+        Assert.DoesNotContain(otherPolicy, requirement.Policies);
     }
 
     [Theory, BitAutoData]
-    public async Task GetAsync_ThrowsIfNoRequirementRegistered(Guid userId)
+    public async Task GetAsync_CallsEnforceCallback(Guid userId)
+    {
+        // Arrange policies
+        var policyRepository = Substitute.For<IPolicyRepository>();
+        var thisPolicy = new PolicyDetails { PolicyType = PolicyType.SingleOrg };
+        var otherPolicy = new PolicyDetails { PolicyType = PolicyType.SingleOrg };
+        policyRepository.GetPolicyDetailsByUserId(userId).Returns([thisPolicy, otherPolicy]);
+
+        // Arrange a substitute Enforce function so that we can inspect the received calls
+        var callback = Substitute.For<Func<PolicyDetails, bool>>();
+        callback(Arg.Any<PolicyDetails>()).Returns(x => x.Arg<PolicyDetails>() == thisPolicy);
+
+        // Arrange the sut
+        var factory = new TestPolicyRequirementFactory(callback);
+        var sut = new PolicyRequirementQuery(policyRepository, [factory]);
+
+        // Act
+        var requirement = await sut.GetAsync<TestPolicyRequirement>(userId);
+
+        // Assert
+        Assert.Contains(thisPolicy, requirement.Policies);
+        Assert.DoesNotContain(otherPolicy, requirement.Policies);
+        callback.Received()(Arg.Is(thisPolicy));
+        callback.Received()(Arg.Is(otherPolicy));
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetAsync_ThrowsIfNoFactoryRegistered(Guid userId)
     {
         var policyRepository = Substitute.For<IPolicyRepository>();
         var sut = new PolicyRequirementQuery(policyRepository, []);
 
         var exception = await Assert.ThrowsAsync<NotImplementedException>(()
             => sut.GetAsync<TestPolicyRequirement>(userId));
-        Assert.Contains("No Policy Requirement found", exception.Message);
+        Assert.Contains("No Requirement Factory found", exception.Message);
     }
 
-    /// <summary>
-    /// Intentionally simplified PolicyRequirement that just holds the Policy.OrganizationId for us to assert against.
-    /// </summary>
-    private class TestPolicyRequirement : IPolicyRequirement
+    [Theory, BitAutoData]
+    public async Task GetAsync_HandlesNoPolicies(Guid userId)
     {
-        public Guid OrganizationId { get; init; }
-        public static TestPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails)
-            => new() { OrganizationId = policyDetails.Single().OrganizationId };
+        var policyRepository = Substitute.For<IPolicyRepository>();
+        policyRepository.GetPolicyDetailsByUserId(userId).Returns([]);
+
+        var factory = new TestPolicyRequirementFactory(x => x.IsProvider);
+        var sut = new PolicyRequirementQuery(policyRepository, [factory]);
+
+        var requirement = await sut.GetAsync<TestPolicyRequirement>(userId);
+
+        Assert.Empty(requirement.Policies);
     }
 }
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/BasePolicyRequirementFactoryTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/BasePolicyRequirementFactoryTests.cs
new file mode 100644
index 0000000000..e81459808d
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/BasePolicyRequirementFactoryTests.cs
@@ -0,0 +1,90 @@
+using AutoFixture.Xunit2;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.Enums;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+public class BasePolicyRequirementFactoryTests
+{
+    [Theory, AutoData]
+    public void ExemptRoles_DoesNotEnforceAgainstThoseRoles(
+        [PolicyDetails(PolicyType.SingleOrg, OrganizationUserType.Owner)] PolicyDetails ownerPolicy,
+        [PolicyDetails(PolicyType.SingleOrg, OrganizationUserType.Admin)] PolicyDetails adminPolicy,
+        [PolicyDetails(PolicyType.SingleOrg, OrganizationUserType.Custom)] PolicyDetails customPolicy,
+        [PolicyDetails(PolicyType.SingleOrg)] PolicyDetails userPolicy)
+    {
+        var sut = new TestPolicyRequirementFactory(
+            // These exempt roles are intentionally unusual to make sure we're properly testing the sut
+            [OrganizationUserType.User, OrganizationUserType.Custom],
+            [],
+            false);
+
+        Assert.True(sut.Enforce(ownerPolicy));
+        Assert.True(sut.Enforce(adminPolicy));
+        Assert.False(sut.Enforce(customPolicy));
+        Assert.False(sut.Enforce(userPolicy));
+    }
+
+    [Theory, AutoData]
+    public void ExemptStatuses_DoesNotEnforceAgainstThoseStatuses(
+        [PolicyDetails(PolicyType.SingleOrg, userStatus: OrganizationUserStatusType.Invited)] PolicyDetails invitedPolicy,
+        [PolicyDetails(PolicyType.SingleOrg, userStatus: OrganizationUserStatusType.Accepted)] PolicyDetails acceptedPolicy,
+        [PolicyDetails(PolicyType.SingleOrg, userStatus: OrganizationUserStatusType.Confirmed)] PolicyDetails confirmedPolicy,
+        [PolicyDetails(PolicyType.SingleOrg, userStatus: OrganizationUserStatusType.Revoked)] PolicyDetails revokedPolicy)
+    {
+        var sut = new TestPolicyRequirementFactory(
+            [],
+            // These exempt statuses are intentionally unusual to make sure we're properly testing the sut
+            [OrganizationUserStatusType.Confirmed, OrganizationUserStatusType.Accepted],
+            false);
+
+        Assert.True(sut.Enforce(invitedPolicy));
+        Assert.True(sut.Enforce(revokedPolicy));
+        Assert.False(sut.Enforce(confirmedPolicy));
+        Assert.False(sut.Enforce(acceptedPolicy));
+    }
+
+    [Theory, AutoData]
+    public void ExemptProviders_DoesNotEnforceAgainstProviders(
+        [PolicyDetails(PolicyType.SingleOrg, isProvider: true)] PolicyDetails policy)
+    {
+        var sut = new TestPolicyRequirementFactory(
+            [],
+            [],
+            true);
+
+        Assert.False(sut.Enforce(policy));
+    }
+
+    [Theory, AutoData]
+    public void NoExemptions_EnforcesAgainstAdminsAndProviders(
+        [PolicyDetails(PolicyType.SingleOrg, OrganizationUserType.Owner, isProvider: true)] PolicyDetails policy)
+    {
+        var sut = new TestPolicyRequirementFactory(
+            [],
+            [],
+            false);
+
+        Assert.True(sut.Enforce(policy));
+    }
+
+    private class TestPolicyRequirementFactory(
+        IEnumerable<OrganizationUserType> exemptRoles,
+        IEnumerable<OrganizationUserStatusType> exemptStatuses,
+        bool exemptProviders
+        ) : BasePolicyRequirementFactory<TestPolicyRequirement>
+    {
+        public override PolicyType PolicyType => PolicyType.SingleOrg;
+        protected override IEnumerable<OrganizationUserType> ExemptRoles => exemptRoles;
+        protected override IEnumerable<OrganizationUserStatusType> ExemptStatuses => exemptStatuses;
+
+        protected override bool ExemptProviders => exemptProviders;
+
+        public override TestPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails)
+            => new() { Policies = policyDetails };
+    }
+}
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/DisableSendPolicyRequirementFactoryTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/DisableSendPolicyRequirementFactoryTests.cs
new file mode 100644
index 0000000000..2304c0e9ae
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/DisableSendPolicyRequirementFactoryTests.cs
@@ -0,0 +1,32 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+[SutProviderCustomize]
+public class DisableSendPolicyRequirementFactoryTests
+{
+    [Theory, BitAutoData]
+    public void DisableSend_IsFalse_IfNoPolicies(SutProvider<DisableSendPolicyRequirementFactory> sutProvider)
+    {
+        var actual = sutProvider.Sut.Create([]);
+
+        Assert.False(actual.DisableSend);
+    }
+
+    [Theory, BitAutoData]
+    public void DisableSend_IsTrue_IfAnyDisableSendPolicies(
+        [PolicyDetails(PolicyType.DisableSend)] PolicyDetails[] policies,
+        SutProvider<DisableSendPolicyRequirementFactory> sutProvider
+        )
+    {
+        var actual = sutProvider.Sut.Create(policies);
+
+        Assert.True(actual.DisableSend);
+    }
+}
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendOptionsPolicyRequirementFactoryTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendOptionsPolicyRequirementFactoryTests.cs
new file mode 100644
index 0000000000..af66d858ef
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendOptionsPolicyRequirementFactoryTests.cs
@@ -0,0 +1,49 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+[SutProviderCustomize]
+public class SendOptionsPolicyRequirementFactoryTests
+{
+    [Theory, BitAutoData]
+    public void DisableHideEmail_IsFalse_IfNoPolicies(SutProvider<SendOptionsPolicyRequirementFactory> sutProvider)
+    {
+        var actual = sutProvider.Sut.Create([]);
+
+        Assert.False(actual.DisableHideEmail);
+    }
+
+    [Theory, BitAutoData]
+    public void DisableHideEmail_IsFalse_IfNotConfigured(
+        [PolicyDetails(PolicyType.SendOptions)] PolicyDetails[] policies,
+        SutProvider<SendOptionsPolicyRequirementFactory> sutProvider
+        )
+    {
+        policies[0].SetDataModel(new SendOptionsPolicyData { DisableHideEmail = false });
+        policies[1].SetDataModel(new SendOptionsPolicyData { DisableHideEmail = false });
+
+        var actual = sutProvider.Sut.Create(policies);
+
+        Assert.False(actual.DisableHideEmail);
+    }
+
+    [Theory, BitAutoData]
+    public void DisableHideEmail_IsTrue_IfAnyConfigured(
+        [PolicyDetails(PolicyType.SendOptions)] PolicyDetails[] policies,
+        SutProvider<SendOptionsPolicyRequirementFactory> sutProvider
+        )
+    {
+        policies[0].SetDataModel(new SendOptionsPolicyData { DisableHideEmail = true });
+        policies[1].SetDataModel(new SendOptionsPolicyData { DisableHideEmail = false });
+
+        var actual = sutProvider.Sut.Create(policies);
+
+        Assert.True(actual.DisableHideEmail);
+    }
+}
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendPolicyRequirementTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendPolicyRequirementTests.cs
deleted file mode 100644
index 4d7bf5db4e..0000000000
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendPolicyRequirementTests.cs
+++ /dev/null
@@ -1,138 +0,0 @@
-using AutoFixture.Xunit2;
-using Bit.Core.AdminConsole.Enums;
-using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
-using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
-using Bit.Core.Enums;
-using Bit.Core.Test.AdminConsole.AutoFixture;
-using Xunit;
-
-namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
-
-public class SendPolicyRequirementTests
-{
-    [Theory, AutoData]
-    public void DisableSend_IsFalse_IfNoDisableSendPolicies(
-        [PolicyDetails(PolicyType.RequireSso)] PolicyDetails otherPolicy1,
-        [PolicyDetails(PolicyType.SendOptions)] PolicyDetails otherPolicy2)
-    {
-        EnableDisableHideEmail(otherPolicy2);
-
-        var actual = SendPolicyRequirement.Create([otherPolicy1, otherPolicy2]);
-
-        Assert.False(actual.DisableSend);
-    }
-
-    [Theory]
-    [InlineAutoData(OrganizationUserType.Owner, false)]
-    [InlineAutoData(OrganizationUserType.Admin, false)]
-    [InlineAutoData(OrganizationUserType.User, true)]
-    [InlineAutoData(OrganizationUserType.Custom, true)]
-    public void DisableSend_TestRoles(
-        OrganizationUserType userType,
-        bool shouldBeEnforced,
-        [PolicyDetails(PolicyType.DisableSend)] PolicyDetails policyDetails)
-    {
-        policyDetails.OrganizationUserType = userType;
-
-        var actual = SendPolicyRequirement.Create([policyDetails]);
-
-        Assert.Equal(shouldBeEnforced, actual.DisableSend);
-    }
-
-    [Theory, AutoData]
-    public void DisableSend_Not_EnforcedAgainstProviders(
-        [PolicyDetails(PolicyType.DisableSend, isProvider: true)] PolicyDetails policyDetails)
-    {
-        var actual = SendPolicyRequirement.Create([policyDetails]);
-
-        Assert.False(actual.DisableSend);
-    }
-
-    [Theory]
-    [InlineAutoData(OrganizationUserStatusType.Confirmed, true)]
-    [InlineAutoData(OrganizationUserStatusType.Accepted, true)]
-    [InlineAutoData(OrganizationUserStatusType.Invited, false)]
-    [InlineAutoData(OrganizationUserStatusType.Revoked, false)]
-    public void DisableSend_TestStatuses(
-        OrganizationUserStatusType userStatus,
-        bool shouldBeEnforced,
-        [PolicyDetails(PolicyType.DisableSend)] PolicyDetails policyDetails)
-    {
-        policyDetails.OrganizationUserStatus = userStatus;
-
-        var actual = SendPolicyRequirement.Create([policyDetails]);
-
-        Assert.Equal(shouldBeEnforced, actual.DisableSend);
-    }
-
-    [Theory, AutoData]
-    public void DisableHideEmail_IsFalse_IfNoSendOptionsPolicies(
-        [PolicyDetails(PolicyType.RequireSso)] PolicyDetails otherPolicy1,
-        [PolicyDetails(PolicyType.DisableSend)] PolicyDetails otherPolicy2)
-    {
-        var actual = SendPolicyRequirement.Create([otherPolicy1, otherPolicy2]);
-
-        Assert.False(actual.DisableHideEmail);
-    }
-
-    [Theory]
-    [InlineAutoData(OrganizationUserType.Owner, false)]
-    [InlineAutoData(OrganizationUserType.Admin, false)]
-    [InlineAutoData(OrganizationUserType.User, true)]
-    [InlineAutoData(OrganizationUserType.Custom, true)]
-    public void DisableHideEmail_TestRoles(
-        OrganizationUserType userType,
-        bool shouldBeEnforced,
-        [PolicyDetails(PolicyType.SendOptions)] PolicyDetails policyDetails)
-    {
-        EnableDisableHideEmail(policyDetails);
-        policyDetails.OrganizationUserType = userType;
-
-        var actual = SendPolicyRequirement.Create([policyDetails]);
-
-        Assert.Equal(shouldBeEnforced, actual.DisableHideEmail);
-    }
-
-    [Theory, AutoData]
-    public void DisableHideEmail_Not_EnforcedAgainstProviders(
-        [PolicyDetails(PolicyType.SendOptions, isProvider: true)] PolicyDetails policyDetails)
-    {
-        EnableDisableHideEmail(policyDetails);
-
-        var actual = SendPolicyRequirement.Create([policyDetails]);
-
-        Assert.False(actual.DisableHideEmail);
-    }
-
-    [Theory]
-    [InlineAutoData(OrganizationUserStatusType.Confirmed, true)]
-    [InlineAutoData(OrganizationUserStatusType.Accepted, true)]
-    [InlineAutoData(OrganizationUserStatusType.Invited, false)]
-    [InlineAutoData(OrganizationUserStatusType.Revoked, false)]
-    public void DisableHideEmail_TestStatuses(
-        OrganizationUserStatusType userStatus,
-        bool shouldBeEnforced,
-        [PolicyDetails(PolicyType.SendOptions)] PolicyDetails policyDetails)
-    {
-        EnableDisableHideEmail(policyDetails);
-        policyDetails.OrganizationUserStatus = userStatus;
-
-        var actual = SendPolicyRequirement.Create([policyDetails]);
-
-        Assert.Equal(shouldBeEnforced, actual.DisableHideEmail);
-    }
-
-    [Theory, AutoData]
-    public void DisableHideEmail_HandlesNullData(
-        [PolicyDetails(PolicyType.SendOptions)] PolicyDetails policyDetails)
-    {
-        policyDetails.PolicyData = null;
-
-        var actual = SendPolicyRequirement.Create([policyDetails]);
-
-        Assert.False(actual.DisableHideEmail);
-    }
-
-    private static void EnableDisableHideEmail(PolicyDetails policyDetails)
-        => policyDetails.SetDataModel(new SendOptionsPolicyData { DisableHideEmail = true });
-}
diff --git a/test/Core.Test/Tools/Services/SendServiceTests.cs b/test/Core.Test/Tools/Services/SendServiceTests.cs
index ae65ee1388..86d476340d 100644
--- a/test/Core.Test/Tools/Services/SendServiceTests.cs
+++ b/test/Core.Test/Tools/Services/SendServiceTests.cs
@@ -123,10 +123,12 @@ public class SendServiceTests
 
     // Disable Send policy check - vNext
     private void SaveSendAsync_Setup_vNext(SutProvider<SendService> sutProvider, Send send,
-        SendPolicyRequirement sendPolicyRequirement)
+        DisableSendPolicyRequirement disableSendPolicyRequirement, SendOptionsPolicyRequirement sendOptionsPolicyRequirement)
     {
-        sutProvider.GetDependency<IPolicyRequirementQuery>().GetAsync<SendPolicyRequirement>(send.UserId!.Value)
-            .Returns(sendPolicyRequirement);
+        sutProvider.GetDependency<IPolicyRequirementQuery>().GetAsync<DisableSendPolicyRequirement>(send.UserId!.Value)
+            .Returns(disableSendPolicyRequirement);
+        sutProvider.GetDependency<IPolicyRequirementQuery>().GetAsync<SendOptionsPolicyRequirement>(send.UserId!.Value)
+            .Returns(sendOptionsPolicyRequirement);
         sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.PolicyRequirements).Returns(true);
 
         // Should not be called in these tests
@@ -141,7 +143,7 @@ public class SendServiceTests
         SutProvider<SendService> sutProvider, [NewUserSendCustomize] Send send)
     {
         send.Type = sendType;
-        SaveSendAsync_Setup_vNext(sutProvider, send, new SendPolicyRequirement { DisableSend = true });
+        SaveSendAsync_Setup_vNext(sutProvider, send, new DisableSendPolicyRequirement { DisableSend = true }, new SendOptionsPolicyRequirement());
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.SaveSendAsync(send));
         Assert.Contains("Due to an Enterprise Policy, you are only able to delete an existing Send.",
@@ -155,7 +157,7 @@ public class SendServiceTests
         SutProvider<SendService> sutProvider, [NewUserSendCustomize] Send send)
     {
         send.Type = sendType;
-        SaveSendAsync_Setup_vNext(sutProvider, send, new SendPolicyRequirement());
+        SaveSendAsync_Setup_vNext(sutProvider, send, new DisableSendPolicyRequirement(), new SendOptionsPolicyRequirement());
 
         await sutProvider.Sut.SaveSendAsync(send);
 
@@ -171,7 +173,7 @@ public class SendServiceTests
         SutProvider<SendService> sutProvider, [NewUserSendCustomize] Send send)
     {
         send.Type = sendType;
-        SaveSendAsync_Setup_vNext(sutProvider, send, new SendPolicyRequirement { DisableHideEmail = true });
+        SaveSendAsync_Setup_vNext(sutProvider, send, new DisableSendPolicyRequirement(), new SendOptionsPolicyRequirement { DisableHideEmail = true });
         send.HideEmail = true;
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.SaveSendAsync(send));
@@ -185,7 +187,7 @@ public class SendServiceTests
         SutProvider<SendService> sutProvider, [NewUserSendCustomize] Send send)
     {
         send.Type = sendType;
-        SaveSendAsync_Setup_vNext(sutProvider, send, new SendPolicyRequirement { DisableHideEmail = true });
+        SaveSendAsync_Setup_vNext(sutProvider, send, new DisableSendPolicyRequirement(), new SendOptionsPolicyRequirement { DisableHideEmail = true });
         send.HideEmail = false;
 
         await sutProvider.Sut.SaveSendAsync(send);
@@ -200,7 +202,7 @@ public class SendServiceTests
         SutProvider<SendService> sutProvider, [NewUserSendCustomize] Send send)
     {
         send.Type = sendType;
-        SaveSendAsync_Setup_vNext(sutProvider, send, new SendPolicyRequirement());
+        SaveSendAsync_Setup_vNext(sutProvider, send, new DisableSendPolicyRequirement(), new SendOptionsPolicyRequirement());
         send.HideEmail = true;
 
         await sutProvider.Sut.SaveSendAsync(send);

From 6510f2a3e80d84263d8a077b7d584b0bca2236c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Tue, 11 Mar 2025 10:10:20 +0000
Subject: [PATCH 356/384] [PM-18088] Add unit test coverage for admin methods
 on CiphersController and CipherService (#5460)

* Add comprehensive test coverage for CipherService restore, delete, and soft delete methods

* Add comprehensive admin cipher management tests for CiphersController

* Enhance CiphersController admin methods with comprehensive test coverage

- Add tests for provider user scenarios in admin cipher management methods
- Implement tests for custom user with edit any collection permissions
- Add test coverage for RestrictProviderAccess feature flag
- Improve test scenarios for delete, soft delete, and restore operations

* Refactor CiphersControllerTests to simplify and optimize test methods

* Optimize CiphersControllerTests with code cleanup and test method improvements

* Extend CiphersControllerTests to support Admin and Owner roles

* Add test cases for custom user cipher admin operations with EditAnyCollection permission checks

- Extend CiphersControllerTests with scenarios for custom users without EditAnyCollection permission
- Add test methods to verify NotFoundException is thrown when EditAnyCollection is false
- Cover delete, soft delete, and restore operations for single and bulk cipher admin actions

* Enhance CiphersControllerTests with granular access permission scenarios

- Add test methods for admin and owner roles with specific cipher access scenarios
- Implement tests for accessing specific and unassigned ciphers
- Extend test coverage for delete, soft delete, and restore operations
- Improve test method naming for clarity and precision

* Add bulk admin cipher delete and soft delete tests for specific and unassigned ciphers

- Implement test methods for DeleteManyAdmin and PutDeleteManyAdmin
- Cover scenarios for owner and admin roles with access to specific and unassigned ciphers
- Verify correct invocation of DeleteManyAsync and SoftDeleteManyAsync methods
- Enhance test coverage for bulk cipher admin operations
---
 .../Controllers/CiphersControllerTests.cs     | 1043 +++++++++++++++++
 .../Vault/Services/CipherServiceTests.cs      |  254 ++++
 2 files changed, 1297 insertions(+)

diff --git a/test/Api.Test/Vault/Controllers/CiphersControllerTests.cs b/test/Api.Test/Vault/Controllers/CiphersControllerTests.cs
index 5c8de51062..14013d9c1c 100644
--- a/test/Api.Test/Vault/Controllers/CiphersControllerTests.cs
+++ b/test/Api.Test/Vault/Controllers/CiphersControllerTests.cs
@@ -1,6 +1,8 @@
 using System.Security.Claims;
+using System.Text.Json;
 using Bit.Api.Vault.Controllers;
 using Bit.Api.Vault.Models.Request;
+using Bit.Api.Vault.Models.Response;
 using Bit.Core;
 using Bit.Core.Context;
 using Bit.Core.Entities;
@@ -232,4 +234,1045 @@ public class CiphersControllerTests
 
         await sutProvider.GetDependency<ICurrentContext>().Received().ProviderUserForOrgAsync(organization.Id);
     }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task DeleteAdmin_WithOwnerOrAdmin_WithAccessToSpecificCipher_DeletesCipher(
+        OrganizationUserType organizationUserType, Cipher cipher, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipher.OrganizationId = organization.Id;
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(new List<CipherDetails>
+            {
+                new() { Id = cipher.Id, OrganizationId = cipher.OrganizationId, Edit = true }
+            });
+
+        await sutProvider.Sut.DeleteAdmin(cipher.Id.ToString());
+
+        await sutProvider.GetDependency<ICipherService>().Received(1).DeleteAsync(cipher, userId, true);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task DeleteAdmin_WithOwnerOrAdmin_WithAccessToUnassignedCipher_DeletesCipher(
+        OrganizationUserType organizationUserType, Cipher cipher, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipher.OrganizationId = organization.Id;
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organization.Id)
+            .Returns(new List<CipherOrganizationDetails> { new() { Id = cipher.Id } });
+
+        await sutProvider.Sut.DeleteAdmin(cipher.Id.ToString());
+
+        await sutProvider.GetDependency<ICipherService>().Received(1).DeleteAsync(cipher, userId, true);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task DeleteAdmin_WithAdminOrOwnerAndAccessToAllCollectionItems_DeletesCipher(
+        OrganizationUserType organizationUserType, Cipher cipher, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipher.OrganizationId = organization.Id;
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipher });
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(new OrganizationAbility
+        {
+            Id = organization.Id,
+            AllowAdminAccessToAllCollectionItems = true
+        });
+
+        await sutProvider.Sut.DeleteAdmin(cipher.Id.ToString());
+
+        await sutProvider.GetDependency<ICipherService>().Received(1).DeleteAsync(cipher, userId, true);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task DeleteAdmin_WithCustomUser_WithEditAnyCollectionTrue_DeletesCipher(
+        Cipher cipher, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipher.OrganizationId = organization.Id;
+        organization.Type = OrganizationUserType.Custom;
+        organization.Permissions.EditAnyCollection = true;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipher });
+
+        await sutProvider.Sut.DeleteAdmin(cipher.Id.ToString());
+
+        await sutProvider.GetDependency<ICipherService>().Received(1).DeleteAsync(cipher, userId, true);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task DeleteAdmin_WithCustomUser_WithEditAnyCollectionFalse_ThrowsNotFoundException(
+        Cipher cipher, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipher.OrganizationId = organization.Id;
+        organization.Type = OrganizationUserType.Custom;
+        organization.Permissions.EditAnyCollection = false;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteAdmin(cipher.Id.ToString()));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task DeleteAdmin_WithProviderUser_DeletesCipher(
+        Cipher cipher, Guid userId, SutProvider<CiphersController> sutProvider)
+    {
+        cipher.OrganizationId = Guid.NewGuid();
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(cipher.OrganizationId.Value).Returns(true);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(cipher.OrganizationId.Value).Returns(new List<Cipher> { cipher });
+
+        await sutProvider.Sut.DeleteAdmin(cipher.Id.ToString());
+
+        await sutProvider.GetDependency<ICipherService>().Received(1).DeleteAsync(cipher, userId, true);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task DeleteAdmin_WithProviderUser_WithRestrictProviderAccessTrue_ThrowsNotFoundException(
+        Cipher cipher, Guid userId, SutProvider<CiphersController> sutProvider)
+    {
+        cipher.OrganizationId = Guid.NewGuid();
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(cipher.OrganizationId.Value).Returns(true);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.RestrictProviderAccess).Returns(true);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteAdmin(cipher.Id.ToString()));
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task DeleteManyAdmin_WithOwnerOrAdmin_WithAccessToSpecificCiphers_DeletesCiphers(
+        OrganizationUserType organizationUserType, CipherBulkDeleteRequestModel model, Guid userId, List<Cipher> ciphers,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id.ToString();
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(ciphers.Select(c => new CipherDetails
+            {
+                Id = c.Id,
+                OrganizationId = organization.Id,
+                Edit = true
+            }).ToList());
+
+        await sutProvider.Sut.DeleteManyAdmin(model);
+
+        await sutProvider.GetDependency<ICipherService>()
+            .Received(1)
+            .DeleteManyAsync(
+                Arg.Is<IEnumerable<Guid>>(ids =>
+                    ids.All(id => model.Ids.Contains(id.ToString())) && ids.Count() == model.Ids.Count()),
+                userId, organization.Id, true);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task DeleteManyAdmin_WithOwnerOrAdmin_WithAccessToUnassignedCiphers_DeletesCiphers(
+        OrganizationUserType organizationUserType, CipherBulkDeleteRequestModel model, Guid userId, List<Cipher> ciphers,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id.ToString();
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organization.Id)
+            .Returns(ciphers.Select(c => new CipherOrganizationDetails { Id = c.Id }).ToList());
+
+        await sutProvider.Sut.DeleteManyAdmin(model);
+
+        await sutProvider.GetDependency<ICipherService>()
+            .Received(1)
+            .DeleteManyAsync(
+                Arg.Is<IEnumerable<Guid>>(ids =>
+                    ids.All(id => model.Ids.Contains(id.ToString())) && ids.Count() == model.Ids.Count()),
+                userId, organization.Id, true);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task DeleteManyAdmin_WithOwnerOrAdmin_WithAccessToAllCollectionItems_DeletesCiphers(
+        OrganizationUserType organizationUserType, CipherBulkDeleteRequestModel model, Guid userId, List<Cipher> ciphers,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id.ToString();
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(ciphers);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(new OrganizationAbility
+        {
+            Id = organization.Id,
+            AllowAdminAccessToAllCollectionItems = true
+        });
+
+        await sutProvider.Sut.DeleteManyAdmin(model);
+
+        await sutProvider.GetDependency<ICipherService>()
+            .Received(1)
+            .DeleteManyAsync(
+                Arg.Is<IEnumerable<Guid>>(ids =>
+                    ids.All(id => model.Ids.Contains(id.ToString())) && ids.Count() == model.Ids.Count()),
+                userId, organization.Id, true);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task DeleteManyAdmin_WithCustomUser_WithEditAnyCollectionTrue_DeletesCiphers(
+        CipherBulkDeleteRequestModel model,
+        Guid userId, List<Cipher> ciphers, CurrentContextOrganization organization,
+        SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id.ToString();
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = OrganizationUserType.Custom;
+        organization.Permissions.EditAnyCollection = true;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(ciphers);
+
+        await sutProvider.Sut.DeleteManyAdmin(model);
+
+        await sutProvider.GetDependency<ICipherService>()
+            .Received(1)
+            .DeleteManyAsync(
+                Arg.Is<IEnumerable<Guid>>(ids =>
+                    ids.All(id => model.Ids.Contains(id.ToString())) && ids.Count() == model.Ids.Count()),
+                userId, organization.Id, true);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task DeleteManyAdmin_WithCustomUser_WithEditAnyCollectionFalse_ThrowsNotFoundException(
+        CipherBulkDeleteRequestModel model,
+        Guid userId, List<Cipher> ciphers, CurrentContextOrganization organization,
+        SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id.ToString();
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = OrganizationUserType.Custom;
+        organization.Permissions.EditAnyCollection = false;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteManyAdmin(model));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task DeleteManyAdmin_WithProviderUser_DeletesCiphers(
+        CipherBulkDeleteRequestModel model, Guid userId,
+        List<Cipher> ciphers, SutProvider<CiphersController> sutProvider)
+    {
+        var organizationId = Guid.NewGuid();
+        model.OrganizationId = organizationId.ToString();
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+
+        foreach (var cipher in ciphers)
+        {
+            cipher.OrganizationId = organizationId;
+        }
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(organizationId).Returns(true);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organizationId).Returns(ciphers);
+
+        await sutProvider.Sut.DeleteManyAdmin(model);
+
+        await sutProvider.GetDependency<ICipherService>()
+            .Received(1)
+            .DeleteManyAsync(
+                Arg.Is<IEnumerable<Guid>>(ids =>
+                    ids.All(id => model.Ids.Contains(id.ToString())) && ids.Count() == model.Ids.Count()),
+                userId, organizationId, true);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task DeleteManyAdmin_WithProviderUser_WithRestrictProviderAccessTrue_ThrowsNotFoundException(
+        CipherBulkDeleteRequestModel model, SutProvider<CiphersController> sutProvider)
+    {
+        var organizationId = Guid.NewGuid();
+        model.OrganizationId = organizationId.ToString();
+
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(organizationId).Returns(true);
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.RestrictProviderAccess).Returns(true);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteManyAdmin(model));
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutDeleteAdmin_WithOwnerOrAdmin_WithAccessToSpecificCipher_SoftDeletesCipher(
+        OrganizationUserType organizationUserType, Cipher cipher, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipher.OrganizationId = organization.Id;
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(new List<CipherDetails>
+            {
+                new() { Id = cipher.Id, OrganizationId = cipher.OrganizationId, Edit = true }
+            });
+
+        await sutProvider.Sut.PutDeleteAdmin(cipher.Id.ToString());
+
+        await sutProvider.GetDependency<ICipherService>().Received(1).SoftDeleteAsync(cipher, userId, true);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutDeleteAdmin_WithOwnerOrAdmin_WithAccessToUnassignedCipher_SoftDeletesCipher(
+        OrganizationUserType organizationUserType, Cipher cipher, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipher.OrganizationId = organization.Id;
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organization.Id)
+            .Returns(new List<CipherOrganizationDetails> { new() { Id = cipher.Id } });
+
+        await sutProvider.Sut.PutDeleteAdmin(cipher.Id.ToString());
+
+        await sutProvider.GetDependency<ICipherService>().Received(1).SoftDeleteAsync(cipher, userId, true);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutDeleteAdmin_WithOwnerOrAdmin_WithAccessToAllCollectionItems_SoftDeletesCipher(
+        OrganizationUserType organizationUserType, Cipher cipher, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipher.OrganizationId = organization.Id;
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipher });
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(new OrganizationAbility
+        {
+            Id = organization.Id,
+            AllowAdminAccessToAllCollectionItems = true
+        });
+
+        await sutProvider.Sut.PutDeleteAdmin(cipher.Id.ToString());
+
+        await sutProvider.GetDependency<ICipherService>().Received(1).SoftDeleteAsync(cipher, userId, true);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PutDeleteAdmin_WithCustomUser_WithEditAnyCollectionTrue_SoftDeletesCipher(
+        Cipher cipher, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipher.OrganizationId = organization.Id;
+        organization.Type = OrganizationUserType.Custom;
+        organization.Permissions.EditAnyCollection = true;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipher });
+
+        await sutProvider.Sut.PutDeleteAdmin(cipher.Id.ToString());
+
+        await sutProvider.GetDependency<ICipherService>().Received(1).SoftDeleteAsync(cipher, userId, true);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PutDeleteAdmin_WithCustomUser_WithEditAnyCollectionFalse_ThrowsNotFoundException(
+        Cipher cipher, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipher.OrganizationId = organization.Id;
+        organization.Type = OrganizationUserType.Custom;
+        organization.Permissions.EditAnyCollection = false;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipher });
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutDeleteAdmin(cipher.Id.ToString()));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PutDeleteAdmin_WithProviderUser_SoftDeletesCipher(
+        Cipher cipher, Guid userId, SutProvider<CiphersController> sutProvider)
+    {
+        cipher.OrganizationId = Guid.NewGuid();
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(cipher.OrganizationId.Value).Returns(true);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(cipher.OrganizationId.Value).Returns(new List<Cipher> { cipher });
+
+        await sutProvider.Sut.PutDeleteAdmin(cipher.Id.ToString());
+
+        await sutProvider.GetDependency<ICipherService>().Received(1).SoftDeleteAsync(cipher, userId, true);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PutDeleteAdmin_WithProviderUser_WithRestrictProviderAccessTrue_ThrowsNotFoundException(
+        Cipher cipher, Guid userId, SutProvider<CiphersController> sutProvider)
+    {
+        cipher.OrganizationId = Guid.NewGuid();
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(cipher.OrganizationId.Value).Returns(true);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.RestrictProviderAccess).Returns(true);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutDeleteAdmin(cipher.Id.ToString()));
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutDeleteManyAdmin_WithOwnerOrAdmin_WithAccessToSpecificCiphers_SoftDeletesCiphers(
+        OrganizationUserType organizationUserType, CipherBulkDeleteRequestModel model, Guid userId, List<Cipher> ciphers,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id.ToString();
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(ciphers.Select(c => new CipherDetails
+            {
+                Id = c.Id,
+                OrganizationId = organization.Id,
+                Edit = true
+            }).ToList());
+
+        await sutProvider.Sut.PutDeleteManyAdmin(model);
+
+        await sutProvider.GetDependency<ICipherService>()
+            .Received(1)
+            .SoftDeleteManyAsync(
+                Arg.Is<IEnumerable<Guid>>(ids =>
+                    ids.All(id => model.Ids.Contains(id.ToString())) && ids.Count() == model.Ids.Count()),
+                userId, organization.Id, true);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutDeleteManyAdmin_WithOwnerOrAdmin_WithAccessToUnassignedCiphers_SoftDeletesCiphers(
+        OrganizationUserType organizationUserType, CipherBulkDeleteRequestModel model, Guid userId, List<Cipher> ciphers,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id.ToString();
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organization.Id)
+            .Returns(ciphers.Select(c => new CipherOrganizationDetails { Id = c.Id }).ToList());
+
+        await sutProvider.Sut.PutDeleteManyAdmin(model);
+
+        await sutProvider.GetDependency<ICipherService>()
+            .Received(1)
+            .SoftDeleteManyAsync(
+                Arg.Is<IEnumerable<Guid>>(ids =>
+                    ids.All(id => model.Ids.Contains(id.ToString())) && ids.Count() == model.Ids.Count()),
+                userId, organization.Id, true);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutDeleteManyAdmin_WithOwnerOrAdmin_WithAccessToAllCollectionItems_SoftDeletesCiphers(
+        OrganizationUserType organizationUserType, CipherBulkDeleteRequestModel model, Guid userId, List<Cipher> ciphers,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id.ToString();
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(ciphers);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(new OrganizationAbility
+        {
+            Id = organization.Id,
+            AllowAdminAccessToAllCollectionItems = true
+        });
+
+        await sutProvider.Sut.PutDeleteManyAdmin(model);
+
+        await sutProvider.GetDependency<ICipherService>()
+            .Received(1)
+            .SoftDeleteManyAsync(
+                Arg.Is<IEnumerable<Guid>>(ids =>
+                    ids.All(id => model.Ids.Contains(id.ToString())) && ids.Count() == model.Ids.Count()),
+                userId, organization.Id, true);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PutDeleteManyAdmin_WithCustomUser_WithEditAnyCollectionTrue_SoftDeletesCiphers(
+        CipherBulkDeleteRequestModel model,
+        Guid userId, List<Cipher> ciphers, CurrentContextOrganization organization,
+        SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id.ToString();
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = OrganizationUserType.Custom;
+        organization.Permissions.EditAnyCollection = true;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(ciphers);
+
+        await sutProvider.Sut.PutDeleteManyAdmin(model);
+
+        await sutProvider.GetDependency<ICipherService>()
+            .Received(1)
+            .SoftDeleteManyAsync(
+                Arg.Is<IEnumerable<Guid>>(ids =>
+                    ids.All(id => model.Ids.Contains(id.ToString())) && ids.Count() == model.Ids.Count()),
+                userId, organization.Id, true);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PutDeleteManyAdmin_WithCustomUser_WithEditAnyCollectionFalse_ThrowsNotFoundException(
+        CipherBulkDeleteRequestModel model,
+        Guid userId, List<Cipher> ciphers, CurrentContextOrganization organization,
+        SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id.ToString();
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = OrganizationUserType.Custom;
+        organization.Permissions.EditAnyCollection = false;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutDeleteManyAdmin(model));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PutDeleteManyAdmin_WithProviderUser_SoftDeletesCiphers(
+        CipherBulkDeleteRequestModel model, Guid userId,
+        List<Cipher> ciphers, SutProvider<CiphersController> sutProvider)
+    {
+        var organizationId = Guid.NewGuid();
+        model.OrganizationId = organizationId.ToString();
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+
+        foreach (var cipher in ciphers)
+        {
+            cipher.OrganizationId = organizationId;
+        }
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(organizationId).Returns(true);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organizationId).Returns(ciphers);
+
+        await sutProvider.Sut.PutDeleteManyAdmin(model);
+
+        await sutProvider.GetDependency<ICipherService>()
+            .Received(1)
+            .SoftDeleteManyAsync(
+                Arg.Is<IEnumerable<Guid>>(ids =>
+                    ids.All(id => model.Ids.Contains(id.ToString())) && ids.Count() == model.Ids.Count()),
+                userId, organizationId, true);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PutDeleteManyAdmin_WithProviderUser_WithRestrictProviderAccessTrue_ThrowsNotFoundException(
+        CipherBulkDeleteRequestModel model, SutProvider<CiphersController> sutProvider)
+    {
+        var organizationId = Guid.NewGuid();
+        model.OrganizationId = organizationId.ToString();
+
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(organizationId).Returns(true);
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.RestrictProviderAccess).Returns(true);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutDeleteManyAdmin(model));
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutRestoreAdmin_WithOwnerOrAdmin_WithAccessToSpecificCipher_RestoresCipher(
+        OrganizationUserType organizationUserType, CipherDetails cipher, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipher.OrganizationId = organization.Id;
+        cipher.Type = CipherType.Login;
+        cipher.Data = JsonSerializer.Serialize(new CipherLoginData());
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICipherRepository>().GetOrganizationDetailsByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(new List<CipherDetails>
+            {
+                new() { Id = cipher.Id, OrganizationId = cipher.OrganizationId, Edit = true }
+            });
+
+        var result = await sutProvider.Sut.PutRestoreAdmin(cipher.Id.ToString());
+
+        Assert.NotNull(result);
+        Assert.IsType<CipherMiniResponseModel>(result);
+        await sutProvider.GetDependency<ICipherService>().Received(1).RestoreAsync(cipher, userId, true);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutRestoreAdmin_WithOwnerOrAdmin_WithAccessToUnassignedCipher_RestoresCipher(
+        OrganizationUserType organizationUserType, CipherDetails cipher, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipher.OrganizationId = organization.Id;
+        cipher.Type = CipherType.Login;
+        cipher.Data = JsonSerializer.Serialize(new CipherLoginData());
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICipherRepository>().GetOrganizationDetailsByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organization.Id)
+            .Returns(new List<CipherOrganizationDetails> { new() { Id = cipher.Id } });
+
+        var result = await sutProvider.Sut.PutRestoreAdmin(cipher.Id.ToString());
+
+        Assert.NotNull(result);
+        Assert.IsType<CipherMiniResponseModel>(result);
+        await sutProvider.GetDependency<ICipherService>().Received(1).RestoreAsync(cipher, userId, true);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutRestoreAdmin_WithOwnerOrAdmin_WithAccessToAllCollectionItems_RestoresCipher(
+        OrganizationUserType organizationUserType, CipherDetails cipher, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipher.OrganizationId = organization.Id;
+        cipher.Type = CipherType.Login;
+        cipher.Data = JsonSerializer.Serialize(new CipherLoginData());
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICipherRepository>().GetOrganizationDetailsByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipher });
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(new OrganizationAbility
+        {
+            Id = organization.Id,
+            AllowAdminAccessToAllCollectionItems = true
+        });
+
+        var result = await sutProvider.Sut.PutRestoreAdmin(cipher.Id.ToString());
+
+        Assert.NotNull(result);
+        await sutProvider.GetDependency<ICipherService>().Received(1).RestoreAsync(cipher, userId, true);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PutRestoreAdmin_WithCustomUser_WithEditAnyCollectionTrue_RestoresCipher(
+        CipherDetails cipher, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipher.OrganizationId = organization.Id;
+        cipher.Type = CipherType.Login;
+        cipher.Data = JsonSerializer.Serialize(new CipherLoginData());
+        organization.Type = OrganizationUserType.Custom;
+        organization.Permissions.EditAnyCollection = true;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICipherRepository>().GetOrganizationDetailsByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipher });
+
+        var result = await sutProvider.Sut.PutRestoreAdmin(cipher.Id.ToString());
+
+        Assert.NotNull(result);
+        Assert.IsType<CipherMiniResponseModel>(result);
+        await sutProvider.GetDependency<ICipherService>().Received(1).RestoreAsync(cipher, userId, true);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PutRestoreAdmin_WithCustomUser_WithEditAnyCollectionFalse_ThrowsNotFoundException(
+        CipherDetails cipher, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipher.OrganizationId = organization.Id;
+        cipher.Type = CipherType.Login;
+        cipher.Data = JsonSerializer.Serialize(new CipherLoginData());
+        organization.Type = OrganizationUserType.Custom;
+        organization.Permissions.EditAnyCollection = false;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICipherRepository>().GetOrganizationDetailsByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipher });
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutRestoreAdmin(cipher.Id.ToString()));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PutRestoreAdmin_WithProviderUser_RestoresCipher(
+        CipherDetails cipher, Guid userId, SutProvider<CiphersController> sutProvider)
+    {
+        cipher.OrganizationId = Guid.NewGuid();
+        cipher.Type = CipherType.Login;
+        cipher.Data = JsonSerializer.Serialize(new CipherLoginData());
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(cipher.OrganizationId.Value).Returns(true);
+        sutProvider.GetDependency<ICipherRepository>().GetOrganizationDetailsByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(cipher.OrganizationId.Value).Returns(new List<Cipher> { cipher });
+
+        var result = await sutProvider.Sut.PutRestoreAdmin(cipher.Id.ToString());
+
+        Assert.NotNull(result);
+        Assert.IsType<CipherMiniResponseModel>(result);
+        await sutProvider.GetDependency<ICipherService>().Received(1).RestoreAsync(cipher, userId, true);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PutRestoreAdmin_WithProviderUser_WithRestrictProviderAccessTrue_ThrowsNotFoundException(
+        CipherDetails cipher, Guid userId, SutProvider<CiphersController> sutProvider)
+    {
+        cipher.OrganizationId = Guid.NewGuid();
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(cipher.OrganizationId.Value).Returns(true);
+        sutProvider.GetDependency<ICipherRepository>().GetOrganizationDetailsByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.RestrictProviderAccess).Returns(true);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutRestoreAdmin(cipher.Id.ToString()));
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutRestoreManyAdmin_WithOwnerOrAdmin_WithAccessToSpecificCiphers_RestoresCiphers(
+        OrganizationUserType organizationUserType, CipherBulkRestoreRequestModel model, Guid userId, List<Cipher> ciphers,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id;
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(ciphers);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(ciphers.Select(c => new CipherDetails
+            {
+                Id = c.Id,
+                OrganizationId = organization.Id,
+                Edit = true
+            }).ToList());
+
+        var cipherOrgDetails = ciphers.Select(c => new CipherOrganizationDetails
+        {
+            Id = c.Id,
+            OrganizationId = organization.Id
+        }).ToList();
+
+        sutProvider.GetDependency<ICipherService>()
+            .RestoreManyAsync(Arg.Is<HashSet<Guid>>(ids =>
+                    ids.All(id => model.Ids.Contains(id.ToString())) && ids.Count == model.Ids.Count()),
+                userId, organization.Id, true)
+            .Returns(cipherOrgDetails);
+
+        var result = await sutProvider.Sut.PutRestoreManyAdmin(model);
+
+        Assert.NotNull(result);
+        await sutProvider.GetDependency<ICipherService>().Received(1)
+            .RestoreManyAsync(
+                Arg.Is<HashSet<Guid>>(ids =>
+                    ids.All(id => model.Ids.Contains(id.ToString())) && ids.Count == model.Ids.Count()),
+                userId, organization.Id, true);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutRestoreManyAdmin_WithOwnerOrAdmin_WithAccessToUnassignedCiphers_RestoresCiphers(
+        OrganizationUserType organizationUserType, CipherBulkRestoreRequestModel model, Guid userId,
+        List<Cipher> ciphers, CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id;
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        var cipherOrgDetails = ciphers.Select(c => new CipherOrganizationDetails
+        {
+            Id = c.Id,
+            OrganizationId = organization.Id,
+            Type = CipherType.Login,
+            Data = JsonSerializer.Serialize(new CipherLoginData())
+        }).ToList();
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organization.Id)
+            .Returns(cipherOrgDetails);
+        sutProvider.GetDependency<ICipherService>()
+            .RestoreManyAsync(Arg.Is<HashSet<Guid>>(ids =>
+                ids.All(id => model.Ids.Contains(id.ToString()) && ids.Count == model.Ids.Count())),
+                userId, organization.Id, true)
+            .Returns(cipherOrgDetails);
+
+        var result = await sutProvider.Sut.PutRestoreManyAdmin(model);
+
+        Assert.NotNull(result);
+        Assert.Equal(model.Ids.Count(), result.Data.Count());
+        await sutProvider.GetDependency<ICipherService>()
+            .Received(1)
+            .RestoreManyAsync(
+                Arg.Is<HashSet<Guid>>(ids =>
+                    ids.All(id => model.Ids.Contains(id.ToString())) && ids.Count == model.Ids.Count()),
+                userId, organization.Id, true);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutRestoreManyAdmin_WithOwnerOrAdmin_WithAccessToAllCollectionItems_RestoresCiphers(
+        OrganizationUserType organizationUserType, CipherBulkRestoreRequestModel model, Guid userId, List<Cipher> ciphers,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id;
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(ciphers);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(new OrganizationAbility
+        {
+            Id = organization.Id,
+            AllowAdminAccessToAllCollectionItems = true
+        });
+
+        var cipherOrgDetails = ciphers.Select(c => new CipherOrganizationDetails
+        {
+            Id = c.Id,
+            OrganizationId = organization.Id,
+            Type = CipherType.Login,
+            Data = JsonSerializer.Serialize(new CipherLoginData())
+        }).ToList();
+
+        sutProvider.GetDependency<ICipherService>()
+            .RestoreManyAsync(Arg.Any<HashSet<Guid>>(), userId, organization.Id, true)
+            .Returns(cipherOrgDetails);
+
+        var result = await sutProvider.Sut.PutRestoreManyAdmin(model);
+
+        Assert.NotNull(result);
+        Assert.Equal(ciphers.Count, result.Data.Count());
+        await sutProvider.GetDependency<ICipherService>().Received(1)
+            .RestoreManyAsync(
+                Arg.Is<HashSet<Guid>>(ids =>
+                    ids.All(id => model.Ids.Contains(id.ToString())) && ids.Count == model.Ids.Count()),
+                userId, organization.Id, true);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PutRestoreManyAdmin_WithCustomUser_WithEditAnyCollectionTrue_RestoresCiphers(
+        CipherBulkRestoreRequestModel model,
+        Guid userId, List<Cipher> ciphers, CurrentContextOrganization organization,
+        SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id;
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = OrganizationUserType.Custom;
+        organization.Permissions.EditAnyCollection = true;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(ciphers);
+
+        var cipherOrgDetails = ciphers.Select(c => new CipherOrganizationDetails
+        {
+            Id = c.Id,
+            OrganizationId = organization.Id,
+            Type = CipherType.Login,
+            Data = JsonSerializer.Serialize(new CipherLoginData())
+        }).ToList();
+
+        sutProvider.GetDependency<ICipherService>()
+            .RestoreManyAsync(
+                Arg.Is<HashSet<Guid>>(ids =>
+                    ids.All(id => model.Ids.Contains(id.ToString())) && ids.Count == model.Ids.Count()),
+                userId, organization.Id, true)
+            .Returns(cipherOrgDetails);
+
+        var result = await sutProvider.Sut.PutRestoreManyAdmin(model);
+
+        Assert.NotNull(result);
+        Assert.Equal(ciphers.Count, result.Data.Count());
+        await sutProvider.GetDependency<ICipherService>()
+            .Received(1)
+            .RestoreManyAsync(
+                Arg.Is<HashSet<Guid>>(ids =>
+                    ids.All(id => model.Ids.Contains(id.ToString())) && ids.Count == model.Ids.Count()),
+                userId, organization.Id, true);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PutRestoreManyAdmin_WithCustomUser_WithEditAnyCollectionFalse_ThrowsNotFoundException(
+        CipherBulkRestoreRequestModel model,
+        Guid userId, List<Cipher> ciphers, CurrentContextOrganization organization,
+        SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id;
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = OrganizationUserType.Custom;
+        organization.Permissions.EditAnyCollection = false;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(ciphers);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutRestoreManyAdmin(model));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PutRestoreManyAdmin_WithProviderUser_RestoresCiphers(
+        CipherBulkRestoreRequestModel model, Guid userId,
+        List<Cipher> ciphers, SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = Guid.NewGuid();
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(model.OrganizationId).Returns(true);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(model.OrganizationId).Returns(ciphers);
+
+        var cipherOrgDetails = ciphers.Select(c => new CipherOrganizationDetails
+        {
+            Id = c.Id,
+            OrganizationId = model.OrganizationId
+        }).ToList();
+
+        sutProvider.GetDependency<ICipherService>()
+            .RestoreManyAsync(
+                Arg.Any<HashSet<Guid>>(),
+                userId, model.OrganizationId, true)
+            .Returns(cipherOrgDetails);
+
+        var result = await sutProvider.Sut.PutRestoreManyAdmin(model);
+
+        Assert.NotNull(result);
+        await sutProvider.GetDependency<ICipherService>()
+            .Received(1)
+            .RestoreManyAsync(
+                Arg.Is<HashSet<Guid>>(ids =>
+                    ids.All(id => model.Ids.Contains(id.ToString())) && ids.Count == model.Ids.Count()),
+                userId, model.OrganizationId, true);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PutRestoreManyAdmin_WithProviderUser_WithRestrictProviderAccessTrue_ThrowsNotFoundException(
+        CipherBulkRestoreRequestModel model, SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = Guid.NewGuid();
+
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(model.OrganizationId).Returns(true);
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.RestrictProviderAccess).Returns(true);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutRestoreManyAdmin(model));
+    }
 }
diff --git a/test/Core.Test/Vault/Services/CipherServiceTests.cs b/test/Core.Test/Vault/Services/CipherServiceTests.cs
index 4f02d94c9c..1803c980c2 100644
--- a/test/Core.Test/Vault/Services/CipherServiceTests.cs
+++ b/test/Core.Test/Vault/Services/CipherServiceTests.cs
@@ -602,6 +602,78 @@ public class CipherServiceTests
         Assert.NotEqual(initialRevisionDate, cipher.RevisionDate);
     }
 
+    [Theory]
+    [BitAutoData]
+    public async Task RestoreAsync_WithAlreadyRestoredCipher_SkipsOperation(
+        Guid restoringUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+    {
+        cipher.DeletedDate = null;
+
+        await sutProvider.Sut.RestoreAsync(cipher, restoringUserId, true);
+
+        await sutProvider.GetDependency<ICipherRepository>().DidNotReceiveWithAnyArgs().UpsertAsync(default);
+        await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs().LogCipherEventAsync(default, default);
+        await sutProvider.GetDependency<IPushNotificationService>().DidNotReceiveWithAnyArgs().PushSyncCipherUpdateAsync(default, default);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RestoreAsync_WithPersonalCipherBelongingToDifferentUser_ThrowsBadRequestException(
+        Guid restoringUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+    {
+        cipher.UserId = Guid.NewGuid();
+        cipher.OrganizationId = null;
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RestoreAsync(cipher, restoringUserId));
+
+        Assert.Contains("do not have permissions", exception.Message);
+        await sutProvider.GetDependency<ICipherRepository>().DidNotReceiveWithAnyArgs().UpsertAsync(default);
+        await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs().LogCipherEventAsync(default, default);
+        await sutProvider.GetDependency<IPushNotificationService>().DidNotReceiveWithAnyArgs().PushSyncCipherUpdateAsync(default, default);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task RestoreAsync_WithOrgCipherLackingEditPermission_ThrowsBadRequestException(
+        Guid restoringUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+    {
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetCanEditByIdAsync(restoringUserId, cipher.Id)
+            .Returns(false);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RestoreAsync(cipher, restoringUserId));
+
+        Assert.Contains("do not have permissions", exception.Message);
+        await sutProvider.GetDependency<ICipherRepository>().DidNotReceiveWithAnyArgs().UpsertAsync(default);
+        await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs().LogCipherEventAsync(default, default);
+        await sutProvider.GetDependency<IPushNotificationService>().DidNotReceiveWithAnyArgs().PushSyncCipherUpdateAsync(default, default);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RestoreAsync_WithCipherDetailsType_RestoresCipherDetails(
+        Guid restoringUserId, CipherDetails cipherDetails, SutProvider<CipherService> sutProvider)
+    {
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetCanEditByIdAsync(restoringUserId, cipherDetails.Id)
+            .Returns(true);
+
+        var initialRevisionDate = new DateTime(1970, 1, 1, 0, 0, 0);
+        cipherDetails.DeletedDate = initialRevisionDate;
+        cipherDetails.RevisionDate = initialRevisionDate;
+
+        await sutProvider.Sut.RestoreAsync(cipherDetails, restoringUserId);
+
+        Assert.Null(cipherDetails.DeletedDate);
+        Assert.NotEqual(initialRevisionDate, cipherDetails.RevisionDate);
+        await sutProvider.GetDependency<ICipherRepository>().Received(1).UpsertAsync(cipherDetails);
+        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipherDetails, EventType.Cipher_Restored);
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherUpdateAsync(cipherDetails, null);
+    }
+
     [Theory]
     [BitAutoData]
     public async Task RestoreManyAsync_UpdatesCiphers(ICollection<CipherDetails> ciphers,
@@ -725,6 +797,188 @@ public class CipherServiceTests
             Arg.Is<IEnumerable<Cipher>>(arg => !arg.Except(ciphers).Any()));
     }
 
+    [Theory]
+    [BitAutoData]
+    public async Task DeleteAsync_WithPersonalCipherOwner_DeletesCipher(
+        Guid deletingUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+    {
+        cipher.UserId = deletingUserId;
+        cipher.OrganizationId = null;
+
+        await sutProvider.Sut.DeleteAsync(cipher, deletingUserId);
+
+        await sutProvider.GetDependency<ICipherRepository>().Received(1).DeleteAsync(cipher);
+        await sutProvider.GetDependency<IAttachmentStorageService>().Received(1).DeleteAttachmentsForCipherAsync(cipher.Id);
+        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipher, EventType.Cipher_Deleted);
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherDeleteAsync(cipher);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task DeleteAsync_WithOrgCipherAndEditPermission_DeletesCipher(
+        Guid deletingUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+    {
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetCanEditByIdAsync(deletingUserId, cipher.Id)
+            .Returns(true);
+
+        await sutProvider.Sut.DeleteAsync(cipher, deletingUserId);
+
+        await sutProvider.GetDependency<ICipherRepository>().Received(1).DeleteAsync(cipher);
+        await sutProvider.GetDependency<IAttachmentStorageService>().Received(1).DeleteAttachmentsForCipherAsync(cipher.Id);
+        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipher, EventType.Cipher_Deleted);
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherDeleteAsync(cipher);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task DeleteAsync_WithPersonalCipherBelongingToDifferentUser_ThrowsBadRequestException(
+        Guid deletingUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+    {
+        cipher.UserId = Guid.NewGuid();
+        cipher.OrganizationId = null;
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.DeleteAsync(cipher, deletingUserId));
+
+        Assert.Contains("do not have permissions", exception.Message);
+        await sutProvider.GetDependency<ICipherRepository>().DidNotReceiveWithAnyArgs().DeleteAsync(default);
+        await sutProvider.GetDependency<IAttachmentStorageService>().DidNotReceiveWithAnyArgs().DeleteAttachmentsForCipherAsync(default);
+        await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs().LogCipherEventAsync(default, default);
+        await sutProvider.GetDependency<IPushNotificationService>().DidNotReceiveWithAnyArgs().PushSyncCipherDeleteAsync(default);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task DeleteAsync_WithOrgCipherLackingEditPermission_ThrowsBadRequestException(
+        Guid deletingUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+    {
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetCanEditByIdAsync(deletingUserId, cipher.Id)
+            .Returns(false);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.DeleteAsync(cipher, deletingUserId));
+
+        Assert.Contains("do not have permissions", exception.Message);
+        await sutProvider.GetDependency<ICipherRepository>().DidNotReceiveWithAnyArgs().DeleteAsync(default);
+        await sutProvider.GetDependency<IAttachmentStorageService>().DidNotReceiveWithAnyArgs().DeleteAttachmentsForCipherAsync(default);
+        await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs().LogCipherEventAsync(default, default);
+        await sutProvider.GetDependency<IPushNotificationService>().DidNotReceiveWithAnyArgs().PushSyncCipherDeleteAsync(default);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task SoftDeleteAsync_WithPersonalCipherOwner_SoftDeletesCipher(
+        Guid deletingUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+    {
+        cipher.UserId = deletingUserId;
+        cipher.OrganizationId = null;
+        cipher.DeletedDate = null;
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetCanEditByIdAsync(deletingUserId, cipher.Id)
+            .Returns(true);
+
+        await sutProvider.Sut.SoftDeleteAsync(cipher, deletingUserId);
+
+        Assert.NotNull(cipher.DeletedDate);
+        Assert.Equal(cipher.RevisionDate, cipher.DeletedDate);
+        await sutProvider.GetDependency<ICipherRepository>().Received(1).UpsertAsync(cipher);
+        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipher, EventType.Cipher_SoftDeleted);
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherUpdateAsync(cipher, null);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task SoftDeleteAsync_WithOrgCipherAndEditPermission_SoftDeletesCipher(
+        Guid deletingUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+    {
+        cipher.DeletedDate = null;
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetCanEditByIdAsync(deletingUserId, cipher.Id)
+            .Returns(true);
+
+        await sutProvider.Sut.SoftDeleteAsync(cipher, deletingUserId);
+
+        Assert.NotNull(cipher.DeletedDate);
+        Assert.Equal(cipher.DeletedDate, cipher.RevisionDate);
+        await sutProvider.GetDependency<ICipherRepository>().Received(1).UpsertAsync(cipher);
+        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipher, EventType.Cipher_SoftDeleted);
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherUpdateAsync(cipher, null);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task SoftDeleteAsync_WithPersonalCipherBelongingToDifferentUser_ThrowsBadRequestException(
+        Guid deletingUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+    {
+        cipher.UserId = Guid.NewGuid();
+        cipher.OrganizationId = null;
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetCanEditByIdAsync(deletingUserId, cipher.Id)
+            .Returns(false);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.SoftDeleteAsync(cipher, deletingUserId));
+
+        Assert.Contains("do not have permissions", exception.Message);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task SoftDeleteAsync_WithOrgCipherLackingEditPermission_ThrowsBadRequestException(
+        Guid deletingUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+    {
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetCanEditByIdAsync(deletingUserId, cipher.Id)
+            .Returns(false);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.SoftDeleteAsync(cipher, deletingUserId));
+
+        Assert.Contains("do not have permissions", exception.Message);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task SoftDeleteAsync_WithCipherDetailsType_SoftDeletesCipherDetails(
+        Guid deletingUserId, CipherDetails cipher, SutProvider<CipherService> sutProvider)
+    {
+        cipher.DeletedDate = null;
+
+        await sutProvider.Sut.SoftDeleteAsync(cipher, deletingUserId, true);
+
+        Assert.NotNull(cipher.DeletedDate);
+        Assert.Equal(cipher.DeletedDate, cipher.RevisionDate);
+        await sutProvider.GetDependency<ICipherRepository>().Received(1).UpsertAsync(cipher);
+        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipher, EventType.Cipher_SoftDeleted);
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherUpdateAsync(cipher, null);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task SoftDeleteAsync_WithAlreadySoftDeletedCipher_SkipsOperation(
+        Guid deletingUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+    {
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetCanEditByIdAsync(deletingUserId, cipher.Id)
+            .Returns(true);
+        cipher.DeletedDate = DateTime.UtcNow.AddDays(-1);
+
+        await sutProvider.Sut.SoftDeleteAsync(cipher, deletingUserId);
+
+        await sutProvider.GetDependency<ICipherRepository>().DidNotReceive().UpsertAsync(Arg.Any<Cipher>());
+        await sutProvider.GetDependency<IEventService>().DidNotReceive().LogCipherEventAsync(Arg.Any<Cipher>(), Arg.Any<EventType>());
+        await sutProvider.GetDependency<IPushNotificationService>().DidNotReceive().PushSyncCipherUpdateAsync(Arg.Any<Cipher>(), Arg.Any<IEnumerable<Guid>>());
+    }
+
     private async Task AssertNoActionsAsync(SutProvider<CipherService> sutProvider)
     {
         await sutProvider.GetDependency<ICipherRepository>().DidNotReceiveWithAnyArgs().GetManyOrganizationDetailsByOrganizationIdAsync(default);

From f038e8c5e4e064b469f35ccf94e676e46536b447 Mon Sep 17 00:00:00 2001
From: Daniel James Smith <2670567+djsmith85@users.noreply.github.com>
Date: Tue, 11 Mar 2025 16:22:00 +0100
Subject: [PATCH 357/384] Create desktop-send-ui-refresh feature flag (#5487)

Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 6baa9227e1..0591617f5e 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -114,6 +114,7 @@ public static class FeatureFlagKeys
     public const string ItemShare = "item-share";
     public const string RiskInsightsCriticalApplication = "pm-14466-risk-insights-critical-application";
     public const string EnableRiskInsightsNotifications = "enable-risk-insights-notifications";
+    public const string DesktopSendUIRefresh = "desktop-send-ui-refresh";
 
     public const string ReturnErrorOnExistingKeypair = "return-error-on-existing-keypair";
     public const string UseTreeWalkerApiForPageDetailsCollection = "use-tree-walker-api-for-page-details-collection";

From 0153d9dfd9e4014bbf12f3d33a361d61da6704d9 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Tue, 11 Mar 2025 16:01:23 -0400
Subject: [PATCH 358/384] Update DockerCompose template to point to ghcr.io
 registry (#5491)

---
 util/Setup/Templates/DockerCompose.hbs | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/util/Setup/Templates/DockerCompose.hbs b/util/Setup/Templates/DockerCompose.hbs
index ffe9121089..741e1085f9 100644
--- a/util/Setup/Templates/DockerCompose.hbs
+++ b/util/Setup/Templates/DockerCompose.hbs
@@ -15,7 +15,7 @@
 
 services:
   mssql:
-    image: bitwarden/mssql:{{{CoreVersion}}}
+    image: ghcr.io/bitwarden/mssql:{{{CoreVersion}}}
     container_name: bitwarden-mssql
     restart: always
     stop_grace_period: 60s
@@ -33,7 +33,7 @@ services:
       - ../env/mssql.override.env
 
   web:
-    image: bitwarden/web:{{{WebVersion}}}
+    image: ghcr.io/bitwarden/web:{{{WebVersion}}}
     container_name: bitwarden-web
     restart: always
     volumes:
@@ -43,7 +43,7 @@ services:
       - ../env/uid.env
 
   attachments:
-    image: bitwarden/attachments:{{{CoreVersion}}}
+    image: ghcr.io/bitwarden/attachments:{{{CoreVersion}}}
     container_name: bitwarden-attachments
     restart: always
     volumes:
@@ -53,7 +53,7 @@ services:
       - ../env/uid.env
 
   api:
-    image: bitwarden/api:{{{CoreVersion}}}
+    image: ghcr.io/bitwarden/api:{{{CoreVersion}}}
     container_name: bitwarden-api
     restart: always
     volumes:
@@ -69,7 +69,7 @@ services:
       - public
 
   identity:
-    image: bitwarden/identity:{{{CoreVersion}}}
+    image: ghcr.io/bitwarden/identity:{{{CoreVersion}}}
     container_name: bitwarden-identity
     restart: always
     volumes:
@@ -86,7 +86,7 @@ services:
       - public
 
   sso:
-    image: bitwarden/sso:{{{CoreVersion}}}
+    image: ghcr.io/bitwarden/sso:{{{CoreVersion}}}
     container_name: bitwarden-sso
     restart: always
     volumes:
@@ -103,7 +103,7 @@ services:
       - public
 
   admin:
-    image: bitwarden/admin:{{{CoreVersion}}}
+    image: ghcr.io/bitwarden/admin:{{{CoreVersion}}}
     container_name: bitwarden-admin
     restart: always
     depends_on:
@@ -121,7 +121,7 @@ services:
       - public
 
   icons:
-    image: bitwarden/icons:{{{CoreVersion}}}
+    image: ghcr.io/bitwarden/icons:{{{CoreVersion}}}
     container_name: bitwarden-icons
     restart: always
     volumes:
@@ -135,7 +135,7 @@ services:
       - public
 
   notifications:
-    image: bitwarden/notifications:{{{CoreVersion}}}
+    image: ghcr.io/bitwarden/notifications:{{{CoreVersion}}}
     container_name: bitwarden-notifications
     restart: always
     volumes:
@@ -150,7 +150,7 @@ services:
       - public
 
   events:
-    image: bitwarden/events:{{{CoreVersion}}}
+    image: ghcr.io/bitwarden/events:{{{CoreVersion}}}
     container_name: bitwarden-events
     restart: always
     volumes:
@@ -165,7 +165,7 @@ services:
       - public
 
   nginx:
-    image: bitwarden/nginx:{{{CoreVersion}}}
+    image: ghcr.io/bitwarden/nginx:{{{CoreVersion}}}
     container_name: bitwarden-nginx
     restart: always
     depends_on:
@@ -195,7 +195,7 @@ services:
 
 {{#if EnableKeyConnector}}
   key-connector:
-    image: bitwarden/key-connector:{{{KeyConnectorVersion}}}
+    image: ghcr.io/bitwarden/key-connector:{{{KeyConnectorVersion}}}
     container_name: bitwarden-key-connector
     restart: always
     volumes:
@@ -212,7 +212,7 @@ services:
 {{#if EnableScim}}
 
   scim:
-    image: bitwarden/scim:{{{CoreVersion}}}
+    image: ghcr.io/bitwarden/scim:{{{CoreVersion}}}
     container_name: bitwarden-scim
     restart: always
     volumes:

From 1b90bfe2a114e73b583100e955e57ac48b9733b9 Mon Sep 17 00:00:00 2001
From: Ike <137194738+ike-kottlowski@users.noreply.github.com>
Date: Tue, 11 Mar 2025 17:01:50 -0400
Subject: [PATCH 359/384] [PM-18944] Update error response from invalid OTP
 (#5485)

* fix(newDeviceVerification): updated error response from invalid OTP
---
 .../IdentityServer/RequestValidators/DeviceValidator.cs   | 8 ++++----
 test/Identity.Test/IdentityServer/DeviceValidatorTests.cs | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs b/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
index 3ddc28c0e1..4744f4aca3 100644
--- a/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
@@ -252,19 +252,19 @@ public class DeviceValidator(
         {
             case DeviceValidationResultType.InvalidUser:
                 result.ErrorDescription = "Invalid user";
-                customResponse.Add("ErrorModel", new ErrorResponseModel("invalid user"));
+                customResponse.Add("ErrorModel", new ErrorResponseModel("Invalid user."));
                 break;
             case DeviceValidationResultType.InvalidNewDeviceOtp:
                 result.ErrorDescription = "Invalid New Device OTP";
-                customResponse.Add("ErrorModel", new ErrorResponseModel("invalid new device otp"));
+                customResponse.Add("ErrorModel", new ErrorResponseModel("Invalid new device OTP. Try again."));
                 break;
             case DeviceValidationResultType.NewDeviceVerificationRequired:
                 result.ErrorDescription = "New device verification required";
-                customResponse.Add("ErrorModel", new ErrorResponseModel("new device verification required"));
+                customResponse.Add("ErrorModel", new ErrorResponseModel("New device verification required."));
                 break;
             case DeviceValidationResultType.NoDeviceInformationProvided:
                 result.ErrorDescription = "No device information provided";
-                customResponse.Add("ErrorModel", new ErrorResponseModel("no device information provided"));
+                customResponse.Add("ErrorModel", new ErrorResponseModel("No device information provided."));
                 break;
         }
         return (result, customResponse);
diff --git a/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs b/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
index b71dd6c230..bcb357d640 100644
--- a/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
+++ b/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
@@ -172,7 +172,7 @@ public class DeviceValidatorTests
 
         Assert.False(result);
         Assert.NotNull(context.CustomResponse["ErrorModel"]);
-        var expectedErrorModel = new ErrorResponseModel("no device information provided");
+        var expectedErrorModel = new ErrorResponseModel("No device information provided.");
         var actualResponse = (ErrorResponseModel)context.CustomResponse["ErrorModel"];
         Assert.Equal(expectedErrorModel.Message, actualResponse.Message);
     }
@@ -418,7 +418,7 @@ public class DeviceValidatorTests
         Assert.False(result);
         Assert.NotNull(context.CustomResponse["ErrorModel"]);
         // PM-13340: The error message should be "invalid user" instead of "no device information provided"
-        var expectedErrorMessage = "no device information provided";
+        var expectedErrorMessage = "No device information provided.";
         var actualResponse = (ErrorResponseModel)context.CustomResponse["ErrorModel"];
         Assert.Equal(expectedErrorMessage, actualResponse.Message);
     }
@@ -552,7 +552,7 @@ public class DeviceValidatorTests
 
         Assert.False(result);
         Assert.NotNull(context.CustomResponse["ErrorModel"]);
-        var expectedErrorMessage = "invalid new device otp";
+        var expectedErrorMessage = "Invalid new device OTP. Try again.";
         var actualResponse = (ErrorResponseModel)context.CustomResponse["ErrorModel"];
         Assert.Equal(expectedErrorMessage, actualResponse.Message);
     }
@@ -604,7 +604,7 @@ public class DeviceValidatorTests
 
         Assert.False(result);
         Assert.NotNull(context.CustomResponse["ErrorModel"]);
-        var expectedErrorMessage = "new device verification required";
+        var expectedErrorMessage = "New device verification required.";
         var actualResponse = (ErrorResponseModel)context.CustomResponse["ErrorModel"];
         Assert.Equal(expectedErrorMessage, actualResponse.Message);
     }

From ef3b8b782a1a02fd9fccc80c1742b19092f7975f Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Wed, 12 Mar 2025 11:56:47 -0400
Subject: [PATCH 360/384] Provide plans to OrganizationEditModel for resellers
 (#5493)

---
 .../AdminConsole/Controllers/ProvidersController.cs    | 10 ++++++++--
 src/Admin/AdminConsole/Models/OrganizationEditModel.cs |  3 ++-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/Admin/AdminConsole/Controllers/ProvidersController.cs b/src/Admin/AdminConsole/Controllers/ProvidersController.cs
index 9e3dc00cd6..c38bb64419 100644
--- a/src/Admin/AdminConsole/Controllers/ProvidersController.cs
+++ b/src/Admin/AdminConsole/Controllers/ProvidersController.cs
@@ -11,6 +11,7 @@ using Bit.Core.AdminConsole.Services;
 using Bit.Core.Billing.Entities;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Extensions;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Repositories;
 using Bit.Core.Billing.Services;
 using Bit.Core.Billing.Services.Contracts;
@@ -42,6 +43,7 @@ public class ProvidersController : Controller
     private readonly IFeatureService _featureService;
     private readonly IProviderPlanRepository _providerPlanRepository;
     private readonly IProviderBillingService _providerBillingService;
+    private readonly IPricingClient _pricingClient;
     private readonly string _stripeUrl;
     private readonly string _braintreeMerchantUrl;
     private readonly string _braintreeMerchantId;
@@ -60,7 +62,8 @@ public class ProvidersController : Controller
         IFeatureService featureService,
         IProviderPlanRepository providerPlanRepository,
         IProviderBillingService providerBillingService,
-        IWebHostEnvironment webHostEnvironment)
+        IWebHostEnvironment webHostEnvironment,
+        IPricingClient pricingClient)
     {
         _organizationRepository = organizationRepository;
         _organizationService = organizationService;
@@ -75,6 +78,7 @@ public class ProvidersController : Controller
         _featureService = featureService;
         _providerPlanRepository = providerPlanRepository;
         _providerBillingService = providerBillingService;
+        _pricingClient = pricingClient;
         _stripeUrl = webHostEnvironment.GetStripeUrl();
         _braintreeMerchantUrl = webHostEnvironment.GetBraintreeMerchantUrl();
         _braintreeMerchantId = globalSettings.Braintree.MerchantId;
@@ -415,7 +419,9 @@ public class ProvidersController : Controller
             return RedirectToAction("Index");
         }
 
-        return View(new OrganizationEditModel(provider));
+        var plans = await _pricingClient.ListPlans();
+
+        return View(new OrganizationEditModel(provider, plans));
     }
 
     [HttpPost]
diff --git a/src/Admin/AdminConsole/Models/OrganizationEditModel.cs b/src/Admin/AdminConsole/Models/OrganizationEditModel.cs
index 729b4f7990..1d23afd491 100644
--- a/src/Admin/AdminConsole/Models/OrganizationEditModel.cs
+++ b/src/Admin/AdminConsole/Models/OrganizationEditModel.cs
@@ -22,13 +22,14 @@ public class OrganizationEditModel : OrganizationViewModel
 
     public OrganizationEditModel() { }
 
-    public OrganizationEditModel(Provider provider)
+    public OrganizationEditModel(Provider provider, List<Plan> plans)
     {
         Provider = provider;
         BillingEmail = provider.Type == ProviderType.Reseller ? provider.BillingEmail : string.Empty;
         PlanType = Core.Billing.Enums.PlanType.TeamsMonthly;
         Plan = Core.Billing.Enums.PlanType.TeamsMonthly.GetDisplayAttribute()?.GetName();
         LicenseKey = RandomLicenseKey;
+        _plans = plans;
     }
 
     public OrganizationEditModel(

From a5c792dba9633030002fa2e993d77bfaef1f79cc Mon Sep 17 00:00:00 2001
From: Vincent Salucci <26154748+vincentsalucci@users.noreply.github.com>
Date: Wed, 12 Mar 2025 15:33:52 -0500
Subject: [PATCH 361/384] chore: organize vault team feature flag (#5494)

---
 src/Core/Constants.cs | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 0591617f5e..5da356faca 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -116,15 +116,21 @@ public static class FeatureFlagKeys
     public const string EnableRiskInsightsNotifications = "enable-risk-insights-notifications";
     public const string DesktopSendUIRefresh = "desktop-send-ui-refresh";
 
+    /* Vault Team */
+    public const string PM9111ExtensionPersistAddEditForm = "pm-9111-extension-persist-add-edit-form";
+    public const string NewDeviceVerificationPermanentDismiss = "new-device-permanent-dismiss";
+    public const string NewDeviceVerificationTemporaryDismiss = "new-device-temporary-dismiss";
+    public const string VaultBulkManagementAction = "vault-bulk-management-action";
+    public const string RestrictProviderAccess = "restrict-provider-access";
+    public const string SecurityTasks = "security-tasks";
+
     public const string ReturnErrorOnExistingKeypair = "return-error-on-existing-keypair";
     public const string UseTreeWalkerApiForPageDetailsCollection = "use-tree-walker-api-for-page-details-collection";
     public const string DuoRedirect = "duo-redirect";
     public const string AC2101UpdateTrialInitiationEmail = "AC-2101-update-trial-initiation-email";
     public const string EmailVerification = "email-verification";
     public const string EmailVerificationDisableTimingDelays = "email-verification-disable-timing-delays";
-    public const string RestrictProviderAccess = "restrict-provider-access";
     public const string PM4154BulkEncryptionService = "PM-4154-bulk-encryption-service";
-    public const string VaultBulkManagementAction = "vault-bulk-management-action";
     public const string InlineMenuFieldQualification = "inline-menu-field-qualification";
     public const string InlineMenuPositioningImprovements = "inline-menu-positioning-improvements";
     public const string DeviceTrustLogging = "pm-8285-device-trust-logging";
@@ -149,11 +155,7 @@ public static class FeatureFlagKeys
     public const string RemoveServerVersionHeader = "remove-server-version-header";
     public const string GeneratorToolsModernization = "generator-tools-modernization";
     public const string NewDeviceVerification = "new-device-verification";
-    public const string NewDeviceVerificationTemporaryDismiss = "new-device-temporary-dismiss";
-    public const string NewDeviceVerificationPermanentDismiss = "new-device-permanent-dismiss";
-    public const string SecurityTasks = "security-tasks";
     public const string MacOsNativeCredentialSync = "macos-native-credential-sync";
-    public const string PM9111ExtensionPersistAddEditForm = "pm-9111-extension-persist-add-edit-form";
     public const string InlineMenuTotp = "inline-menu-totp";
     public const string PrivateKeyRegeneration = "pm-12241-private-key-regeneration";
     public const string AppReviewPrompt = "app-review-prompt";

From d40fbe32170080ab81a299681d541af486e6526b Mon Sep 17 00:00:00 2001
From: Matt Bishop <mbishop@bitwarden.com>
Date: Thu, 13 Mar 2025 11:55:39 -0400
Subject: [PATCH 362/384] Upgrade test reporter (#5492)

---
 .github/workflows/test-database.yml | 3 +--
 .github/workflows/test.yml          | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/test-database.yml b/.github/workflows/test-database.yml
index a9c4737acc..26db5ea0a4 100644
--- a/.github/workflows/test-database.yml
+++ b/.github/workflows/test-database.yml
@@ -32,7 +32,6 @@ on:
       - "src/**/Entities/**/*.cs" # Database entity definitions
 
 jobs:
-
   test:
     name: Run tests
     runs-on: ubuntu-22.04
@@ -148,7 +147,7 @@ jobs:
         run: 'docker logs $(docker ps --quiet --filter "name=mssql")'
 
       - name: Report test results
-        uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 # v1.9.1
+        uses: dorny/test-reporter@6e6a65b7a0bd2c9197df7d0ae36ac5cee784230c # v2.0.0
         if: ${{ github.event.pull_request.head.repo.full_name == github.repository && !cancelled() }}
         with:
           name: Test Results
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 8d115b39cd..e44d7aa8b8 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -13,7 +13,6 @@ env:
   _AZ_REGISTRY: "bitwardenprod.azurecr.io"
 
 jobs:
-
   testing:
     name: Run tests
     if: ${{ startsWith(github.head_ref, 'version_bump_') == false }}
@@ -50,7 +49,7 @@ jobs:
         run: dotnet test ./bitwarden_license/test --configuration Debug --logger "trx;LogFileName=bw-test-results.trx" /p:CoverletOutputFormatter="cobertura" --collect:"XPlat Code Coverage"
 
       - name: Report test results
-        uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 # v1.9.1
+        uses: dorny/test-reporter@6e6a65b7a0bd2c9197df7d0ae36ac5cee784230c # v2.0.0
         if: ${{ github.event.pull_request.head.repo.full_name == github.repository && !cancelled() }}
         with:
           name: Test Results

From 2df4076a6b259d4dfec31c740ba99df152df1ccb Mon Sep 17 00:00:00 2001
From: Daniel James Smith <2670567+djsmith85@users.noreply.github.com>
Date: Thu, 13 Mar 2025 17:59:19 +0100
Subject: [PATCH 363/384] Add export-attachments feature flag (#5501)

Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 5da356faca..72224319fb 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -115,6 +115,7 @@ public static class FeatureFlagKeys
     public const string RiskInsightsCriticalApplication = "pm-14466-risk-insights-critical-application";
     public const string EnableRiskInsightsNotifications = "enable-risk-insights-notifications";
     public const string DesktopSendUIRefresh = "desktop-send-ui-refresh";
+    public const string ExportAttachments = "export-attachments";
 
     /* Vault Team */
     public const string PM9111ExtensionPersistAddEditForm = "pm-9111-extension-persist-add-edit-form";

From 7daf6cfad48260cb33f5f6b32f8f580a266d6f71 Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Fri, 14 Mar 2025 11:33:24 -0400
Subject: [PATCH 364/384] [PM-18794] Allow provider payment method (#5500)

* Add PaymentSource to ProviderSubscriptionResponse

* Add UpdatePaymentMethod to ProviderBillingController

* Add GetTaxInformation to ProviderBillingController

* Add VerifyBankAccount to ProviderBillingController

* Add feature flag
---
 .../Billing/ProviderBillingService.cs         | 13 +++
 .../Controllers/ProviderBillingController.cs  | 83 ++++++++++++++++++-
 .../Responses/ProviderSubscriptionResponse.cs |  9 +-
 .../Services/IProviderBillingService.cs       | 11 +++
 src/Core/Constants.cs                         |  1 +
 5 files changed, 113 insertions(+), 4 deletions(-)

diff --git a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
index 294a926022..74cfc1f916 100644
--- a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
+++ b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
@@ -628,6 +628,19 @@ public class ProviderBillingService(
         }
     }
 
+    public async Task UpdatePaymentMethod(
+        Provider provider,
+        TokenizedPaymentSource tokenizedPaymentSource,
+        TaxInformation taxInformation)
+    {
+        await Task.WhenAll(
+            subscriberService.UpdatePaymentSource(provider, tokenizedPaymentSource),
+            subscriberService.UpdateTaxInformation(provider, taxInformation));
+
+        await stripeAdapter.SubscriptionUpdateAsync(provider.GatewaySubscriptionId,
+            new SubscriptionUpdateOptions { CollectionMethod = StripeConstants.CollectionMethod.ChargeAutomatically });
+    }
+
     public async Task UpdateSeatMinimums(UpdateProviderSeatMinimumsCommand command)
     {
         if (command.Configuration.Any(x => x.SeatsMinimum < 0))
diff --git a/src/Api/Billing/Controllers/ProviderBillingController.cs b/src/Api/Billing/Controllers/ProviderBillingController.cs
index 73c992040c..bb1fd7bb25 100644
--- a/src/Api/Billing/Controllers/ProviderBillingController.cs
+++ b/src/Api/Billing/Controllers/ProviderBillingController.cs
@@ -1,5 +1,6 @@
 using Bit.Api.Billing.Models.Requests;
 using Bit.Api.Billing.Models.Responses;
+using Bit.Core;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Models;
 using Bit.Core.Billing.Pricing;
@@ -20,6 +21,7 @@ namespace Bit.Api.Billing.Controllers;
 [Authorize("Application")]
 public class ProviderBillingController(
     ICurrentContext currentContext,
+    IFeatureService featureService,
     ILogger<BaseProviderController> logger,
     IPricingClient pricingClient,
     IProviderBillingService providerBillingService,
@@ -71,6 +73,65 @@ public class ProviderBillingController(
             "text/csv");
     }
 
+    [HttpPut("payment-method")]
+    public async Task<IResult> UpdatePaymentMethodAsync(
+        [FromRoute] Guid providerId,
+        [FromBody] UpdatePaymentMethodRequestBody requestBody)
+    {
+        var allowProviderPaymentMethod = featureService.IsEnabled(FeatureFlagKeys.PM18794_ProviderPaymentMethod);
+
+        if (!allowProviderPaymentMethod)
+        {
+            return TypedResults.NotFound();
+        }
+
+        var (provider, result) = await TryGetBillableProviderForAdminOperation(providerId);
+
+        if (provider == null)
+        {
+            return result;
+        }
+
+        var tokenizedPaymentSource = requestBody.PaymentSource.ToDomain();
+        var taxInformation = requestBody.TaxInformation.ToDomain();
+
+        await providerBillingService.UpdatePaymentMethod(
+            provider,
+            tokenizedPaymentSource,
+            taxInformation);
+
+        return TypedResults.Ok();
+    }
+
+    [HttpPost("payment-method/verify-bank-account")]
+    public async Task<IResult> VerifyBankAccountAsync(
+        [FromRoute] Guid providerId,
+        [FromBody] VerifyBankAccountRequestBody requestBody)
+    {
+        var allowProviderPaymentMethod = featureService.IsEnabled(FeatureFlagKeys.PM18794_ProviderPaymentMethod);
+
+        if (!allowProviderPaymentMethod)
+        {
+            return TypedResults.NotFound();
+        }
+
+        var (provider, result) = await TryGetBillableProviderForAdminOperation(providerId);
+
+        if (provider == null)
+        {
+            return result;
+        }
+
+        if (requestBody.DescriptorCode.Length != 6 || !requestBody.DescriptorCode.StartsWith("SM"))
+        {
+            return Error.BadRequest("Statement descriptor should be a 6-character value that starts with 'SM'");
+        }
+
+        await subscriberService.VerifyBankAccount(provider, requestBody.DescriptorCode);
+
+        return TypedResults.Ok();
+    }
+
     [HttpGet("subscription")]
     public async Task<IResult> GetSubscriptionAsync([FromRoute] Guid providerId)
     {
@@ -102,12 +163,32 @@ public class ProviderBillingController(
 
         var subscriptionSuspension = await GetSubscriptionSuspensionAsync(stripeAdapter, subscription);
 
+        var paymentSource = await subscriberService.GetPaymentSource(provider);
+
         var response = ProviderSubscriptionResponse.From(
             subscription,
             configuredProviderPlans,
             taxInformation,
             subscriptionSuspension,
-            provider);
+            provider,
+            paymentSource);
+
+        return TypedResults.Ok(response);
+    }
+
+    [HttpGet("tax-information")]
+    public async Task<IResult> GetTaxInformationAsync([FromRoute] Guid providerId)
+    {
+        var (provider, result) = await TryGetBillableProviderForAdminOperation(providerId);
+
+        if (provider == null)
+        {
+            return result;
+        }
+
+        var taxInformation = await subscriberService.GetTaxInformation(provider);
+
+        var response = TaxInformationResponse.From(taxInformation);
 
         return TypedResults.Ok(response);
     }
diff --git a/src/Api/Billing/Models/Responses/ProviderSubscriptionResponse.cs b/src/Api/Billing/Models/Responses/ProviderSubscriptionResponse.cs
index 34c3817e51..ea1479c9df 100644
--- a/src/Api/Billing/Models/Responses/ProviderSubscriptionResponse.cs
+++ b/src/Api/Billing/Models/Responses/ProviderSubscriptionResponse.cs
@@ -16,7 +16,8 @@ public record ProviderSubscriptionResponse(
     TaxInformation TaxInformation,
     DateTime? CancelAt,
     SubscriptionSuspension Suspension,
-    ProviderType ProviderType)
+    ProviderType ProviderType,
+    PaymentSource PaymentSource)
 {
     private const string _annualCadence = "Annual";
     private const string _monthlyCadence = "Monthly";
@@ -26,7 +27,8 @@ public record ProviderSubscriptionResponse(
         ICollection<ConfiguredProviderPlan> providerPlans,
         TaxInformation taxInformation,
         SubscriptionSuspension subscriptionSuspension,
-        Provider provider)
+        Provider provider,
+        PaymentSource paymentSource)
     {
         var providerPlanResponses = providerPlans
             .Select(providerPlan =>
@@ -57,7 +59,8 @@ public record ProviderSubscriptionResponse(
             taxInformation,
             subscription.CancelAt,
             subscriptionSuspension,
-            provider.Type);
+            provider.Type,
+            paymentSource);
     }
 }
 
diff --git a/src/Core/Billing/Services/IProviderBillingService.cs b/src/Core/Billing/Services/IProviderBillingService.cs
index d6983da03e..64585f3361 100644
--- a/src/Core/Billing/Services/IProviderBillingService.cs
+++ b/src/Core/Billing/Services/IProviderBillingService.cs
@@ -95,5 +95,16 @@ public interface IProviderBillingService
     Task<Subscription> SetupSubscription(
         Provider provider);
 
+    /// <summary>
+    /// Updates the <paramref name="provider"/>'s payment source and tax information and then sets their subscription's collection_method to be "charge_automatically".
+    /// </summary>
+    /// <param name="provider">The <paramref name="provider"/> to update the payment source and tax information for.</param>
+    /// <param name="tokenizedPaymentSource">The tokenized payment source (ex. Credit Card) to attach to the <paramref name="provider"/>.</param>
+    /// <param name="taxInformation">The <paramref name="provider"/>'s updated tax information.</param>
+    Task UpdatePaymentMethod(
+        Provider provider,
+        TokenizedPaymentSource tokenizedPaymentSource,
+        TaxInformation taxInformation);
+
     Task UpdateSeatMinimums(UpdateProviderSeatMinimumsCommand command);
 }
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 72224319fb..9cbf6b788a 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -175,6 +175,7 @@ public static class FeatureFlagKeys
     public const string WebPush = "web-push";
     public const string AndroidImportLoginsFlow = "import-logins-flow";
     public const string PM12276Breadcrumbing = "pm-12276-breadcrumbing-for-business-features";
+    public const string PM18794_ProviderPaymentMethod = "pm-18794-provider-payment-method";
 
     public static List<string> GetAllKeys()
     {

From 488a9847ea15d977d28582bc44da110758e46ad1 Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Fri, 14 Mar 2025 12:00:58 -0500
Subject: [PATCH 365/384] Partial<T> for CommandResult<T> (#5482)

* Example of how a partial success/failure command result would look.

* Fixed code.

* Added Validator and ValidationResult

* Moved errors into their own files.

* Fixing tests

* fixed import.

* Forgot mock error.
---
 src/Api/Utilities/CommandResultExtensions.cs  |  2 +-
 src/Core/AdminConsole/Errors/Error.cs         |  3 +
 .../Errors/InsufficientPermissionsError.cs    | 11 ++++
 .../Errors/RecordNotFoundError.cs             | 11 ++++
 .../Shared/Validation/IValidator.cs           |  6 ++
 .../Shared/Validation/ValidationResult.cs     | 15 +++++
 src/Core/Models/Commands/CommandResult.cs     | 27 ++++++---
 .../AdminConsole/Shared/IValidatorTests.cs    | 58 +++++++++++++++++++
 .../Models/Commands/CommandResultTests.cs     | 53 +++++++++++++++++
 9 files changed, 176 insertions(+), 10 deletions(-)
 create mode 100644 src/Core/AdminConsole/Errors/Error.cs
 create mode 100644 src/Core/AdminConsole/Errors/InsufficientPermissionsError.cs
 create mode 100644 src/Core/AdminConsole/Errors/RecordNotFoundError.cs
 create mode 100644 src/Core/AdminConsole/Shared/Validation/IValidator.cs
 create mode 100644 src/Core/AdminConsole/Shared/Validation/ValidationResult.cs
 create mode 100644 test/Core.Test/AdminConsole/Shared/IValidatorTests.cs
 create mode 100644 test/Core.Test/Models/Commands/CommandResultTests.cs

diff --git a/src/Api/Utilities/CommandResultExtensions.cs b/src/Api/Utilities/CommandResultExtensions.cs
index 39104db7ff..c7315a0fa0 100644
--- a/src/Api/Utilities/CommandResultExtensions.cs
+++ b/src/Api/Utilities/CommandResultExtensions.cs
@@ -12,7 +12,7 @@ public static class CommandResultExtensions
             NoRecordFoundFailure<T> failure => new ObjectResult(failure.ErrorMessages) { StatusCode = StatusCodes.Status404NotFound },
             BadRequestFailure<T> failure => new ObjectResult(failure.ErrorMessages) { StatusCode = StatusCodes.Status400BadRequest },
             Failure<T> failure => new ObjectResult(failure.ErrorMessages) { StatusCode = StatusCodes.Status400BadRequest },
-            Success<T> success => new ObjectResult(success.Data) { StatusCode = StatusCodes.Status200OK },
+            Success<T> success => new ObjectResult(success.Value) { StatusCode = StatusCodes.Status200OK },
             _ => throw new InvalidOperationException($"Unhandled commandResult type: {commandResult.GetType().Name}")
         };
     }
diff --git a/src/Core/AdminConsole/Errors/Error.cs b/src/Core/AdminConsole/Errors/Error.cs
new file mode 100644
index 0000000000..6c8eed41a4
--- /dev/null
+++ b/src/Core/AdminConsole/Errors/Error.cs
@@ -0,0 +1,3 @@
+namespace Bit.Core.AdminConsole.Errors;
+
+public record Error<T>(string Message, T ErroredValue);
diff --git a/src/Core/AdminConsole/Errors/InsufficientPermissionsError.cs b/src/Core/AdminConsole/Errors/InsufficientPermissionsError.cs
new file mode 100644
index 0000000000..d04ceba7c9
--- /dev/null
+++ b/src/Core/AdminConsole/Errors/InsufficientPermissionsError.cs
@@ -0,0 +1,11 @@
+namespace Bit.Core.AdminConsole.Errors;
+
+public record InsufficientPermissionsError<T>(string Message, T ErroredValue) : Error<T>(Message, ErroredValue)
+{
+    public const string Code = "Insufficient Permissions";
+
+    public InsufficientPermissionsError(T ErroredValue) : this(Code, ErroredValue)
+    {
+
+    }
+}
diff --git a/src/Core/AdminConsole/Errors/RecordNotFoundError.cs b/src/Core/AdminConsole/Errors/RecordNotFoundError.cs
new file mode 100644
index 0000000000..25a169efe1
--- /dev/null
+++ b/src/Core/AdminConsole/Errors/RecordNotFoundError.cs
@@ -0,0 +1,11 @@
+namespace Bit.Core.AdminConsole.Errors;
+
+public record RecordNotFoundError<T>(string Message, T ErroredValue) : Error<T>(Message, ErroredValue)
+{
+    public const string Code = "Record Not Found";
+
+    public RecordNotFoundError(T ErroredValue) : this(Code, ErroredValue)
+    {
+
+    }
+}
diff --git a/src/Core/AdminConsole/Shared/Validation/IValidator.cs b/src/Core/AdminConsole/Shared/Validation/IValidator.cs
new file mode 100644
index 0000000000..d90386f00e
--- /dev/null
+++ b/src/Core/AdminConsole/Shared/Validation/IValidator.cs
@@ -0,0 +1,6 @@
+namespace Bit.Core.AdminConsole.Shared.Validation;
+
+public interface IValidator<T>
+{
+    public Task<ValidationResult<T>> ValidateAsync(T value);
+}
diff --git a/src/Core/AdminConsole/Shared/Validation/ValidationResult.cs b/src/Core/AdminConsole/Shared/Validation/ValidationResult.cs
new file mode 100644
index 0000000000..e25103e701
--- /dev/null
+++ b/src/Core/AdminConsole/Shared/Validation/ValidationResult.cs
@@ -0,0 +1,15 @@
+using Bit.Core.AdminConsole.Errors;
+
+namespace Bit.Core.AdminConsole.Shared.Validation;
+
+public abstract record ValidationResult<T>;
+
+public record Valid<T> : ValidationResult<T>
+{
+    public T Value { get; init; }
+}
+
+public record Invalid<T> : ValidationResult<T>
+{
+    public IEnumerable<Error<T>> Errors { get; init; }
+}
diff --git a/src/Core/Models/Commands/CommandResult.cs b/src/Core/Models/Commands/CommandResult.cs
index ae14b7d2f9..a8ec772fc1 100644
--- a/src/Core/Models/Commands/CommandResult.cs
+++ b/src/Core/Models/Commands/CommandResult.cs
@@ -1,5 +1,7 @@
 #nullable enable
 
+using Bit.Core.AdminConsole.Errors;
+
 namespace Bit.Core.Models.Commands;
 
 public class CommandResult(IEnumerable<string> errors)
@@ -9,7 +11,6 @@ public class CommandResult(IEnumerable<string> errors)
     public bool Success => ErrorMessages.Count == 0;
     public bool HasErrors => ErrorMessages.Count > 0;
     public List<string> ErrorMessages { get; } = errors.ToList();
-
     public CommandResult() : this(Array.Empty<string>()) { }
 }
 
@@ -29,22 +30,30 @@ public class Success : CommandResult
 {
 }
 
-public abstract class CommandResult<T>
-{
+public abstract class CommandResult<T>;
 
+public class Success<T>(T value) : CommandResult<T>
+{
+    public T Value { get; } = value;
 }
 
-public class Success<T>(T data) : CommandResult<T>
+public class Failure<T>(IEnumerable<string> errorMessages) : CommandResult<T>
 {
-    public T? Data { get; init; } = data;
+    public List<string> ErrorMessages { get; } = errorMessages.ToList();
+
+    public string ErrorMessage => string.Join(" ", ErrorMessages);
+
+    public Failure(string error) : this([error]) { }
 }
 
-public class Failure<T>(IEnumerable<string> errorMessage) : CommandResult<T>
+public class Partial<T> : CommandResult<T>
 {
-    public IEnumerable<string> ErrorMessages { get; init; } = errorMessage;
+    public T[] Successes { get; set; } = [];
+    public Error<T>[] Failures { get; set; } = [];
 
-    public Failure(string errorMessage) : this(new[] { errorMessage })
+    public Partial(IEnumerable<T> successfulItems, IEnumerable<Error<T>> failedItems)
     {
+        Successes = successfulItems.ToArray();
+        Failures = failedItems.ToArray();
     }
 }
-
diff --git a/test/Core.Test/AdminConsole/Shared/IValidatorTests.cs b/test/Core.Test/AdminConsole/Shared/IValidatorTests.cs
new file mode 100644
index 0000000000..abb49c25c6
--- /dev/null
+++ b/test/Core.Test/AdminConsole/Shared/IValidatorTests.cs
@@ -0,0 +1,58 @@
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.AdminConsole.Shared.Validation;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.Shared;
+
+public class IValidatorTests
+{
+    public class TestClass
+    {
+        public string Name { get; set; } = string.Empty;
+    }
+
+    public record InvalidRequestError<T>(T ErroredValue) : Error<T>(Code, ErroredValue)
+    {
+        public const string Code = "InvalidRequest";
+    }
+
+    public class TestClassValidator : IValidator<TestClass>
+    {
+        public Task<ValidationResult<TestClass>> ValidateAsync(TestClass value)
+        {
+            if (string.IsNullOrWhiteSpace(value.Name))
+            {
+                return Task.FromResult<ValidationResult<TestClass>>(new Invalid<TestClass>
+                {
+                    Errors = [new InvalidRequestError<TestClass>(value)]
+                });
+            }
+
+            return Task.FromResult<ValidationResult<TestClass>>(new Valid<TestClass> { Value = value });
+        }
+    }
+
+    [Fact]
+    public async Task ValidateAsync_WhenSomethingIsInvalid_ReturnsInvalidWithError()
+    {
+        var example = new TestClass();
+
+        var result = await new TestClassValidator().ValidateAsync(example);
+
+        Assert.IsType<Invalid<TestClass>>(result);
+        var invalidResult = result as Invalid<TestClass>;
+        Assert.Equal(InvalidRequestError<TestClass>.Code, invalidResult.Errors.First().Message);
+    }
+
+    [Fact]
+    public async Task ValidateAsync_WhenIsValid_ReturnsValid()
+    {
+        var example = new TestClass { Name = "Valid" };
+
+        var result = await new TestClassValidator().ValidateAsync(example);
+
+        Assert.IsType<Valid<TestClass>>(result);
+        var validResult = result as Valid<TestClass>;
+        Assert.Equal(example.Name, validResult.Value.Name);
+    }
+}
diff --git a/test/Core.Test/Models/Commands/CommandResultTests.cs b/test/Core.Test/Models/Commands/CommandResultTests.cs
new file mode 100644
index 0000000000..c500fef4f5
--- /dev/null
+++ b/test/Core.Test/Models/Commands/CommandResultTests.cs
@@ -0,0 +1,53 @@
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.Models.Commands;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Xunit;
+
+namespace Bit.Core.Test.Models.Commands;
+
+public class CommandResultTests
+{
+    public class TestItem
+    {
+        public Guid Id { get; set; }
+        public string Value { get; set; }
+    }
+
+    public CommandResult<TestItem> BulkAction(IEnumerable<TestItem> items)
+    {
+        var itemList = items.ToList();
+        var successfulItems = items.Where(x => x.Value == "SuccessfulRequest").ToArray();
+
+        var failedItems = itemList.Except(successfulItems).ToArray();
+
+        var notFound = failedItems.First(x => x.Value == "Failed due to not found");
+        var invalidPermissions = failedItems.First(x => x.Value == "Failed due to invalid permissions");
+
+        var notFoundError = new RecordNotFoundError<TestItem>(notFound);
+        var insufficientPermissionsError = new InsufficientPermissionsError<TestItem>(invalidPermissions);
+
+        return new Partial<TestItem>(successfulItems.ToArray(), [notFoundError, insufficientPermissionsError]);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void Partial_CommandResult_BulkRequestWithSuccessAndFailures(Guid successId1, Guid failureId1, Guid failureId2)
+    {
+        var listOfRecords = new List<TestItem>
+        {
+            new TestItem() { Id = successId1, Value = "SuccessfulRequest" },
+            new TestItem() { Id = failureId1, Value = "Failed due to not found" },
+            new TestItem() { Id = failureId2, Value = "Failed due to invalid permissions" }
+        };
+
+        var result = BulkAction(listOfRecords);
+
+        Assert.IsType<Partial<TestItem>>(result);
+
+        var failures = (result as Partial<TestItem>).Failures.ToArray();
+        var success = (result as Partial<TestItem>).Successes.First();
+
+        Assert.Equal(listOfRecords.First(), success);
+        Assert.Equal(2, failures.Length);
+    }
+}

From 27606e2d334f03d59571c5eb6b4c123e40f9071a Mon Sep 17 00:00:00 2001
From: Patrick Honkonen <1883101+SaintPatrck@users.noreply.github.com>
Date: Fri, 14 Mar 2025 13:22:22 -0400
Subject: [PATCH 366/384] [PM-3553] Feature flag: Mobile SimpleLogin self host
 alias generation (#5392)

---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 9cbf6b788a..e09422871d 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -176,6 +176,7 @@ public static class FeatureFlagKeys
     public const string AndroidImportLoginsFlow = "import-logins-flow";
     public const string PM12276Breadcrumbing = "pm-12276-breadcrumbing-for-business-features";
     public const string PM18794_ProviderPaymentMethod = "pm-18794-provider-payment-method";
+    public const string PM3553_MobileSimpleLoginSelfHostAlias = "simple-login-self-host-alias";
 
     public static List<string> GetAllKeys()
     {

From abfdf6f5cb0f1f1504dbaaaa0e04ce9cb60faf19 Mon Sep 17 00:00:00 2001
From: Ike <137194738+ike-kottlowski@users.noreply.github.com>
Date: Mon, 17 Mar 2025 12:37:34 -0400
Subject: [PATCH 367/384] Revert "[PM-18944] Update error response from invalid
 OTP" (#5504)

* Revert "[PM-18944] Update error response from invalid OTP (#5485)"

This reverts commit 1b90bfe2a114e73b583100e955e57ac48b9733b9.
---
 .../RequestValidators/DeviceValidator.cs            | 13 +++++++++----
 .../IdentityServer/DeviceValidatorTests.cs          |  8 ++++----
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs b/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
index 4744f4aca3..36a08326ab 100644
--- a/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
@@ -250,21 +250,26 @@ public class DeviceValidator(
         var customResponse = new Dictionary<string, object>();
         switch (errorType)
         {
+            /* 
+             * The ErrorMessage is brittle and is used to control the flow in the clients. Do not change them without updating the client as well.
+             * There is a backwards compatibility issue as well: if you make a change on the clients then ensure that they are backwards
+             * compatible.
+             */
             case DeviceValidationResultType.InvalidUser:
                 result.ErrorDescription = "Invalid user";
-                customResponse.Add("ErrorModel", new ErrorResponseModel("Invalid user."));
+                customResponse.Add("ErrorModel", new ErrorResponseModel("invalid user"));
                 break;
             case DeviceValidationResultType.InvalidNewDeviceOtp:
                 result.ErrorDescription = "Invalid New Device OTP";
-                customResponse.Add("ErrorModel", new ErrorResponseModel("Invalid new device OTP. Try again."));
+                customResponse.Add("ErrorModel", new ErrorResponseModel("invalid new device otp"));
                 break;
             case DeviceValidationResultType.NewDeviceVerificationRequired:
                 result.ErrorDescription = "New device verification required";
-                customResponse.Add("ErrorModel", new ErrorResponseModel("New device verification required."));
+                customResponse.Add("ErrorModel", new ErrorResponseModel("new device verification required"));
                 break;
             case DeviceValidationResultType.NoDeviceInformationProvided:
                 result.ErrorDescription = "No device information provided";
-                customResponse.Add("ErrorModel", new ErrorResponseModel("No device information provided."));
+                customResponse.Add("ErrorModel", new ErrorResponseModel("no device information provided"));
                 break;
         }
         return (result, customResponse);
diff --git a/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs b/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
index bcb357d640..b71dd6c230 100644
--- a/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
+++ b/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
@@ -172,7 +172,7 @@ public class DeviceValidatorTests
 
         Assert.False(result);
         Assert.NotNull(context.CustomResponse["ErrorModel"]);
-        var expectedErrorModel = new ErrorResponseModel("No device information provided.");
+        var expectedErrorModel = new ErrorResponseModel("no device information provided");
         var actualResponse = (ErrorResponseModel)context.CustomResponse["ErrorModel"];
         Assert.Equal(expectedErrorModel.Message, actualResponse.Message);
     }
@@ -418,7 +418,7 @@ public class DeviceValidatorTests
         Assert.False(result);
         Assert.NotNull(context.CustomResponse["ErrorModel"]);
         // PM-13340: The error message should be "invalid user" instead of "no device information provided"
-        var expectedErrorMessage = "No device information provided.";
+        var expectedErrorMessage = "no device information provided";
         var actualResponse = (ErrorResponseModel)context.CustomResponse["ErrorModel"];
         Assert.Equal(expectedErrorMessage, actualResponse.Message);
     }
@@ -552,7 +552,7 @@ public class DeviceValidatorTests
 
         Assert.False(result);
         Assert.NotNull(context.CustomResponse["ErrorModel"]);
-        var expectedErrorMessage = "Invalid new device OTP. Try again.";
+        var expectedErrorMessage = "invalid new device otp";
         var actualResponse = (ErrorResponseModel)context.CustomResponse["ErrorModel"];
         Assert.Equal(expectedErrorMessage, actualResponse.Message);
     }
@@ -604,7 +604,7 @@ public class DeviceValidatorTests
 
         Assert.False(result);
         Assert.NotNull(context.CustomResponse["ErrorModel"]);
-        var expectedErrorMessage = "New device verification required.";
+        var expectedErrorMessage = "new device verification required";
         var actualResponse = (ErrorResponseModel)context.CustomResponse["ErrorModel"];
         Assert.Equal(expectedErrorMessage, actualResponse.Message);
     }

From d3f8a99fa6d40ea3346560eb7a5259617ed536e4 Mon Sep 17 00:00:00 2001
From: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Date: Mon, 17 Mar 2025 16:20:51 -0400
Subject: [PATCH 368/384] [PM-18175] Remove flag check for 2FA recovery code
 login (#5513)

* Remove server-side flagging

* Linting

* Linting.
---
 .../RequestValidators/TwoFactorAuthenticationValidator.cs | 8 ++------
 .../TwoFactorAuthenticationValidatorTests.cs              | 5 +----
 2 files changed, 3 insertions(+), 10 deletions(-)

diff --git a/src/Identity/IdentityServer/RequestValidators/TwoFactorAuthenticationValidator.cs b/src/Identity/IdentityServer/RequestValidators/TwoFactorAuthenticationValidator.cs
index 856846cdd6..e733d4f410 100644
--- a/src/Identity/IdentityServer/RequestValidators/TwoFactorAuthenticationValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/TwoFactorAuthenticationValidator.cs
@@ -1,5 +1,4 @@
 using System.Text.Json;
-using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Identity.TokenProviders;
@@ -155,12 +154,9 @@ public class TwoFactorAuthenticationValidator(
             return false;
         }
 
-        if (_featureService.IsEnabled(FeatureFlagKeys.RecoveryCodeLogin))
+        if (type is TwoFactorProviderType.RecoveryCode)
         {
-            if (type is TwoFactorProviderType.RecoveryCode)
-            {
-                return await _userService.RecoverTwoFactorAsync(user, token);
-            }
+            return await _userService.RecoverTwoFactorAsync(user, token);
         }
 
         // These cases we want to always return false, U2f is deprecated and OrganizationDuo
diff --git a/test/Identity.Test/IdentityServer/TwoFactorAuthenticationValidatorTests.cs b/test/Identity.Test/IdentityServer/TwoFactorAuthenticationValidatorTests.cs
index e59a66a9e7..fb4d7c321a 100644
--- a/test/Identity.Test/IdentityServer/TwoFactorAuthenticationValidatorTests.cs
+++ b/test/Identity.Test/IdentityServer/TwoFactorAuthenticationValidatorTests.cs
@@ -1,5 +1,4 @@
-using Bit.Core;
-using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Identity.TokenProviders;
 using Bit.Core.Auth.Models.Business.Tokenables;
@@ -464,7 +463,6 @@ public class TwoFactorAuthenticationValidatorTests
         user.TwoFactorRecoveryCode = token;
 
         _userService.RecoverTwoFactorAsync(Arg.Is(user), Arg.Is(token)).Returns(true);
-        _featureService.IsEnabled(FeatureFlagKeys.RecoveryCodeLogin).Returns(true);
 
         // Act
         var result = await _sut.VerifyTwoFactorAsync(
@@ -486,7 +484,6 @@ public class TwoFactorAuthenticationValidatorTests
         user.TwoFactorRecoveryCode = token;
 
         _userService.RecoverTwoFactorAsync(Arg.Is(user), Arg.Is(token)).Returns(false);
-        _featureService.IsEnabled(FeatureFlagKeys.RecoveryCodeLogin).Returns(true);
 
         // Act
         var result = await _sut.VerifyTwoFactorAsync(

From 43d0f1052b4b0aeca3f57d729a42b6a4f84b9aa9 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 18 Mar 2025 14:04:54 +0100
Subject: [PATCH 369/384] [deps] Tools: Update MailKit to 4.11.0 (#5515)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 src/Core/Core.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index 8a8de3d77d..2a3edcdc00 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -36,7 +36,7 @@
     <PackageReference Include="DnsClient" Version="1.8.0" />
     <PackageReference Include="Fido2.AspNet" Version="3.0.1" />
     <PackageReference Include="Handlebars.Net" Version="2.1.6" />
-    <PackageReference Include="MailKit" Version="4.10.0" />
+    <PackageReference Include="MailKit" Version="4.11.0" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.10" />
     <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.46.1" />
     <PackageReference Include="Microsoft.Azure.NotificationHubs" Version="4.2.0" />

From 87cdb923a5a3bf1b0a23aff4641728505dd9563b Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Tue, 18 Mar 2025 11:44:36 -0400
Subject: [PATCH 370/384] [PM-17901] Replaced hard-coded Bitwarden Vault URLs
 (#5458)

* Replaced hard-coded Bitwarden Vault URLs

* Jared's feedback
---
 ...nizationUserRevokedForSingleOrgPolicy.html.hbs |  2 +-
 ...nizationUserRevokedForSingleOrgPolicy.text.hbs |  2 +-
 .../OrganizationSeatsAutoscaled.html.hbs          |  2 +-
 .../OrganizationSeatsMaxReached.html.hbs          |  2 +-
 .../OrganizationSmSeatsMaxReached.html.hbs        |  2 +-
 ...ganizationSmServiceAccountsMaxReached.html.hbs |  2 +-
 .../Mail/OrganizationSeatsAutoscaledViewModel.cs  |  2 +-
 .../Mail/OrganizationSeatsMaxReachedViewModel.cs  |  2 +-
 ...anizationServiceAccountsMaxReachedViewModel.cs |  2 +-
 .../Implementations/HandlebarsMailService.cs      | 15 +++++++++++----
 10 files changed, 20 insertions(+), 13 deletions(-)

diff --git a/src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForSingleOrgPolicy.html.hbs b/src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForSingleOrgPolicy.html.hbs
index d04abe86c9..5b2b1a70c5 100644
--- a/src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForSingleOrgPolicy.html.hbs
+++ b/src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForSingleOrgPolicy.html.hbs
@@ -7,7 +7,7 @@
         </tr>
         <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
             <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;" valign="top" align="left">
-                To leave an organization, first log into the <a href="https://vault.bitwarden.com/#/login">web app</a>, select the three dot menu next to the organization name, and select Leave.
+                To leave an organization, first log into the <a href="{{{WebVaultUrl}}}/login">web app</a>, select the three dot menu next to the organization name, and select Leave.
             </td>
         </tr>
     </table>
diff --git a/src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForSingleOrgPolicy.text.hbs b/src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForSingleOrgPolicy.text.hbs
index f933e8cf62..6a4b48006b 100644
--- a/src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForSingleOrgPolicy.text.hbs
+++ b/src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForSingleOrgPolicy.text.hbs
@@ -1,5 +1,5 @@
 {{#>BasicTextLayout}}
 Your user account has been revoked from the {{OrganizationName}} organization because your account is part of multiple organizations. Before you can rejoin {{OrganizationName}}, you must first leave all other organizations.
 
-To leave an organization, first log in the web app (https://vault.bitwarden.com/#/login), select the three dot menu next to the organization name, and select Leave.
+To leave an organization, first log in the web app ({{{WebVaultUrl}}}/login), select the three dot menu next to the organization name, and select Leave.
 {{/BasicTextLayout}}
diff --git a/src/Core/MailTemplates/Handlebars/OrganizationSeatsAutoscaled.html.hbs b/src/Core/MailTemplates/Handlebars/OrganizationSeatsAutoscaled.html.hbs
index 8277e3894a..6bdb982194 100644
--- a/src/Core/MailTemplates/Handlebars/OrganizationSeatsAutoscaled.html.hbs
+++ b/src/Core/MailTemplates/Handlebars/OrganizationSeatsAutoscaled.html.hbs
@@ -26,7 +26,7 @@
     </tr>
     <tr style="margin: 0; box-sizing: border-box; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
         <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
-            <a href="https://vault.bitwarden.com/#/organizations/{{{OrganizationId}}}/billing/subscription" clicktracking=off target="_blank" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #175DDC; border-color: #175DDC; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+            <a href="{{{VaultSubscriptionUrl}}}" clicktracking=off target="_blank" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #175DDC; border-color: #175DDC; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
                 Manage subscription
             </a>
             <br class="line-break" />
diff --git a/src/Core/MailTemplates/Handlebars/OrganizationSeatsMaxReached.html.hbs b/src/Core/MailTemplates/Handlebars/OrganizationSeatsMaxReached.html.hbs
index 6ac2ee74a5..49dbe41c72 100644
--- a/src/Core/MailTemplates/Handlebars/OrganizationSeatsMaxReached.html.hbs
+++ b/src/Core/MailTemplates/Handlebars/OrganizationSeatsMaxReached.html.hbs
@@ -24,7 +24,7 @@
     </tr>
     <tr style="margin: 0; box-sizing: border-box; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
         <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
-            <a href="https://vault.bitwarden.com/#/organizations/{{{OrganizationId}}}/billing/subscription" clicktracking=off target="_blank" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #175DDC; border-color: #175DDC; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+            <a href="{{{VaultSubscriptionUrl}}}" clicktracking=off target="_blank" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #175DDC; border-color: #175DDC; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
                 Manage subscription
             </a>
             <br class="line-break" />
diff --git a/src/Core/MailTemplates/Handlebars/OrganizationSmSeatsMaxReached.html.hbs b/src/Core/MailTemplates/Handlebars/OrganizationSmSeatsMaxReached.html.hbs
index a6db21effc..2ef6707f1f 100644
--- a/src/Core/MailTemplates/Handlebars/OrganizationSmSeatsMaxReached.html.hbs
+++ b/src/Core/MailTemplates/Handlebars/OrganizationSmSeatsMaxReached.html.hbs
@@ -24,7 +24,7 @@
     </tr>
     <tr style="margin: 0; box-sizing: border-box; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
         <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
-            <a href="https://vault.bitwarden.com/#/organizations/{{{OrganizationId}}}/billing/subscription" clicktracking=off target="_blank" rel="noopener noreferrer" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #175DDC; border-color: #175DDC; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+            <a href="{{{VaultSubscriptionUrl}}}" clicktracking=off target="_blank" rel="noopener noreferrer" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #175DDC; border-color: #175DDC; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
                 Manage subscription
             </a>
             <br class="line-break" />
diff --git a/src/Core/MailTemplates/Handlebars/OrganizationSmServiceAccountsMaxReached.html.hbs b/src/Core/MailTemplates/Handlebars/OrganizationSmServiceAccountsMaxReached.html.hbs
index 507fdc33a9..1f4300c23e 100644
--- a/src/Core/MailTemplates/Handlebars/OrganizationSmServiceAccountsMaxReached.html.hbs
+++ b/src/Core/MailTemplates/Handlebars/OrganizationSmServiceAccountsMaxReached.html.hbs
@@ -24,7 +24,7 @@
     </tr>
     <tr style="margin: 0; box-sizing: border-box; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
         <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
-            <a href="https://vault.bitwarden.com/#/organizations/{{{OrganizationId}}}/billing/subscription" clicktracking=off target="_blank" rel="noopener noreferrer" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #175DDC; border-color: #175DDC; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+            <a href="{{{VaultSubscriptionUrl}}}" clicktracking=off target="_blank" rel="noopener noreferrer" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #175DDC; border-color: #175DDC; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
                 Manage subscription
             </a>
             <br class="line-break" />
diff --git a/src/Core/Models/Mail/OrganizationSeatsAutoscaledViewModel.cs b/src/Core/Models/Mail/OrganizationSeatsAutoscaledViewModel.cs
index 87f87b1c69..425b853d3e 100644
--- a/src/Core/Models/Mail/OrganizationSeatsAutoscaledViewModel.cs
+++ b/src/Core/Models/Mail/OrganizationSeatsAutoscaledViewModel.cs
@@ -2,7 +2,7 @@
 
 public class OrganizationSeatsAutoscaledViewModel : BaseMailModel
 {
-    public Guid OrganizationId { get; set; }
     public int InitialSeatCount { get; set; }
     public int CurrentSeatCount { get; set; }
+    public string VaultSubscriptionUrl { get; set; }
 }
diff --git a/src/Core/Models/Mail/OrganizationSeatsMaxReachedViewModel.cs b/src/Core/Models/Mail/OrganizationSeatsMaxReachedViewModel.cs
index cdfb57b2dc..ad9c48ab31 100644
--- a/src/Core/Models/Mail/OrganizationSeatsMaxReachedViewModel.cs
+++ b/src/Core/Models/Mail/OrganizationSeatsMaxReachedViewModel.cs
@@ -2,6 +2,6 @@
 
 public class OrganizationSeatsMaxReachedViewModel : BaseMailModel
 {
-    public Guid OrganizationId { get; set; }
     public int MaxSeatCount { get; set; }
+    public string VaultSubscriptionUrl { get; set; }
 }
diff --git a/src/Core/Models/Mail/OrganizationServiceAccountsMaxReachedViewModel.cs b/src/Core/Models/Mail/OrganizationServiceAccountsMaxReachedViewModel.cs
index 1b9c925720..c814a3e564 100644
--- a/src/Core/Models/Mail/OrganizationServiceAccountsMaxReachedViewModel.cs
+++ b/src/Core/Models/Mail/OrganizationServiceAccountsMaxReachedViewModel.cs
@@ -2,6 +2,6 @@
 
 public class OrganizationServiceAccountsMaxReachedViewModel
 {
-    public Guid OrganizationId { get; set; }
     public int MaxServiceAccountsCount { get; set; }
+    public string VaultSubscriptionUrl { get; set; }
 }
diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs
index c598a9d432..d96f69b0a6 100644
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@@ -214,9 +214,9 @@ public class HandlebarsMailService : IMailService
         var message = CreateDefaultMessage($"{organization.DisplayName()} Seat Count Has Increased", ownerEmails);
         var model = new OrganizationSeatsAutoscaledViewModel
         {
-            OrganizationId = organization.Id,
             InitialSeatCount = initialSeatCount,
             CurrentSeatCount = organization.Seats.Value,
+            VaultSubscriptionUrl = GetCloudVaultSubscriptionUrl(organization.Id)
         };
 
         await AddMessageContentAsync(message, "OrganizationSeatsAutoscaled", model);
@@ -229,8 +229,8 @@ public class HandlebarsMailService : IMailService
         var message = CreateDefaultMessage($"{organization.DisplayName()} Seat Limit Reached", ownerEmails);
         var model = new OrganizationSeatsMaxReachedViewModel
         {
-            OrganizationId = organization.Id,
             MaxSeatCount = maxSeatCount,
+            VaultSubscriptionUrl = GetCloudVaultSubscriptionUrl(organization.Id)
         };
 
         await AddMessageContentAsync(message, "OrganizationSeatsMaxReached", model);
@@ -1103,8 +1103,8 @@ public class HandlebarsMailService : IMailService
         var message = CreateDefaultMessage($"{organization.DisplayName()} Secrets Manager Seat Limit Reached", ownerEmails);
         var model = new OrganizationSeatsMaxReachedViewModel
         {
-            OrganizationId = organization.Id,
             MaxSeatCount = maxSeatCount,
+            VaultSubscriptionUrl = GetCloudVaultSubscriptionUrl(organization.Id)
         };
 
         await AddMessageContentAsync(message, "OrganizationSmSeatsMaxReached", model);
@@ -1118,8 +1118,8 @@ public class HandlebarsMailService : IMailService
         var message = CreateDefaultMessage($"{organization.DisplayName()} Secrets Manager Machine Accounts Limit Reached", ownerEmails);
         var model = new OrganizationServiceAccountsMaxReachedViewModel
         {
-            OrganizationId = organization.Id,
             MaxServiceAccountsCount = maxSeatCount,
+            VaultSubscriptionUrl = GetCloudVaultSubscriptionUrl(organization.Id)
         };
 
         await AddMessageContentAsync(message, "OrganizationSmServiceAccountsMaxReached", model);
@@ -1223,4 +1223,11 @@ public class HandlebarsMailService : IMailService
     {
         return string.IsNullOrEmpty(userName) ? email : CoreHelpers.SanitizeForEmail(userName, false);
     }
+
+    private string GetCloudVaultSubscriptionUrl(Guid organizationId)
+        => _globalSettings.BaseServiceUri.CloudRegion?.ToLower() switch
+        {
+            "eu" => $"https://vault.bitwarden.eu/#/organizations/{organizationId}/billing/subscription",
+            _ => $"https://vault.bitwarden.com/#/organizations/{organizationId}/billing/subscription"
+        };
 }

From 508bf2c9f846de1d184acd65d6dab1ccea19b9fc Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 18 Mar 2025 14:26:29 -0400
Subject: [PATCH 371/384] [deps] Vault: Update AngleSharp to 1.2.0 (#5220)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 src/Icons/Icons.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Icons/Icons.csproj b/src/Icons/Icons.csproj
index 1674e2f877..455c8b3155 100644
--- a/src/Icons/Icons.csproj
+++ b/src/Icons/Icons.csproj
@@ -7,7 +7,7 @@
 
   <PropertyGroup Condition=" '$(RunConfiguration)' == 'Icons' " />
   <ItemGroup>
-    <PackageReference Include="AngleSharp" Version="1.1.2" />
+    <PackageReference Include="AngleSharp" Version="1.2.0" />
   </ItemGroup>
 
   <ItemGroup>

From 7f0dd6d1c320bb9f8ec336cad11521ae98150fa0 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Tue, 18 Mar 2025 13:02:39 -0700
Subject: [PATCH 372/384] Update FROM directive in Dockerfile (#5522)

---
 util/Attachments/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/Attachments/Dockerfile b/util/Attachments/Dockerfile
index 2d99aa5911..37b23a1b95 100644
--- a/util/Attachments/Dockerfile
+++ b/util/Attachments/Dockerfile
@@ -1,4 +1,4 @@
-FROM bitwarden/server:latest
+FROM ghcr.io/bitwarden/server
 
 LABEL com.bitwarden.product="bitwarden"
 

From bb3ec6aca13b691120b052747f6b4198e639d97d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Wed, 19 Mar 2025 11:01:06 +0000
Subject: [PATCH 373/384] [PM-16888] Refactor OrganizationUser status update
 procedure to use a GuidIdArray parameter and remove JSON parsing logic
 (#5237)

* Refactor OrganizationUser status update procedure to use a GuidIdArray parameter and remove JSON parsing logic

* Fix OrganizationUser_SetStatusForUsersById procedure and bump script date

* Restore OrganizationUser_SetStatusForUsersById for possible server version rollback. Add new version with the name OrganizationUser_SetStatusForUsersByGuidIdArray

* Add migration script to add stored procedure OrganizationUser_SetStatusForUsersByGuidIdArray to update user status by GUID array
---
 .../Repositories/OrganizationUserRepository.cs    |  4 ++--
 ...izationUser_SetStatusForUsersByGuidIdArray.sql | 14 ++++++++++++++
 ...0_AddOrgUserSetStatusForUsersByGuidIdArray.sql | 15 +++++++++++++++
 3 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 src/Sql/dbo/Stored Procedures/OrganizationUser_SetStatusForUsersByGuidIdArray.sql
 create mode 100644 util/Migrator/DbScripts/2025-03-13-00_AddOrgUserSetStatusForUsersByGuidIdArray.sql

diff --git a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs
index 9b77fb216e..07b55aa44a 100644
--- a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs
+++ b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs
@@ -563,8 +563,8 @@ public class OrganizationUserRepository : Repository<OrganizationUser, Guid>, IO
         await using var connection = new SqlConnection(ConnectionString);
 
         await connection.ExecuteAsync(
-            "[dbo].[OrganizationUser_SetStatusForUsersById]",
-            new { OrganizationUserIds = JsonSerializer.Serialize(organizationUserIds), Status = OrganizationUserStatusType.Revoked },
+            "[dbo].[OrganizationUser_SetStatusForUsersByGuidIdArray]",
+            new { OrganizationUserIds = organizationUserIds.ToGuidIdArrayTVP(), Status = OrganizationUserStatusType.Revoked },
             commandType: CommandType.StoredProcedure);
     }
 
diff --git a/src/Sql/dbo/Stored Procedures/OrganizationUser_SetStatusForUsersByGuidIdArray.sql b/src/Sql/dbo/Stored Procedures/OrganizationUser_SetStatusForUsersByGuidIdArray.sql
new file mode 100644
index 0000000000..7843748d72
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/OrganizationUser_SetStatusForUsersByGuidIdArray.sql	
@@ -0,0 +1,14 @@
+CREATE PROCEDURE [dbo].[OrganizationUser_SetStatusForUsersByGuidIdArray]
+    @OrganizationUserIds AS [dbo].[GuidIdArray] READONLY,
+    @Status SMALLINT
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    UPDATE OU
+    SET OU.[Status] = @Status
+    FROM [dbo].[OrganizationUser] OU
+    INNER JOIN @OrganizationUserIds OUI ON OUI.[Id] = OU.[Id]
+
+    EXEC [dbo].[User_BumpAccountRevisionDateByOrganizationUserIds] @OrganizationUserIds
+END
diff --git a/util/Migrator/DbScripts/2025-03-13-00_AddOrgUserSetStatusForUsersByGuidIdArray.sql b/util/Migrator/DbScripts/2025-03-13-00_AddOrgUserSetStatusForUsersByGuidIdArray.sql
new file mode 100644
index 0000000000..e7c0477710
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-03-13-00_AddOrgUserSetStatusForUsersByGuidIdArray.sql
@@ -0,0 +1,15 @@
+CREATE OR ALTER PROCEDURE [dbo].[OrganizationUser_SetStatusForUsersByGuidIdArray]
+    @OrganizationUserIds AS [dbo].[GuidIdArray] READONLY,
+    @Status SMALLINT
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    UPDATE OU
+    SET OU.[Status] = @Status
+    FROM [dbo].[OrganizationUser] OU
+    INNER JOIN @OrganizationUserIds OUI ON OUI.[Id] = OU.[Id]
+
+    EXEC [dbo].[User_BumpAccountRevisionDateByOrganizationUserIds] @OrganizationUserIds
+END
+GO

From fc827ed2097ca601c8933760993ce602373c3789 Mon Sep 17 00:00:00 2001
From: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Date: Wed, 19 Mar 2025 13:49:02 -0400
Subject: [PATCH 374/384] feat(set password) [PM-17647] Add set/change password
 feature flags

* Added flag values

* Added flag values

* Removed extra space

* Linting
---
 src/Core/Constants.cs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index e09422871d..fb3757daab 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -177,6 +177,8 @@ public static class FeatureFlagKeys
     public const string PM12276Breadcrumbing = "pm-12276-breadcrumbing-for-business-features";
     public const string PM18794_ProviderPaymentMethod = "pm-18794-provider-payment-method";
     public const string PM3553_MobileSimpleLoginSelfHostAlias = "simple-login-self-host-alias";
+    public const string SetInitialPasswordRefactor = "pm-16117-set-initial-password-refactor";
+    public const string ChangeExistingPasswordRefactor = "pm-16117-change-existing-password-refactor";
 
     public static List<string> GetAllKeys()
     {

From 21717ec71eb59057f3ac71dcce4c467f17d92bbc Mon Sep 17 00:00:00 2001
From: Jordan Aasen <166539328+jaasen-livefront@users.noreply.github.com>
Date: Wed, 19 Mar 2025 11:13:38 -0700
Subject: [PATCH 375/384] [PM-17733] - [Privilege Escalation] - Unauthorised
 access allows limited access user to change password of Items (#5452)

* prevent view-only users from updating passwords

* revert change to licensing service

* add tests

* check if organizationId is there

* move logic to private method

* move logic to private method

* move logic into method

* revert change to licensing service

* throw exception when cipher key is created by hidden password users

* fix tests

* don't allow totp or passkeys changes from hidden password users

* add tests

* revert change to licensing service
---
 .../Services/Implementations/CipherService.cs |  36 ++-
 .../Vault/Services/CipherServiceTests.cs      | 232 +++++++++++++++++-
 2 files changed, 266 insertions(+), 2 deletions(-)

diff --git a/src/Core/Vault/Services/Implementations/CipherService.cs b/src/Core/Vault/Services/Implementations/CipherService.cs
index 90c03df90b..a315528e59 100644
--- a/src/Core/Vault/Services/Implementations/CipherService.cs
+++ b/src/Core/Vault/Services/Implementations/CipherService.cs
@@ -13,7 +13,9 @@ using Bit.Core.Tools.Models.Business;
 using Bit.Core.Tools.Services;
 using Bit.Core.Utilities;
 using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Enums;
 using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Queries;
 using Bit.Core.Vault.Repositories;
 
 namespace Bit.Core.Vault.Services;
@@ -38,6 +40,7 @@ public class CipherService : ICipherService
     private const long _fileSizeLeeway = 1024L * 1024L; // 1MB
     private readonly IReferenceEventService _referenceEventService;
     private readonly ICurrentContext _currentContext;
+    private readonly IGetCipherPermissionsForUserQuery _getCipherPermissionsForUserQuery;
 
     public CipherService(
         ICipherRepository cipherRepository,
@@ -54,7 +57,8 @@ public class CipherService : ICipherService
         IPolicyService policyService,
         GlobalSettings globalSettings,
         IReferenceEventService referenceEventService,
-        ICurrentContext currentContext)
+        ICurrentContext currentContext,
+        IGetCipherPermissionsForUserQuery getCipherPermissionsForUserQuery)
     {
         _cipherRepository = cipherRepository;
         _folderRepository = folderRepository;
@@ -71,6 +75,7 @@ public class CipherService : ICipherService
         _globalSettings = globalSettings;
         _referenceEventService = referenceEventService;
         _currentContext = currentContext;
+        _getCipherPermissionsForUserQuery = getCipherPermissionsForUserQuery;
     }
 
     public async Task SaveAsync(Cipher cipher, Guid savingUserId, DateTime? lastKnownRevisionDate,
@@ -161,6 +166,7 @@ public class CipherService : ICipherService
         {
             ValidateCipherLastKnownRevisionDateAsync(cipher, lastKnownRevisionDate);
             cipher.RevisionDate = DateTime.UtcNow;
+            await ValidateViewPasswordUserAsync(cipher);
             await _cipherRepository.ReplaceAsync(cipher);
             await _eventService.LogCipherEventAsync(cipher, Bit.Core.Enums.EventType.Cipher_Updated);
 
@@ -966,4 +972,32 @@ public class CipherService : ICipherService
 
         ValidateCipherLastKnownRevisionDateAsync(cipher, lastKnownRevisionDate);
     }
+
+    private async Task ValidateViewPasswordUserAsync(Cipher cipher)
+    {
+        if (cipher.Type != CipherType.Login || cipher.Data == null || !cipher.OrganizationId.HasValue)
+        {
+            return;
+        }
+        var existingCipher = await _cipherRepository.GetByIdAsync(cipher.Id);
+        if (existingCipher == null) return;
+
+        var cipherPermissions = await _getCipherPermissionsForUserQuery.GetByOrganization(cipher.OrganizationId.Value);
+        // Check if user is a "hidden password" user
+        if (!cipherPermissions.TryGetValue(cipher.Id, out var permission) || !(permission.ViewPassword && permission.Edit))
+        {
+            // "hidden password" users may not add cipher key encryption
+            if (existingCipher.Key == null && cipher.Key != null)
+            {
+                throw new BadRequestException("You do not have permission to add cipher key encryption.");
+            }
+            // "hidden password" users may not change passwords, TOTP codes, or passkeys, so we need to set them back to the original values
+            var existingCipherData = JsonSerializer.Deserialize<CipherLoginData>(existingCipher.Data);
+            var newCipherData = JsonSerializer.Deserialize<CipherLoginData>(cipher.Data);
+            newCipherData.Fido2Credentials = existingCipherData.Fido2Credentials;
+            newCipherData.Totp = existingCipherData.Totp;
+            newCipherData.Password = existingCipherData.Password;
+            cipher.Data = JsonSerializer.Serialize(newCipherData);
+        }
+    }
 }
diff --git a/test/Core.Test/Vault/Services/CipherServiceTests.cs b/test/Core.Test/Vault/Services/CipherServiceTests.cs
index 1803c980c2..3ef29146c2 100644
--- a/test/Core.Test/Vault/Services/CipherServiceTests.cs
+++ b/test/Core.Test/Vault/Services/CipherServiceTests.cs
@@ -1,4 +1,5 @@
-using Bit.Core.AdminConsole.Entities;
+using System.Text.Json;
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -9,7 +10,9 @@ using Bit.Core.Services;
 using Bit.Core.Test.AutoFixture.CipherFixtures;
 using Bit.Core.Utilities;
 using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Enums;
 using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Queries;
 using Bit.Core.Vault.Repositories;
 using Bit.Core.Vault.Services;
 using Bit.Test.Common.AutoFixture;
@@ -797,6 +800,233 @@ public class CipherServiceTests
             Arg.Is<IEnumerable<Cipher>>(arg => !arg.Except(ciphers).Any()));
     }
 
+    private class SaveDetailsAsyncDependencies
+    {
+        public CipherDetails CipherDetails { get; set; }
+        public SutProvider<CipherService> SutProvider { get; set; }
+    }
+
+    private static SaveDetailsAsyncDependencies GetSaveDetailsAsyncDependencies(
+        SutProvider<CipherService> sutProvider,
+        string newPassword,
+        bool viewPassword,
+        bool editPermission,
+        string? key = null,
+        string? totp = null,
+        CipherLoginFido2CredentialData[]? passkeys = null
+        )
+    {
+        var cipherDetails = new CipherDetails
+        {
+            Id = Guid.NewGuid(),
+            OrganizationId = Guid.NewGuid(),
+            Type = CipherType.Login,
+            UserId = Guid.NewGuid(),
+            RevisionDate = DateTime.UtcNow,
+            Key = key,
+        };
+
+        var newLoginData = new CipherLoginData { Username = "user", Password = newPassword, Totp = totp, Fido2Credentials = passkeys };
+        cipherDetails.Data = JsonSerializer.Serialize(newLoginData);
+
+        var existingCipher = new Cipher
+        {
+            Id = cipherDetails.Id,
+            Data = JsonSerializer.Serialize(
+                new CipherLoginData
+                {
+                    Username = "user",
+                    Password = "OriginalPassword",
+                    Totp = "OriginalTotp",
+                    Fido2Credentials = []
+                }
+            ),
+        };
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetByIdAsync(cipherDetails.Id)
+            .Returns(existingCipher);
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .ReplaceAsync(Arg.Any<CipherDetails>())
+            .Returns(Task.CompletedTask);
+
+        var permissions = new Dictionary<Guid, OrganizationCipherPermission>
+        {
+            { cipherDetails.Id, new OrganizationCipherPermission { ViewPassword = viewPassword, Edit = editPermission } }
+        };
+
+        sutProvider.GetDependency<IGetCipherPermissionsForUserQuery>()
+            .GetByOrganization(cipherDetails.OrganizationId.Value)
+            .Returns(permissions);
+
+        return new SaveDetailsAsyncDependencies
+        {
+            CipherDetails = cipherDetails,
+            SutProvider = sutProvider,
+        };
+    }
+
+    [Theory, BitAutoData]
+    public async Task SaveDetailsAsync_PasswordNotChangedWithoutViewPasswordPermission(string _, SutProvider<CipherService> sutProvider)
+    {
+        var deps = GetSaveDetailsAsyncDependencies(sutProvider, "NewPassword", viewPassword: false, editPermission: true);
+
+        await deps.SutProvider.Sut.SaveDetailsAsync(
+            deps.CipherDetails,
+            deps.CipherDetails.UserId.Value,
+            deps.CipherDetails.RevisionDate,
+            null,
+            true);
+
+        var updatedLoginData = JsonSerializer.Deserialize<CipherLoginData>(deps.CipherDetails.Data);
+        Assert.Equal("OriginalPassword", updatedLoginData.Password);
+    }
+
+    [Theory, BitAutoData]
+    public async Task SaveDetailsAsync_PasswordNotChangedWithoutEditPermission(string _, SutProvider<CipherService> sutProvider)
+    {
+        var deps = GetSaveDetailsAsyncDependencies(sutProvider, "NewPassword", viewPassword: true, editPermission: false);
+
+        await deps.SutProvider.Sut.SaveDetailsAsync(
+            deps.CipherDetails,
+            deps.CipherDetails.UserId.Value,
+            deps.CipherDetails.RevisionDate,
+            null,
+            true);
+
+        var updatedLoginData = JsonSerializer.Deserialize<CipherLoginData>(deps.CipherDetails.Data);
+        Assert.Equal("OriginalPassword", updatedLoginData.Password);
+    }
+
+    [Theory, BitAutoData]
+    public async Task SaveDetailsAsync_PasswordChangedWithPermission(string _, SutProvider<CipherService> sutProvider)
+    {
+        var deps = GetSaveDetailsAsyncDependencies(sutProvider, "NewPassword", viewPassword: true, editPermission: true);
+
+        await deps.SutProvider.Sut.SaveDetailsAsync(
+            deps.CipherDetails,
+            deps.CipherDetails.UserId.Value,
+            deps.CipherDetails.RevisionDate,
+            null,
+            true);
+
+        var updatedLoginData = JsonSerializer.Deserialize<CipherLoginData>(deps.CipherDetails.Data);
+        Assert.Equal("NewPassword", updatedLoginData.Password);
+    }
+
+    [Theory, BitAutoData]
+    public async Task SaveDetailsAsync_CipherKeyChangedWithPermission(string _, SutProvider<CipherService> sutProvider)
+    {
+        var deps = GetSaveDetailsAsyncDependencies(sutProvider, "NewPassword", viewPassword: true, editPermission: true, "NewKey");
+
+        await deps.SutProvider.Sut.SaveDetailsAsync(
+            deps.CipherDetails,
+            deps.CipherDetails.UserId.Value,
+            deps.CipherDetails.RevisionDate,
+            null,
+            true);
+
+        Assert.Equal("NewKey", deps.CipherDetails.Key);
+    }
+
+    [Theory, BitAutoData]
+    public async Task SaveDetailsAsync_CipherKeyChangedWithoutPermission(string _, SutProvider<CipherService> sutProvider)
+    {
+        var deps = GetSaveDetailsAsyncDependencies(sutProvider, "NewPassword", viewPassword: true, editPermission: false, "NewKey");
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() => deps.SutProvider.Sut.SaveDetailsAsync(
+            deps.CipherDetails,
+            deps.CipherDetails.UserId.Value,
+            deps.CipherDetails.RevisionDate,
+            null,
+            true));
+
+        Assert.Contains("do not have permission", exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task SaveDetailsAsync_TotpChangedWithoutPermission(string _, SutProvider<CipherService> sutProvider)
+    {
+        var deps = GetSaveDetailsAsyncDependencies(sutProvider, "NewPassword", viewPassword: true, editPermission: false, totp: "NewTotp");
+
+        await deps.SutProvider.Sut.SaveDetailsAsync(
+            deps.CipherDetails,
+            deps.CipherDetails.UserId.Value,
+            deps.CipherDetails.RevisionDate,
+            null,
+            true);
+
+        var updatedLoginData = JsonSerializer.Deserialize<CipherLoginData>(deps.CipherDetails.Data);
+        Assert.Equal("OriginalTotp", updatedLoginData.Totp);
+    }
+
+    [Theory, BitAutoData]
+    public async Task SaveDetailsAsync_TotpChangedWithPermission(string _, SutProvider<CipherService> sutProvider)
+    {
+        var deps = GetSaveDetailsAsyncDependencies(sutProvider, "NewPassword", viewPassword: true, editPermission: true, totp: "NewTotp");
+
+        await deps.SutProvider.Sut.SaveDetailsAsync(
+            deps.CipherDetails,
+            deps.CipherDetails.UserId.Value,
+            deps.CipherDetails.RevisionDate,
+            null,
+            true);
+
+        var updatedLoginData = JsonSerializer.Deserialize<CipherLoginData>(deps.CipherDetails.Data);
+        Assert.Equal("NewTotp", updatedLoginData.Totp);
+    }
+
+    [Theory, BitAutoData]
+    public async Task SaveDetailsAsync_Fido2CredentialsChangedWithoutPermission(string _, SutProvider<CipherService> sutProvider)
+    {
+        var passkeys = new[]
+        {
+            new CipherLoginFido2CredentialData
+            {
+                CredentialId = "CredentialId",
+                UserHandle = "UserHandle",
+            }
+        };
+
+        var deps = GetSaveDetailsAsyncDependencies(sutProvider, "NewPassword", viewPassword: true, editPermission: false, passkeys: passkeys);
+
+        await deps.SutProvider.Sut.SaveDetailsAsync(
+            deps.CipherDetails,
+            deps.CipherDetails.UserId.Value,
+            deps.CipherDetails.RevisionDate,
+            null,
+            true);
+
+        var updatedLoginData = JsonSerializer.Deserialize<CipherLoginData>(deps.CipherDetails.Data);
+        Assert.Empty(updatedLoginData.Fido2Credentials);
+    }
+
+    [Theory, BitAutoData]
+    public async Task SaveDetailsAsync_Fido2CredentialsChangedWithPermission(string _, SutProvider<CipherService> sutProvider)
+    {
+        var passkeys = new[]
+        {
+            new CipherLoginFido2CredentialData
+            {
+                CredentialId = "CredentialId",
+                UserHandle = "UserHandle",
+            }
+        };
+
+        var deps = GetSaveDetailsAsyncDependencies(sutProvider, "NewPassword", viewPassword: true, editPermission: true, passkeys: passkeys);
+
+        await deps.SutProvider.Sut.SaveDetailsAsync(
+            deps.CipherDetails,
+            deps.CipherDetails.UserId.Value,
+            deps.CipherDetails.RevisionDate,
+            null,
+            true);
+
+        var updatedLoginData = JsonSerializer.Deserialize<CipherLoginData>(deps.CipherDetails.Data);
+        Assert.Equal(passkeys.Length, updatedLoginData.Fido2Credentials.Length);
+    }
+
     [Theory]
     [BitAutoData]
     public async Task DeleteAsync_WithPersonalCipherOwner_DeletesCipher(

From 481df89cf0991c02dc9ddd194de83c92cf72db14 Mon Sep 17 00:00:00 2001
From: Jason Ng <jcory.ng@gmail.com>
Date: Wed, 19 Mar 2025 14:24:12 -0400
Subject: [PATCH 376/384] [PM-19342] Onboarding Nudges Feature Flag (#5530)

---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index fb3757daab..970bcb4082 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -118,6 +118,7 @@ public static class FeatureFlagKeys
     public const string ExportAttachments = "export-attachments";
 
     /* Vault Team */
+    public const string PM8851_BrowserOnboardingNudge = "pm-8851-browser-onboarding-nudge";
     public const string PM9111ExtensionPersistAddEditForm = "pm-9111-extension-persist-add-edit-form";
     public const string NewDeviceVerificationPermanentDismiss = "new-device-permanent-dismiss";
     public const string NewDeviceVerificationTemporaryDismiss = "new-device-temporary-dismiss";

From 3422f4cd5033c751a0479ed91e5b15820dfdd997 Mon Sep 17 00:00:00 2001
From: Nick Krantz <125900171+nick-livefront@users.noreply.github.com>
Date: Wed, 19 Mar 2025 13:55:30 -0500
Subject: [PATCH 377/384] [PM-18971] Special Characters in Org Names (#5514)

* sanitize organization name for email to avoid encoding

* fix spelling mistake in variable name
---
 src/Core/Services/IMailService.cs                        | 2 +-
 .../Services/Implementations/HandlebarsMailService.cs    | 9 +++++----
 src/Core/Services/NoopImplementations/NoopMailService.cs | 2 +-
 .../Vault/Commands/CreateManyTaskNotificationsCommand.cs | 2 +-
 4 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/Core/Services/IMailService.cs b/src/Core/Services/IMailService.cs
index b0b884eb3e..04b302bad9 100644
--- a/src/Core/Services/IMailService.cs
+++ b/src/Core/Services/IMailService.cs
@@ -99,5 +99,5 @@ public interface IMailService
         string organizationName);
     Task SendClaimedDomainUserEmailAsync(ManagedUserDomainClaimedEmails emailList);
     Task SendDeviceApprovalRequestedNotificationEmailAsync(IEnumerable<string> adminEmails, Guid organizationId, string email, string userName);
-    Task SendBulkSecurityTaskNotificationsAsync(string orgName, IEnumerable<UserSecurityTasksCount> securityTaskNotificaitons);
+    Task SendBulkSecurityTaskNotificationsAsync(Organization org, IEnumerable<UserSecurityTasksCount> securityTaskNotifications);
 }
diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs
index d96f69b0a6..588365f8c9 100644
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@@ -1201,21 +1201,22 @@ public class HandlebarsMailService : IMailService
         await _mailDeliveryService.SendEmailAsync(message);
     }
 
-    public async Task SendBulkSecurityTaskNotificationsAsync(string orgName, IEnumerable<UserSecurityTasksCount> securityTaskNotificaitons)
+    public async Task SendBulkSecurityTaskNotificationsAsync(Organization org, IEnumerable<UserSecurityTasksCount> securityTaskNotifications)
     {
         MailQueueMessage CreateMessage(UserSecurityTasksCount notification)
         {
-            var message = CreateDefaultMessage($"{orgName} has identified {notification.TaskCount} at-risk password{(notification.TaskCount.Equals(1) ? "" : "s")}", notification.Email);
+            var sanitizedOrgName = CoreHelpers.SanitizeForEmail(org.DisplayName(), false);
+            var message = CreateDefaultMessage($"{sanitizedOrgName} has identified {notification.TaskCount} at-risk password{(notification.TaskCount.Equals(1) ? "" : "s")}", notification.Email);
             var model = new SecurityTaskNotificationViewModel
             {
-                OrgName = orgName,
+                OrgName = CoreHelpers.SanitizeForEmail(sanitizedOrgName, false),
                 TaskCount = notification.TaskCount,
                 WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
             };
             message.Category = "SecurityTasksNotification";
             return new MailQueueMessage(message, "SecurityTasksNotification", model);
         }
-        var messageModels = securityTaskNotificaitons.Select(CreateMessage);
+        var messageModels = securityTaskNotifications.Select(CreateMessage);
         await EnqueueMailAsync(messageModels.ToList());
     }
 
diff --git a/src/Core/Services/NoopImplementations/NoopMailService.cs b/src/Core/Services/NoopImplementations/NoopMailService.cs
index 5fba545903..776dd07f19 100644
--- a/src/Core/Services/NoopImplementations/NoopMailService.cs
+++ b/src/Core/Services/NoopImplementations/NoopMailService.cs
@@ -324,7 +324,7 @@ public class NoopMailService : IMailService
         return Task.FromResult(0);
     }
 
-    public Task SendBulkSecurityTaskNotificationsAsync(string orgName, IEnumerable<UserSecurityTasksCount> securityTaskNotificaitons)
+    public Task SendBulkSecurityTaskNotificationsAsync(Organization org, IEnumerable<UserSecurityTasksCount> securityTaskNotifications)
     {
         return Task.FromResult(0);
     }
diff --git a/src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs b/src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs
index 58b5f65e0f..f939816301 100644
--- a/src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs
+++ b/src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs
@@ -46,7 +46,7 @@ public class CreateManyTaskNotificationsCommand : ICreateManyTaskNotificationsCo
 
         var organization = await _organizationRepository.GetByIdAsync(orgId);
 
-        await _mailService.SendBulkSecurityTaskNotificationsAsync(organization.Name, userTaskCount);
+        await _mailService.SendBulkSecurityTaskNotificationsAsync(organization, userTaskCount);
 
         // Break securityTaskCiphers into separate lists by user Id
         var securityTaskCiphersByUser = securityTaskCiphers.GroupBy(x => x.UserId)

From db3151160a06daf0dac896d061e4dca2b982682c Mon Sep 17 00:00:00 2001
From: Patrick-Pimentel-Bitwarden <ppimentel@bitwarden.com>
Date: Wed, 19 Mar 2025 15:27:51 -0400
Subject: [PATCH 378/384] fix(device-approval-persistence): [PM-9112] Device
 Approval Persistence - Added feature flag. (#5495)

---
 src/Core/Constants.cs | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 970bcb4082..0ae9f1d8d7 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -126,6 +126,9 @@ public static class FeatureFlagKeys
     public const string RestrictProviderAccess = "restrict-provider-access";
     public const string SecurityTasks = "security-tasks";
 
+    /* Auth Team */
+    public const string PM9112DeviceApprovalPersistence = "pm-9112-device-approval-persistence";
+
     public const string ReturnErrorOnExistingKeypair = "return-error-on-existing-keypair";
     public const string UseTreeWalkerApiForPageDetailsCollection = "use-tree-walker-api-for-page-details-collection";
     public const string DuoRedirect = "duo-redirect";

From f6cc140fded360256429b24a378cbcd969e7d50a Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Thu, 20 Mar 2025 09:12:39 -0500
Subject: [PATCH 379/384] Switched from .Any to Count. Remove unreachable code.
 (#5519)

---
 src/Api/Vault/Controllers/CiphersController.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Api/Vault/Controllers/CiphersController.cs b/src/Api/Vault/Controllers/CiphersController.cs
index 62f07005ee..daaf8a03fb 100644
--- a/src/Api/Vault/Controllers/CiphersController.cs
+++ b/src/Api/Vault/Controllers/CiphersController.cs
@@ -127,9 +127,9 @@ public class CiphersController : Controller
     public async Task<ListResponseModel<CipherDetailsResponseModel>> Get()
     {
         var user = await _userService.GetUserByPrincipalAsync(User);
-        var hasOrgs = _currentContext.Organizations?.Any() ?? false;
+        var hasOrgs = _currentContext.Organizations.Count != 0;
         // TODO: Use hasOrgs proper for cipher listing here?
-        var ciphers = await _cipherRepository.GetManyByUserIdAsync(user.Id, withOrganizations: true || hasOrgs);
+        var ciphers = await _cipherRepository.GetManyByUserIdAsync(user.Id, withOrganizations: true);
         Dictionary<Guid, IGrouping<Guid, CollectionCipher>> collectionCiphersGroupDict = null;
         if (hasOrgs)
         {

From bb674b8990499f0c6680fb5efb009c9316a99218 Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Thu, 20 Mar 2025 17:14:35 +0000
Subject: [PATCH 380/384] Bumped version to 2025.3.1

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index a994b2196e..082f85906d 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.3.0</Version>
+    <Version>2025.3.1</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

From 2d02ad3f61b939d08bc901e510007d8ed9ce2fe1 Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Thu, 20 Mar 2025 17:30:55 +0000
Subject: [PATCH 381/384] Bumped version to 2025.3.2

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 082f85906d..cbe9786d65 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.3.1</Version>
+    <Version>2025.3.2</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

From 948d8f707d7d98506b6f87f4157721e8b2838c22 Mon Sep 17 00:00:00 2001
From: Nick Krantz <125900171+nick-livefront@users.noreply.github.com>
Date: Thu, 20 Mar 2025 14:41:58 -0500
Subject: [PATCH 382/384] [PM-18858] Security Task email bugs (#5536)

* make "Review at-risk passwords" bold

* add owner and admin email address to the bottom of the security notification email

* fix plurality of text email
---
 .../SecurityTasksNotification.html.hbs        | 11 ++++-
 .../SecurityTasksNotification.text.hbs        |  9 ++++
 .../Mail/SecurityTaskNotificationViewModel.cs |  2 +
 src/Core/Services/IMailService.cs             |  2 +-
 .../Implementations/HandlebarsMailService.cs  | 42 ++++++++++++++++++-
 .../NoopImplementations/NoopMailService.cs    |  2 +-
 .../CreateManyTaskNotificationsCommand.cs     | 10 ++++-
 7 files changed, 71 insertions(+), 7 deletions(-)

diff --git a/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.html.hbs b/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.html.hbs
index 039806f44b..ca015e3e83 100644
--- a/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.html.hbs
+++ b/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.html.hbs
@@ -15,14 +15,21 @@
   </tr>
 </table>
 <table width="100%" border="0" cellpadding="0" cellspacing="0"
-  style="display: table; width:100%; padding-bottom: 35px; text-align: center;" align="center">
+  style="display: table; width:100%; padding-bottom: 24px; text-align: center;" align="center">
   <tr>
     <td display="display: table-cell">
       <a href="{{ReviewPasswordsUrl}}" clicktracking=off target="_blank"
-        style="display: inline-block; color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; border-radius: 999px; background-color: #175DDC; border-color: #175DDC; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+        style="display: inline-block; font-weight: bold; color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; border-radius: 999px; background-color: #175DDC; border-color: #175DDC; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
         Review at-risk passwords
       </a>
     </td>
   </tr>
+<table width="100%" border="0" cellpadding="0" cellspacing="0"
+  style="display: table; width:100%; padding-bottom: 24px; text-align: center;" align="center">
+  <tr>
+    <td display="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 400; font-size: 12px; line-height: 16px;">
+      {{formatAdminOwnerEmails AdminOwnerEmails}}
+    </td>
+  </tr>
 </table>
 {{/SecurityTasksHtmlLayout}}
diff --git a/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.text.hbs b/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.text.hbs
index ba8650ad10..f5493e4503 100644
--- a/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.text.hbs
+++ b/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.text.hbs
@@ -5,4 +5,13 @@ breach.
 Launch the Bitwarden extension to review your at-risk passwords.
 
 Review at-risk passwords ({{{ReviewPasswordsUrl}}})
+
+{{#if (eq (length AdminOwnerEmails) 1)}}
+This request was initiated by {{AdminOwnerEmails.[0]}}.
+{{else}}
+This request was initiated by
+{{#each AdminOwnerEmails}}
+  {{#if @last}}and {{/if}}{{this}}{{#unless @last}}, {{/unless}}
+{{/each}}.
+{{/if}}
 {{/SecurityTasksHtmlLayout}}
diff --git a/src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs b/src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs
index 7f93ac2439..8871a53424 100644
--- a/src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs
+++ b/src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs
@@ -8,5 +8,7 @@ public class SecurityTaskNotificationViewModel : BaseMailModel
 
     public bool TaskCountPlural => TaskCount != 1;
 
+    public IEnumerable<string> AdminOwnerEmails { get; set; }
+
     public string ReviewPasswordsUrl => $"{WebVaultUrl}/browser-extension-prompt";
 }
diff --git a/src/Core/Services/IMailService.cs b/src/Core/Services/IMailService.cs
index 04b302bad9..e61127c57a 100644
--- a/src/Core/Services/IMailService.cs
+++ b/src/Core/Services/IMailService.cs
@@ -99,5 +99,5 @@ public interface IMailService
         string organizationName);
     Task SendClaimedDomainUserEmailAsync(ManagedUserDomainClaimedEmails emailList);
     Task SendDeviceApprovalRequestedNotificationEmailAsync(IEnumerable<string> adminEmails, Guid organizationId, string email, string userName);
-    Task SendBulkSecurityTaskNotificationsAsync(Organization org, IEnumerable<UserSecurityTasksCount> securityTaskNotifications);
+    Task SendBulkSecurityTaskNotificationsAsync(Organization org, IEnumerable<UserSecurityTasksCount> securityTaskNotifications, IEnumerable<string> adminOwnerEmails);
 }
diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs
index 588365f8c9..edb99809f7 100644
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@@ -740,6 +740,45 @@ public class HandlebarsMailService : IMailService
             var clickTrackingText = (clickTrackingOff ? "clicktracking=off" : string.Empty);
             writer.WriteSafeString($"<a href=\"{href}\" target=\"_blank\" {clickTrackingText}>{text}</a>");
         });
+
+        // Construct markup for admin and owner email addresses.
+        // Using conditionals within the handlebar syntax was including extra spaces around
+        // concatenated strings, which this helper avoids.
+        Handlebars.RegisterHelper("formatAdminOwnerEmails", (writer, context, parameters) =>
+        {
+            if (parameters.Length == 0)
+            {
+                writer.WriteSafeString(string.Empty);
+                return;
+            }
+
+            var emailList = ((IEnumerable<string>)parameters[0]).ToList();
+            if (emailList.Count == 0)
+            {
+                writer.WriteSafeString(string.Empty);
+                return;
+            }
+
+            string constructAnchorElement(string email)
+            {
+                return $"<a style=\"color: #175DDC\" href=\"mailto:{email}\">{email}</a>";
+            }
+
+            var outputMessage = "This request was initiated by ";
+
+            if (emailList.Count == 1)
+            {
+                outputMessage += $"{constructAnchorElement(emailList[0])}.";
+            }
+            else
+            {
+                outputMessage += string.Join(", ", emailList.Take(emailList.Count - 1)
+                    .Select(email => constructAnchorElement(email)));
+                outputMessage += $", and {constructAnchorElement(emailList.Last())}.";
+            }
+
+            writer.WriteSafeString($"{outputMessage}");
+        });
     }
 
     public async Task SendEmergencyAccessInviteEmailAsync(EmergencyAccess emergencyAccess, string name, string token)
@@ -1201,7 +1240,7 @@ public class HandlebarsMailService : IMailService
         await _mailDeliveryService.SendEmailAsync(message);
     }
 
-    public async Task SendBulkSecurityTaskNotificationsAsync(Organization org, IEnumerable<UserSecurityTasksCount> securityTaskNotifications)
+    public async Task SendBulkSecurityTaskNotificationsAsync(Organization org, IEnumerable<UserSecurityTasksCount> securityTaskNotifications, IEnumerable<string> adminOwnerEmails)
     {
         MailQueueMessage CreateMessage(UserSecurityTasksCount notification)
         {
@@ -1211,6 +1250,7 @@ public class HandlebarsMailService : IMailService
             {
                 OrgName = CoreHelpers.SanitizeForEmail(sanitizedOrgName, false),
                 TaskCount = notification.TaskCount,
+                AdminOwnerEmails = adminOwnerEmails,
                 WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
             };
             message.Category = "SecurityTasksNotification";
diff --git a/src/Core/Services/NoopImplementations/NoopMailService.cs b/src/Core/Services/NoopImplementations/NoopMailService.cs
index 776dd07f19..d829fbbacb 100644
--- a/src/Core/Services/NoopImplementations/NoopMailService.cs
+++ b/src/Core/Services/NoopImplementations/NoopMailService.cs
@@ -324,7 +324,7 @@ public class NoopMailService : IMailService
         return Task.FromResult(0);
     }
 
-    public Task SendBulkSecurityTaskNotificationsAsync(Organization org, IEnumerable<UserSecurityTasksCount> securityTaskNotifications)
+    public Task SendBulkSecurityTaskNotificationsAsync(Organization org, IEnumerable<UserSecurityTasksCount> securityTaskNotifications, IEnumerable<string> adminOwnerEmails)
     {
         return Task.FromResult(0);
     }
diff --git a/src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs b/src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs
index f939816301..a335b059a4 100644
--- a/src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs
+++ b/src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs
@@ -17,19 +17,22 @@ public class CreateManyTaskNotificationsCommand : ICreateManyTaskNotificationsCo
     private readonly IMailService _mailService;
     private readonly ICreateNotificationCommand _createNotificationCommand;
     private readonly IPushNotificationService _pushNotificationService;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
 
     public CreateManyTaskNotificationsCommand(
         IGetSecurityTasksNotificationDetailsQuery getSecurityTasksNotificationDetailsQuery,
         IOrganizationRepository organizationRepository,
         IMailService mailService,
         ICreateNotificationCommand createNotificationCommand,
-        IPushNotificationService pushNotificationService)
+        IPushNotificationService pushNotificationService,
+        IOrganizationUserRepository organizationUserRepository)
     {
         _getSecurityTasksNotificationDetailsQuery = getSecurityTasksNotificationDetailsQuery;
         _organizationRepository = organizationRepository;
         _mailService = mailService;
         _createNotificationCommand = createNotificationCommand;
         _pushNotificationService = pushNotificationService;
+        _organizationUserRepository = organizationUserRepository;
     }
 
     public async Task CreateAsync(Guid orgId, IEnumerable<SecurityTask> securityTasks)
@@ -45,8 +48,11 @@ public class CreateManyTaskNotificationsCommand : ICreateManyTaskNotificationsCo
         }).ToList();
 
         var organization = await _organizationRepository.GetByIdAsync(orgId);
+        var orgAdminEmails = await _organizationUserRepository.GetManyDetailsByRoleAsync(orgId, OrganizationUserType.Admin);
+        var orgOwnerEmails = await _organizationUserRepository.GetManyDetailsByRoleAsync(orgId, OrganizationUserType.Owner);
+        var orgAdminAndOwnerEmails = orgAdminEmails.Concat(orgOwnerEmails).Select(x => x.Email).Distinct().ToList();
 
-        await _mailService.SendBulkSecurityTaskNotificationsAsync(organization, userTaskCount);
+        await _mailService.SendBulkSecurityTaskNotificationsAsync(organization, userTaskCount, orgAdminAndOwnerEmails);
 
         // Break securityTaskCiphers into separate lists by user Id
         var securityTaskCiphersByUser = securityTaskCiphers.GroupBy(x => x.UserId)

From 5d549402c713f179781c9680952ac95186055934 Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Fri, 21 Mar 2025 10:15:22 +0000
Subject: [PATCH 383/384] Bumped version to 2025.3.3

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index cbe9786d65..2ede6ad8d1 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.3.2</Version>
+    <Version>2025.3.3</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

From c7c6528faaa2fb6f20b9e3e9186404405986abe0 Mon Sep 17 00:00:00 2001
From: Brandon Treston <btreston@bitwarden.com>
Date: Fri, 21 Mar 2025 10:07:55 -0400
Subject: [PATCH 384/384] Ac/pm 18240 implement policy requirement for reset
 password policy (#5521)

* wip

* fix test

* fix test

* refactor

* fix factory method and tests

* cleanup

* refactor

* update copy

* cleanup
---
 .../OrganizationUsersController.cs            | 11 ++-
 .../Controllers/OrganizationsController.cs    | 15 ++-
 .../ResetPasswordPolicyRequirement.cs         | 46 ++++++++++
 .../PolicyServiceCollectionExtensions.cs      |  1 +
 .../Implementations/OrganizationService.cs    | 29 ++++--
 .../OrganizationUsersControllerTests.cs       | 91 +++++++++++++++++++
 .../OrganizationsControllerTests.cs           | 57 ++++++++++++
 ...etPasswordPolicyRequirementFactoryTests.cs | 37 ++++++++
 8 files changed, 277 insertions(+), 10 deletions(-)
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirement.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirementFactoryTests.cs

diff --git a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
index 5a73e57204..cc7f2314fd 100644
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@@ -8,6 +8,8 @@ using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Enums;
@@ -55,6 +57,7 @@ public class OrganizationUsersController : Controller
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
     private readonly IDeleteManagedOrganizationUserAccountCommand _deleteManagedOrganizationUserAccountCommand;
     private readonly IGetOrganizationUsersManagementStatusQuery _getOrganizationUsersManagementStatusQuery;
+    private readonly IPolicyRequirementQuery _policyRequirementQuery;
     private readonly IFeatureService _featureService;
     private readonly IPricingClient _pricingClient;
 
@@ -79,6 +82,7 @@ public class OrganizationUsersController : Controller
         IRemoveOrganizationUserCommand removeOrganizationUserCommand,
         IDeleteManagedOrganizationUserAccountCommand deleteManagedOrganizationUserAccountCommand,
         IGetOrganizationUsersManagementStatusQuery getOrganizationUsersManagementStatusQuery,
+        IPolicyRequirementQuery policyRequirementQuery,
         IFeatureService featureService,
         IPricingClient pricingClient)
     {
@@ -102,6 +106,7 @@ public class OrganizationUsersController : Controller
         _removeOrganizationUserCommand = removeOrganizationUserCommand;
         _deleteManagedOrganizationUserAccountCommand = deleteManagedOrganizationUserAccountCommand;
         _getOrganizationUsersManagementStatusQuery = getOrganizationUsersManagementStatusQuery;
+        _policyRequirementQuery = policyRequirementQuery;
         _featureService = featureService;
         _pricingClient = pricingClient;
     }
@@ -315,11 +320,13 @@ public class OrganizationUsersController : Controller
             throw new UnauthorizedAccessException();
         }
 
-        var useMasterPasswordPolicy = await ShouldHandleResetPasswordAsync(orgId);
+        var useMasterPasswordPolicy = _featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements)
+        ? (await _policyRequirementQuery.GetAsync<ResetPasswordPolicyRequirement>(user.Id)).AutoEnrollEnabled(orgId)
+        : await ShouldHandleResetPasswordAsync(orgId);
 
         if (useMasterPasswordPolicy && string.IsNullOrWhiteSpace(model.ResetPasswordKey))
         {
-            throw new BadRequestException(string.Empty, "Master Password reset is required, but not provided.");
+            throw new BadRequestException("Master Password reset is required, but not provided.");
         }
 
         await _acceptOrgUserCommand.AcceptOrgUserByEmailTokenAsync(organizationUserId, user, model.Token, _userService);
diff --git a/src/Api/AdminConsole/Controllers/OrganizationsController.cs b/src/Api/AdminConsole/Controllers/OrganizationsController.cs
index 34da3de10c..9fa9cb6672 100644
--- a/src/Api/AdminConsole/Controllers/OrganizationsController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationsController.cs
@@ -16,6 +16,8 @@ using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationApiKeys.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Repositories;
@@ -61,6 +63,7 @@ public class OrganizationsController : Controller
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
     private readonly ICloudOrganizationSignUpCommand _cloudOrganizationSignUpCommand;
     private readonly IOrganizationDeleteCommand _organizationDeleteCommand;
+    private readonly IPolicyRequirementQuery _policyRequirementQuery;
     private readonly IPricingClient _pricingClient;
 
     public OrganizationsController(
@@ -84,6 +87,7 @@ public class OrganizationsController : Controller
         IRemoveOrganizationUserCommand removeOrganizationUserCommand,
         ICloudOrganizationSignUpCommand cloudOrganizationSignUpCommand,
         IOrganizationDeleteCommand organizationDeleteCommand,
+        IPolicyRequirementQuery policyRequirementQuery,
         IPricingClient pricingClient)
     {
         _organizationRepository = organizationRepository;
@@ -106,6 +110,7 @@ public class OrganizationsController : Controller
         _removeOrganizationUserCommand = removeOrganizationUserCommand;
         _cloudOrganizationSignUpCommand = cloudOrganizationSignUpCommand;
         _organizationDeleteCommand = organizationDeleteCommand;
+        _policyRequirementQuery = policyRequirementQuery;
         _pricingClient = pricingClient;
     }
 
@@ -163,8 +168,13 @@ public class OrganizationsController : Controller
             throw new NotFoundException();
         }
 
-        var resetPasswordPolicy =
-            await _policyRepository.GetByOrganizationIdTypeAsync(organization.Id, PolicyType.ResetPassword);
+        if (_featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements))
+        {
+            var resetPasswordPolicyRequirement = await _policyRequirementQuery.GetAsync<ResetPasswordPolicyRequirement>(user.Id);
+            return new OrganizationAutoEnrollStatusResponseModel(organization.Id, resetPasswordPolicyRequirement.AutoEnrollEnabled(organization.Id));
+        }
+
+        var resetPasswordPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(organization.Id, PolicyType.ResetPassword);
         if (resetPasswordPolicy == null || !resetPasswordPolicy.Enabled || resetPasswordPolicy.Data == null)
         {
             return new OrganizationAutoEnrollStatusResponseModel(organization.Id, false);
@@ -172,6 +182,7 @@ public class OrganizationsController : Controller
 
         var data = JsonSerializer.Deserialize<ResetPasswordDataModel>(resetPasswordPolicy.Data, JsonHelpers.IgnoreCase);
         return new OrganizationAutoEnrollStatusResponseModel(organization.Id, data?.AutoEnrollEnabled ?? false);
+
     }
 
     [HttpPost("")]
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirement.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirement.cs
new file mode 100644
index 0000000000..4feef1b088
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirement.cs
@@ -0,0 +1,46 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.Enums;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+/// <summary>
+/// Policy requirements for the Account recovery administration policy.
+/// </summary>
+public class ResetPasswordPolicyRequirement : IPolicyRequirement
+{
+    /// <summary>
+    /// List of Organization Ids that require automatic enrollment in password recovery.
+    /// </summary>
+    private IEnumerable<Guid> _autoEnrollOrganizations;
+    public IEnumerable<Guid> AutoEnrollOrganizations { init => _autoEnrollOrganizations = value; }
+
+    /// <summary>
+    /// Returns true if provided organizationId requires automatic enrollment in password recovery.
+    /// </summary>
+    public bool AutoEnrollEnabled(Guid organizationId)
+    {
+        return _autoEnrollOrganizations.Contains(organizationId);
+    }
+
+
+}
+
+public class ResetPasswordPolicyRequirementFactory : BasePolicyRequirementFactory<ResetPasswordPolicyRequirement>
+{
+    public override PolicyType PolicyType => PolicyType.ResetPassword;
+
+    protected override bool ExemptProviders => false;
+
+    protected override IEnumerable<OrganizationUserType> ExemptRoles => [];
+
+    public override ResetPasswordPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails)
+    {
+        var result = policyDetails
+        .Where(p => p.GetDataModel<ResetPasswordDataModel>().AutoEnrollEnabled)
+        .Select(p => p.OrganizationId)
+        .ToHashSet();
+
+        return new ResetPasswordPolicyRequirement() { AutoEnrollOrganizations = result };
+    }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
index 6c698f9ffc..d386006ad2 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
@@ -33,5 +33,6 @@ public static class PolicyServiceCollectionExtensions
     {
         services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, DisableSendPolicyRequirementFactory>();
         services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, SendOptionsPolicyRequirementFactory>();
+        services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, ResetPasswordPolicyRequirementFactory>();
     }
 }
diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index 1b44eea496..772b407951 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -6,6 +6,8 @@ using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Models.Business;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Enums;
@@ -76,6 +78,7 @@ public class OrganizationService : IOrganizationService
     private readonly IOrganizationBillingService _organizationBillingService;
     private readonly IHasConfirmedOwnersExceptQuery _hasConfirmedOwnersExceptQuery;
     private readonly IPricingClient _pricingClient;
+    private readonly IPolicyRequirementQuery _policyRequirementQuery;
 
     public OrganizationService(
         IOrganizationRepository organizationRepository,
@@ -111,7 +114,8 @@ public class OrganizationService : IOrganizationService
         ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
         IOrganizationBillingService organizationBillingService,
         IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery,
-        IPricingClient pricingClient)
+        IPricingClient pricingClient,
+        IPolicyRequirementQuery policyRequirementQuery)
     {
         _organizationRepository = organizationRepository;
         _organizationUserRepository = organizationUserRepository;
@@ -147,6 +151,7 @@ public class OrganizationService : IOrganizationService
         _organizationBillingService = organizationBillingService;
         _hasConfirmedOwnersExceptQuery = hasConfirmedOwnersExceptQuery;
         _pricingClient = pricingClient;
+        _policyRequirementQuery = policyRequirementQuery;
     }
 
     public async Task ReplacePaymentMethodAsync(Guid organizationId, string paymentToken,
@@ -1353,13 +1358,25 @@ public class OrganizationService : IOrganizationService
         }
 
         // Block the user from withdrawal if auto enrollment is enabled
-        if (resetPasswordKey == null && resetPasswordPolicy.Data != null)
+        if (_featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements))
         {
-            var data = JsonSerializer.Deserialize<ResetPasswordDataModel>(resetPasswordPolicy.Data, JsonHelpers.IgnoreCase);
-
-            if (data?.AutoEnrollEnabled ?? false)
+            var resetPasswordPolicyRequirement = await _policyRequirementQuery.GetAsync<ResetPasswordPolicyRequirement>(userId);
+            if (resetPasswordKey == null && resetPasswordPolicyRequirement.AutoEnrollEnabled(organizationId))
             {
-                throw new BadRequestException("Due to an Enterprise Policy, you are not allowed to withdraw from Password Reset.");
+                throw new BadRequestException("Due to an Enterprise Policy, you are not allowed to withdraw from account recovery.");
+            }
+
+        }
+        else
+        {
+            if (resetPasswordKey == null && resetPasswordPolicy.Data != null)
+            {
+                var data = JsonSerializer.Deserialize<ResetPasswordDataModel>(resetPasswordPolicy.Data, JsonHelpers.IgnoreCase);
+
+                if (data?.AutoEnrollEnabled ?? false)
+                {
+                    throw new BadRequestException("Due to an Enterprise Policy, you are not allowed to withdraw from account recovery.");
+                }
             }
         }
 
diff --git a/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs b/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs
index e3071bd227..a19560ecee 100644
--- a/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs
+++ b/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs
@@ -7,6 +7,8 @@ using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Repositories;
@@ -424,4 +426,93 @@ public class OrganizationUsersControllerTests
             .GetManyDetailsByOrganizationAsync(organizationAbility.Id, Arg.Any<bool>(), Arg.Any<bool>())
             .Returns(organizationUsers);
     }
+
+    [Theory]
+    [BitAutoData]
+    public async Task Accept_WhenOrganizationUsePoliciesIsEnabledAndResetPolicyIsEnabled_WithPolicyRequirementsEnabled_ShouldHandleResetPassword(Guid orgId, Guid orgUserId,
+        OrganizationUserAcceptRequestModel model, User user, SutProvider<OrganizationUsersController> sutProvider)
+    {
+        // Arrange
+        var applicationCacheService = sutProvider.GetDependency<IApplicationCacheService>();
+        applicationCacheService.GetOrganizationAbilityAsync(orgId).Returns(new OrganizationAbility { UsePolicies = true });
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.PolicyRequirements).Returns(true);
+
+        var policy = new Policy
+        {
+            Enabled = true,
+            Data = CoreHelpers.ClassToJsonData(new ResetPasswordDataModel { AutoEnrollEnabled = true, }),
+        };
+        var userService = sutProvider.GetDependency<IUserService>();
+        userService.GetUserByPrincipalAsync(default).ReturnsForAnyArgs(user);
+
+        var policyRequirementQuery = sutProvider.GetDependency<IPolicyRequirementQuery>();
+
+        var policyRepository = sutProvider.GetDependency<IPolicyRepository>();
+
+        var policyRequirement = new ResetPasswordPolicyRequirement { AutoEnrollOrganizations = [orgId] };
+
+        policyRequirementQuery.GetAsync<ResetPasswordPolicyRequirement>(user.Id).Returns(policyRequirement);
+
+        // Act
+        await sutProvider.Sut.Accept(orgId, orgUserId, model);
+
+        // Assert
+        await sutProvider.GetDependency<IAcceptOrgUserCommand>().Received(1)
+            .AcceptOrgUserByEmailTokenAsync(orgUserId, user, model.Token, userService);
+        await sutProvider.GetDependency<IOrganizationService>().Received(1)
+            .UpdateUserResetPasswordEnrollmentAsync(orgId, user.Id, model.ResetPasswordKey, user.Id);
+
+        await userService.Received(1).GetUserByPrincipalAsync(default);
+        await applicationCacheService.Received(0).GetOrganizationAbilityAsync(orgId);
+        await policyRepository.Received(0).GetByOrganizationIdTypeAsync(orgId, PolicyType.ResetPassword);
+        await policyRequirementQuery.Received(1).GetAsync<ResetPasswordPolicyRequirement>(user.Id);
+        Assert.True(policyRequirement.AutoEnrollEnabled(orgId));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task Accept_WithInvalidModelResetPasswordKey_WithPolicyRequirementsEnabled_ThrowsBadRequestException(Guid orgId, Guid orgUserId,
+        OrganizationUserAcceptRequestModel model, User user, SutProvider<OrganizationUsersController> sutProvider)
+    {
+        // Arrange
+        model.ResetPasswordKey = " ";
+        var applicationCacheService = sutProvider.GetDependency<IApplicationCacheService>();
+        applicationCacheService.GetOrganizationAbilityAsync(orgId).Returns(new OrganizationAbility { UsePolicies = true });
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.PolicyRequirements).Returns(true);
+
+        var policy = new Policy
+        {
+            Enabled = true,
+            Data = CoreHelpers.ClassToJsonData(new ResetPasswordDataModel { AutoEnrollEnabled = true, }),
+        };
+        var userService = sutProvider.GetDependency<IUserService>();
+        userService.GetUserByPrincipalAsync(default).ReturnsForAnyArgs(user);
+
+        var policyRepository = sutProvider.GetDependency<IPolicyRepository>();
+
+        var policyRequirementQuery = sutProvider.GetDependency<IPolicyRequirementQuery>();
+
+        var policyRequirement = new ResetPasswordPolicyRequirement { AutoEnrollOrganizations = [orgId] };
+
+        policyRequirementQuery.GetAsync<ResetPasswordPolicyRequirement>(user.Id).Returns(policyRequirement);
+
+        // Act
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
+        sutProvider.Sut.Accept(orgId, orgUserId, model));
+
+        // Assert
+        await sutProvider.GetDependency<IAcceptOrgUserCommand>().Received(0)
+            .AcceptOrgUserByEmailTokenAsync(orgUserId, user, model.Token, userService);
+        await sutProvider.GetDependency<IOrganizationService>().Received(0)
+            .UpdateUserResetPasswordEnrollmentAsync(orgId, user.Id, model.ResetPasswordKey, user.Id);
+
+        await userService.Received(1).GetUserByPrincipalAsync(default);
+        await applicationCacheService.Received(0).GetOrganizationAbilityAsync(orgId);
+        await policyRepository.Received(0).GetByOrganizationIdTypeAsync(orgId, PolicyType.ResetPassword);
+        await policyRequirementQuery.Received(1).GetAsync<ResetPasswordPolicyRequirement>(user.Id);
+
+        Assert.Equal("Master Password reset is required, but not provided.", exception.Message);
+    }
 }
diff --git a/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs b/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
index b0906ddc43..8e6d2ce27b 100644
--- a/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
+++ b/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
@@ -4,12 +4,15 @@ using Bit.Api.AdminConsole.Controllers;
 using Bit.Api.Auth.Models.Request.Accounts;
 using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Models.Business.Tokenables;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationApiKeys.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Enums;
@@ -55,6 +58,7 @@ public class OrganizationsControllerTests : IDisposable
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
     private readonly ICloudOrganizationSignUpCommand _cloudOrganizationSignUpCommand;
     private readonly IOrganizationDeleteCommand _organizationDeleteCommand;
+    private readonly IPolicyRequirementQuery _policyRequirementQuery;
     private readonly IPricingClient _pricingClient;
     private readonly OrganizationsController _sut;
 
@@ -80,6 +84,7 @@ public class OrganizationsControllerTests : IDisposable
         _removeOrganizationUserCommand = Substitute.For<IRemoveOrganizationUserCommand>();
         _cloudOrganizationSignUpCommand = Substitute.For<ICloudOrganizationSignUpCommand>();
         _organizationDeleteCommand = Substitute.For<IOrganizationDeleteCommand>();
+        _policyRequirementQuery = Substitute.For<IPolicyRequirementQuery>();
         _pricingClient = Substitute.For<IPricingClient>();
 
         _sut = new OrganizationsController(
@@ -103,6 +108,7 @@ public class OrganizationsControllerTests : IDisposable
             _removeOrganizationUserCommand,
             _cloudOrganizationSignUpCommand,
             _organizationDeleteCommand,
+            _policyRequirementQuery,
             _pricingClient);
     }
 
@@ -236,4 +242,55 @@ public class OrganizationsControllerTests : IDisposable
 
         await _organizationDeleteCommand.Received(1).DeleteAsync(organization);
     }
+
+    [Theory, AutoData]
+    public async Task GetAutoEnrollStatus_WithPolicyRequirementsEnabled_ReturnsOrganizationAutoEnrollStatus_WithResetPasswordEnabledTrue(
+        User user,
+        Organization organization,
+        OrganizationUser organizationUser
+    )
+    {
+        var policyRequirement = new ResetPasswordPolicyRequirement() { AutoEnrollOrganizations = [organization.Id] };
+
+        _userService.GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(user);
+        _organizationRepository.GetByIdentifierAsync(organization.Id.ToString()).Returns(organization);
+        _featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements).Returns(true);
+        _organizationUserRepository.GetByOrganizationAsync(organization.Id, user.Id).Returns(organizationUser);
+        _policyRequirementQuery.GetAsync<ResetPasswordPolicyRequirement>(user.Id).Returns(policyRequirement);
+
+        var result = await _sut.GetAutoEnrollStatus(organization.Id.ToString());
+
+        await _userService.Received(1).GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>());
+        await _organizationRepository.Received(1).GetByIdentifierAsync(organization.Id.ToString());
+        await _policyRequirementQuery.Received(1).GetAsync<ResetPasswordPolicyRequirement>(user.Id);
+
+        Assert.True(result.ResetPasswordEnabled);
+        Assert.Equal(result.Id, organization.Id);
+    }
+
+    [Theory, AutoData]
+    public async Task GetAutoEnrollStatus_WithPolicyRequirementsDisabled_ReturnsOrganizationAutoEnrollStatus_WithResetPasswordEnabledTrue(
+    User user,
+    Organization organization,
+    OrganizationUser organizationUser
+)
+    {
+
+        var policy = new Policy() { Type = PolicyType.ResetPassword, Enabled = true, Data = "{\"AutoEnrollEnabled\": true}", OrganizationId = organization.Id };
+
+        _userService.GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(user);
+        _organizationRepository.GetByIdentifierAsync(organization.Id.ToString()).Returns(organization);
+        _featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements).Returns(false);
+        _organizationUserRepository.GetByOrganizationAsync(organization.Id, user.Id).Returns(organizationUser);
+        _policyRepository.GetByOrganizationIdTypeAsync(organization.Id, PolicyType.ResetPassword).Returns(policy);
+
+        var result = await _sut.GetAutoEnrollStatus(organization.Id.ToString());
+
+        await _userService.Received(1).GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>());
+        await _organizationRepository.Received(1).GetByIdentifierAsync(organization.Id.ToString());
+        await _policyRequirementQuery.Received(0).GetAsync<ResetPasswordPolicyRequirement>(user.Id);
+        await _policyRepository.Received(1).GetByOrganizationIdTypeAsync(organization.Id, PolicyType.ResetPassword);
+
+        Assert.True(result.ResetPasswordEnabled);
+    }
 }
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirementFactoryTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirementFactoryTests.cs
new file mode 100644
index 0000000000..181f4f170e
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirementFactoryTests.cs
@@ -0,0 +1,37 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+[SutProviderCustomize]
+public class ResetPasswordPolicyRequirementFactoryTests
+{
+    [Theory, BitAutoData]
+    public void AutoEnroll_WithNoPolicies_IsEmpty(SutProvider<ResetPasswordPolicyRequirementFactory> sutProvider, Guid orgId)
+    {
+        var actual = sutProvider.Sut.Create([]);
+
+        Assert.False(actual.AutoEnrollEnabled(orgId));
+    }
+
+    [Theory, BitAutoData]
+    public void AutoEnrollAdministration_WithAnyResetPasswordPolices_ReturnsEnabledOrganizationIds(
+        [PolicyDetails(PolicyType.ResetPassword)] PolicyDetails[] policies,
+        SutProvider<ResetPasswordPolicyRequirementFactory> sutProvider)
+    {
+        policies[0].SetDataModel(new ResetPasswordDataModel { AutoEnrollEnabled = true });
+        policies[1].SetDataModel(new ResetPasswordDataModel { AutoEnrollEnabled = false });
+        policies[2].SetDataModel(new ResetPasswordDataModel { AutoEnrollEnabled = true });
+
+        var actual = sutProvider.Sut.Create(policies);
+
+        Assert.True(actual.AutoEnrollEnabled(policies[0].OrganizationId));
+        Assert.False(actual.AutoEnrollEnabled(policies[1].OrganizationId));
+        Assert.True(actual.AutoEnrollEnabled(policies[2].OrganizationId));
+    }
+}